I have a vlan created for the inside traffic destined to the firewall

so

vlan 20 (172.16.20.0/24)

then a default route 0.0.0.0 0.0.0.0 172.16.20.100

The Pix does NOT run a dynamic routing protocol. It's managed using static routes on the inside interface that point back to the core.

So if i understand right, all the internal networks are being learnt and adverstised via OSPF and you would be using the static route for default route?

I need to inject an external static route into OSPF area 0 but i'm not sure the best way to achieve this (Route-Map) perhaps but then do i have to enable OSPF process on the internet router?

Traffic that's leaving the Outside interface on the pix (L2 vlan 666) should exit the network via internet router's sub interface then to the ISP.

Internet Router Interfaces

fa0/0

no ip address

duplex full

speed 100

!

fa0/0.666

ip address 192.168.1.253/23

!

fa0/1

ip address dynamic

duplex auto

speed auto

ip route 0.0.0.0. 0.0.0.0. dhcp

--------------------------------------------------------------------------------------------------------

Core Switch (Area 0)

int fa0/5

desc ** Uplink Internet-R1__fa0/0 **

switchport

switchport trunk allowed vlan 666

switchport mode trunk

speed 100

duplex full

spanning-tree portfast

fa0/23

desc ** Ouside link to snet-fw01 **

switchport

switchport access vlan 666

speed 100

duplex full

spanning-tree portfast

fa0/24

desc ** Inside link to snet-fw01 **

switchport

switchport access vlan 20

speed 100

duplex full

I will include OSPF Setup in a little while. That may help with the seeing how this works a little better.
      

Message was edited by: Jay Stants

yes for traffic that wants to exit to the internet .. there's already a static (Default) route in area 0 that is point to the pix inside interface. Traffic must go there first then leave the pix outside interface and exit via internet router.

Unless I'm missing something, it sounds as simple as redistributing this static route:

ip route 0.0.0.0 0.0.0.0

ip prefix-list Default permit 0.0.0.0/0

route-map DefaultRoute permit 10

match ip addre prefix Default

router ospf 1

default-information originate route-map DefaultRoute

HTH,

John

I've attached the routing configuration for area0 and the IP Routes currently seen in the routing table. I'm hoping this will help clarify routing in Area0

the objective is still to fwd traffic from area0 core-s1 to internet router AFTER traffic exits the Outside interface of the firewall

path should go as follows:

area 1 --> area0 --> default route points to pix inside interface 172.16.20.100 | filter traffic in pix | allowed traffic exits Outside interface (192.168.1.2) --> back to area0 Core Switch and should exit via Internet-r1 fa0/0.666(192.168.1.253)

I hope this makes more sense at this point. If more detail is needed let me know and i will include whatever is missing to help follow what i'm trying to achieve.

Jay,

What path does the internet traffic take when coming into the network (new traffic for hosted services)? This setup seems odd to me that you wouldn't have your firewall in-path, unless we're seeing just a portion of the network. Otherwise, I'm assuming that your traffic comes from the internet, into the core switch(?), to the outside interface of the pix and back out the inside interface of the pix to the core switch again? I think pbr is going to be the answer, but I'm trying to figure out where to place it

John

John

Correct the inbound traffic would follow this path.

internet-r1 -> Core Switch (Isolated layer 2 vlan) -> outside interface of firewall [filtering] then pass to inside interface which is on a layer 3 routed vlan

so essentially 666 is a layer 2 (isolated) vlan

vlan 20 (172.16.20.0/24) is on the inside network (layer 3 routed vlan)

I am thinking that what i'm "attempting" to do is not feasible with the provider i have currently.

the internet router i do not want to perform any natting

the Pix i want to handle NAT/PAT and eventually will also be the VPN Concentrator when i manage to get there . that's for later so i will not even discuss VPN right now. I did a whole bunch of reading up on PBR / Route-Maps / conditional route injection.

Where i still lack understanding:

Should Internet-R1 run OSPF process and then i inject routes into that process to be redistributed back into the core? or should Core-s1(Area0) have the static routes injected from there into the ospf domain (Area 0). My biggest lack of understanding is on the placement of where i should be doing what i wish to achieve.

Message was edited by: Jay Stants

John -

I think i have this figured out - I will put together a config shortly and post it , then perhaps you can validate it and see if it makes sense.

Jay,

What is your default route on the pix? Does it point back to the core switch or toward the internet router? If it points to the internet router, I would say that you should be able transfer unknown traffic to the switch, the switch forwards to the pix, and then the pix forwards it to the internet router and then out...no ospf needed on internet router.

I think I'm missing something in your design, so I'm looking forward to see what you're coming up with. I can lab this up tomorrow too....

Thanks!

John

John

Your last post is almost bang on with what i'm attempting ..

I've not implemented the following yet but here's what i have been working on.

In Area 0 - core-s1 build a route-map and inject the static routes that way

on my firewall i do have a default --> route outside 0.0.0.0 0.0.0.0. 192.168.1.253 (local interface fa0/0) on inet-r1

here's what i've put together so far, i will have to implement this to see if this works correctly.

ip route 192.168.0.0 255.255.254.0 172.16.20.200 name snet-outside

route-map redist-static permit 10
match ip address REDIST
set metric-type type-1

ip access-list REDIST
permit 0.0.0.0
permit 192.168.0.0

router ospf 1
redistribute static subnets route-map redist-static

Jay,

Here's the way that I did it, and it seems to be working fine:

On R1, I have a loopback for 1.1.1.1/32. R2 has a default route pointing to R1 (172.12.0.1) and R2 is assigned 172.23.0.0/24 on the inside interface. R3 is connected to R7 (Switch) on vlan 23 along with R2 on the same vlan. The other port (fa0/1) from R3 is connected to a routed port on the core switch addressed as 192.168.73.3. (The core switch address is 192.168.73.7 and the 192.168.73.0/24 subnet is seen as connected on the switch.

R4 and R5 are on vlan 456 and R7 has a l3 svi of 10.45.0.0/24 and address as 10.45.0.7. I have a default route on R7 pointing to 192.168.73.3. The "pix" (R3) has nat configured for a pool of addresses in the 172.23.0.0/24 subnet. The "pix" (R3) has a default route pointing to R2 at 172.23.0.2. R3 also has a static route of 10.0.0.0/8 pointing to 192.168.73.7. (R7 - Core switch)

OSPF is configured on R7 with 10.45.0.0/24 in area 0 and distributing a default route. R4 shows it's default route as 10.45.0.7:

R4:

Gateway of last resort is 10.45.0.7 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 2 subnets

C       10.45.0.0 is directly connected, FastEthernet0/0

O IA    10.56.0.0 [110/20] via 10.45.0.5, 00:21:54, FastEthernet0/0

O*E2 0.0.0.0/0 [110/1] via 10.45.0.7, 00:15:54, FastEthernet0/0

R4#

R6 shows its default route as 10.57.0.5 (R5):

Gateway of last resort is 10.56.0.5 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 2 subnets

O IA    10.45.0.0 [110/20] via 10.56.0.5, 00:21:42, FastEthernet0/0

C       10.56.0.0 is directly connected, FastEthernet0/0

O*E2 0.0.0.0/0 [110/1] via 10.56.0.5, 00:16:30, FastEthernet0/0

R6#

Basically, the default route is distributed from R7 to all of the other routers using ospf. The router (R3) doesn't have ospf configured. I used a default route pointing to R2 172.23.0.2 and another static route pointing all 10.0.0.0/8 traffic back to the switch.

I also set up a static nat for R4 (10.45.0.4) to nat out as a static address. I tested outside -> inside traffic by pinging that address from R1's loopback (1.1.1.1) to 172.23.0.50 and was able to get a response, so no blackholed traffic

HTH,

John

*** Please rate all useful posts ***