tmikelson
Beginner

How to impose a different default route on a particular subnet?

Firewall #1 (ASA 5580) injects the default route (0.0.0.0/0) toward the Edge router into the OSPF routing process.

How to route just 4.4.4.0/24 through Firewall #2 (ASA 5585) as its default?

Edge router will have a static route back through Firewall #2 to 4.4.4.0/24.

[attached diagram: question.gif]

3 REPLIES
daniel.dib
Rising star

Because OSPF is a link-state protocol, your options are limited. So the 3.3.3.0/24 network should still go out to Firewall #1?

If you put a static default route on the 4.4.4.0/24 router then that would affect the 3.3.3.0/24 network as well.

You could announce another default route from Firewall #2 but then all routers would receive that and you would need to filter that out on the routers that should not have it. That would affect the 3.3.3.0/24 network as well.

Really the only option if you have to do special forwarding for just one subnet like this is to use PBR. Something like:

conf t
ip access-list extended PBR_4-NET
 permit ip 4.4.4.0 0.0.0.255 any
route-map PBR_SETNH permit 10
 match ip address PBR_4-NET
 set ip next-hop x.x.x.x
! the route-map only takes effect once applied to the interface that
! receives traffic from 4.4.4.0/24 (interface name below is a placeholder)
interface GigabitEthernet0/0
 ip policy route-map PBR_SETNH

Where x.x.x.x is pointing towards Firewall #2. However I am unsure by looking at your diagram if you have an interface pointing towards Firewall #2 or if you have a common subnet where all routers and firewalls reside in. This could be troublesome in that case.

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.
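To make the forwarding logic behind this answer concrete, here is an added Python model (not code from the thread or from Cisco) of a router that holds the OSPF-learned 0.0.0.0/0 via Firewall #1 and applies the PBR_SETNH route-map on the interface facing 4.4.4.0/24. It implements IOS wildcard-mask ACL matching, a longest-prefix RIB lookup, and the difference between `set ip next-hop` (as posted) and `set ip default next-hop`. The firewall next-hop addresses and the assumption that 3.3.3.0/24 and 4.4.4.0/24 are directly connected are constructed for the illustration.

```python
import ipaddress

# Added example (not from the thread): a small model of how an IOS router
# chooses a next hop when it holds an OSPF-learned default route from
# Firewall #1 and a PBR route-map that steers only 4.4.4.0/24 to Firewall #2.
# Both firewall next-hop addresses below are invented placeholders.
FW1_NEXT_HOP = "192.0.2.1"   # assumed: Firewall #1 (ASA 5580), source of 0.0.0.0/0
FW2_NEXT_HOP = "192.0.2.2"   # assumed: Firewall #2 (ASA 5585), the x.x.x.x next hop

# Routing table as (prefix, next hop): the OSPF default plus the two LAN
# prefixes from the question, assumed here to be directly connected.
RIB = [
    (ipaddress.IPv4Network("0.0.0.0/0"), FW1_NEXT_HOP),
    (ipaddress.IPv4Network("3.3.3.0/24"), "connected"),
    (ipaddress.IPv4Network("4.4.4.0/24"), "connected"),
]


def wildcard_match(addr, network, wildcard):
    """IOS ACL semantics: a 1 bit in the wildcard mask means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)


def acl_pbr_4_net(src, dst):
    """ip access-list extended PBR_4-NET: permit ip 4.4.4.0 0.0.0.255 any"""
    return wildcard_match(src, "4.4.4.0", "0.0.0.255")


def rib_lookup(dst):
    """Longest-prefix match; returns (prefix, next hop). The default route
    guarantees there is always a result."""
    d = ipaddress.IPv4Address(dst)
    return max((e for e in RIB if d in e[0]), key=lambda e: e[0].prefixlen)


def forward(src, dst, route_map):
    """Decide the next hop for a packet entering the policy-routed interface.

    route_map entries are (match_fn, next_hop, mode):
      mode "next-hop" mirrors 'set ip next-hop': overrides the RIB outright.
      mode "default"  mirrors 'set ip default next-hop': used only when the
                      RIB has nothing more specific than 0.0.0.0/0 for dst.
    PBR is evaluated before the normal routing lookup; unmatched traffic
    (e.g. anything sourced from 3.3.3.0/24) follows the RIB, i.e. the OSPF
    default toward Firewall #1.
    """
    prefix, rib_next_hop = rib_lookup(dst)
    for match_fn, next_hop, mode in route_map:
        if not match_fn(src, dst):
            continue
        if mode == "next-hop" or prefix.prefixlen == 0:
            return next_hop
    return rib_next_hop


# route-map PBR_SETNH permit 10, as posted: match PBR_4-NET, set ip next-hop x.x.x.x
PBR_SETNH = [(acl_pbr_4_net, FW2_NEXT_HOP, "next-hop")]
# Same policy with 'set ip default next-hop', so 4.4.4.0/24 -> 3.3.3.0/24
# traffic keeps following the connected route instead of going to Firewall #2.
PBR_SETNH_DEFAULT = [(acl_pbr_4_net, FW2_NEXT_HOP, "default")]


if __name__ == "__main__":
    for src, dst in [("4.4.4.10", "198.51.100.5"),
                     ("3.3.3.10", "198.51.100.5"),
                     ("4.4.4.10", "3.3.3.10")]:
        print(f"{src} -> {dst}: set ip next-hop => {forward(src, dst, PBR_SETNH)}, "
              f"set ip default next-hop => {forward(src, dst, PBR_SETNH_DEFAULT)}")
```

Running it shows the behaviour the answer describes (4.4.4.0/24 leaves via Firewall #2, 3.3.3.0/24 keeps the OSPF default via Firewall #1) and one caveat worth checking before deploying the posted ACL: because it permits `4.4.4.0 0.0.0.255 any`, traffic from 4.4.4.0/24 to the local 3.3.3.0/24 is also pushed to Firewall #2 with `set ip next-hop`. Either deny local destinations ahead of the permit in PBR_4-NET or use `set ip default next-hop` so that only traffic with no explicit route is policy-routed.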

Daniel

However I am unsure by looking at your diagram if you have an interface pointing towards Firewall #2 or if you have a common subnet where all routers and firewalls reside in. This could be troublesome in that case.

Hope you don't mind me asking, but purely for my own clarification, why would it matter if they were on a common subnet? I.e. I would have thought PBR would have worked anyway.

Jon

Hi Jon,

I was thinking that if normal forwarding is through interface X then we want the forwarding to go through interface Y. But now that you mention it, it should still work. The frame would be encapsulated with DST MAC of Firewall #2 so the packet should only be processed by Firewall #2.

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.