Thanks guys,

Here is a logical of the environment, I basically need to change the default route for this one user to the new NAT firewall to go to the new internet, and make sure he can still get to the corporate network.

You can create PBR, and attach it to the interface 10.9.100.1,

in the PBR,

deny 10.0.0.0 0.255.255.255

permit any

Then next hop to the NAT firewall..

HTH..

Ahmed

So the PBR would do the deny or the ACL? I would deny 10.9.100.5 to all 10/8, then the next hop to the NAT firewall?

This statement makes sure the traffic is routed (that's why "deny" is there) to your 10/8 and policy routed (permit any) to the new internet. Should work fine.

-serg

OK, here is exactly what I have, and it is not working at the moment:

ACL:

10 deny ip host 10.9.100.5 10.0.0.0 0.255.255.255

20 permit ip host 10.9.100.5 any

Route-Map:

route-map Chuck permit 10

match ip address Chuck

set ip next-hop 10.9.99.5

Thanks

did you apply this map to the router interface where your host is connected?

-serg

yes, had to ask though right!

interface Vlan100

ip address 10.9.100.4 255.255.255.0

ip helper-address 10.9.43.13

no ip redirects

ip policy route-map Chuck

standby 1 ip 10.9.100.1

standby 1 priority 110

standby 1 preempt

end

And your acl is named "Chuck" ?

do you see any hits on the acl?

The name of the acl is Chuck, and it is very strange, I see 3 hits on the deny, and none on the permit.

There should be many hits on the acl is why it is strange.

So you generating traffic to the internet and see no hits on permit? can you check your new firewall if the traffic makes there and it allows that host to go out?

can you connect to 10/8 network?

what switch you using?

can you debug pbr ?

keep in mind for certain switch types (3750 for example) you can not use deny statementd in PBR ACLs... in this case you have to do an explicit route map statement and forward traffic to your 10/8 vlan interface.