
Different default routes based on source


jbrotschul
Technical User
Jan 5, 2005
Hi,

I have a Cisco Catalyst 4506. Currently there is a default route configured pointing to my firewall for internet traffic...

ip route 0.0.0.0 0.0.0.0 192.168.100.7

I installed a new firewall (192.168.4.7) and want to route traffic to this new firewall based on source IP, for only specific source IP addresses (that are in a particular VLAN).

Here's my current configuration:

access-list 151 remark NEWPIX DEFAULT ROUTE
! wildcard mask 0.0.0.255 matches every source in 192.168.151.0/24
! ("host 192.168.151.0" would match only that single address, not the VLAN)
access-list 151 permit ip 192.168.151.0 0.0.0.255 any

route-map NEWPIX_DEFAULT_ROUTE permit 10
match ip address 151
set ip default next-hop 192.168.4.7


interface Vlan50
ip address 192.168.151.4 255.255.255.0
no ip redirects
ip policy route-map NEWPIX_DEFAULT_ROUTE
standby 50 ip 192.168.151.254
standby 50 preempt


Server is 192.168.151.40 connected to this switch port:

interface FastEthernet6/45
 switchport access vlan 50
 switchport mode access
 ! applied here as an inbound port ACL, list 151 also filters the server's traffic
 ! (anything it does not permit is dropped by the implicit deny);
 ! the route-map match on Vlan50 does not require this line
 ip access-group 151 in


I see the hit count incrementing on the ACL, and policy matches on the route-map, but internet traffic is still going out through the original firewall, 192.168.100.7.

What am I missing?

Thanks,
Jeff
 
ip route 0.0.0.0 0.0.0.0 192.168.100.7 is your gateway of last resort... meaning source 0.0.0.0 with mask 0.0.0.0 goes out 192.168.100.7.

You have to create another route like
ip route 192.168.151.0 255.255.255.0 192.168.4.7, otherwise it is going out your original firewall.
 
"ip route 192.168.151.0 255.255.255.0 192.168.4.7" would route all traffic destined to 192.168.151.0/24 to 192.168.4.7...

I need to route all traffic from source ip range 192.168.151.0/24 without a destination specified in the routing table to 192.168.4.7 rather than 192.168.100.7.

 
Your traffic will always have a destination; you can't have a static route 192.168.151.0 255.255.255.0 0.0.0.0. Otherwise you need to make your gateway of last resort 0.0.0.0 0.0.0.0 192.168.4.7 and statically assign all other traffic out 192.168.100.7.
 
Jeff,

Take a look at this:
which says, in part, "The set ip next-hop and set ip default next-hop are similar commands but have a different order of operations. Configuring the set ip next-hop command causes the system to use policy routing first and then use the routing table. Configuring the set ip default next-hop command causes the system to use the routing table first and then policy route the specified next hop."

If I read this right, your use of "set ip default next-hop" won't do what you want, because that command is only going to help you if there isn't some viable route in your table for the network in question. Try using "set ip next-hop" instead. That works for us.

Something else to keep in mind is the route map policy only applies to *inbound* traffic on the interface you apply it to, so you have to think carefully about where to apply the map and what the access list should look like to catch traffic at that point in time.

HTH
Jim
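The configuration below is an added example written for this thread, not something any of the posters supplied. It keeps the addresses from the original post (VLAN 50 = 192.168.151.0/24 on the 4506, new firewall 192.168.4.7, global default route still via 192.168.100.7) and applies Jim's point: use "set ip next-hop", which policy-routes matched packets before any routing-table lookup, so the 0.0.0.0/0 route no longer decides where Internet-bound traffic goes. Because "set ip next-hop" wins over the routing table, the match list has to exclude internal destinations first, or VLAN-to-VLAN traffic would be pushed to the firewall as well. The ACL name PBR_VLAN50_TO_NEWPIX and the internal summaries 192.168.0.0/16 and 10.0.0.0/8 are assumptions for illustration; substitute the site's real internal prefixes.

```cisco
! Added example (not from the thread). Catalyst 4506 syntax; the policy is the
! same on any IOS box that supports PBR. Addresses are the ones in the post;
! the ACL name and the internal prefixes 192.168.0.0/16 and 10.0.0.0/8 are
! assumptions for illustration.
!
! 1. Match clause. "set ip next-hop" is applied BEFORE the routing table is
!    consulted, so deny internal destinations first; only the final permit
!    (Internet-bound traffic from the VLAN) is policy-routed.
ip access-list extended PBR_VLAN50_TO_NEWPIX
 remark traffic to other internal networks stays on the routing table
 deny   ip 192.168.151.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.151.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark everything else from 192.168.151.0/24 goes to the new firewall
 permit ip 192.168.151.0 0.0.0.255 any
!
! 2. Route-map. "set ip next-hop" forwards every matched packet to 192.168.4.7
!    regardless of the routing table. "set ip default next-hop" would instead
!    defer to the routing table first, which is why the original attempt kept
!    using the old firewall.
route-map NEWPIX_DEFAULT_ROUTE permit 10
 match ip address PBR_VLAN50_TO_NEWPIX
 set ip next-hop 192.168.4.7
!
! 3. Apply inbound on the SVI that receives the VLAN's traffic. PBR acts on
!    packets entering an interface, so it belongs on Vlan50, not on the
!    server's access port and not on the uplink towards the firewalls.
interface Vlan50
 ip address 192.168.151.4 255.255.255.0
 no ip redirects
 ip policy route-map NEWPIX_DEFAULT_ROUTE
 standby 50 ip 192.168.151.254
 standby 50 preempt
!
! 4. Verification (exec mode). The route-map counters should increment for
!    Internet-bound packets from the VLAN but not for VLAN-to-VLAN traffic;
!    a traceroute from a 192.168.151.x host to an Internet address should show
!    192.168.4.7 as the first hop, while a traceroute to another internal
!    subnet should not. Use "debug ip policy" only briefly on a production box.
! show ip policy
! show route-map NEWPIX_DEFAULT_ROUTE
! show ip access-lists PBR_VLAN50_TO_NEWPIX
! debug ip policy
```

Two things to check before relying on this in production. First, if 192.168.4.7 goes down, plain "set ip next-hop" keeps sending matched traffic at it; IOS releases that support "set ip next-hop verify-availability" (with an object tracker on a supporting platform) can fall back to the routing table instead, so use that form where the switch offers it. Second, the matched traffic now reaches the new firewall with the original source addresses, so the new firewall's NAT and outbound policy must already permit 192.168.151.0/24, and return traffic from the Internet has to come back through the same firewall; stateful firewalls drop replies that arrive via a different path.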
 