Cisco Firewall :: Policy Based Routing To ASA5550 Inside Interface?

Mar 4, 2011

Is it possible to establish PBR rules that set the ip next-hop to point directly to the inside interface of the ASA5550?Or, do I need to direct this PBR traffic first to a directly connected router interface and then default route to the ASA?At a high level, here's what we have:
 
ISP 1 - with /21 IP PrefixNo BGP Routing3845 Edge Router - Default Route to ISP 1PIX535 Firewalls (HA) - Default Route to Edge RouterLAN Core/Distribution - Default Route to PIX535 Inside InterfaceAll applications/services use this egress path for PAT/NAT/DMZ/VPN/Etc. 

Here's what we are adding:
 
ISP 2 - with /24 IP PrefixNo BGP Routing3925E Edge Router - Default Route to ISP 2ASA5550 Firewalls (HA) - Default Route to Edge RouterSame connectivity to LAN Core/Distribution 

Goals:Maintain ISP 1 for nowMigrate only end user Internet traffic to ISP 2No disruptions to applications/services using current DefGW to PIX535 

Question: how to best use PBR to selectively direct traffic to the ASA inside interface?

View 4 Replies


ADVERTISEMENT

Cisco Firewall :: Does PIX 6.3 Support Dual ISP And Policy Based Routing

Mar 19, 2011

Just want to ask if a PIX firewall specific with a 6.3 OS version do support Dual WAN and PBR.

View 2 Replies View Related

Cisco Switching/Routing :: 9941 - Policy Based Routing With Firewall

May 10, 2012

I have problem while implementing policy based routing with a firewall. Let me explain in detail.
 
I have 2 remote site(Site A-small , Site B - Big) , Site B is connected with HQ with Tunnels 1 and 2 ,  Site B and Site A is connected with Tunnel 9941.
 
What I want is: Scenirio for Communication :
 
1)Site A--------->VPN Router Site B-----------> FW-------------->VPN Router Site B------------------>Central Site
2)Central Site--------->VPN Router Site B-----------> FW---------->VPN Router Site B-------------->Site A
3)Site B--------->FW-------------------->VPN Router Site B------>Central Site
4)Central Site--------->VPN Router Site B-------------------->FW------>Site B
5)Site A--------->VPN Router Site B-----------> Site B(no firewall)
6)Site B--------->VPN Router Site B-----------> Site A(no firewall)
 
Tunnel 1: 10.13.199.1-2
Tunnel 2: 10.13.199.1-2
Tunnel9941: 172.22.99.1-2
 
Site A LAN- 10.99.41.0/24
Site B LAN- 10.99.0.0/16
Central LAN - 10.18.0.0/16

View 4 Replies View Related

Cisco Firewall :: Policy Based NAT On ASA 8.4.1

Feb 27, 2011

How can I configure police-based nat to allow ICMP-only traffic on asaos 8.4.1 or 8.3?On 8.3 it was very simple:global (outside) 1 interface ,access-list outside_nat_outbound extended permit icmp any any,nat (outside) 1 access-list outside_nat_outbound.

View 10 Replies View Related

Cisco Firewall :: 1811 / Zone-Based Policy Firewall Configuration

May 16, 2011

I have two 1811's connected in a lab using a ipsec vpn tunnel (using a switch to simulate an internet connection between them).I am trying to configure one of the routers as a ZBPF just to allow a remote windows login (DC on the firewalled side, workstations on the other side).I'm trying to verify that the zbpf is working, but it doesn't seem to stop anything.  I had match icmp added to the class-map, but took it out to test if icmp would fail.  It didn't.  Basically, I don't think the firewall is working at all.  Any thoughts on how I can configure this so that the policies will work between zone-pairs?

Here's an quick drawing:

Here are the configurations:

 Local router:
 hostname sdc-1811-LocalLab
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy

[code]....

View 11 Replies View Related

Cisco WAN :: Policy Based Routing On 2911 ISR?

Mar 18, 2013

I have setup a basic PBR config to route Http and Https out of a different interface (fa0/0/0) but for some reason http traffic is still going out of the Gi0/1 interface.
 
Config attached minus the crypto stuff and the publics have been changed.

View 17 Replies View Related

Cisco WAN :: 1811 Policy Based Routing

Aug 21, 2012

Last night I had a crack at setting up PBR on my companies Cisco 1811.Joy, I thought, it's actually working.  Alas I was wrong, the addresses were getting translated to our ADSLs external ip address but routed over our EFM.What I want to acheive is to send all HTTP(s) traffic from our workstations over the ADSL (FastEthernet1) whilst all other traffic and VPN goes out over our Bonded ADSL (FastEthernet0).  There is also a minor failover in place for traffic routed to the ADSL in the route-map PBR_VLAN1.  The servers are on IPs 200, 202, 204 and 240.
 
Anyway, I have re-written the configuration and xxx'd and x.a/b/c'd all the IP addresses I want to keep secret. Need to make sure that the PBR is correct, and will do what I want it to?  I have a very small time-frame to get this correct and I dont want to fudge the bucket so to speak.

View 8 Replies View Related

Cisco WAN :: ME 3600X Policy Based Routing

Sep 15, 2011

I have a ME3600X switch and I would like configure a PBR (Policy Based Routing), how I can make this?

View 1 Replies View Related

Cisco Switching/Routing :: 3560 Policy Based Routing Verify-availability

Apr 19, 2012

Cisco 3560 does not support "set ip next-hop verify-availabilty". I need this command in my config. "set ip next-hop"  do not do the same job.

View 8 Replies View Related

Cisco Switching/Routing :: Policy Routing Based On Client Gateway (6509-E)

Feb 26, 2012

If client gateway = 192.168.64.9 then next-hop = 192.168.64.8 else use default-route 0.0.0.0
 
I know it's possible to do a route-map match ip-address ACL list. But is it possible to match on gateway?
 
Some info about hardware and config:

6509-E in VSS (IOS 12.2(17r)SX5) withVS-S720-10G supervisor.

All routes are static, IP for 192.168.64.9 is on SVI vlan.

View 3 Replies View Related

Cisco Switching/Routing :: 1941 / Policy Based Routing With Two Default Routes

Jun 24, 2012

I have a 1941 router configured for Policy based routing with two ISPs.Two static default routes configured to point the gateways of respoective ISPs with same metric.But the problem is, packets are going throug the one ISP only while doing traceroute.
 
N/W connectivity:
 
ISP1----->                <----------------------> LAN1   
               |  Router |
ISP------->                <----------------------> LAN 2
 
Below is my configuration :
 
Current configuration : 5958 bytes
!
! Last configuration change at 05:18:56 UTC Mon Jun 25 2012
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

[code]....

View 26 Replies View Related

Cisco WAN :: 6506 Configuration Of Policy Based Routing

Jul 18, 2011

I need to configure Policy Based Routing. There are two WAN Links from two Different ISP : Campus NW has one CORE switch - Cisco Catalyst 6506. [code]

View 3 Replies View Related

Cisco WAN :: 3725 - Route-Map For Policy Based Routing

Feb 2, 2011

I have been using a route map to pick WAN exit points (PBR) on a 3725 router.  This have been working fine with /24 networks.  I am trying to pick the first /28 piece out of the 10.1.1.0 network and send it out a different exit from the rest of that network.  I have tried the /28 entry at the start and end of the route map, although I thought the first match would stop any further route map processing.  The entry does not seem to have any effect, as traffic from all addresses in the 10.1.1.0 /24 network exit per the "route-map 10-LAN permit 11" section.
 
access-list 5 remark Ten Dot 1 low 63 IPs
access-list 5 remark SDM_ACL Category=2access-list 5 remark Ten Dot One Low 63 IPs access-list 5 permit 10.1.1.0 0.0.0.63 log
[ code]....

View 11 Replies View Related

Cisco Switching/Routing :: Policy Based Routing With 3750 Switches

Oct 17, 2011

I have a simple design with 3750. I configured a route-map which define a next hop. I defined this route-map on a policy on a vlan interface.When I test some ping and a debug ip policy and it seems that my policy never match.Is there any mechanism that prevent the switch from using PBR? I think of CEF .

View 5 Replies View Related

Cisco Switching/Routing :: How To Configure Policy Based Routing On 3750

Jan 28, 2013

In our datacenter we have a 3750 stack with IP base image.  I have enabled PBR and reloaded the switch.  Show sdm prefer says i am using default template.  The reason i want to use PBR is that we have 2 firewalls on the same work and want to be able to have granular control over which gateway out of the network they use but still be able to access all internal resouces accross wan and locally.

Created access list to identify traffic:
 
access-list 10 permit 10.2.3.59 (test workstation on vlan 3)
 
Created policy:
 
route-map TestASA permit 10
match ip address 10
set ip next-hop 10.2.0.3
 
Assigned policy to the user vlan3:
 
ip policy route-map TestASA
 
Results:It changed the default gateway to the above gateway but i could not access any resources on any other vlan, could not access resouces accross wan. 

View 16 Replies View Related

Cisco Switching/Routing :: Make Policy Based Routing On 3560?

Apr 17, 2012

I have tried to make policy based routing on Cisco 3560. I use ipservices ios (SW version 12.2.(50)SE3 and SW-IMAGE C3560-IPSERVICESK9-M)  For below configuration there is no problem and pbr is working.
 
“Access-list 100 permit ip host  1.1.1.1 host 2.2.2.2
Access-list 101 permit ip host  1.1.1.1 host 3.3.3.3
 Route-map pbr1  permit 10
Match ip address  100
Set ip next-hop verify-availability  1.1.1.2 1 track 11
 interface fasthethernet  0/1
ip policy route-map  pbr1”
 
But when i add another sequence to the "pbr1" with another sequence number  like that.
 
“Route-map pbr1 permit  11
Match ip address  101
Set ip next-hop verify-availability  1.1.1.3 1 track 12”
 
pbr is not working. Switch gives message "PLATFORM_PBR-3-UNSUPPORTTED_RMP:Route-map pbr1 not supported for Policy Based  Routing”"ip policy route-map pbr1" command not shown in the running config. And "show ip policy" output is blank.Configuration guide says you have insert many sequence to the route-map with the same name. And also this command is not in the unsupported command list.

View 16 Replies View Related

Cisco Switching/Routing :: Policy Based Routing And 3750 Switches?

Sep 5, 2012

I have a simple design with 3750.I configured a route-map which define a next hop.I defined this route-map on a policy on a vlan interface.When I test some ping and a debug ip policy and it seems that my policy never match.Is there any mechanism that prevent the switch from using PBR?

View 10 Replies View Related

Cisco Switching/Routing :: Policy Based Routing Not Done In Hardware With 7604-S

Mar 11, 2012

I am having a problem with PBR done on a 7604-S router - It seems like it is not done in harware. I have an Iperf client and an Iperf server, and would like to test the performance of 7600 router for PBR, supervisor is RSP720-3C-G and used interface card is 7600-ES20-GE3C ESM20G.

I have read  numerous discussions about PBR that is supposed to happen in hardware when you use it with matching access-list and set ip next-hop.Although, when I start the iperf, the 7600 cpu is hitting the 80-90 % boundary, and transfer bandwidth can't go over 120-130 Mbit/s.The IP Policy is applied on an interface part of vrf ONE maybe this is casing the problem... ?

The diagram and configuration follows:
Configuration:
 
c7604#sh run
boot system flash disk0:c7600rsp72043-advipservicesk9-mz.122-33.SRE2.bin
!
ip vrf one
[Code]...

View 8 Replies View Related

Cisco Switching/Routing :: 1900 - Clear DF Bit And Policy Based Routing

Jan 8, 2012

I've been implementing a setup where a remote office has a Cisco 1900 router. There are 2 GRE/ IP SEC tunnels to the headquarters, 1 over public internet, 1 over a private cloud. Because of some MTU issues we have to clear the DF bit for some of the traffic, but we also want to use PBR to send https traffic over the "public internet" tunnel and the rest of the traffic over the "private cloud" tunnel. I'm able to clear the DF bit and to do the PBR with route-maps, but I'm not able to implement both functionality at the same time.

View 1 Replies View Related

Cisco Switching/Routing :: 6509 Use Policy Based Routing To Redirect Http Traffic

May 29, 2012

We have a Catalyst 6509 switch, and we hope to use policy based routing to redirect http traffic to my proxy server, where I can find the configuration example?

View 11 Replies View Related

Cisco Switching/Routing :: Policy Based Routing 3750

Dec 2, 2012

I have 2 ISP connected to Router A and Router B.Both the routers are connected to the core 3750 switch.. I want to send the traffic from the switch that goes to router A to router B..[code]

View 10 Replies View Related

Cisco WAN :: 3560 / Policy Based Routing With InterVLan Routing

Jan 14, 2011

I have 3560 with attached 3 networks, 172.16.1.0/24 172.16.2.0/24 and 172.16.4.0/24, all of them have a vlan interface, 172.16.1.254, 172.16.2.254, and 172.16.4.254, I have enabled intervlan routing with command ip routing and they have route beetwen each other. Now I want to create PBR and let them go to the internet from different gateways.

so i did 3 access list:

access-list 20 permit 172.16.1.0 0.0.0.255
access-list 10 permit 172.16.2.0 0.0.0.255
access-list 30 permit 172.16.4.0 0.0.0.255
and 3 pbr
route-map supnet permit 20 match ip address 10 set ip next-hop 172.16.2.3
route-map blade permit 20 match ip address 30 set ip next-hop 172.16.4.250
route-map main permit 20 match ip address 20 set ip next-hop 172.16.1.4
 
attached them to corresponding vlan interfaces and everything ok they have different gateways to internet but now I dont have routing beetwen them?

View 2 Replies View Related

Cisco Switching/Routing :: Policy Based Routing On 6509

Mar 6, 2012

I need to setup my 6509 with PBR going to two different Firewalls. The 6509 has vlans and multiple serial interfaces. What/where do I install the policy-maps? I want to direct one of the vlans to one firewall and the other vlans and wan subnets to the other firewall.

View 26 Replies View Related

Cisco Firewall :: PIX 501 / Can Traffic Goes From Inside Interface To Outside Interface

Oct 9, 2011

I have Pix 501 firewall and I'm just configuring the device for "Email Server" to allowing POP/SMTP.
 
Inside Interface Address: 132.147.162.14/255.255.0.0
Outside Interface Address: ISP provided IP address
 
My question is can my traffic goes from inside interface to outside interface? (because the inside interface address not from 10.0/172./192.168 private address)Also I'm allowing internet from this email server (132.147.162.14) so what my access list to be configured? and what my subnet mask shoud be there?
 
Pix(config)#access-list outbound permit tcp 132.147.162.14 255.255.0.0 any eq 80
Pix(config)#access-list outbound permit udp 132.147.162.14 255.255.0.0 any eq 53
Pix(config)#access-group outbound in interface inside

View 7 Replies View Related

Cisco Routers :: SR520 Not Criterion In Zone-based Policy Firewall Class-maps

Jan 16, 2012

I'm trying to configure a zone-based firewall on an SR520 and am confused about the 'not' criterion. The 'zone-design-guide' says (my stress): Class- maps define the traffic that the firewall selects for policy application. Layer 4 class-maps sort the traffic based on these criteria listed here. These criteria are specified using the match.where my intention is to let only LAN hosts with IPs in the range 192.168.1.1 to 192.168.1.7 out through the firewall. There may be an easier way of doing this which I'd be pleased to hear about. But, even if there is, I'd also be interested to know what I'm doing wrong in the above.

View 0 Replies View Related

Cisco Firewall :: 2911 - Control Link In Zone-Based Policy High Availability

Jun 26, 2012

I have set up a zone-based policy firewall with HA on two 2911 routers as per the Cisco security configuration guide, for an active/passive LAN-LAN cluster. All works as expected, but there is one problem I find: when the control link between the two devices fails, they go into an active/active state as each member assumes it's the last surviving member. The ARP entries for the Virtual IPs on the neighboring devices point to the device that last claimed the active role (usually the standby device). This works in a way, just sessions don't get synched anymore (control link is the same as data link). Now when the link comes back up, the preemtion works and the active, former standby device goes back to standby. But the ARP entries on the neighboring devices still point to the standby device and nothing goes (also sessions established during the active/active state are lost due to resync with the now active member).
 
This is a single point of failure and what I need is a way to mitigate that. Under:

redundancy
application redundancy
group 1
control <interface> protocol 1

only one control interface is allowed. Other manufacturers with similar functionality provide for the possibilty of a backup control link, for example the internal LAN interface or a dedicated backup link.
 
How would I go about that? Maybe use a port-channel for the control/data link (but I'm out of interfaces)?

View 1 Replies View Related

Cisco VPN :: ASA 5505 To Use Router For Creating Policy Based Routing

May 29, 2011

I have an ASA 5505 at each of three locations.  We have VPN tunnels set up between the three sites.  I am currently using a single ISP to control the traffic between the sites.  I am adding a new ISP to the mix.  The goal is to have any internet traffic routed to ISP 2 and all internal traffic routed to ISP 1.The ASA does not do policy based routing (mostly because it is a firewall, not a router).  I need to configure a router that will accept the output of the ASA and route it according to the above rule.  All incoming routing will be done through ISP 1. Any suggestion on the device and the methodology to set it up?  I am planning on doing this in each location.

View 3 Replies View Related

Cisco WAN :: 2811 - Static Routes Need Some Input Policy Based Routing

Aug 13, 2011

I have 2 connections a single T1 for voip traffic only and a DSL line for data traffic.the dsl was migrated to a 2811 with out any issues now comes the time to move the T1 over.
 
on the T1 side I am able to ping the WAN router and the LAN router IP address but nothing behind it.

currently this is the only statment on the router:
ip route 0.0.0.0 0.0.0.0 Dialer1
 
as a quick a dirty to remove the above i tried:
no ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 66.55.110.0 255.255.255.0 Dialer1
 
but the DSL side dropped. we have a 66.55.110.152/29
 
for the T1 i would use the following statement.. we have a 209.98.53.192/27
 
ip route 209.98.53.0 255.255.255.255 65.32.70.177

View 12 Replies View Related

Cisco Switching/Routing :: ASA 5505 Cannot Ping From Inside Interface To Outside Interface

May 1, 2012

I have a Cisco ASA 5505 and I have my internal and external interfaces configured but I currently cannot ping from the inside to an IP Address on the outside.  I had this setup and working and I have another set of equirement that I am replacing that is working with my service provider so I know it is a configuration issue.  When I ping 4.2.2.2 for example I get:
 
Destination host unreachable
 
Do I need to add a static route from my inside interface to my outside interfaces?   

: Saved
:
ASA Version 8.2(5)
!
hostname pxasa

[Code].....

View 2 Replies View Related

Cisco Firewall :: 3945 / Zone Based Firewall And WAN Interface ACL?

Mar 16, 2011

I am getting ready to deploy a 3945 ISR to serve as an internet and core router for and remote site.  I will be terminating a site-to-site VPN tunnel on it and also configuring a zone based firewall config between my "outside" (internet link) and "inside" (all internal nets).  My question is about how to approach securing the WAN interface with the Zone based FW in place?what kind of ACL do I need beyond those allowing and restricting remote access to the outside ip? 

View 3 Replies View Related

Cisco Switching/Routing :: 7200 - QoS Input Policy Doesn't Classify ICMP Packet Based On DSCP

Dec 20, 2011

I have made some test and i noticed that qos input policy does not classify the icmp packet based on their dscp.The "match dscp ef" or "match precedence 5" is not working only the "match protocol icmp" shows hits.
 
We need to classify the different icmp packets based on dscp ( TOS ) for measurement purpose.CISCO 7200, 12.4.25d and 12.4.20T have a same behavior.

View 6 Replies View Related

Cisco Firewall :: Failover ASA 5505 - Setup Second Inside Interface On Firewall?

Feb 19, 2012

I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 Vlan in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to setup a second inside interface on the firewall and configure it as failover incase this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? would it only be a passive/standby interface?

View 1 Replies View Related

Cisco Firewall :: ASA5505 Can't Ping New Firewall On Inside Interface

Jul 14, 2011

I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.

View 32 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved