10-14-2014 12:19 PM - edited 03-07-2019 09:06 PM
I have attached a drawing for clarity.
I currently have one firewall that connects my network to the internet with web and VPN access. What I am trying to do is test my web filter to the internet for the subnet 10.2.254.0/24. I would like the route to the internet for just the 10.2.254.0/24 network to go to 192.168.1.3. For the rest of the network it would continue to use 192.168.1.2.
The goal is to only have 10.2.254.0/24 being filtered and sent to the test firewall. Eventually it will be the web firewall but currently I just need to test the web filter.
Can this be done?
10-14-2014 04:49 PM
1- write ACL like this
(config)# access-list 110 permit ip 10.2.254.0 0.0.0.255 any
2- define route-map like this:
(config)# route-map pol permit 8
(config-route-map)# match ip address 110
(config-route-map)# set ip next-hop <firewall address>
(config)# route-map pol permit 10
3- apply defined route-map to inbound interface (interface that is connected to 10.2.254.0/24) of your router:
(config-if)# ip policy route-map pol
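The same policy-based routing idea written for the NX-OS core that the original poster describes (two Nexus 7000s in front of the ASAs). This is an added example, not configuration from the thread: the interface name Vlan254, the ACL name PBR-TEST-SUBNET, the route-map name PBR-TEST and the internal address ranges 10.0.0.0/8 and 192.168.0.0/16 are assumptions. The deny entries are the check a practitioner wants before turning this on: with a bare "permit ip 10.2.254.0/24 any", traffic from the test subnet to other internal networks would also be pushed at the test firewall, which is not what the poster asked for. In a PBR ACL a deny means "not matched, route normally", so internal destinations keep their ordinary path and only internet-bound traffic is steered to 192.168.1.3.

```cisco
! Added example (not from the thread): policy-based routing on the Nexus 7000 core
! so that only 10.2.254.0/24 reaches the internet through the test firewall 192.168.1.3.
! Assumed names: interface Vlan254, ACL PBR-TEST-SUBNET, route-map PBR-TEST.
feature pbr

ip access-list PBR-TEST-SUBNET
  ! Traffic that stays inside the enterprise (assumed to live in 10.0.0.0/8 and
  ! 192.168.0.0/16) must not be policy-routed: a deny here means "use the normal
  ! routing table", so east-west traffic from the test subnet is untouched.
  10 deny ip 10.2.254.0/24 10.0.0.0/8
  20 deny ip 10.2.254.0/24 192.168.0.0/16
  ! Everything else from the test subnet (i.e. internet-bound) goes to the test firewall.
  30 permit ip 10.2.254.0/24 any

route-map PBR-TEST permit 10
  match ip address PBR-TEST-SUBNET
  set ip next-hop 192.168.1.3

! Apply on the ingress interface of the test subnet. PBR only evaluates packets
! arriving on this interface, so every other subnet keeps the existing
! 0.0.0.0/0 via 192.168.1.2 default route in the Nexus.
interface Vlan254
  ip policy route-map PBR-TEST
```

No trailing empty route-map sequence is needed: packets that match nothing in the route-map are simply forwarded by the routing table. To verify, check "show route-map PBR-TEST" on the Nexus, then from a host in 10.2.254.0/24 traceroute to an internet address (first hop should be 192.168.1.3) and to an internal address (first hop should be the normal core path). Return traffic from the internet is not affected by PBR; it follows whatever route the test firewall and the core have for 10.2.254.0/24, so the test firewall must have a route back to that subnet.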
10-14-2014 12:35 PM
Unfortunately your drawing does not provide much information.
If I understand correctly you want the traffic from one particular subnet to be re-directed to another firewall. My suggestion if possible is that you can use WCCP and an ACL on the device (depending on the model of your device) just before the firewall to redirect your traffic.
If you can update the diagram, maybe we will be able to assist you better.
Thanks,
Manny.
10-14-2014 01:15 PM
The only difference is I am using 2 Nexus 7000 as the core router before the ASA 5525 firewalls.
Yes that is correct, just one subnet's (10.2.254.0/24) 0.0.0.0 0.0.0.0 route to 192.168.1.3. The rest of the network would continue to use 0.0.0.0 0.0.0.0 192.168.1.2 as its default route which is currently in the nexus.
Sorry for the simplicity. I have been told that I just need to change the 192.168.1.2 to 192.168.1.3 but I do not want it for the rest of the network.
10-14-2014 02:17 PM
What is this device between the new firewall and the Core?
10-14-2014 03:21 PM
Barracuda 410
10-14-2014 09:59 PM
The most practical and flexible way is to deploy this using WCCP. On your filtering ACL you only allow that subnet and deny the rest.
Example from the cisco website:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/15-02SG/configuration/guide/config/wccp.html
Switch(config)# ip access-list extended 100
Switch(config-ext-nacl)# permit ip 10.2.254.0 0.0.0.255 any
Switch(config-ext-nacl)# exit
Switch(config)# ip wccp web-cache redirect-list 100
Switch(config)# interface xxx {the interface going to the barracuda}
Switch(config-if)# ip wccp web-cache redirect out
Check this out and I hope it will help:
https://techlib.barracuda.com/display/BWFv60/WCCP+Deployment/printable
and
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_2/nx-os/unicast/configuration/guide/l3_cli_nxos/wccp.html
let me know if you need further assistance.
Thanks,
Manny.
10-17-2014 05:52 AM
I understand that is how to allow only 10.2.254.0/24 traffic out the interface. The issue I have is routing that subnet to another set of firewalls that has the barracuda connected for testing. The default route to 192.168.1.2 has to stay while it is in production. I need to set up the 10.2.254.0/24 to go out to the internet for last resort on 192.168.1.3. This is only for testing to verify that the connection is working and the filter is not blocking other options.
I say set because I have 2 firewalls in active/standby.
10-17-2014 07:07 AM
The example I gave above does not affect your current routing. What it will do is that all the traffic that is from the 10.2.254.0/24 subnet will be re-directed via WCCP out the interface that is facing those firewalls.
In practice you need to put the Barracuda before the firewall, and then the externally bound traffic will be sent by the web filter [Barracuda] on its external-facing interface to the firewalls.
To the best of my knowledge this solution provided should work just fine for this particular need. The flexibility is that you can add and remove subnets or hosts from your ACL without affecting other traffic whatsoever.
Remember it is not about routing the traffic but directing it to the correct place you want it to go.
Thanks,
Manny.