Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
343
Views
0
Helpful
3
Replies

Force IP to jump out gateway.

kenmarin
Level 1
Level 1

‎04-16-2004 05:02 AM - edited ‎03-02-2019 03:02 PM

I have a small IP subnet in a VLAN and for security reasons I need it to only see the other side of the firewall (Internet). What command would I use to route this out? To make it easy it will be static IP and use a host table instead of DHCP and DNS.

Labels:
0 Helpful
3 Replies 3

Harold Ritter
Cisco Employee
Cisco Employee

‎04-16-2004 05:15 AM

You could use Policy Based Routing (PBR) to force all traffic coming from that subnet to be forwarded to the FW regardless of what the routing table looks like.

Here's a link to the PBR documentation:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt2/1cfindep.htm#wp1001398

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

kenmarin
Level 1
Level 1
In response to Harold Ritter

‎04-26-2004 04:23 AM

I don't think I'm doing this correct.

I made a route map:

route-map Int_gateway permit 10

set ip next-hop <###.###.###.###> <###.###.###.###> <###.###.###.###> <###.###.###.###>

then pulled it into the VLAN:

interface Vlan505

description PHARMACY MCKESSON SYSTEM

ip address #.#.#.65 255.255.255.240

ip access-group 187 in

ip access-group 188 out

no ip redirects

ip policy route-map Int_gateway

standby ip #.#.#.67

standby priority 120

standby preempt

in the map I listed every next hop till the traffic was out of the firewall but it seems to ignore the path. What am I doing wrong?

0 Helpful

Harold Ritter
Cisco Employee
Cisco Employee
In response to kenmarin

‎04-26-2004 04:47 AM

I was under the assumption that this router was directly connected to the FW.

Do you mean that the router is not directly connected to the FW and that you specified each and every hop bw the router and the FW in the "set ip next-hop". If so, this is not going to work.

You would basically need to either implement PBR on every router int the path to the FW or use a tunnel between the ingress router and the egress router and then use PBR just on these two devices.

Let me know if that answers your question,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents