
fcisler
Premium
join:2004-06-14
Riverhead, NY

[Config] next-hop redirect to firewall

On my main switch/router I have several VLANs configured:

interface Vlan201
 description TRUSTED
 ip address 172.20.20.1 255.255.255.0
 
interface Vlan202
 description RESTRICTED
 ip address 172.20.30.1 255.255.255.0
 

Now machines on either subnet can see each other.

Now what I have is a firewall set up on RESTRICTED, 172.20.30.2, which I would like to force everyone through. I've added the following:

ip access-list extended SUBNET
 permit ip 172.20.30.0 0.0.0.255 any
ip access-list extended ROUTER
 permit ip host 172.20.30.2 any
!
!
route-map RESTRICTED permit 5
 match ip address ROUTER
!
route-map RESTRICTED permit 10
 match ip address SUBNET
 set ip next-hop 172.20.30.2
!
interface Vlan202
 description RESTRICTED
 ip address 172.20.30.1 255.255.255.0
 ip policy route-map RESTRICTED
 

Now from ROUTER I can get into TRUSTED with no issues. When I have a client attempt to use the firewall, it is routed through 172.20.30.2 and goes in an infinite loop between .2 and .1.

1) How can I get this to work?
2) Is there a better way to accomplish this?


RyanG1
Premium
join:2002-02-10
San Antonio, TX
kudos:1

How do you have the firewall configured? Ideally what you should do is configure it so that the firewall sits in between the router and the restricted network. This would be a better situation than using PBR to redirect traffic (more efficient too). Another option that depends on the router/switch you are using is to just filter at the interface level. If you are just preventing restricted from accessing trusted (DMZ type of setup) then an access list will do the trick:


! extended ACL (100-199): IOS takes a wildcard mask, so 172.20.20.0/24 is 0.0.0.255
access-list # deny ip any 172.20.20.0 0.0.0.255
access-list # permit ip any any
int vlan202
 ip access-group # in


Ryan

--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams
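Evaluating that access list the way IOS does, as an added example that is not part of the post: IOS ACLs take wildcard masks (a 1 bit means "don't care"), so the TRUSTED network is written 172.20.20.0 0.0.0.255; the second list shows what a subnet mask typed into the wildcard field actually matches.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # IOS keyword "any" == 0.0.0.0 255.255.255.255


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means that bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, (sbase, swild), (dbase, dwild) in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny"


# The list from the reply, applied inbound on Vlan202: block RESTRICTED -> TRUSTED,
# permit everything else.
RESTRICTED_IN = [
    ("deny",   ANY, ("172.20.20.0", "0.0.0.255")),
    ("permit", ANY, ANY),
]

# Same intent with a subnet mask in the wildcard field (a common slip): the deny
# now only cares about the last octet, so it matches any x.x.x.0 and nothing else.
RESTRICTED_IN_WRONG = [
    ("deny",   ANY, ("172.20.20.0", "255.255.255.0")),
    ("permit", ANY, ANY),
]

if __name__ == "__main__":
    for name, acl in (("correct", RESTRICTED_IN), ("wrong mask", RESTRICTED_IN_WRONG)):
        for dst in ("172.20.20.5", "203.0.113.9", "203.0.113.0"):   # constructed hosts
            print(f"{name:10} 172.20.30.50 -> {dst}: {evaluate(acl, '172.20.30.50', dst)}")
```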



fcisler
Premium
join:2004-06-14
Riverhead, NY

The firewall is configured wide open for the time being until I can get this to work.

Unfortunately I cannot configure the firewall (software) to sit in between. I am not just preventing a single IP (or subnet); I need firewall capabilities.



fcisler
Premium
join:2004-06-14
Riverhead, NY


This appears to work:

route-map RESTRICTED permit 5
 match ip address ROUTER
 set tag 2
!
route-map RESTRICTED permit 10
 match ip address ROUTER
 match tag 2
!
route-map RESTRICTED permit 15
 match ip address SUBNET
 set tag 1
 set ip next-hop 172.20.30.2

Is there anything wrong with using it in this way?

EDIT: Oops, nope. Does not work as intended.



RyanG1
Premium
join:2002-02-10
San Antonio, TX
kudos:1

The problem is that traffic is still coming from the same subnet; even if it is redirected through the router, the source IP is the same. You will need to have different subnets to make it work the way you want, or rather 2 interfaces.

For example traffic comes in to .1 and clients are redirected to .2 (firewall) on an inside or trusted interface. Traffic leaves the firewall on an untrusted interface which goes back to the router. The interface it returns to the router on needs to be different and use a different subnet.

You could use router on a stick to accomplish this if both sides support trunking/encapsulation.

Ryan



fcisler
Premium
join:2004-06-14
Riverhead, NY

There has to be a way to accomplish this... I cannot use different subnets. I tried routing out to another subnet but due to the !@)($ piece of garbage that Cisco WLCs are, I'm having some serious issues.



RyanG1
Premium
join:2002-02-10
San Antonio, TX
kudos:1

If you have limited or no control over the firewall then you are at a huge disadvantage. The tags you tried are for routing protocols and won't work for what you are trying to do.

I can't see a way to perform what you are wanting without changing the config, given the options you can set/match with a route-map. I'd be interested in seeing what you end up with, however!

Ryan


nosx

join:2004-12-27
00000
kudos:5

Configure the firewall in transparent bridging mode and logically insert it inline, or use VRFs to force traffic through the firewall. Either way, using PBR here is a pretty painful solution.



fcisler
Premium
join:2004-06-14
Riverhead, NY

This firewall is software and on an HA VMware cluster. I have full control of the firewall/router. Inline is out of the question, unfortunately.

Due to a limit on other factors I cannot easily add another subnet. Guess I'll have to put in a request for one and go that route. I guess a /31 to one interface of the firewall and move 172.20.30.1 to the other side of the firewall would be my best bet?



RyanG1
Premium
join:2002-02-10
San Antonio, TX
kudos:1

That is correct, and you may need a /30 if the OS does not support a /31 (even though it's a PtP link). For example, my ASA denies configuring a /31 on its interfaces, but standard IOS-based devices allow it.

An added benefit to this is that all traffic is funneled through the firewall if it wants to hit the next hop. There's no chance that a policy or rule is coded incorrectly and traffic bypasses the route-map.

Ryan
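An added simulation, not from the thread, of the forwarding decisions RyanG1 describes in his replies: with the firewall's only leg on Vlan202, the packet it hands back still has a client source address, the route-map fires again, and the packet loops between .1 and .2; with a second firewall leg on a separate point-to-point link (the /31 discussed above), the returned packet arrives on an interface with no route-map and is routed normally. Interface names Vlan201/Vlan202 and addresses are from the posts; the ingress name "Ptp" for the point-to-point leg and the client address 172.20.30.50 are assumptions.

```python
import ipaddress

TRUSTED = ipaddress.ip_network("172.20.20.0/24")      # Vlan201
RESTRICTED = ipaddress.ip_network("172.20.30.0/24")   # Vlan202
FIREWALL = ipaddress.ip_address("172.20.30.2")        # software firewall, forwards without NAT


def route(ingress, src, dst):
    """Forwarding decision of the switch/router: (egress_interface, next_hop).
    The route-map is applied only to packets that ARRIVE on Vlan202."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress == "Vlan202" and src != FIREWALL and src in RESTRICTED:
        return "Vlan202", FIREWALL        # seq 10: match SUBNET, set ip next-hop 172.20.30.2
    # seq 5 (source is the firewall itself) and every other interface: normal routing
    if dst in TRUSTED:
        return "Vlan201", dst
    if dst in RESTRICTED:
        return "Vlan202", dst
    raise ValueError(f"no route to {dst}")


def trace(src, dst, firewall_has_ptp_leg=False, max_hops=6):
    """Follow one client packet through router and firewall; returns the hop list.
    firewall_has_ptp_leg=False: the firewall returns the packet onto Vlan202.
    firewall_has_ptp_leg=True: it returns it over a hypothetical /31 link whose
    router interface ('Ptp', an assumed name) carries no ip policy route-map."""
    hops, ingress = [], "Vlan202"
    for _ in range(max_hops):
        egress, next_hop = route(ingress, src, dst)
        hops.append(f"router {ingress}->{egress} via {next_hop}")
        if next_hop != FIREWALL:
            return hops + ["delivered"]
        ingress = "Ptp" if firewall_has_ptp_leg else "Vlan202"
        hops.append(f"firewall inside->{ingress} (source address unchanged)")
    return hops + ["LOOP"]


if __name__ == "__main__":
    for ptp in (False, True):
        print(f"firewall with ptp leg: {ptp}")
        print("\n".join(trace("172.20.30.50", "172.20.20.5", ptp)), end="\n\n")
```

Return traffic from TRUSTED arrives on Vlan201, where no route-map applies, so in the single-leg design it reaches the client without passing the firewall at all; moving 172.20.30.1 behind the firewall, as the thread ends up proposing, is what makes both directions pass through it.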