Hello everyone, I really need a hint here!
I have configured simple two-ISP load balancing using two default routes and two NAT overloads. Load balancing is working fine (see the NAT configuration at the bottom). This way, any NAT INSIDE host is able to reach the internet using both ISPs randomly.
I need some specific hosts to access the internet using a single specific ISP. Think of it as "load balancing" exceptions, if you will.
In other words, I need to disable load balancing and stick with a single ISP for certain hosts within NAT INSIDE that access HTTPS sites. This is because many SSL sites are unusable with load balancing and should be accessed using a single external IP address.
I've tried to create route-maps and I've also tried to modify the given route-maps, without success. Please see the config below:
(part of current running-config.)
object-group service PuertosNavegacion
 description Puerto 80 y 443
 tcp source eq www
 tcp source eq 443
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address xxx.xxx.29.170 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map forceTelmex
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip dhcp client route track 345
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map forceTelmex
 duplex auto
 speed auto
!
interface Vlan3
 description puertos LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip dns server
ip nat inside source route-map fiberNat interface GigabitEthernet0/1 overload
ip nat inside source route-map telmexNat interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 xxx.xxx.29.169
ip route 192.168.3.0 255.255.255.0 192.168.1.10 2
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 remark acepta nat deniega http y https
access-list 111 remark CCP_ACL Category=1
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 deny object-group PuertosNavegacion 192.168.1.0 0.0.0.255 any
!
route-map fiberNat permit 10
 match ip address 111
 match interface GigabitEthernet0/1
!
route-map telmexNat permit 10
 match ip address 110
 match interface GigabitEthernet0/0
!
Thanks in advance,
Agustin.
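
An added configuration sketch (not part of the original post, and not the poster's config) of one way to pin selected hosts' HTTPS traffic to a single ISP with policy-based routing. Policy routing is evaluated on packets arriving on the interface that carries `ip policy route-map`, so the route-map is attached to the inside interface Vlan3. The names PINNED-HTTPS and PIN-TELMEX and the host address 192.168.1.50 are assumptions made for illustration; the next hop is the masked static gateway from the posted config.

```cisco
! Added example. Hypothetical names: PINNED-HTTPS, PIN-TELMEX.
! Constructed host address: 192.168.1.50.
!
ip access-list extended PINNED-HTTPS
 remark LAN hosts whose HTTPS sessions must leave through one ISP
 ! "eq 443" after the destination matches the destination port
 permit tcp host 192.168.1.50 any eq 443
!
route-map PIN-TELMEX permit 10
 match ip address PINNED-HTTPS
 ! Static gateway of the GigabitEthernet0/0 link, as masked in the post
 set ip next-hop xxx.xxx.29.169
!
! Packets that match no permit clause are routed normally,
! so every other host keeps using both default routes.
interface Vlan3
 ip policy route-map PIN-TELMEX
!
! The existing NAT route-maps match on the egress interface, so
! traffic forced out GigabitEthernet0/0 is translated by telmexNat.
!
! Checks after applying:
!  show route-map PIN-TELMEX
!  show ip policy
!  show ip nat translations
```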