2638 Views, 0 Helpful, 1 Replies

Forcing traffic through specific interfaces

ermcitdept
Level 1

All,

I have banged my head against the wall for too long trying to figure out how to force traffic back out the same interface from whence it entered. Review the following topology. Any suggestions are welcome and appreciated.

Internet ---> ASA 5510 ---> Static IP1 ---> F3.1 ---> 1811 F0
                        |-------> Static IP2 ---> F3.2 ---> 1811 F5 ---> VLAN Int

ASA F3.1    10.1.254.9/30
ASA F3.2    10.1.254.13/30
1811 F0     10.1.254.10/30
1811 F5     10.254.1.14/30

When pinging the public IP of ASA F3.2 from the internet a reply is never received because the default route on the 1811 points to ASA F3.1. This is expected, but the question is...

How do I get the replies from the 1811 to go back out the same interface from whence it entered?

I am sure the answer is policy-based routing, but not sure how to write the config.

Thanks in advance!

1 Reply

Neeraj Arora
Level 3

You'd have to provide more information regarding your requirement:

- Why have you NATed the IP address of the router's or ASA's interface to be accessed from outside?

- If you have some server/PC behind the 1811 that you want to be accessible from the internet, then this behaviour of the router should not affect the response.

But if you specifically want to access the router from the Internet, then yes, PBR would be configured, and instead of applying it on the interface, you would have to configure "ip default policy route-map" in config mode, because here we have to manipulate the traffic GENERATED by the router itself.

Moreover, there is one more catch: if you want to configure PBR on the router, you would have to know the IP address from where the ping/telnet/TCP session was initiated on the internet; otherwise, if we use "any" in the PBR ACL, then whenever the router generates a packet it will send it based on the PBR rule, which can break more things than it fixes.

Hope it helps

Neeraj
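One way to write the local policy the reply describes, as an added example that is not from the thread and not a tested configuration from either poster. On IOS the route map that applies to packets the router itself generates is attached with `ip local policy route-map`; interface-level `ip policy route-map` only sees transit traffic. The example assumes the 1811's F5 address is 10.1.254.14 (the /30 shared with ASA F3.2 at 10.1.254.13) and uses 203.0.113.10 as a placeholder for the administrator's public source address, so that only replies to that one host are steered and the rest of the router's own traffic (routing updates, syslog, NTP) keeps following the routing table, which is the "catch" the reply warns about:

```cisco
! Added example, not from the original thread. Addresses are assumptions:
! 10.1.254.14 = 1811 F5, 10.1.254.13 = ASA F3.2, 203.0.113.10 = admin host (placeholder).
!
! Match only router-originated packets sourced from the F5 address and
! destined to the known management host. Echo replies and TCP responses to a
! session that arrived via the ASA F3.2 static NAT are sourced from F5's
! address, so this catches exactly the traffic that must return via F3.2.
ip access-list extended PBR-REPLY-VIA-F5
 permit ip host 10.1.254.14 host 203.0.113.10
!
! Route map: matching packets get their next hop forced to ASA F3.2.
! Anything that does not match falls through to normal routing (default via F3.1).
route-map LOCAL-PBR permit 10
 match ip address PBR-REPLY-VIA-F5
 set ip next-hop 10.1.254.13
!
! Apply to locally generated traffic (global config, not on an interface).
ip local policy route-map LOCAL-PBR
!
! Verification: confirm the policy is attached and that the ACL/route-map
! counters increment when the admin host pings the F3.2 public address.
show ip local policy
show route-map LOCAL-PBR
show ip access-lists PBR-REPLY-VIA-F5
```

Keeping the ACL narrow (a specific source and destination host, never `any`) is what prevents the local policy from hijacking the router's other sessions; if several management hosts need access, add one `permit` line per host rather than widening the match.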
