I need one device to have a specific ip default route to another firewall

Updated 3 years ago
Hi

I have a remote site that connects through our hub via LAN, and they have their own independent Firewall connection for internet. They communicate with a few devices on our network and everything else is blocked via access-list, but they need to have a server on our LAN. Now I need to move their server and host it on our network 172.16.x.x, but they need it to use their Firewall for internet access. The only thing I can think of is to create an access-list on our Firewall uplink to allow everything but their server, and add the server to the access-list that connects to their LAN, in addition to adding another IP default route inside my hub. That's the only thing I can think of at the moment; does anyone have a better solution?

Arison Mercado

Posted 3 years ago

McKitrick, Mark, Employee
The server 172.16.10.10 will have to have a default route of 172.16.10.1. On 172.16.10.1 create a policy-based route, if it has that capability, to forward any traffic sourced from 172.16.10.10 to the IP address of the Customer Hub on the interface you have drawn and labeled LAN link.

It all depends on whether your firewall supports policy-based routing.
Arison Mercado
Understood, but where would this access-list entry reside? On the uplink to our Firewall (that doesn't have an access-list) or on the access-list that is between my site and the customer's? Because I would like the policy to redirect to their network and not my firewall.
McClane, Employee
If your 172.16.X.X is a flat /16 and that's the only network the customer server needs access to, then I would think a simple PBR ACL on the network hub switch would suffice... According to the subnet masks you have in your diagram, everything else would be L2 switched... If there are additional subnets at your hub site that the customer server needs access to, then more specifics would need to be added to the policy.

So something to the effect of:

entry PBR {
    if {
        source-address 172.16.10.10/32;
        destination-address 0.0.0.0/0;
    } then {
        redirect X.X.X.X;  (the appropriate next hop for the remote site)
    }
}
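An added example, not from this thread and not Extreme's code: a small Python evaluator for the first-match logic of a policy like the one above, so you can check which gateway each flow from the server would get before the policy is applied on the hub switch. It goes one step beyond the single entry shown by placing a more specific permit for hub subnets ahead of the catch-all redirect; the entry name hub_local, the 192.0.2.1 next hop (standing in for X.X.X.X) and the 172.16.20.0/24 hub subnet are assumed placeholders, while 172.16.10.1 is the server's default gateway from the reply above.

```python
from ipaddress import ip_address, ip_network

CUSTOMER_SERVER = "172.16.10.10"
HUB_GATEWAY = "172.16.10.1"       # the server's default route, per the reply above
CUSTOMER_NEXT_HOP = "192.0.2.1"   # assumed placeholder for the thread's X.X.X.X

# Policy entries as (name, source-address, destination-address, action), evaluated
# top to bottom with first match winning, as EXOS does for entries in a .pol file.
# action is ("permit",) for normal forwarding or ("redirect", next_hop).
POLICY = [
    # more specific entry first (assumed name): hub destinations keep normal forwarding
    ("hub_local", CUSTOMER_SERVER + "/32", "172.16.0.0/16", ("permit",)),
    # the catch-all from the thread: everything else from the server is redirected
    ("PBR", CUSTOMER_SERVER + "/32", "0.0.0.0/0", ("redirect", CUSTOMER_NEXT_HOP)),
]


def evaluate(policy, src, dst):
    """Return (entry_name, action) for the first entry matching src/dst.

    A packet matching no entry is forwarded normally (EXOS ACLs have no
    implicit deny), modelled here as (None, ("permit",)).
    """
    s, d = ip_address(src), ip_address(dst)
    for name, src_net, dst_net, action in policy:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return name, action
    return None, ("permit",)


def next_hop(policy, src, dst, default_gw=HUB_GATEWAY):
    """Gateway a flow really uses once the policy is applied ingress on the server's VLAN."""
    _, action = evaluate(policy, src, dst)
    return action[1] if action[0] == "redirect" else default_gw


def redirected_hub_destinations(policy, src, hub_subnets):
    """Hub subnets that the policy would wrongly steer to the customer firewall.

    Run before applying: a non-empty result means a more specific permit entry
    is missing above the catch-all redirect.
    """
    return [net for net in hub_subnets
            if next_hop(policy, src, str(ip_network(net)[1])) != HUB_GATEWAY]


if __name__ == "__main__":
    for dst in ("172.16.20.5", "8.8.8.8", "192.168.0.10"):
        print(f"{CUSTOMER_SERVER} -> {dst}: via {next_hop(POLICY, CUSTOMER_SERVER, dst)}")
    # With only the catch-all entry, hub subnets beyond the server's own are swallowed too.
    print("catch-all only:", redirected_hub_destinations(POLICY[1:], CUSTOMER_SERVER, ["172.16.20.0/24"]))
```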
McClane, Employee
that makes sense
Arison Mercado
Ok, I'll get working on this, but I won't have a server until next week. I'll let you know how it went :)
Arison Mercado
I attempted to create the PBR policy on the switch, but I was unsuccessful because I couldn't figure out the next entry. Please see attachment. PS: I have an x450a series Summit switch.
McClane, Employee
You have to create the policy with:

edit policy pbr (policy name)

That will open a vi editor.

http://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-and-apply-an-ACL-in-EXOS/?q=exos+acl&l=en_US&fs=Search&pn=1
Arison Mercado
Update
Arison Mercado
Hi Everyone,

So far what I have done is add a VLAN on my network that extends there, so I can keep the servers within their own subnet. I'm able to get past the ACL that resides on their port uplink, but I cannot default route through it. Is this where I need to apply a PBR somewhere?

My Business HUB                           Customer HUB
172.16.0.0/16                             192.168.0.0/24
                       ACL

Source                          Action    Destination
VLAN A - 172.16.0.0/16          Deny      192.168.0.0/24
VLAN B - 192.168.2.1            Permit    192.168.0.0/24
Lab address 192.168.2.4         Permit    ANY (Successful)

Ping 8.8.8.8 from 192.168.2.4 (Request Timed out)

Next step, I would assume, is to create a PBR ACL under VLAN B that default routes to their Firewall? The reason for this is because the VLAN resides on my network?