I think I solved this way (hope it's fine):
I have my local subnet for istance (10.1.0.0/16 , 10.2.0.0/16, 10.60.0.0/16) which are routed by 3750 SVIs and access internet by the default route 0/0 10.60.0.253. and these are ok.
I also have traffic coming from a wan (subnets 10.70.0.0, 10.20.0.0) that need to reach my local subnets and access internet by a secondary fairewall (10.60.0.250).
so in the interface where my wan is connected i configured the following policy:
ip policy route-map PBR
route-map PBR permit 10
match ip address LOCAL
route-map PBR permit 20
set ip next-ho 10.60.0.250
IP access-list extende LOCAL
permit ip 10.0.0.0 0.255.255.255. 10.0.0.0 0.255.255.255
the statement 10 simply match communication patterns between local and private subnets and let them reach each other. (there is no set configured)
the statement 20 simply match all other traffic a (there is no acess-list) and set next-hop to the secondary firewall.
I tested it and seems to work. what do you think about?
Thanks to all for your collaboration.
Jhonny
