12-06-2013 09:05 PM - edited 03-07-2019 04:58 PM
Firewall #1 (ASA 5580) injects the default route (0.0.0.0/0) toward the Edge router into the OSPF routing process.
How to route just 4.4.4.0/24 through Firewall #2 (ASA 5585) as its default?
Edge router will have a static route back through Firewall #2 to 4.4.4.0/24.
12-06-2013 10:46 PM
Because OSPF is a link-state protocol, your options are limited. So the 3.3.3.0/24 network should still go out to Firewall #1?
If you put a static default route on the 4.4.4.0/24 router then that would affect the 3.3.3.0/24 network as well.
You could announce another default route from Firewall #2 but then all routers would receive that and you would need to filter that out on the routers that should not have it. That would affect the 3.3.3.0/24 network as well.
Really the only option if you have to do special forwarding for just one subnet like this is to use PBR. Something like:
conf t
 ip access-list extended PBR_4-NET
  permit ip 4.4.4.0 0.0.0.255 any
 route-map PBR_SETNH permit 10
  match ip address PBR_4-NET
  set ip next-hop x.x.x.x
 ! the route-map only takes effect once it is applied to the interface
 ! that receives the traffic from 4.4.4.0/24 (interface name not given)
 interface <ingress-interface>
  ip policy route-map PBR_SETNH
Where x.x.x.x is pointing towards Firewall #2. However, I am unsure by looking at your diagram if you have an interface pointing towards Firewall #2 or if you have a common subnet where all routers and firewalls reside. This could be troublesome in that case.
Daniel Dib
CCIE #37149
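To make the forwarding decision above concrete, here is an added model (not from the thread or from Cisco) of how a policy route-map is evaluated before the routing table. It also goes one step beyond the suggested ACL: because `permit ip 4.4.4.0 0.0.0.255 any` also matches traffic headed for internal destinations such as 3.3.3.0/24, a refined ACL with a leading deny is shown. All next-hop addresses and the routing-table contents are constructed placeholders; only 4.4.4.0/24, 3.3.3.0/24 and the two firewalls come from the discussion.

```python
import ipaddress

# Constructed placeholders: the real x.x.x.x values are not in the thread.
FW1_NEXT_HOP = "10.0.0.1"   # assumed: where the OSPF default from Firewall #1 points
FW2_NEXT_HOP = "10.0.0.2"   # assumed: the x.x.x.x in "set ip next-hop x.x.x.x"

ROUTING_TABLE = {            # constructed: destination prefix -> next hop
    "0.0.0.0/0": FW1_NEXT_HOP,   # the default route Firewall #1 injects into OSPF
    "3.3.3.0/24": "10.0.0.3",    # assumed: internal route toward the 3.3.3.0/24 router
}

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask test: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_lookup(acl, src, dst):
    """Action of the first matching ACE, or None for the implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return None

def routing_table_lookup(dst):
    """Longest-prefix match against the constructed routing table."""
    d = ipaddress.IPv4Address(dst)
    nets = [ipaddress.IPv4Network(p) for p in ROUTING_TABLE]
    best = max((n for n in nets if d in n), key=lambda n: n.prefixlen)
    return ROUTING_TABLE[str(best)]

def forward(route_map, src, dst):
    """PBR runs before destination lookup: the first sequence whose ACL permits
    the packet sets the next hop; a deny or no match falls through to the next
    sequence, and packets matching no sequence use normal routing."""
    for acl, next_hop in route_map:
        if acl_lookup(acl, src, dst) == "permit":
            return next_hop
    return routing_table_lookup(dst)

# The ACL suggested above: anything sourced from 4.4.4.0/24 -> Firewall #2.
PBR_4_NET = [("permit", "4.4.4.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]
PBR_SETNH = [(PBR_4_NET, FW2_NEXT_HOP)]

# Refined ACL (added here): exempt 4.4.4.0/24 -> 3.3.3.0/24 so internal
# traffic keeps following the routing table instead of Firewall #2.
PBR_4_NET_REFINED = [
    ("deny",   "4.4.4.0", "0.0.0.255", "3.3.3.0", "0.0.0.255"),
    ("permit", "4.4.4.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]
PBR_SETNH_REFINED = [(PBR_4_NET_REFINED, FW2_NEXT_HOP)]
```

Running `forward(PBR_SETNH, "4.4.4.10", "3.3.3.10")` returns the Firewall #2 next hop, while the refined route-map returns the internal 3.3.3.0/24 route; 3.3.3.0/24 sources are untouched by either and still follow the OSPF default.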
12-07-2013 06:42 AM
Daniel
However I am unsure by looking at your diagram if you have an interface pointing towards Firewall #2 or if you have a common subnet where all routers and firewalls reside in. This could be troublesome in that case.
Hope you don't mind me asking, but purely for my own clarification, why would it matter if they were on a common subnet? I.e. I would have thought PBR would have worked anyway.
Jon
12-07-2013 10:45 PM
Hi Jon,
I was thinking that if normal forwarding is through interface X then we want the forwarding to go through interface Y. But now that you mention it, it should still work. The frame would be encapsulated with DST MAC of Firewall #2 so the packet should only be processed by Firewall #2.
Daniel Dib
CCIE #37149