I'm working on an issue and working through fallout from a migration done by a previous Network Engineer, who is no longer on staff.
For one of our locations, all traffic reaching the internet used to flow like this:
User -> Palo Alto FW -> Cisco ASA -> Cisco 2921 -> Internet
A recent migration removed the Cisco ASA from certain aspects of the infrastructure. It is still in place and many aspects of the network still follow the same path for access to the internet and work fine. However, some of them were required to bypass the Cisco ASA due to a requirement which I'm trying to figure out.
Here is a section from the Cisco 2921 config. IP addresses are arbitrary:
16.18.22.124 is the Palo Alto outside interface IP
16.18.22.96 is the border router (Cisco 2921) inside interface
interface GigabitEthernet0/1.6
 description DATA
 encapsulation dot1Q 6
 ip address 16.18.22.125 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 0 ip 16.18.22.97
 standby 0 preempt
 no cdp enable

ip access-list extended In_2_Out
 deny udp any any eq 3544 log
 permit ip host 224.0.0.2 6.7.14.32 0.0.0.7 log
 permit ip 6.7.43.32 0.0.0.7 host 13.16.7.5 log
 permit ip 6.7.14.32 0.0.0.7 host 13.16.6.5 log
 permit ip 16.18.22.64 0.0.0.63 any reflect Reflexive-LIST timeout 240 log
 remark ------
 remark ----
 remark --
 remark ----------------------------------------end of ACL
 permit ip 16.18.22.96 0.0.0.31 any reflect Reflexive-LIST timeout 300 log

ip route 16.18.22.96 255.255.255.224 16.18.22.124
The Palo Alto has a PBF rule that routes traffic from the associated internal subnet out of the interface with the 16.18.22.124/27 IP address. The next hop on the Palo Alto PBF rule is 16.18.22.97.
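To see which In_2_Out line a given flow actually hits, and what the reflexive entry lets back in, here is an added example (my own, not part of the original post or the router config) that models the ACL above as first-match rules with IOS wildcard masks and a minimal Reflexive-LIST state table. The sample flows, including the 203.0.113.9 destination, are constructed for the test.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action proto src dst dport reflect")

def wc(addr, wildcard="0.0.0.0"):
    """IOS 'address wildcard' pair -> ip_network (wildcard 0.0.0.0 means one host)."""
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

ANY = wc("0.0.0.0", "255.255.255.255")

# The In_2_Out ACL from the post, in configured order (remark lines omitted).
IN_2_OUT = [
    Rule("deny",   "udp", ANY, ANY, 3544, False),
    Rule("permit", "ip", wc("224.0.0.2"), wc("6.7.14.32", "0.0.0.7"), None, False),
    Rule("permit", "ip", wc("6.7.43.32", "0.0.0.7"), wc("13.16.7.5"), None, False),
    Rule("permit", "ip", wc("6.7.14.32", "0.0.0.7"), wc("13.16.6.5"), None, False),
    Rule("permit", "ip", wc("16.18.22.64", "0.0.0.63"), ANY, None, True),  # timeout 240
    Rule("permit", "ip", wc("16.18.22.96", "0.0.0.31"), ANY, None, True),  # timeout 300
]

def first_match(acl, proto, src, dst, dport=None):
    """Index of the first entry matching the flow (IOS ACLs are first-match);
    None stands for the implicit deny at the end of the list."""
    for i, r in enumerate(acl):
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if ipaddress.ip_address(src) in r.src and ipaddress.ip_address(dst) in r.dst:
            return i
    return None

class ReflexiveList:
    """Models Reflexive-LIST: an outbound hit on a 'reflect' entry installs a
    mirrored temporary entry that admits only the exact return flow."""
    def __init__(self):
        self.entries = set()

    def outbound(self, proto, src, sport, dst, dport):
        i = first_match(IN_2_OUT, proto, src, dst, dport)
        if i is None or IN_2_OUT[i].action == "deny":
            return "deny"
        if IN_2_OUT[i].reflect:
            self.entries.add((proto, dst, dport, src, sport))
        return "permit"

    def inbound(self, proto, src, sport, dst, dport):
        return "permit" if (proto, src, sport, dst, dport) in self.entries else "deny"
```

Running it shows that a source in 16.18.22.96/27 is matched by the `16.18.22.64 0.0.0.63` line (which covers .64 through .127) before the final line below the "end of ACL" remark is ever reached, so the 300-second timeout on that last line never applies.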