Policy based routing setup

Published: 2014-11-24  Views: 141  Downloads: 1
Problem description
Currently the customer's network has three devices: an S9712 switch, a USG9560 firewall and an NE40E router. The router connects the internet line, the firewall sits between the switch and the router and is responsible for NAT translation, and the switch carries the customer's private network. The firewall has a default route pointing to the router. Bandwidth usage on the existing line is now nearly full, and the customer has decided to buy a second internet line that comes with 13 usable public IP addresses. This raises a problem: if the new line is connected to the router, some of the public addresses will be wasted, because addresses must also be assigned to the firewall for NAT use.

Current firewall setting (example: assume the current public pool is 100.100.100.0/24):
nat server 0 zone untrust global 100.100.100.73 inside 172.19.12.101
nat server 1 zone untrust global 100.100.100.161 inside 172.19.12.111
nat server 2 zone untrust global 100.100.100.162 inside 172.19.12.112
nat server 3 zone untrust global 100.100.100.201 inside 172.19.12.121
nat server 4 zone untrust global 100.100.100.89 inside 172.19.12.131

ip route-static 0.0.0.0 0.0.0.0 100.100.100.5

IP 100.100.100.5 is the router's IP address.
Procedure
After discussion with the customer, we recommended connecting the new internet line directly to the firewall and using a policy-based routing configuration to redirect the dedicated traffic to the new line.

Solution

Configuration example (the redirect action belongs inside the traffic behavior, and the policy is then bound inbound on the switch-facing interface):
acl number 3000
 rule 5 permit ip source 200.200.200.0 0.0.0.15 destination any   - matches 200.200.200.0/28 (example: assume 200.200.200.0/28 is the new public range)
#
traffic classifier new_nat operator or
 if-match acl 3000
#
traffic behavior new_nat
 redirect ip-nexthop 200.200.200.1   - next hop on the new internet line
#
traffic policy new_nat
 share-mode
 classifier new_nat behavior new_nat
#
interface Eth-Trunk 1   - interface connected to the switch
 undo shutdown
 traffic-policy new_nat inbound
#
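As an added illustration (not part of the original case and not Huawei code), the following Python models the decision the inbound traffic policy makes with the values from this case: the ACL wildcard mask 0.0.0.15 is expanded to its prefix, sources in the new public range are redirected to 200.200.200.1, and everything else falls through to the default route via 100.100.100.5. It also checks that none of the existing nat server global addresses are caught by the redirect; the wildcard semantics are the standard ACL ones (set bits are "don't care").

```python
import ipaddress

# Values taken from the case above.
NEW_PUBLIC_RULE = ("200.200.200.0", "0.0.0.15")   # acl 3000 rule 5: source + wildcard
REDIRECT_NEXTHOP = "200.200.200.1"                # traffic behavior new_nat
DEFAULT_NEXTHOP = "100.100.100.5"                 # ip route-static 0.0.0.0 0.0.0.0
# Existing nat server global addresses; these must keep using the default route.
EXISTING_NAT_GLOBALS = ["100.100.100.73", "100.100.100.161", "100.100.100.162",
                        "100.100.100.201", "100.100.100.89"]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL-style match: wildcard bits set to 1 are 'don't care'.
    0.0.0.15 therefore matches the 16 addresses of a /28."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must be equal
    return (a & care) == (b & care)


def wildcard_to_prefix(base: str, wildcard: str) -> str:
    """Translate the ACL wildcard into CIDR for review (0.0.0.15 -> /28)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:                # only contiguous host masks map to a prefix
        raise ValueError("wildcard is not a contiguous host mask")
    prefix_len = 32 - w.bit_length()
    return str(ipaddress.ip_network(f"{base}/{prefix_len}", strict=True))


def select_nexthop(src: str) -> str:
    """Model of the inbound traffic-policy on the switch-facing trunk: a source
    permitted by acl 3000 is redirected to the new line; anything else is
    forwarded by the default static route."""
    if wildcard_match(src, *NEW_PUBLIC_RULE):
        return REDIRECT_NEXTHOP
    return DEFAULT_NEXTHOP


def existing_nat_unaffected() -> bool:
    """Sanity check: the redirect must not catch the old public NAT addresses."""
    return all(select_nexthop(g) == DEFAULT_NEXTHOP for g in EXISTING_NAT_GLOBALS)


if __name__ == "__main__":
    print("acl 3000 rule 5 covers", wildcard_to_prefix(*NEW_PUBLIC_RULE))
    for s in ("200.200.200.5", "200.200.200.16", "100.100.100.73"):
        print(s, "->", select_nexthop(s))
    print("existing NAT unaffected:", existing_nat_unaffected())
```

Note that 200.200.200.16 is the first address outside the /28 and so stays on the default route, which is the boundary to re-check whenever the ACL wildcard is edited.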

END