10-20-2006 08:22 AM - edited 03-03-2019 02:25 PM
Is there a way to configure a router to forward traffic from Segment A to the Segment A Firewall and traffic from segment B to a Segment B Firewall. All other internal traffic gets sent to our wan router through EIGRP.
10-20-2006 08:31 AM
Luis
I do not fully understand what your requirements are and therefore can not provide an answer with much detail. But in general when you want to route certain traffic based on its source address the answer is to implement Policy Based Routing.
This link should give you enough information to get started with Policy Based Routing:
http://www.cisco.com/en/US/partner/tech/tk365/technologies_tech_note09186a008009481d.shtml
HTH
Rick
10-20-2006 09:12 AM
Thanks for your response Rick. Let me see if I can explain my situation a little better.
We have two physical segments, Segment A=192.168.4.0 and Segment B=192.168.8.0. We have two routers: gateway e0=192.168.4.253 e1=192.168.8.253, WAN router e0 192.168.4.254 e1=192.168.8.0, S0=WAN. The WAN router is managed by our parent company and we have no access to it. We are running EIGRP. For a while all our internet traffic got routed to the WAN and our parent company's internet connection. We just got two separate internet connections for ourselves, one MCI the other L3; we also have two firewalls, one for each connection, Firewall1=192.168.4.250 Firewall2=192.168.8.250. We had to change the default gateway on all our client PCs to match the IP of their respective firewall instead of the 253 address. But now whenever we need to get to an internal WAN site we have to add a static route to the firewall to point back to the 253 routers to go out to the WAN. What I was wondering was if we could set the 253 router to forward internet traffic from Segment A to 192.168.4.250 and Segment B to 192.168.8.250, and WAN traffic to the WAN interface.
Hope I explained it a little better.
Thanks
10-20-2006 09:33 AM
Oops, I was too slow in replying in my other post. So with the extra information, PBR is probably your best bet. What you can do is something like this:
ip access-list extended internal_routes
 remark private (RFC 1918) destinations: no match, so they follow the normal routing table
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 remark everything else (internet-bound) is handed to the firewall by the route-map
 permit ip any any
!
route-map groupa permit 10
 match ip address internal_routes
 set ip next-hop 192.168.4.250
!
route-map groupb permit 10
 match ip address internal_routes
 set ip next-hop 192.168.8.250
!
int e0
 ip policy route-map groupa
int e1
 ip policy route-map groupb
The thing that concerns me is that I have not tried this type of scenario where the router has to hairpin the traffic back out the same interface. I do not think it will be a problem, but I would test this out before implementing. Basically what it does is check packets against the ACL, and if they are permitted, it sets the next hop to the firewall. All other traffic will be routed as usual. So my ACL includes all traffic not destined to reserved addresses, but for testing you may want to only "permit ip host youripaddress any" at the end. If that works OK, you can tack the any any on after your IP.
This is a fairly simple example. PBR is very robust, but to describe all of your options would take a LONG time.
-Eric
Please remember to rate all helpful posts.
10-20-2006 09:45 AM
Thank you guys for pointing me in the right direction.
I will try PBR.
10-20-2006 10:00 AM
Eric,
Will this configuration affect WAN traffic such as internal websites? Will internal website requests be sent to the firewalls, or just sites that are not known? I guess I'm a little confused because of the deny internal routes. Some of our WAN addresses use the 10.0.0.0 addresses. What we want to do is only send HTTP requests to the internet to the firewall and HTTP requests for internal sites to the WAN router.
thanks
10-20-2006 11:45 AM
The way the config I posted works is this:
-When a packet arrives on e0, it sees that policy-route groupa is applied.
-The router runs the packet through policy-route groupa.
-The policy route says if the packet matches the ACL internal_routes, then send the traffic to the firewall. If it does not, proceed to the next line of the policy route. In this case, there is only one, so if it does not match, it gets routed as it normally would based on the router's routing table.
-In this case, if the packet is destined to 10.x, 172.16-31, or 192.168, it will _not_ match the ACL.
- Since the traffic does not match the ACL, it will not have its next hop set to the firewall IP, but will be routed normally by the router.
The nice thing about this setup is you could make certain users go to the corporate firewall across the wan simply by inserting a "deny host their-ip any" above the permits in the ACL. Assuming your router has a default route on the WAN somewhere, it would send packets from their-ip to the default route since it does not match the ACL.
Similarly, that is why I suggested testing with only 1 source IP permitted to begin with to make sure it works as expected.
Hope this clears it up some.
-Eric
Please remember to rate all helpful posts.
10-20-2006 12:20 PM
Thanks Eric for your explanation, it totally makes sense now. I will hopefully be trying it this weekend. Thanks for everyone's help.
-luis
01-16-2007 06:05 PM
Hi Ethiel,
I implemented your suggestion this past weekend and it worked like a charm. But my next question is, is there a way these two links can be set to failover? Say if link 1 goes down then link 2 takes over, and if link 2 goes down then link 1 takes over?
thanks again.
01-17-2007 03:40 AM
Luis
Ethiel made 2 suggestions (Policy Based Routing and VRF Lite) and I can not tell from your message which of them you implemented. If you implemented Policy Based Routing then it should be possible to configure the router so that the links back each other up and fail over. If you implemented VRF Lite then each environment is separate and I believe that they can not back each other up.
If you are doing PBR there are several alternatives that could work, including 2 equal static routes, a static route and a floating static route, or including the links in your dynamic routing protocol. If we knew more about your environment then we might be able to give better advice about which alternative to prefer. In general I like the alternative of including both links in a dynamic routing protocol.
HTH
Rick
01-17-2007 12:13 PM
Luis
One aspect of the way that Policy Based Routing works is that if PBR is setting the next hop and if the next hop becomes unavailable, then PBR does not change anything and normal routing is used. So if you have set up your routing environment so that routes are available over both links then both links should be able to back each other up.
HTH
Rick
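To make Eric's walkthrough of the config concrete (the 11:45 AM post: ACL match, then "set ip next-hop", otherwise normal routing) together with Rick's point above that an unreachable next hop silently falls back to the routing table, here is a small Python model of how that policy is evaluated. It is an added illustration written for this thread, not code from Cisco or from any poster; the wildcard-mask semantics and first-match ACL behaviour are standard IOS behaviour, while the sample source/destination addresses (198.51.100.7 is a documentation range) and the `reachable` set are constructed for the example.

```python
"""Model of the thread's PBR config: a wildcard-mask ACL, two route-maps,
and per-interface policy, evaluated for a packet arriving on e0 or e1."""

ANY = None  # stands for the keyword "any" in an ACL entry


def ip_to_int(dotted):
    a, b, c, d = (int(o) for o in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    wc = ip_to_int(wildcard)
    return (ip_to_int(addr) | wc) == (ip_to_int(base) | wc)


def spec_match(spec, addr):
    """spec is ANY, or a (base, wildcard) tuple; 'host x' is (x, '0.0.0.0')."""
    return spec is ANY or wildcard_match(addr, *spec)


def host(addr):
    return (addr, "0.0.0.0")


# The 'internal_routes' ACL from the thread, with the 172.16/12 private range
# written as 172.16.0.0 0.15.255.255. Entries: (action, source spec, destination spec).
INTERNAL_ROUTES = [
    ("deny",   ANY, ("10.0.0.0",    "0.255.255.255")),
    ("deny",   ANY, ("172.16.0.0",  "0.15.255.255")),
    ("deny",   ANY, ("192.168.0.0", "0.0.255.255")),
    ("permit", ANY, ANY),
]


def acl_permits(acl, src, dst):
    """First matching entry wins; an ACL with no matching entry denies implicitly."""
    for action, s, d in acl:
        if spec_match(s, src) and spec_match(d, dst):
            return action == "permit"
    return False


# route-map <name> permit 10 / match ip address <acl> / set ip next-hop <hop>
ROUTE_MAPS = {
    "groupa": [("internal_routes", "192.168.4.250")],
    "groupb": [("internal_routes", "192.168.8.250")],
}
# int e0 / ip policy route-map groupa ; int e1 / ip policy route-map groupb
INTERFACE_POLICY = {"e0": "groupa", "e1": "groupb"}
# Constructed for the example: which firewall next hops are currently reachable.
FIREWALLS = frozenset({"192.168.4.250", "192.168.8.250"})


def next_hop(ingress, src, dst, acls=None, reachable=FIREWALLS):
    """Return the PBR next hop for a packet, or 'normal' when the routing table decides.
    'normal' covers three cases: no policy on the ingress interface, no route-map
    clause matched, or (Rick's point) the set next hop is currently unreachable."""
    acls = acls if acls is not None else {"internal_routes": INTERNAL_ROUTES}
    clauses = ROUTE_MAPS.get(INTERFACE_POLICY.get(ingress), [])
    for acl_name, hop in clauses:
        if acl_permits(acls[acl_name], src, dst):
            return hop if hop in reachable else "normal"
    return "normal"


def with_host_exception(acl, src_host):
    """Eric's trick: 'deny host <ip> any' above the permit keeps that host off the
    local firewall, so its internet traffic follows the normal (WAN default) route."""
    return [("deny", host(src_host), ANY)] + list(acl)


if __name__ == "__main__":
    # Constructed sample packets: (ingress interface, source, destination)
    for ifc, src, dst in [("e0", "192.168.4.10", "198.51.100.7"),
                          ("e0", "192.168.4.10", "10.20.30.40"),
                          ("e1", "192.168.8.10", "172.20.1.1"),
                          ("e1", "192.168.8.10", "198.51.100.7")]:
        print(f"{ifc} {src} -> {dst}: {next_hop(ifc, src, dst)}")
```

Two things the model makes visible that the prose does not: each interface only ever hands traffic to its own firewall (there is no load sharing between them in this config), and `wildcard_match` shows why the 172 line must be written as 172.16.0.0 0.15.255.255: a wildcard of 0.240.255.255 on 172.0.0.0 leaves the low nibble of the second octet significant, so 172.17 through 172.31 would not match the deny and would be sent to the firewall instead of the WAN.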
10-20-2006 09:19 AM
Rick is right that your best bet is probably policy routing. It enables you to specify traffic based on an ACL or interface and set the next hop address.
One other option to consider would be VRF-Lite. The following link talks a bit about it, but basically VRF allows you to have 2 independent routing tables on the router. An example of where it might be useful is a company with remote branches can have a "finance" vrf at each remote location that routes back to the central "finance" vrf that is behind a finance firewall for security. In this case, VRF is a bit more secure than policy routing in my opinion, since each vrf has no idea the other vrf routes exist unless you choose to share them between VRFs.
http://www.cisco.com/en/US/netsol/ns658/netqa0900aecd804a16ae.html
The best solution is unclear without more requirements and details from you. VRF is IMO a bit more secure and has some very powerful options, but is much more complex to deploy as well. It also requires newer hardware and code than PBR, since PBR has been around for quite a while now.
-Eric
Please remember to rate all helpful posts.
01-19-2007 12:28 AM
Hi Eric,
Just want to verify from the config that you posted.
ip access-list extended internal_routes
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
route-map groupa permit 10
 match ip address internal_routes
 set ip next-hop 192.168.4.250
!
route-map groupb permit 10
 match ip address internal_routes
 set ip next-hop 192.168.8.250
!
int e0
 ip policy route-map groupa
int e1
 ip policy route-map groupb
-------------------------------------------
Will the config load balance the internet traffic from the LAN segments going to the 2 firewalls when the ACL is met? And could you also enlighten me on how it works during load balancing of the internet traffic?
Just want to verify.... Thanks so much, I really appreciate your response.