Dual ISP splitting traffic

Robert Murdock
Level 1

Hello Cisco geniuses!

I have a network where I am required to split traffic between two ISPs: ISP1 (Verizon) and ISP2 (Comcast). ISP1 uses T1 connections and ISP2 uses a standard cable modem. Currently all of my traffic goes out of the T1 connection, but I would like HTTP (80) and HTTPS (443) to go out of my ISP2 connection. On ISP1 I need to have clients come in on port 500 for S2S VPN, 8421 for IBM Access and 3024 for IBM Access.

I have actually programmed my 2811 and had my PBR working, but all of a sudden it stopped. Unfortunately my syslog and NCM did not record any changes to the routers, and the routers were written and the configs saved and backed up. I'm not sure if my ISP2 modem failed, because my PBR no longer works. If you could find it in your hearts, please review my config and see if anything is missing.

interface MFR1
 mtu 4470
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay IETF
 no ip mroute-cache
 load-interval 30
 no arp frame-relay
 frame-relay multilink bid to u300785
 frame-relay lmi-type ansi
!
interface MFR1.500 point-to-point
 ip address 152.179.XX.XX 255.255.255.252
 ip access-group 110 in
 no ip redirects
 no ip proxy-arp
 no cdp enable
 no arp frame-relay
 frame-relay interface-dlci 500 IETF   
!
interface FastEthernet0/0
 description to ASA5520
 ip address 65.216.XX.XX 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map COMCAST_TRAFFIC
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Interface to ISP2
 ip address 23.31.XX.XX 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable

ip route 0.0.0.0 0.0.0.0 152.179.XX.XX (default route to ISP1)
!
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 443
access-list 120 permit udp any any eq domain
access-list 120 deny   udp any any eq ntp
access-list 120 deny   udp any any eq 8933
access-list 120 deny   udp any any eq 8943
access-list 120 deny   udp any any eq 19560
access-list 120 deny   udp any any eq 65535
access-list 120 deny   tcp any any eq 1025
access-list 120 deny   udp any any eq 1025
access-list 120 deny   tcp any any eq 8933
access-list 120 deny   tcp any any eq 8943
access-list 120 deny   tcp any any eq 19560
access-list 120 deny   tcp any any eq 65535
access-list 120 deny   tcp any any eq 50
access-list 120 deny   tcp any eq 51 any
access-list 120 deny   tcp any any eq 51
access-list 120 deny   tcp any eq 500 any
access-list 120 deny   tcp any eq 4500 any
access-list 120 deny   tcp any eq 50 any
access-list 120 deny   udp any eq 50 any
access-list 120 deny   udp any eq 51 any
access-list 120 deny   tcp any eq 4820 any
access-list 120 deny   tcp any eq 4823 any
access-list 120 deny   tcp any eq 4822 any
access-list 120 deny   tcp any eq smtp any
access-list 120 deny   tcp any eq 5223 any
access-list 120 deny   ahp any any
access-list 120 deny   ip any any
access-list 120 deny   tcp any eq 8421 any
access-list 120 deny   tcp any eq 3024 any
access-list 120 deny   udp any eq 3024 any
access-list 120 deny   udp any eq 8421 any
!
access-list 110 permit ip any any
access-list 110 deny   53 any any
access-list 110 deny   55 any any
access-list 110 deny   77 any any
access-list 110 deny   pim any any
access-list 110 deny   ip host 0.0.0.0 any
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any
access-list 110 deny   ip 192.0.2.0 0.0.0.255 any
access-list 110 deny   ip 224.0.0.0 31.255.255.255 any
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any
access-list 110 deny   ip 207.159.122.144 0.0.0.7 any
!
route-map COMCAST_TRAFFIC permit 10
 match ip address 120
 set ip next-hop 23.31.XX.XX

Amit Goyal
Level 1

Hi Robert,

>Please elaborate when you say it stopped working. Is it the PBR that is not working, is NAT not taking place, or is there some other issue with the return path?

>In ACL 120 I see that you have three permit statements and the rest of them are deny statements.

You can simplify ACL 120 as per below.

access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 443
access-list 120 permit udp any any eq domain

access-list 120 deny   ip any any

>You can apply the below ACL on interface FastEthernet0/1 to check if packets are going out or not.

ip access-list extended TEST
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any any eq domain
 permit ip any any
!
int fa0/1
 ip access-group TEST out

>Send the desired traffic via Fa0/1 and check if you see hits in the ACL with the below command.

show ip access-list TEST

>After making the above test, please provide the results along with the NAT config in your next reply to this thread.

HTH

-Amit

I believe the problem is with return traffic. When I go out to see how others see my IP address, the ISP2 address shows, which is correct. When going to speedtest.com it's not showing the correct speed. I think the issue is with return traffic. The PBR is matching packets and NAT is working; just the return traffic seems to be coming in the ISP1 interface. Previously I had it working and it showed the correct IP with the correct speed. I believe one of my employees removed an "in" statement on one of the interfaces, but my syslog was offline and my Orion NCM was offline as well. Maybe a deny for www on the ISP1 in interface?

Hi Robert,

>Are you running any routing protocol with ISP1 and ISP2?

>If yes, are you advertising the public ip into that routing protocol?

>If yes, then there is a chance that the public IP of ISP2 is being advertised via ISP1, which is being preferred for return traffic.

>If the above is not the case, then I do not see any reason for return traffic to come via ISP1. It can still be checked with ISP1.

>You can add the below statement with the lowest sequence number in ACL 110.

ip access-list ext 110
 <seq> permit tcp any any eq www

Check the output of "show ip access-list 110".

HTH

-Amit

Thank you for your prompt replies. I do not have any routing between the two, as they are two different providers. I will place the www entry in my 110 ACL and see if I get any hits.

I would like to add something to further clarify my situation. I really do not need to NAT anything on ISP2, as all of my critical servers are accessed by NAT on ISP1, mostly to 65.216.XX.XX:3024, which goes internally to 10.0.0.X:3024.

>I see you have a public IP on the LAN-facing interface, so you don't need NAT on the router.

>I believe all NAT rules are applied on the firewall.

>So you just need to check whether the traffic for the critical application is hitting your router at the correct IP address (65.216.XX.XX) or not. If yes, then it will be forwarded to the right interface by the router.

>If the traffic is not hitting, then it needs to be checked with ISP1 (could be some routing issue at their end).

>You can check the traffic hits with the help of an ACL on the ISP1 interface. The same test has been explained in the earlier communication.


Oh wow. So if I were to change my default route to a lower metric and remove all NAT statements I should be fine? You are correct to say that my NAT is handled by my firewall, and my public IP space is on the F0/0 interface, which has a public IP from ISP1 as well. This then translates into my VLAN 10.0.0.0. I will try taking all NAT statements off. But should I still have a PBR that sends my 8421 and VPN traffic to my MFR1.500 interface?

>Yeah, no NAT statement is required on the router if it is done on the ASA.

>Since you have a default route pointing to ISP2, you must have PBR to redirect traffic (special traffic) to ISP1.

>But return traffic may hit ISP2 based on the routing in the internet cloud. It will cause asymmetric routing. If there is no NAT applied on the router, asymmetric routing should not cause any issue.

That's exactly what I'm seeing. The return traffic isn't coming in from ISP1. I'll try this again when I take the NAT statements off. Thanks, I have learned so much from you.

Hi Robert,

If the communication on this thread helped you in any way, then please rate it so that it helps others.

HTH

-Amit

It has helped, but unfortunately I am still unable to split my traffic without sacrificing something. I removed all NAT statements and left my default route to ISP2, and my internet connections dropped as well as my clients accessing servers via ISP1. When placing NAT back on:

F0/0
 ip nat inside
F0/1
 ip nat outside
ip nat inside source route-map cable-nat interface f0/1 overload

this restores internet, but clients cannot connect in.

When I change my default route to ISP1 with a PBR that sends www and 443 traffic to my ISP2 modem, clients can connect in, but my internet speeds reflect those of ISP1, yet the IP address shows that of ISP2 when going to speedtest.com. I am really at a loss here for a solution.

In a fit of desperation, my configs for my dual ISP router (2811) and my ASA (5520) are attached.

ISP1---(VPN/3024)------2811------(www/443)----ISP2
                        |
                        |
                    ASA5520 (default route to F0/0 of 2811)
                        |
                    2600 LAN (default route to ASA5520)

I added a permit of www to my ACL 110. It does not show any hits. I am really confused now. I have considered changing how my traffic routes now. If I change the default route to my ISP2 address and change my PBR: I need to have my external clients connect via ISP1 over ports 8421, 500, 4500, and 3024. So if I create another ACL that permits any any eq those ports and apply it to my MFR1.500 interface, will that bring them in correctly? I did a test of changing the default route to 0.0.0.0 0.0.0.0 23.31.XX.XX, which is my ISP2 modem, and I saw the ISP2 IP address as well as the speed of 84Mb/s. But after that change my clients could not connect to my 65.216.XX.XX addresses over the ports specified. On my ISP2 address space I do not have any critical services coming in; it is only used for outgoing internet from my corporate office. I believe changing the default route to my ISP2 is the way I should go. Can you advise on how my PBR should look to bring in my external clients over ports 500, 4500, 8421 and 3024?

Hi Robert,

>If the ACL doesn't show any hits, that means return traffic for www is not coming via ISP1.

As per the latest requirement you can do the below.

>Have a default route to ISP2 (I believe you have already configured it).

>For traffic via ISP1 have a PBR as per below.

ip access-list extended TEST
 permit statements for ports 8421, 500, 4500, and 3024

route-map PBR
 match ip address TEST
 set ip next-hop <ISP1>

>Please make sure to tweak your NAT statements accordingly.

HTH

-Amit
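Added example, not code from the thread or from Cisco: a small Python model of first-match ACL evaluation and a one-clause route-map. It checks Amit's two points above, that everything in ACL 120 after "deny ip any any" can never be hit, and that with a default route to ISP2 a route-map permitting the server-side ports steers only that traffic to ISP1. Matching on the source port, the "ISP1"/"ISP2" labels and the packet tuples are assumptions made for the model.

```python
# Added model for this thread (not Cisco IOS and not the poster's config):
# first-match ACL evaluation plus a one-clause route-map. Addresses are left
# out because every ACE in the thread is "any any"; only proto and ports match.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" (ip covers both)
    sport: Optional[int] = None   # "eq" on source port, None means any
    dport: Optional[int] = None   # "eq" on destination port, None means any

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        return (self.proto in ("ip", proto)
                and self.sport in (None, sport)
                and self.dport in (None, dport))

    def covers(self, other: "Ace") -> bool:
        # True if self matches every packet that other could match.
        return (self.proto in ("ip", other.proto)
                and self.sport in (None, other.sport)
                and self.dport in (None, other.dport))

def acl_lookup(acl, proto, sport, dport):
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(proto, sport, dport):
            return ace.action
    return "deny"

def shadowed(acl):
    """Indexes of ACEs that can never be hit because an earlier ACE covers them."""
    return [j for j, ace in enumerate(acl)
            if any(acl[i].covers(ace) for i in range(j))]

def pbr_next_hop(match_acl, pbr_hop, default_hop, proto, sport, dport):
    """route-map permit 10 / match ip address <acl> / set ip next-hop <pbr_hop>;
    a packet the ACL does not permit falls through to the routing table."""
    permitted = acl_lookup(match_acl, proto, sport, dport) == "permit"
    return pbr_hop if permitted else default_hop

# Constructed excerpt of the poster's ACL 120, keeping its original order.
ACL120 = [Ace("permit", "tcp", dport=80), Ace("permit", "tcp", dport=443),
          Ace("permit", "udp", dport=53), Ace("deny", "tcp", dport=8933),
          Ace("deny", "ip"), Ace("deny", "tcp", sport=8421),
          Ace("deny", "tcp", sport=3024)]
# Amit's final design: default route to ISP2, PBR toward ISP1 for the server
# ports. Source-port matching is an assumption: the reply from port 3024 must exit ISP1.
ACL_ISP1 = ([Ace("permit", "tcp", sport=p) for p in (8421, 3024)]
            + [Ace("permit", "udp", sport=p) for p in (500, 4500)])
```

Running shadowed(ACL120) reports the two entries after "deny ip any any" as unreachable, and pbr_next_hop(ACL_ISP1, "ISP1", "ISP2", ...) returns "ISP1" only for packets sourced from the listed ports.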
