Seeking static route help

After having inserted my own router as the internet gateway router and relegated the Verizon one to be a secondary one that just communicates with the STBs, I would like to know if anyone could explain to me how to set up static routes to be able to access it via a wired connection, as I would like to turn off the wireless side of it.
Now have a double NAT'd setup as follows
ONT -> WAN Netgear subnet 192.168.0
              Netgear Lan port 1 -> Wan VZ Westell subnet 192.168.1
                                                      Moca connections to STBs
                                                      Ethernet connections to exposed (Port forwarded) machines
              Netgear Lan Port 2 -> Wan Dlink subnet 192.168.3
                                                      Dlink Lan port -> 1GB NIC desktop machine 192.168.3.99
From the desktop machine at 192.168.3.99 I want to be able to get to the admin pages of the VZ router at 192.168.1.1 and also to some exposed machines on the 192.168.1 subnet
I'm guessing I need static routes defined at the dlink router at 192.168.3.1 and the netgear router at 192.168.0.1
On paper this looks very simple but I cannot work out what the static routes are meant to say
Anyone have any hints that would help me out?

Fixed it, once I looked at the Westell logs.
Finally realized that the static routes I built were fine and the problem is that I was being blocked at the firewall.
Can't put the router in the DMZ and can't port forward to the router's LAN IP address (192.168.1.1). Allowed remote admin on the router and it works fine - would be nice if the router allowed you to choose some obscure port, but I guess it's not really much of a security risk as the router's WAN port is inside the private network anyway.

Similar Messages

  • Need Help for configuring Floating static route in My ASA.

    Hi All,
    I need your support for doing a floating static route in My ASA.
    I tried this last time but I was not able to make it. But this time I have to finish it.
    Please find our network Diagram and configuration of ASA
    route outside 0.0.0.0 0.0.0.0 6.6.6.6 1 track 1
    route outside 0.0.0.0 0.0.0.0 6.6.6.6 1
    route rOutside 0.0.0.0 0.0.0.0 3.3.3.3 10
    route inside 10.10.4.0 255.255.255.0 10.10.3.1 1
    route inside 10.10.8.0 255.255.255.0 10.10.3.1 1
    route inside 10.10.9.0 255.255.255.0 10.10.3.1 1
    route inside 10.10.15.0 255.255.255.0 10.10.3.1 1
    route rOutside x.x.x.x 255.255.255.255 5.5.5.5 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.10.3.77 255.255.255.255 inside
    http 10.10.8.157 255.255.255.255 inside
    http 10.10.3.59 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 123
    type echo protocol ipIcmpEcho 8.8.8.8 interface outside
    num-packets 3
    frequency 10
    sla monitor schedule 123 life forever start-time now
    crypto ipsec transform-set cpa esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map vpn_cpa 1 match address acl_cpavpn
    crypto map vpn_cpa 1 set peer a.a.a.a
    crypto map vpn_cpa 1 set transform-set abc
    crypto map vpn_cpa 1 set security-association lifetime seconds 3600
    crypto map vpn_cpa interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    track 1 rtr 123 reachability
    telnet 10.10.3.77 255.255.255.255 inside
    telnet 10.10.8.157 255.255.255.255 inside
    telnet 10.10.3.61 255.255.255.255 inside
    telnet timeout 500
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 10.10.3.14
    webvpn
    tunnel-group .a.a.a.a ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    smtp-server 10.10.5.11
    prompt hostname context
    Cryptochecksum:eea6e7b6efe5d1a180439658c3912942
    : end
    I think half of the configuration is still there in the ASA.
    Diagram.
    Thanks
    Roopesh

    You have missed the last command in your configuration, Please check it again
    route ISP1  0.0.0.0 0.0.0.0 6.6.6.6 track 1
    route ISP2   0.0.0.0 0.0.0.0 3.3.3.3
    sla monitor 123
    type echo protocol ipIcmpEcho 8.8.8.8 interface ISP1
    num-packets 3
    frequency 10
    sla monitor schedule 123 life forever start-time now
    track 1 rtr 123 reachability
    You can do NAT in same way, here the logical name of the interface will be different.
    Share the result
    Please rate any helpful posts.

  • Help with RV042 Static Routing

    I just purchased an RV042 Dual WAN Router. Both WAN's are connected from different ISP's. I have a PBX phone server connected to this router and want all traffic to and from this phone server going out strictly on one WAN and all the computers and the rest of the traffic on the other WAN. If I understand correctly, this needs to be set up in static routes? If that's the case, how would I do that? If not, the question still stands. Please help.

    Hello Vitaly,
    What you are looking for is Protocol Binding. By setting this up you will be able to control what traffic goes out which WAN port. Protocol Binding can be done for certain traffic types or for certain IP addresses.

  • I'm doing a design for presale, where I will need a router that supports PAT for 500 or slightly more users; it does not need any other features, only static routing and a DHCP pool for 500 users. Can you help me figure out which router to recommend?

    I'm doing a design for presale, where I will need a router that supports PAT for 500 or slightly more users; it does not need any other features, only static routing and a DHCP pool for 500 users. Can you help me figure out which router to recommend?

    What is your WAN speed currently and projected WAN speed in the next 3 years?

  • Help !!! Static route between two router WRT160NL

    Hi all,
    I have my internet connection connected to my main Linksys router WRT160NL (192.168.1.1) with 192.168.1.x.
    My 2nd Linksys router connects to the first one as Gateway as well.
    The 2nd router has a WAN IP of 192.168.1.100 and its local subnet is 192.168.2.x.
    My machines at 192.168.2.x can get to the internet and connect to all machines in the 192.168.1.x network.
    However, the 1.x network can't access the machines on the 2.x network. Because of that, I cannot share or print between the two networks.
    I tried to add a static route on my main router (192.168.1.1) with the route: 192.168.2.0 mask 255.255.255.0 and default gateway 192.168.1.100
    However, the route still does not work.
    Is there any way to make sure that the 1.x network is able to access the 2.x network, and that 2.x can access 1.x, for sharing files and printing?
    thanks for your help!

    In gateway mode the router does NAT, which makes the LAN side inaccessible from the WAN side unless you configure port forwarding or similar. If it didn't do so, your 192.168.1 LAN would be accessible from the internet. Static routing won't change this.
    You have to disable NAT (aka switch to router mode) on the second router. You have to set up a static route on the main router then. However, most likely your network 192.168.2.* won't have internet anymore because the main router will only do NAT for 192.168.1.* and not for 192.168.2.*.
    Thus, if possible set up the second router as access point only and run a single LAN.

  • Problems setting up static routing

    Hi
    I'm having a problem setting up static routing.  I keep getting the message "invalid static route".   I have an E1550 router and my firmware is up to date.  I have tried a few different gateway addresses, i.e. 192.168.1.1, 127.0.0.1 and my router's address on the net, but I keep getting the same message.  Has anyone else had this problem and been able to fix it?

    I think the E1550 router supports LAN to LAN routing provided that you have two local networks. If you only have a plain modem and the E1550, I believe you can't do Static routing on that type of setup. Found this link that might help: http://kb.linksys.com/Linksys/ukp.aspx?vw=1&docid=12a84336a124498eb5d6f0204b85191e_17589.xml&pid=80&...

  • Interworking on Static Routing as IGP

    Was testing interworking between VLAN over Ethernet and FR. As long as my LDP was on static routing, I couldn't reach end-to-end. The moment I configured OSPF as my routing protocol it came up. Can anyone let me know what the reason could be?

    Gautam,
    This is actually normal behavior.
    Before the label learnt via an LDP peer is coupled to a route in the FIB, the next-hop IP address of the route needs to match one of the interface IP addresses bound to the LDP peer (see below). So basically it will not work without a next IP address.
    r2#sh mpls ldp nei
    Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 2.2.2.2:0
    TCP connection: 3.3.3.3.11004 - 2.2.2.2.646
    State: Oper; Msgs sent/rcvd: 27/27; Downstream
    Up time: 00:15:07
    LDP discovery sources:
    Serial3/0, Src IP addr: 192.168.23.3
    Addresses bound to peer LDP Ident:
    3.3.3.3 192.168.34.3 192.168.23.3 <++++++ the route next hop has to match one of these addresses.
    Hope this helps,

  • In A Perfect World - Using Static Routes In RRAS 2012 To Traverse Sites

    I have site-to-site VPN tunnels between my main sites 
    NYC <--> UK
    NYC <----> SANFRAN
    NYC <----> BOSTON
    NYC <----> MALTA
    UK <----> SANFRAN
    UK <----> BOSTON
    And could see ALL sites when I had my DA/RRAS server using one of the existing subnets (for example, when I used US VPN on NYC DHCP (192.168.2.x) I was able to see EVERYTHING on any site we had a site-to-site VPN with, i.e. from VPN client I could access MALTA, UK, SANFRAN, BOSTON).
    Alas I had to change that to a different subnet (192.168.145.x) and now only see the 192.168.2.x network in NYC.
    Is there a way to add static routes on the NYC & UK DA/RRAS servers so this access is restored?   Or would this be solved at the Layer 2/3 network level?
    Michael P. O'Hara

    No, you need to allow forwarding of broadcast packets, but it's really against best practice, as you can easily kill your satellite link.
    I agree with you about WINS, as I personally do not use it and try to remove it when I see someone use it, but it's the only solution for what you want (network discovery over LAN). (Even LLTD is not routable beyond a router.)
    Edited: You need to see all machines, but must the end user see them?
    Regards, Philippe

  • 2 router help.. computer guy needs help

    Hey everyone.. trying to isolate wireless on my network.
    Router one: Netgear, set up as DHCP and PPPoE to my DSL modem. Would like to keep the wired network first on the Netgear.
    Router 2: Linksys wireless, plugged from a Netgear port into the Linksys WAN.. would like to use this isolated from the 0.1 sub that the Netgear is putting out. So I have connected using the 1.1 sub and it gets its IP and can ping from the router's internal ping test, although the PCs cannot. It works if in gateway mode, although I don't want the users to be able to ping my Netgear network, so I put it in router mode to isolate. Problem is that the PC can't get out.. tried some static routing to no avail and I think possibly the double NAT is causing troubles. I need to have DHCP on the wireless so I can get this icafe working and keep users off the network. I don't want to use the AP isolation in the advanced tab because I think I shouldn't have to and should be able to get these beeachess (that bitches for u wonder) working like I have them plugged.. if you test you'll notice that if in gateway mode the two networks can see each other (tell me why and I will kiss u - although must be some double NAT or gateway crap). OK, that's the spiel... which one of ya thinks that he can help.
    I am leaving them in gateway over the weekend, but if someone stumbles on this they might get on the local network and figure out how much I am charging them to get this to work
    thanks
    tony
    bugeyed computer guy

    Yes, you are on the right track. As stated in the included instruction manual, you will need to charge your iPod for four hours or until the display changes so that it shows a power plug (meaning that it is fully charged).
    Also note that while your iPod is charging, you can also add songs and videos to it.

  • Cannot add static routes wrt350n

    Router has latest firmware and was just set to default values. I cannot add a static route, says "static route invalid" no matter what address I input (keeping it simple, trying 192.168.1.XXX)
    I have never had this problem with any other router and I'm thinking it's broken. Thought I'd ask here to make sure I wasn't missing a setting before I throw this thing out the window.
    Any help would be appreciated.
    Thanks, Nick.

    Thanks for the help, it is appreciated...
    I would like to use a static IP address for my LAN multimedia server; MythTV recommends a static address for the backend server. I have also always used static IP addresses for my LAN.
    I am a little confused, and my networking is very rusty so please bear with me. Perhaps I have not provided enough information, because I do not fully understand your response. I don't understand how subnetting is relevant.
    My network is a simple home network, with one router separating my LAN from the cloud. I have one LAN, no subnetting, 192.168.1.0/255.255.255.0.
    Every home router I have used before I have set up the LAN portion like this... And it has always worked in the past...
    gateway: 192.168.1.1/24.
    static routes 192.168.1.(2-5)/24 for my stationary hosts.
    dhcp range 192.168.1.(10-15)/24 for laptops and guests.
    In response:
    1) Yes it is LAN traffic, but the hosts still need addresses, right? Not sure what you're getting at here.
    2) Not sure what you mean... example host 192.168.1.20/24, and the router 192.168.1.1/24 are both within the 192.168.1.0/24 network, right? So requests from the cloud are broadcast to all in my LAN, right? How is this relevant?
    3) I thought the gateway (on my only router) has to be part of the LAN addressing. By Linksys/Cisco default, the router LAN side gateway is 192.168.1.1/24 and it sends out dhcp addresses to 192.168.1.(100-149)/24.
    Am I severely confused or are we just on the wrong page?

  • Static routes within VRF

    Is there a limit to the number of static routes one could use within a VRF?
    We have a large customer connected to an MPLS VRF based backbone and, due to various limiting factors, this customer uses static routing from a PE-CE perspective.
    We have been experiencing a problem where a static needs to be removed and placed back as routing to a site stops (no traffic passed); this happens intermittently and to different sites within different regions as well. All the general or expected troubleshooting procedures have been followed, i.e. check routing table, BGP, CEF tables, FIB etc. All seems fine; the only thing that resolves this is removing the static and then replacing it.
    My thinking is that there might be a limit to the number of statics that one can use within a VRF and that we have reached the limit for this customer, which causes the intermittent failure.
    Please advise.

    I know of a "maximum routes limit " command to limit the number of routes in a Vrf on a PE.
    From this command reference I find there are no default values for this.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fswtch_r/xrfscmd3.htm#1032272
    So I assume, the default is to allow a huge value and the only limitations would be the memory/capacity and the number of vrfs on the PE router.
    If you are experiencing a problem in this regard and removing a static route is helping to overcome it, then I would only suspect a bug here.
    I am also curious to know how many static routes you have in this particular VRF.

  • Is it possible in IOS to have two static routes for the same subnet, one a higher priority and "failover" between the 2?

    Hi All
    Is it possible in IOS to have for a particular subnet:
    a) Two static routes?
    b) Make one static route a higher priority than the other?
    c) If one static route "goes down", failover to the lower priority static route?
    We have a l2tp/vpdn connection to a supplier which can be accessed via two vlans/routes. I would like to make one route the preferred one but the "route" to failover if the preferred route goes down.
    Again, many thanks in advance for all responses!
    Thanks
    John

    Hi John,
    Hope the below explanation will help you...
    R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2
    R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
    If you notice the Administrative Distance for the secondary route pointing to ISP2 is increased to 10 so that it becomes the backup link.
    The above configuration with just two floating static routes partially accomplishes our requirement as it will work only in the scenario where the routers interfaces connected to the WAN link are in up/down or down/down status. But in a lot of situations we see that even though the links remain up but we are not able to reach the gateway, this usually happens when the issue is at the ISP side.
    In such scenarios, IP SLAs becomes an engineer's best friend. With around six additional IOS commands we can have a more reliable automatic failover environment.
    Using IP SLA the Cisco IOS gets the ability to use Internet Control Message Protocol (ICMP) pings to identify when a WAN link goes down at the remote end and hence allows the initiation of a backup connection from an alternative port. The Reliable Static Routing Backup using Object Tracking feature can ensure reliable backup in the case of several catastrophic events, such as Internet circuit failure or peer device failure.
    IP SLA is configured to ping a target, such as a publicly routable IP address or a target inside the corporate network or your next-hop IP on the ISP's router. The pings are routed from the primary interface only. Following is a sample configuration of IP SLA to generate ICMP pings targeted at ISP1's next-hop IP.
    R1(config)# ip sla 1
    R1(config-ip-sla)# icmp-echo 2.2.2.2 source-interface FastEthernet0/0
    R1(config-ip-sla-echo)# timeout 1000
    R1(config-ip-sla-echo)# threshold 2
    R1(config-ip-sla-echo)# frequency 3
    R1(config)# ip sla schedule 1 life forever start-time now
    The above configuration defines and starts an IP SLA probe.
    The ICMP Echo probe sends an ICMP Echo packet to next-hop IP 2.2.2.2 every 3 seconds, as defined by the “frequency” parameter.
    Timeout sets the amount of time (in milliseconds) for which the Cisco IOS IP SLAs operation waits for a response from its request packet.
    Threshold sets the rising threshold that generates a reaction event and stores history information for the Cisco IOS IP SLAs operation.
    After defining the IP SLA operation our next step is to define an object that tracks the SLA probe. This can be accomplished by using the IOS Track Object as shown below:
    R1(config)# track 1 ip sla 1 reachability
    The above command will track the state of the IP SLA operation. If there are no ping responses from the next-hop IP the track will go down and it will come up when the ip sla operation starts receiving ping response.
    To verify the track status use the “show track” command as shown below:
    R1# show track
    Track 1
    IP SLA 1 reachability
    Reachability is Down
    1 change, last change 00:03:19
    Latest operation return code: Unknown
    The above output shows that the track status is down. Every IP SLAs operation maintains an operation return-code value. This return code is interpreted by the tracking process. The return code may return OK, OverThreshold, and several other return codes.
    Different operations may have different return-code values, so only values common to all operation types are used. The below table shows the track states as per the IP SLA return code.
    Tracking      | Return Code              | Track State
    Reachability  | OK or over threshold     | Up
                  | (all other return codes) | Down
    The last step in the IP SLA Reliable Static Route configuration is to add the “track” statement to the default routes pointing to the ISP routers as shown below:
    R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1
    R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
    The track number keyword and argument combination specifies that the static route will be installed only if the state of the configured track object is up. Hence if the track status is down the secondary route will be used to forward all the traffic.
    Please rate the helpful posts.
    Regards,
    Naidu.
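
The failure case described in the answer above (link up, ISP side dead) can be modelled in a few lines. This is an added example, not part of the original post or Cisco's code; it simplifies route installation to "interface up and track up, then lowest administrative distance". The interface name FastEthernet0/1 and the scenario data are constructed.

```python
from dataclasses import dataclass
from typing import Optional


def track_up(return_code: str) -> bool:
    """Track state per the table in the post: OK or over threshold -> Up,
    all other IP SLA return codes -> Down."""
    return return_code in ("OK", "OverThreshold")


@dataclass(frozen=True)
class StaticRoute:
    next_hop: str
    interface: str                 # local exit interface
    distance: int = 1              # administrative distance (static default is 1)
    track: Optional[int] = None    # track object number, if any


def installed_route(routes, link_up, sla_codes):
    """Pick the default route that ends up in the routing table.

    A static route is a candidate only while its interface is up and, if it
    carries a track statement, while that track object is up. Among the
    candidates the lowest administrative distance wins.
    """
    eligible = [
        r for r in routes
        if link_up.get(r.interface, False)
        and (r.track is None or track_up(sla_codes.get(r.track, "Unknown")))
    ]
    return min(eligible, key=lambda r: r.distance, default=None)


# The two configurations from the post: floating statics only, and the same
# pair with "track 1" on the primary. FastEthernet0/1 is an assumed name.
PLAIN = [
    StaticRoute("2.2.2.2", "FastEthernet0/0"),
    StaticRoute("3.3.3.3", "FastEthernet0/1", distance=10),
]
TRACKED = [
    StaticRoute("2.2.2.2", "FastEthernet0/0", track=1),
    StaticRoute("3.3.3.3", "FastEthernet0/1", distance=10),
]

BOTH_UP = {"FastEthernet0/0": True, "FastEthernet0/1": True}

# Constructed scenarios: link state, latest IP SLA return code for probe 1,
# and which next hops actually answer.
SCENARIOS = {
    "healthy": (BOTH_UP, "OK", {"2.2.2.2", "3.3.3.3"}),
    "slow_but_alive": (BOTH_UP, "OverThreshold", {"2.2.2.2", "3.3.3.3"}),
    "local_link_down": ({"FastEthernet0/0": False, "FastEthernet0/1": True},
                        "Timeout", {"3.3.3.3"}),
    "isp_side_failure": (BOTH_UP, "Timeout", {"3.3.3.3"}),
}


def run_scenarios():
    """Return {scenario: {config: (chosen next hop, traffic actually flows)}}."""
    results = {}
    for name, (link_up, code, reachable) in SCENARIOS.items():
        row = {}
        for label, routes in (("plain", PLAIN), ("tracked", TRACKED)):
            route = installed_route(routes, link_up, {1: code})
            row[label] = (route.next_hop, route.next_hop in reachable)
        results[name] = row
    return results


if __name__ == "__main__":
    for name, row in run_scenarios().items():
        print(f"{name:17} plain={row['plain']} tracked={row['tracked']}")
```

Only the `isp_side_failure` row differs between the two configurations: the untracked pair keeps forwarding to 2.2.2.2 and drops traffic, while the tracked pair moves to 3.3.3.3.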

  • How do you promote a static route over a directly connected?

    Hi all,
    I have a need for a static route to be used instead of a directly connected route. (Long story - involving firewalls and anti-spoofing.. but can go further if required)
    I am using a Cisco 3750 switch. I notice directly connected routes have a metric of 0, and the highest metric I can give a static route is 1.
    Therefore, how is it possible for me to make the switch use the static route and not the directly connected?
    Any help would be appreciated!
    Cheers,
    Ben

    Hi Rick,
    Thanks for your patience.
    Maybe I should start again.
    Initially we had 16 VLANs within the 10.0/16 address space. We have some Cisco 3750's connected by dark fibre across a couple of kms and then lower access switches all hanging off these by some means. The network is flat.
    We have a checkpoint firewall hanging off one of the 3750s connected using a TRUNK port. The firewall has an IP address on all VLANs and is used to route traffic between VLANs based on its ruleset.
    So if I have a user in VLAN 10 who wants to talk to VLAN 20, they travel to the firewall, if a rule permits the access, the firewall routes the packet on to VLAN 2 and the switches deliver at Layer 2.
    The switches all have their default VLAN 1 disabled, and have an IP address on our management VLAN to allow us to manage the switches.
    It's quite important that this IP is on a secured management VLAN as we don't want just anyone being able to snoop switch logins etc..
    If we need to login to a switch, the firewall routes our traffic from whatever VLAN we are on to the Management VLAN.
    One of our VLANs (the Desktop VLAN) is quite large (approx 1300 hosts) and suffers a great deal from too much arp broadcast traffic.
    As we have a flat switched network across several kms, the cost of putting in routers to subnet this large VLAN is excessive.
    However, the 3750's we have are perfectly capable of routing between VLANs, so we decide to create a load of new VLANs instead of subnetting our large VLAN. We don't want to use the firewall to route between these new VLANs as that's just giving the firewall more to do, and previously all these hosts were on a single subnet, so we have no need for any strict security - at most we can use ACLs on the switches if we even need that!
    So far so good.
    With 1300 hosts, we obviously can't make sudden topology changes. Therefore we need to be able to route between the Desktop VLAN and the new VLANs.
    We therefore introduce the static routes between the firewall and the switches.
    So the firewall says:
    route 10.1.0.0/16 via Multilayer switch IP on 10.1.0.0/16
    The multilayer switch says:
    route 10.0.0.0/16 via Firewall IP on 10.1.0.0/16
    This allows routing perfectly between the Desktop VLAN and the new VLANs.
    However the moment we enable ip routing on the switches we break access between the desktop VLAN and the Management VLAN.
    A packet leaves the desktop VLAN through the default gateway on the firewall. This is then routed to the Management VLAN. The return packet doesn't use the Management VLAN default gateway (firewall), it follows the static route on the switch and ends up at the firewall on 10.1.0.0/16. This is subsequently dropped as the firewall knows the packet hasn't come from the 10.1.0.0/16 network, it originally came from the desktop VLAN on 10.0.0.0/16.
    It might seem we can define a route on the switch to say:
    route 10.0.50.0/24 (management VLAN) via 10.0.50.254 (firewall). However, this would result in all packets from 10.1.0.0/16 being dropped by the firewall.
    The other problem is that if we are on a new VLAN and want to talk to the management VLAN. The packet goes to its default gateway on the switch. The switch says - "I have an IP on the management VLAN, its directly connected" - therefore it ignores the static route, and passes the packet on its way. We have now bypassed the firewall, which is bad.
    Incidentally the return packets get routed through the firewall and dropped, as the original packet didn't come through the firewall, there is no entry in the state table for its return.
    I think if we turned off the management interface on the switch and managed it through the interface on 10.1.0.0/16, I assume everything would work. However, we don't want to do this for a whole load of other reasons I won't go into.
    I'm sure there must be a fairly simple solution - I just don't have enough experience!
    Cheers,
    Ben
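
The two symptoms in the post above (reply dropped by anti-spoofing, and new-VLAN traffic reaching the management VLAN without crossing the firewall) both follow from how the switch picks a route. The model below is an added example, not part of the original post; only 10.0.0.0/16, 10.1.0.0/16, 10.0.50.0/24 and 10.0.50.254 come from the post, and every other subnet, host address and interface name is constructed. It also includes a small audit that lists connected prefixes sitting inside a static route aimed at the firewall.

```python
import ipaddress as ip

# From the post: 10.0.0.0/16 (original VLANs), 10.1.0.0/16 (new VLANs) and the
# management VLAN 10.0.50.0/24. All other values below are constructed.
OLD = ip.ip_network("10.0.0.0/16")
NEW = ip.ip_network("10.1.0.0/16")
MGMT = ip.ip_network("10.0.50.0/24")
DESKTOP = ip.ip_network("10.0.16.0/20")    # assumed desktop VLAN range
TRANSIT = ip.ip_network("10.1.0.0/24")     # assumed switch<->firewall link
NEW_VLAN = ip.ip_network("10.1.10.0/24")   # assumed new user VLAN

# Multilayer switch routing table once "ip routing" is enabled.
SWITCH_RIB = [
    {"prefix": MGMT, "kind": "connected", "distance": 0, "out": "Vlan50"},
    {"prefix": TRANSIT, "kind": "connected", "distance": 0, "out": "Vlan100"},
    {"prefix": NEW_VLAN, "kind": "connected", "distance": 0, "out": "Vlan110"},
    {"prefix": OLD, "kind": "static", "distance": 1, "out": "fw-transit"},
]


def lookup(rib, dst):
    """Longest-prefix match; administrative distance only breaks ties."""
    addr = ip.ip_address(dst)
    hits = [r for r in rib if addr in r["prefix"]]
    return max(hits, key=lambda r: (r["prefix"].prefixlen, -r["distance"]),
               default=None)


class Firewall:
    """Stateful firewall with per-interface anti-spoofing (simplified; the
    rule base is assumed to permit every new connection)."""
    EXPECTED = {"fw-mgmt": [MGMT], "fw-desktop": [DESKTOP], "fw-transit": [NEW]}

    def __init__(self):
        self.state = set()

    def inbound(self, iface, src, dst, reply=False):
        if not any(ip.ip_address(src) in net for net in self.EXPECTED[iface]):
            return "drop: anti-spoofing"
        if reply:
            return "pass: established" if (dst, src) in self.state else "drop: no state"
        self.state.add((src, dst))
        return "pass: new"


def desktop_to_switch_mgmt():
    """Desktop host logs in to the switch's management IP."""
    fw = Firewall()
    desktop, switch_mgmt = "10.0.16.7", "10.0.50.2"
    forward = fw.inbound("fw-desktop", desktop, switch_mgmt)
    # The switch answers from 10.0.50.2 and routes the reply itself.
    route = lookup(SWITCH_RIB, desktop)
    reply = fw.inbound(route["out"], switch_mgmt, desktop, reply=True)
    return {"forward": forward, "reply_route": route["kind"], "reply": reply}


def new_vlan_to_mgmt():
    """Host on a new VLAN talks to a host on the management VLAN."""
    fw = Firewall()
    client, mgmt_host = "10.1.10.5", "10.0.50.20"
    route = lookup(SWITCH_RIB, mgmt_host)
    via_firewall = route["out"].startswith("fw-")
    if via_firewall:
        fw.inbound(route["out"], client, mgmt_host)
    # The management host replies through its default gateway, the firewall.
    reply = fw.inbound("fw-mgmt", mgmt_host, client, reply=True)
    return {"forward_route": route["kind"], "forward_via_firewall": via_firewall,
            "reply": reply}


def connected_bypasses(rib, via="fw-transit"):
    """Connected prefixes that are more specific than a static route pointing
    at the firewall; traffic to them never takes that static route."""
    statics = [r["prefix"] for r in rib if r["kind"] == "static" and r["out"] == via]
    return [str(r["prefix"]) for r in rib
            if r["kind"] == "connected"
            and any(r["prefix"].subnet_of(s) for s in statics)]


if __name__ == "__main__":
    print(desktop_to_switch_mgmt())
    print(new_vlan_to_mgmt())
    print("connected prefixes bypassing the firewall:", connected_bypasses(SWITCH_RIB))
```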

  • WCCP Redirect ACL with Static Routes

    I need help in creating a redirect ACL (along with an explanation) for one of our sites that has multiple static routes on the router pointing to a customer's device on his network.  I have attached relevant config for review.  We have tried numerous combos for this and so far nothing has worked correctly.  Essentially we need the 165. network, 10.48 and the 10.0 network to all be redirected to the WAE appliance hanging off FA0/1 to be optimized and returned back, but not break communication b/w 10.0 and 10.48 network.  Thoughts and/or suggestions?
    Thank you

    Have you tried to do the static route in the WAE?
    Jan

  • Multiple instances of EIGRP or static routes

    I'm building a network which needs to have all but one of its private networks pass through a DMVPN; all the routes are advertised through EIGRP, and that part works great!
    I have a private VLAN that only has access onto the internet; the address is NATed over to a public IP address. Each router, there's six of them, are neighbors to two other routers. The furthest router to the internet has to go through three routers to get to the internet. My current idea is to use static routes on all the routers to the Internet gateway router. Then let recursive routing sort out each hop. What I would rather do is have EIGRP do all that. I really don't want to mess with the EIGRP that's running for the DMVPN tunnels; I'd like to have another instance of EIGRP run on the routers that will route the users to the Internet.
    Does anyone have any thoughts concerning this design?
    Thanks.
    Mitch

    Mitch
    I am not clear about what you are attempting to achieve and not very clear about the topology. So my answer may or may not be on target. If it is not perhaps you can help us understand a little better what is involved.
    I believe that what you are saying is that you have an existing network with multiple locations connected over DMVPN and that you run EIGRP as the routing protocol for that network. I believe you are also saying that there is one network segment which needs access to the Internet but should not be able to access the other parts of your network.
    You say that the address of this other segment is NATed but are not clear whether the translation is on the router where the segment is located or is on the Internet gateway router.
    Probably the traditional solution for this would be to provide a default route for this segment pointing toward the Internet gateway router, to have a route on the Internet gateway router (and other routers along the path toward where the network is located), and a series of access lists on each router along the way which allows passage to the Internet and denies access to local resources.
    I would propose a somewhat different solution. I believe that it would work if you configure a GRE tunnel between the router where the segment is located and the Internet Gateway router. On the router where the segment is located you could do Policy Based Routing to send traffic from the private segment to the Internet over the GRE tunnel (which effectively isolates it from your other resources). You might want Policy Based Routing on the Internet gateway router to be sure that traffic from the private segment was forwarded only to the Internet (though you might not need that). The Internet gateway router could have a route (probably a static route) which sends traffic to the private segment over the GRE tunnel.
    Let us know what you think of this. And if it is off the mark perhaps you could clarify a bit.
    HTH
    Rick
