How to route packets without using a connected route.

netone.cisco
Level 1

Hello all,

I'm facing a challenge. Please check the attachment.

From a remote network I want to be able to reach MngNetwork, which is behind the firewall. All devices on this network have the firewall as their gateway.

The challenge: before the firewall there is a 4507 Layer 3 switch which I want to have an IP on that network. This creates a connected route on the switch which routes the packets to that network. When the devices reply, the firewall blocks the traffic because it did not receive the initial request.

Is there any way I can make the packets go from the computer to the network and back through the firewall and keep the IP address on the switch?

I also want connections initiated from the switch NOT to go through the firewall and use the connected route.

The switch is just a backup in case of any problem with the firewall.

Things I tried:

1. Create a static route to smaller subnets of MngNetwork. That has the problem of reaching the switch IP and connecting to the network from the switch.

2. Loopback interface on the switch and eliminate the other interface. This makes the network and switch IP reachable, but traffic goes through the firewall.

Thanks all

2 Replies

Antonio Knox
Level 7

Try a route map (assume 10.1.1.7 is the computer in VLAN 10, 192.168.2.0/24 is the MngNetwork, and 192.168.2.2 is the 1st router in MngNetwork behind the firewall).

conf t
!---Define traffic to redirect
ip access-list extended reroute
permit ip host 10.1.1.7 192.168.2.0 0.0.0.255
deny ip any any
exit
!---Define redirection
route-map RouteMgt permit 10
match ip address reroute
set ip next-hop 192.168.2.2
exit
!---Apply to vlan
int vlan 10
ip policy route-map RouteMgt
exit

That should do it.

Please rate this post if it helps.

Hi Antonio, thanks for your response.

I'm not familiar with, nor do I really have experience with, route-maps and PBR, so I didn't really think about it, but your post sparked some ideas.

Just to be clear, where would this route-map be applied (referring to my drawing)? Would it be in the 4507? What is it you considered "the first router behind the firewall"?

But from that a route-map could be created like below (suppose 192.168.100.254 is the firewall address connected to the 4507 switch and 192.168.2.2 is the 4507 MngNetwork IP):

conf t
!---Define traffic to redirect.
ip access-list extended reroute
deny ip host 10.1.1.7 192.168.2.2 0.0.0.0
permit ip host 10.1.1.7 192.168.2.0 0.0.0.255
deny ip any any
exit
!---Define redirection
route-map RouteMgt permit 10
match ip address reroute
set ip next-hop 192.168.100.254
exit
!---Apply to vlan
int vlan 10
ip policy route-map RouteMgt
exit

What do you think?
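The two replies above describe the same mechanism from different angles: a route-map on the 4507 intercepts the client's packets before the routing table is consulted, so the request is forced through the firewall and the stateful firewall then sees both directions of the session. The following Python model is an added example, not code from the thread or from Cisco; it encodes the ACL from the follow-up reply (deny the switch's own 192.168.2.2, policy-route the rest of 192.168.2.0/24) and a minimal stateful firewall, then compares the plain connected-route case with the PBR case. The MngNetwork host 192.168.2.10 is a constructed address; the default route pointing at the firewall and the firewall's permit policy for inbound management traffic are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the thread: the 4507 owns 192.168.2.2 on MngNetwork and
# 192.168.100.254 is the firewall interface facing the 4507.
CLIENT = "10.1.1.7"
FIREWALL = "192.168.100.254"
SWITCH_MNG_IP = "192.168.2.2"
MNG_NET = "192.168.2.0/24"
MNG_HOST = "192.168.2.10"  # constructed: a device on MngNetwork


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ace(action, src, dst):
    return Ace(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))


# The follow-up reply's "reroute" ACL: keep the switch's own address out of PBR,
# policy-route the rest of MngNetwork, implicit deny for everything else.
REROUTE_ACL = [
    ace("deny", "10.1.1.7/32", "192.168.2.2/32"),
    ace("permit", "10.1.1.7/32", "192.168.2.0/24"),
]


def acl_permits(acl, pkt):
    """IOS ACL semantics: the first matching entry decides, implicit deny at the end."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in acl:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def switch_next_hop(pkt, pbr_acl=None):
    """Forwarding decision on the 4507 for a packet entering VLAN 10.

    PBR runs before the routing table: a packet the route-map ACL permits goes to
    the 'set ip next-hop' address. Everything else uses the table, where the
    connected route for MngNetwork wins and the remainder follows the default
    route (assumed here to point at the firewall).
    """
    if pbr_acl is not None and acl_permits(pbr_acl, pkt):
        return FIREWALL
    d = ipaddress.ip_address(pkt.dst)
    if d == ipaddress.ip_address(SWITCH_MNG_IP):
        return "local"  # addressed to the switch itself
    if d in ipaddress.ip_network(MNG_NET):
        return "connected"  # bypasses the firewall
    return FIREWALL


class StatefulFirewall:
    """Minimal state table: a reply passes only if the request created a session."""

    def __init__(self):
        self.sessions = set()

    def inbound_request(self, pkt):
        # Assumption: policy permits the client to reach MngNetwork.
        self.sessions.add((pkt.src, pkt.dst))

    def passes_reply(self, reply):
        return (reply.dst, reply.src) in self.sessions


def simulate(pbr_acl):
    """One request/reply exchange between the client and a MngNetwork host."""
    fw = StatefulFirewall()
    request = Packet(CLIENT, MNG_HOST)
    hop = switch_next_hop(request, pbr_acl)
    if hop == FIREWALL:
        fw.inbound_request(request)
    # MngNetwork hosts use the firewall as their gateway, so the reply always hits it.
    reply = Packet(MNG_HOST, CLIENT)
    return {"request_via": hop, "reply_allowed": fw.passes_reply(reply)}


if __name__ == "__main__":
    print("connected route only:", simulate(None))
    print("with PBR:", simulate(REROUTE_ACL))
    print("client to switch IP with PBR:",
          switch_next_hop(Packet(CLIENT, SWITCH_MNG_IP), REROUTE_ACL))
```

Without the route-map the request takes the connected route and the reply is dropped at the firewall, which is exactly the symptom in the question; with the route-map both directions pass the firewall. The deny entry keeps packets addressed to the switch's own 192.168.2.2 on the local path. Note that an interface route-map only affects transit traffic entering VLAN 10: packets the 4507 originates itself are routed from its own table (the connected route) unless `ip local policy route-map` is configured, which matches the requirement that switch-initiated connections stay off the firewall.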
