01-18-2011 12:20 PM - edited 03-11-2019 12:36 PM
We have a network head end in the US where we have a block of outside IPs that we do NATs with. I used one of these IPs to NAT an Exchange server in Germany. Our Germany office connects via MPLS to the network head end. In Germany we have a DSL for internet traffic with an ASA 5510 protecting it; then all other traffic is sent back over the MPLS line to the US and other locations. The problem is the NAT I set up for the OWA part for the server in Germany doesn't work with the default route in the router pointing to the firewall, but when I direct all traffic to the MPLS cloud OWA works fine. I know I am missing something stupid on this but I can't figure this out. Can anyone help point me in the correct direction? Again, the DSL is just for Internet surfing because of the German language. The default route in the router points to the firewall and I have static routes pointing to the MPLS next hop router for all other traffic.
Thanks,
Dan
Solved! Go to Solution.
01-18-2011 02:06 PM
OK. If you have multiple next hops from that router, then you can do the following:
! 101 matches OWA traffic to remote networks that must NOT be policy-routed
access-list 101 permit ip host "OWA Server IP" "Remote network 1" "mask"
! 102 matches all other OWA traffic
access-list 102 permit ip host "OWA Server IP" any
! Sequence numbers must differ: re-entering sequence 1 as permit would overwrite the deny entry
route-map OWA deny 10
match ip address 101
route-map OWA permit 20
match ip address 102
set ip next-hop "next hop for MPLS Cloud"
For every remote network that gets routed by the router on a path other than the MPLS next hop, configure an access-list entry. In that way, the router will bypass the policy for those destinations from the OWA server.
Or you can also configure one access-list with deny statements at the top with a permit at the bottom.
! deny entries first so the matching traffic is not policy-routed
access-list 102 deny ip host "OWA Server IP" "Remote network 1" "mask"
access-list 102 permit ip host "OWA Server IP" any
route-map OWA permit 1
match ip address 102
set ip next-hop "next hop for MPLS Cloud"
Hope this helps.
Regards,
NT
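As an added illustration of the accepted answer (not configuration from this thread, and using constructed placeholder addresses), this Python model of the German router's forwarding decision shows why the OWA reply falls into the default route towards the ASA without PBR and goes to the MPLS next hop with it, while the deny entry still lets OWA traffic to a remote site follow the static routes.

```python
"""Model of the German router's forwarding decision with and without the PBR
from the accepted answer.  All addresses and next-hop names are constructed."""
from ipaddress import ip_address, ip_network

# Constructed topology: OWA server, next hops for the ASA (DSL), the MPLS
# provider router and a third WAN path used for "remote network 1".
OWA_SERVER = ip_address("10.20.0.25")
NEXT_HOP_ASA = "asa-inside"
NEXT_HOP_MPLS = "mpls-pe"
NEXT_HOP_OTHER = "other-wan"

# Static routing table (prefix, next hop); the default route points at the ASA,
# as in the original poster's setup.
STATIC_ROUTES = [
    (ip_network("10.0.0.0/16"), NEXT_HOP_MPLS),    # US head end via MPLS
    (ip_network("10.30.0.0/16"), NEXT_HOP_OTHER),  # remote network 1, other path
    (ip_network("0.0.0.0/0"), NEXT_HOP_ASA),       # default -> firewall / DSL
]

# route-map OWA: deny 10 (ACL 101) for OWA -> remote network 1, so normal
# routing applies; permit 20 (ACL 102) for OWA -> anything else, next hop MPLS.
PBR_BYPASS = [ip_network("10.30.0.0/16")]


def table_lookup(dst):
    """Longest-prefix match over STATIC_ROUTES (the normal forwarding path)."""
    matches = [(net, nh) for net, nh in STATIC_ROUTES if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(src, dst, pbr_enabled):
    """Return the next hop for a packet; PBR is evaluated before the routing table."""
    src, dst = ip_address(src), ip_address(dst)
    if pbr_enabled and src == OWA_SERVER:
        if not any(dst in net for net in PBR_BYPASS):
            return NEXT_HOP_MPLS           # route-map permit 20: set ip next-hop
        # route-map deny 10: policy bypassed, fall through to the routing table
    return table_lookup(dst)


def reply_symmetric(client_ip, pbr_enabled):
    """True if the OWA reply to an internet client leaves via the MPLS cloud, the
    path the NATed request arrived on (where the US ASA holds the connection)."""
    return forward(OWA_SERVER, client_ip, pbr_enabled) == NEXT_HOP_MPLS
```

Without PBR the reply to an internet client is handed to the local ASA, which has no connection entry for it and drops it; with PBR it returns through the MPLS cloud to the head-end ASA that translated the request.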
01-18-2011 12:27 PM
You need to configure PBR on the router to route all traffic from OWA server to MPLS cloud. Please try the following:
access-list 1 permit host "OWA Server IP"
route-map OWA
match ip address 1
set ip next-hop "MPLS Cloud next hop"
exit
interface "LAN side interface id"
ip policy route-map OWA
exit
http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00801f3b54.shtml
Hope this helps.
Regards,
NT
01-18-2011 12:31 PM
So, do this on the router, not the firewall?
01-18-2011 12:37 PM
Yes.
01-18-2011 12:37 PM
Yes. The router supports policy-based routing while the ASA does not.
Regards,
NT
01-18-2011 12:59 PM
Will this hurt the local Exchange functionality in the Germany office, or is it just a help to get it flowing back to the MPLS cloud? Again, if I set the default route to point to the MPLS cloud it works, but when I set it to point to the firewall to allow surfing the net from the DSL to get all web sites in German, it stops working. I just don't get why it is breaking, because the static routes should tell it to head back to the MPLS cloud to get out.
01-18-2011 01:07 PM
The reason it is not working is that when a client on the internet requests to connect to the OWA server, it will come to your main office ASA. The ASA will translate the destination IP to the actual IP of the OWA server and send the request via the MPLS cloud towards the server. The server will process the request, form a response and send it towards the client. The router will look up the destination IP and determine it to be on the internet. Since there is no specific route to the destination, it will use the default route and send it to the ASA. Now the ASA will also look up its default gateway and find that the next hop is DSL. So, it will have to forward the response packet via its outside interface (connected to DSL). But before that, the ASA will look up its connection table to see if the reply packet belongs to any open connection. Since there is no open connection related to that response, as a security measure, the firewall will drop the packet.
If you use the PBR on the router, it will not hurt the local LAN OWA access. I am assuming that nobody will be accessing the OWA server using the local ASA. If they do, then the PBR configuration should change accordingly.
Hope this helps.
Regards,
NT
01-18-2011 01:26 PM
One last question: will this affect a connection in Germany via a standard Outlook connection? I just want to verify that this will only affect OWA and not people connecting to Exchange via Outlook locally.
Thanks for all the information.
I will post whether this fixes it or not.
Dan
01-18-2011 01:33 PM
The clients who are accessing the server using the standard Outlook client are behind the router. Is that correct? As long as their traffic is not passing via the router where you are configuring PBR, there will not be any issues. But if any of those packets traverse the router where you are configuring PBR, then it will not work.
Hope this helps.
Regards,
NT
01-18-2011 01:39 PM
If they are at other offices they will be running across the router. Or if they connect via the VPN in the US they will also be running across the VPN.
Dan