Re: cisco 2811 router with two wan ports

abraham.varghese · ‎04-17-2009

Hi,

I have a scenario as below. I have one cisco 2811 router with two Ethernet ports(one WAN(A) and one LAN(B)) and one ADSL interface(C).

Behind the router there is a cisco ASA 5500 firewall with three VLAN's(Internal (D) , External(E) and DMZ (F)).

I want all incoming traffic on certain ports arriving at the WAN(A) port to be directed to a server inside the DMZ(F) which will server the responds through the WAN port(A) only. Also any request for internet from the internal vlan(D) should be going out through the ADSL line(C).

Is it possible to such a configuration with the 2800 series router and ASA 5500 firewall? Is it possible someone can show me a sample configuration.

Joseph W. Doherty · ‎04-17-2009

PBR on the 2811 would allow you to direct inbound traffic from the LAN(B) interface to either WAN(A) interface or ADSL interface(C) based on some criterial where it can distinguish outgoing traffic. However, if the firewall is doing some kind of NAT, you may not be able to easily distinguish outgoing traffic. (I'm not familar with ASA capabilities, but one possible method to distinguish traffic might be to use an DSCP marking.)

"I want all incoming traffic on certain ports arriving at the WAN(A) port to be directed to a server inside the DMZ(F)".

The 2811 should be able to match against incoming ports and interface, but it might be somewhat difficult to direct to a particular server since routers usually direct to a "next hop". How this might be done will likely depend much on whether you might have "server" on a dedicated network or whether the ASA might use an inbound DSCP marking to make a decision.