Policy based routing setup

Published: 2014-11-24   Views: 155   Downloads: 1
Currently, the customer's network has three devices: an S9712, a USG9560 and an NE40E. The router connects to the internet line; the firewall sits between the switch and the router and performs NAT; the switch carries the customer's private network. The firewall has a default route pointing to the router. Bandwidth usage is now nearly full, and the customer has decided to buy a second internet line that comes with 13 usable public IP addresses. This raises a problem: if the new line is connected to the router, some public IPs are wasted, because IPs have to be assigned to the firewall for NAT.

Current firewall settings (example: assume the current public pool is
nat server 0 zone untrust global inside
nat server 1 zone untrust global inside
nat server 2 zone untrust global inside
nat server 3 zone untrust global inside
nat server 4 zone untrust global inside

ip route-static

(the IP is the router's IP address)
After discussing this with the customer, we recommend connecting the new internet line to the firewall and using policy based routing to redirect the dedicated traffic onto the new line.
Configuration example:
acl number 3000
rule 5 permit ip source destination any    (example: assume this is the new public IP)
traffic classifier new_nat operator or
if-match acl 3000
traffic behavior new_nat
redirect ip-nexthop
traffic policy new_nat
classifier new_nat behavior new_nat
interface Eth-trunk 1    (the interface connected to the switch)
undo shutdown
traffic-policy new_nat inbound
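As an added illustration (not part of the original post or of the customer's configuration), the Python model below walks a packet through the chain configured above: ACL 3000 with a Huawei-style wildcard mask, the classifier, the redirect behavior, and the inbound binding on the switch-facing Eth-Trunk. All addresses and next hops are constructed sample values, since the page omits the real ones; the audit function additionally flags a wildcard that is wider than the 13-address public block.

```python
import ipaddress

# Constructed sample values (assumed; the page omits the real addresses).
ROUTER_NEXTHOP = "198.51.100.1"    # target of the existing ip route-static default route
NEW_ISP_NEXTHOP = "203.0.113.1"    # target of "redirect ip-nexthop" on the new line
# Huawei ACL form: "rule 5 permit ip source <addr> <wildcard> destination any".
# In a wildcard mask, bits set to 1 are "don't care" (inverse of a netmask).
ACL_3000 = [
    # (rule id, action, source address, source wildcard)
    (5, "permit", "192.0.2.16", "0.0.0.15"),   # /28 block holding the 13 usable public IPs
]

def acl_matches(acl, src_ip):
    """Evaluate the ACL in rule order; return the first matching action,
    or None when no rule matches (the classifier then does not match)."""
    src = int(ipaddress.IPv4Address(src_ip))
    for _rule_id, action, addr, wildcard in acl:
        base = int(ipaddress.IPv4Address(addr))
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (src & care) == (base & care):   # "destination any": only the source is tested
            return action
    return None

def next_hop(src_ip, ingress_interface):
    """Forwarding decision on the firewall. The traffic-policy is bound inbound
    on Eth-Trunk 1 only, so traffic entering elsewhere never sees the redirect."""
    if ingress_interface == "Eth-Trunk1" and acl_matches(ACL_3000, src_ip) == "permit":
        return NEW_ISP_NEXTHOP              # traffic behavior new_nat -> redirect ip-nexthop
    return ROUTER_NEXTHOP                   # fall back to the default route via the router

def audit_acl_scope(acl, intended_block):
    """List addresses the ACL permits outside the intended public block.
    A wildcard that is too wide (0.0.0.31 instead of 0.0.0.15) would silently
    redirect neighbouring hosts onto the new line."""
    intended = ipaddress.ip_network(intended_block)
    scan = intended.supernet(new_prefix=24)   # the surrounding /24 is enough to expose it
    return [str(h) for h in scan
            if h not in intended and acl_matches(acl, str(h)) == "permit"]

if __name__ == "__main__":
    print(next_hop("192.0.2.20", "Eth-Trunk1"))    # new line
    print(next_hop("10.1.1.5", "Eth-Trunk1"))      # existing router
    print(audit_acl_scope(ACL_3000, "192.0.2.16/28"))   # [] when the wildcard is exact
```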