Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2855
Views
0
Helpful
3
Replies

Policy Based Routing for SMTP traffic via Second ISP

AdmShatan
Level 1
Level 1

‎06-15-2011 10:17 AM - edited ‎03-04-2019 12:43 PM

Hi All,

     I've been lurking these boards for a while grabbing tips to use while I work; now I need to ask for some help.  I have been trying to set up thr router to send SMTP traffic over a specific interface, NAT'd appropriately, and have all other traffic sent over a different interface.  The interfaces were intially set up as a failover from one to another using ip sla's.

What  have right now is a cable isp (ISP1), and a T1 (ISP2).  Currently, when we turn up fe04, all traffic goes out the interface, and when we turn it down, all traffic goes out the T1

Here's the relevant config(IP addresses removed, hopefully):

interface FastEthernet4

description $FW_OUTSIDE$$ETH-WAN$

ip address 1.1.1.1 255.255.255.252

ip nat outside

ip virtual-reassembly

zone-member security out-zone

shutdown

duplex auto

speed auto

crypto map VPN

!

interface Vlan1

description $FW_INSIDE$

ip address 192.168.x.x 255.255.255.0

ip nat inside

ip virtual-reassembly

zone-member security in-zone

!

!

interface Vlan10

description $FW_OUTSIDE$

ip address 2.2.2.2 255.255.255.248

ip nat outside

ip virtual-reassembly

zone-member security out-zone

crypto map VPN

ip nat inside source static tcp 192.168.x.y 80 interface Vlan10 80

ip nat inside source static tcp 192.168.x.y 443 interface Vlan10 443

ip nat inside source static tcp 192.168.x.y 1723 interface Vlan10 1723

ip nat inside source static tcp 192.168.x.y 4125 interface Vlan10 4125

ip nat inside source static tcp 192.168.x.y 25 interface Vlan10 25

ip nat inside source route-map ISP-primary interface FastEthernet4 overload

ip nat inside source route-map ISP-secondary interface Vlan10 overload

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 1.1.1.2 10 track 2

ip route 0.0.0.0 0.0.0.0 2.2.2.3 track 4

ip sla 12

icmp-echo 1.1.1.2 source-interface FastEthernet4

timeout 500

threshold 500

frequency 1

ip sla schedule 12 life forever start-time now

ip sla 22

icmp-echo 2.2.2.3 source-interface Vlan10

timeout 500

threshold 500

frequency 1

ip sla schedule 22 life forever start-time now

access-list 1 permit 192.168.x.y 0.0.0.255

access-list 100 deny   tcp host 192.168.x.y eq smtp any

access-list 100 deny   tcp host 192.168.x.y any eq smtp

access-list 100 permit ip 192.168.x.y 0.0.0.255 any

route-map ISP-primary permit 10

match ip address 100

match interface FastEthernet4

!

route-map ISP-secondary permit 10

match ip address 101

match interface Vlan10

!

route-map SDM_RMAP_1 permit 1

match ip address 107

From My understanding, This should allow me to have traffic travel over the cable link, and have SMTP travel over the T1.  That's not the case though? 

Would something like this work:

access-list 151 permit   tcp host 192.168.x.y eq smtp any

access-list 151 permit   tcp host 192.168.x.y any eq smtp

route-map smtprule permit 20

match ip address 151

match interface vlan10

interface vlan10

     ip policy smtprule

Labels:
0 Helpful
3 Replies 3

fgasimzade
Level 4
Level 4

‎06-15-2011 11:03 AM

I have little experience with route maps but to route trafic from specific interface you need to add a command

route-map smtprule permit 20

match ip address 151

set interface vlan10

not match interface vlan10 - this command matches trafic on interface 10, not directing trafic to exit through this interface

0 Helpful

AdmShatan
Level 1
Level 1
In response to fgasimzade

‎06-16-2011 07:56 AM

fgasimzade,

     I appreciate the reply.  I will attempt this today, and will reply back with the outcome.

0 Helpful

AdmShatan
Level 1
Level 1
In response to AdmShatan

‎06-17-2011 06:57 AM

Unfortunately, that didn't seem to take.  I also applied the ip policy to the internal interface, which seemed to take down just the server. Here's what I put into the config:

access-list 151 permit tcp host 192.168.x.y eq smtp any

access-list 151 permit tcp host 192.168.x.y any eq smtp

access-list 151 permit ip host 192.168.x.y any

route-map smtprul permit 5                 *****Yes, I mispelled it, but kept it consistent through the config.

match ip address 151

set interface Vlan10

interface Vlan10

description $FW_OUTSIDE$

ip address  2.2.2.2 255.255.255.248

ip nat outside

ip virtual-reassembly

zone-member security out-zone

ip policy route-map smtprul

crypto map VPN

ip nat inside source route-map smtprul interface Vlan10 overload

When I placed this into the config, all other machines and servers correctly exited the fe4 cable interface.  Ther server dropped off though, and wouldn't route out.   I believe this may be a NAT issue?  Or am I missing something more basic?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card