Greetings,
I am currently working with a customer that is an ISP for the south-east corner of their state. Currently they are using a Cisco 2911 router as their core and connecting to their customers via sub-interfaces on this device. They have purchased two Aruba 5406 chassis (one for backup) and the required cards to replace the Cisco. The issue I am having is converting an ACL that is being referenced by a route map. However, the ACL is using source/destination addresses that are all deny statements to keep customer incoming traffic from traversing their internal firewall. This customer has purchased their equipment via HPE Renew, so TAC will not support me on this one. I have learned that Aruba uses prefix-lists, but they will not reference a deny statement, so PBR is required in this case, but there is a lot of confusion with the use of the deny statements. Below is a snippet of the ACL and the route map in question. Any and all help will be greatly appreciated.
route-map PIX permit 100
match ip address 100
set ip next-hop 172.16.10.254
access-list 100 remark This access list is in so that traffic originating from our office
access-list 100 remark network that would normally go to the FortiGate actually gets routed by the
access-list 100 remark router's normal routing mechanism.
access-list 100 remark Traffic will go between our office and Heartland management networks, not our FortiGate
access-list 100 deny ip 172.16.224.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 172.16.224.0 0.0.0.255
access-list 100 remark Sioux Center office traffic that will go to the Hospers management networks, not our FortiGate
access-list 100 deny ip 192.168.0.0 0.0.1.255 172.16.1.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.1.255 172.16.4.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.1.255 10.49.49.0 0.0.0.3
access-list 100 deny ip 192.168.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 deny ip 192.168.2.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 100 deny ip 192.168.2.0 0.0.0.255 10.49.49.0 0.0.0.3
access-list 100 deny ip 192.168.3.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 10.49.49.0 0.0.0.3
access-list 100 deny ip 192.168.4.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 deny ip 192.168.4.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 100 deny ip 192.168.4.0 0.0.0.255 10.49.49.0 0.0.0.3
access-list 100 remark SSL VPN traffic that will go to the Hospers management networks, not our FortiGate
access-list 100 deny ip 10.212.134.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 deny ip 10.212.134.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 100 deny ip 10.212.134.0 0.0.0.255 10.49.49.0 0.0.0.3
access-list 100 remark Hospers and Sheldon office traffic that will go to the Hospers management networks, not our FortiGate
!
access-list 100 remark Sioux Center office traffic will go to CFE management network, not our FortiGate
access-list 100 deny ip 192.168.0.0 0.0.1.255 10.1.0.0 0.0.0.255
access-list 100 deny ip 192.168.2.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 100 deny ip 192.168.4.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 100 deny ip 192.168.152.0 0.0.0.255 10.6.0.0 0.0.0.255
access-list 100 permit ip any any
------------------------------
Christopher Leach
------------------------------
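To make the deny/permit interaction concrete, here is an added example (not from the original post or from Cisco/Aruba) that models how IOS evaluates this ACL under the route map: first-match through the ACEs with Cisco wildcard masks, an implicit deny at the end, and a PBR clause that only applies the next-hop when the ACL result is "permit". The ACL text below is a constructed subset of the posted list; support for the `host` keyword is an assumption not present in the post.

```python
import ipaddress

# Constructed subset of ACL 100 from the post, enough to exercise each branch.
ACL_100 = """
access-list 100 remark office to Heartland management, not the FortiGate
access-list 100 deny ip 172.16.224.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 deny ip 192.168.0.0 0.0.1.255 10.49.49.0 0.0.0.3
access-list 100 deny ip 10.212.134.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip any any
"""

def _parse_addr(tokens, i):
    """Return ((network, care_mask), next_index) for one ACL address field."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":  # assumption: 'host' form, not used in the post
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    # Cisco wildcard: 0 bits must match, so the "care" mask is its complement.
    mask = wildcard ^ 0xFFFFFFFF
    return (addr & mask, mask), i + 2

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines; skip remarks."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        aces.append((tokens[2], src, dst))
    return aces

def acl_result(aces, src_ip, dst_ip):
    """First match wins; no match is the IOS implicit deny."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for action, (snet, smask), (dnet, dmask) in aces:
        if (s & smask) == snet and (d & dmask) == dnet:
            return action
    return "deny"

def pbr_next_hop(aces, src_ip, dst_ip, next_hop="172.16.10.254"):
    """'route-map PIX permit 100 / match ip address 100 / set ip next-hop':
    ACL permit -> clause matches, next-hop applied; ACL deny (explicit or
    implicit) -> clause does not match, packet uses the normal routing table
    (returned as None). The deny lines are exemptions, not drops."""
    return next_hop if acl_result(aces, src_ip, dst_ip) == "permit" else None
```

Run it against the full ACL from the post to confirm which flows bypass the FortiGate next-hop before translating the list to the Aruba side.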