A customer asked for the following behaviour for IP traffic arriving from the extranet: if the source address is in 10.150.0.0/16, the next hop is 10.150.222.1; for any other source address, the next hop is 10.150.224.1. We use PBR (policy-based routing) to meet this requirement. The following configuration is on the FWA:
Initially the configuration was made on an SRG20-31:
acl number 3000
 rule 0 deny ip source 10.150.0.0 0.0.255.255 destination 10.0.0.0 0.255.255.255
 rule 3 deny ip source 10.84.0.0 0.0.255.255 destination 126.96.36.199 0.0.0.255
 rule 4 deny ip destination 188.8.131.52 0.0.0.255
 rule 5 permit ip
traffic classifier class1
 if-match acl 3000
traffic behavior behavior1
 redirect ip-nexthop 10.150.224.1 interface GigabitEthernet3/1/6
qos policy mypolicy
 classifier class1 behavior behavior1
The PBR (qos policy mypolicy) is applied on the extranet interface of the FWA.
In this setup the PBR takes effect, and traffic from the downstream interface can ping the FWA successfully.
Because the customer's traffic volume increased, the SRG20-31 had to be replaced with a USG9100. The configuration was copied directly to the USG9100. After that, the extranet could still reach the intranet server normally, but the extranet could no longer ping the FWA.
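To make the ACL-driven redirect above easier to reason about, here is an added model of how ACL 3000 is evaluated under the traffic classifier: rules are checked in order, Huawei wildcard masks mark "don't care" bits with 1s, and only a packet that hits the permit rule enters class1 and is redirected to 10.150.224.1; a packet that hits a deny rule is not classified and follows the ordinary routing table. This is example code written for this note, not configuration or software from Huawei; the ACL rules and next hop are transcribed from the page, while the sample flows and the address 10.150.224.5 (standing in for the FWA's own extranet interface) are constructed placeholders.

```python
import ipaddress

# ACL 3000 as configured on the FWA, transcribed from the page:
# (rule number, action, source base, source wildcard, destination base, destination wildcard).
# None means the rule has no clause for that address, i.e. "any".
ACL_3000 = [
    (0, "deny",   "10.150.0.0", "0.0.255.255", "10.0.0.0",      "0.255.255.255"),
    (3, "deny",   "10.84.0.0",  "0.0.255.255", "126.96.36.199", "0.0.0.255"),
    (4, "deny",   None,         None,          "188.8.131.52",  "0.0.0.255"),
    (5, "permit", None,         None,          None,            None),
]

# traffic behavior behavior1: redirect ip-nexthop 10.150.224.1 interface GigabitEthernet3/1/6
REDIRECT_NEXTHOP = "10.150.224.1"


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if base is None:          # no source/destination clause in the rule -> matches any
        return True
    care_bits = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care_bits) == (_to_int(base) & care_bits)


def acl_lookup(acl, src, dst):
    """Return (rule number, action) of the first rule that matches, in configured order."""
    for number, action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return number, action
    return None, "no-match"   # never reached for ACL 3000 because rule 5 permits everything


def pbr_decision(src, dst):
    """Model of 'if-match acl 3000' plus 'redirect ip-nexthop': only packets the ACL
    permits are classified into class1 and redirected; denied packets are not
    classified at all and are forwarded by the normal routing table."""
    number, action = acl_lookup(ACL_3000, src, dst)
    if action == "permit":
        return {"rule": number, "next_hop": REDIRECT_NEXTHOP}
    return {"rule": number, "next_hop": "routing-table"}


if __name__ == "__main__":
    # Constructed sample flows; 10.150.224.5 is a placeholder for the FWA's own extranet address.
    samples = [
        ("10.150.10.5", "10.1.2.3"),       # intranet -> intranet, excluded by rule 0
        ("10.84.1.1",   "126.96.36.50"),   # excluded by rule 3
        ("192.0.2.10",  "188.8.131.200"),  # excluded by rule 4
        ("192.0.2.10",  "10.1.2.3"),       # extranet -> intranet server: redirected
        ("203.0.113.7", "10.150.224.5"),   # ping addressed to the FWA itself: also permitted
    ]
    for src, dst in samples:
        print(f"{src:>13} -> {dst:<14} {pbr_decision(src, dst)}")
```

The last sample is the one worth noticing when comparing the two platforms: a ping addressed to the FWA's own extranet interface is also permitted by rule 5, so nothing in ACL 3000 itself excludes traffic whose destination is the firewall. How each platform treats such locally addressed packets once they match a redirect behaviour is not covered by the page, so a first check after the migration is to verify, on the USG9100, whether the redirect is being applied to packets destined to the device itself.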