10-27-2022 10:20 AM
I am configuring a test firewall, and I need to route traffic from a single PC, via this firewall, to the Internet.
The firewall is configured with routing, inside and outside interfaces, access policy, and
- able to access both Internet and LAN
- reachable from the LAN
On the switch, we have a single default route pointing to the production firewall. What is the easiest way to route traffic from a single IP to the test firewall for Internet access?
10-27-2022 10:58 AM
Hello,
on the switch, you could configure PBR to redirect traffic from that specific IP source address towards the test firewall. The configuration would look something like this:
access-list 101 permit ip host 192.168.1.10 any
!
route-map PBR_TEST_FW permit 10
 match ip address 101
 set ip next-hop x.x.x.x (where x.x.x.x is the test firewall)
!
interface GigabitEthernet0/0
 description LAN interface
 ip policy route-map PBR_TEST_FW
10-27-2022 11:39 AM
Thanks for the clarification. Not sure what switch model; some models and switch IOS versions have access-list issues, so you need to test it.
Then @Georg Pauwen's suggestion is good to go; instead of gi0/0 you apply it on the VLAN SVI Layer 3 interface.
Even if anything goes wrong, only a single IP gets affected. Make sure the PC/device has a static IP.
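Putting the two solutions above together, here is the PBR applied on the production SVI with the ACL narrowed so that only the test PC's Internet-bound traffic is redirected, plus a reachability check so the PC falls back to the production default route if the test firewall stops answering. This is an added example, not configuration posted in the thread: 192.168.1.10 is the PC address from the answer above, while Vlan10 and the test firewall inside address 10.1.1.2 are assumed placeholders; `set ip next-hop verify-availability` with IP SLA tracking is assumed to be supported on the switch platform (where it is not, use the plain `set ip next-hop` form).

```cisco
! Added example (not from the thread). Assumed values: Vlan10 is the SVI the PC
! sits on, 10.1.1.2 is the test firewall's inside interface, 192.168.1.10 is the PC.
!
! Only the single host is ever matched; every other host on the VLAN falls through
! the route-map and keeps using the switch's normal default route.
! The deny lines keep the PC's LAN-to-LAN traffic on the routing table so that only
! its Internet-bound packets go to the test firewall. On some Catalyst platforms the
! vendor guide advises against deny ACEs in PBR ACLs (they are punted to the CPU);
! on those, drop the deny lines and keep only the permit.
access-list 101 deny   ip host 192.168.1.10 10.0.0.0 0.255.255.255
access-list 101 deny   ip host 192.168.1.10 172.16.0.0 0.15.255.255
access-list 101 deny   ip host 192.168.1.10 192.168.0.0 0.0.255.255
access-list 101 permit ip host 192.168.1.10 any
!
! Probe the test firewall every 10 seconds. If it stops answering, track 1 goes
! down, the set clause is skipped, and the PC is routed normally again.
ip sla 1
 icmp-echo 10.1.1.2 source-interface Vlan10
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Packets that do not match ACL 101 are not policy-routed at all.
route-map PBR_TEST_FW permit 10
 match ip address 101
 set ip next-hop verify-availability 10.1.1.2 10 track 1
!
! Apply on the SVI: the PC's switchport is Layer 2 only, so PBR cannot go there.
interface Vlan10
 ip policy route-map PBR_TEST_FW
!
! Verification: the route-map match counter should increment only while the PC
! sends traffic, and track 1 should report reachability Up.
! show route-map PBR_TEST_FW
! show track 1
! show ip sla statistics 1
```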
10-27-2022 11:27 AM
Hi,
Thanks. That is the approach I was taking, but wasn't sure where to apply the route-map.
I am not able to apply it to the interface as it is an access interface. I was thinking about applying it to the interface VLAN the PC is part of, but as that is a production VLAN, I wasn't sure how that would affect the other traffic on that VLAN.
Is it safe to apply the route-map to the VLAN without some unintended issues?
10-27-2022 11:16 AM
Some of the information is not clear here.
Does the switch act as Layer 2 only? (Since you mentioned default routing.)
What is the other device currently acting as the firewall or router to the Internet in the network?
10-27-2022 11:32 AM
Hi,
It is a layer 3 switch. By default route, I meant gateway of last resort.
S* 0.0.0.0/0 [1/0] via 10.x.x.x
This is the inside interface of the production firewall. I would like to send traffic from a single PC/IP to a different inside interface of a different firewall.
10-27-2022 11:58 AM
Thank you all! That worked perfectly.
10-27-2022 12:17 PM
Glad all worked, and thank you for the feedback.