05-01-2008 12:22 AM - edited 03-03-2019 09:46 PM
I've two 2800 series routers, one ADSL and one Leased Line. Two 515E Firewalls connected to each one. They are then connected to an L2 switch (2960G) for aggregation to two L3 Core switches (3750). I want all my traffic to use ADSL and all my mail (smtp) traffic to use LL. Do I need policy based routing here, or just specifying the default gateway for the mail servers to be the firewall connected to the LL router?
Suggestions will be appreciated.
05-01-2008 12:39 AM
If the mail servers are on a different subnet than the internal interface of the firewall that connects to the LL router then you will need PBR. Where is the L3 interface for the mail servers?
I'm assuming from your explanation that the firewalls are independent of each other ie. they are not running as a pair ?
Jon
05-01-2008 01:47 AM
@jon
Thanks for the prompt reply.
The mail servers are on the same subnet (vlan) as the firewall (inside). The firewalls are independent of each other as both are on different vlans.
Browsing is perfect, had a small glitch with few sites but was restored when I played a little with the mtu size. Now the problem lies with the mail going through the LL. Email is not bounced back but never reaches the other party.
05-01-2008 02:03 AM
Presumably you are Natting the mail servers to the public addresses in use on the LL firewall. You need to make sure these are the DNS MX records.
Jon
05-01-2008 02:14 AM
@jon
I tried the following config and all I got was a mail to my gmail account, the rest of them never reached.
My config shows;
static (inside,outside) tcp 83.x.x.195 smtp 192.168.1.206 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 83.x.x.196 https 192.168.1.206 https netmask 255.255.255.255 0 0
and ACL shows;
access-list acl_out permit tcp any host 83.x.x.195 eq smtp
access-list acl_out permit tcp any host 83.x.x.195 eq https
access-list acl_out permit icmp any any
05-01-2008 02:38 AM
What is the DNS record for your mail server ie. if i looked up
83.x.x.195 on the Internet would it resolve to your mail server ?
Jon
05-01-2008 04:12 AM
@jon
No, you can't resolve it as there is no DNS record for the mail servers. We need it only to send mails, not receive (for the time being). We do have other servers to do the job in different locations.
By the way, the mail which arrived at gmail was through adsl as I traced it to the dynamic ip.
Still not clear what should be done.
05-01-2008 04:19 AM
Are you sure these are independent of each other? If the default-gateway of the mail server is the LL firewall and the leased line firewall only connects to the LL router, then how is the mail server getting out via the ADSL link?
Perhaps a diagram would help.
Jon
05-01-2008 04:41 AM
05-01-2008 04:52 AM
Saj:
Just to reiterate, correct me if I'm wrong.
MBX 1 and 2 are the email servers?
What are their default gateways set to?
What are the IP addresses of BOTH FW inside interfaces?
The switch that both FWs are connected to is an L2 switch, correct?
Victor
05-01-2008 05:01 AM
@lamav
MBX1 & 2 are mail servers but are dependent on CAS/HOB which is 192.168.1.206.
The LL Fw is 192.168.1.254, which is also defined as gateway for CAS/HOB. The Adsl Fw is 192.168.101.2 (diff vlan) and is gateway to all other traffic through Core SW1 (192.168.101.1).
The switch which aggregates the firewalls with Core SW1 is an L2 (2960G, lanbase) switch. Respective Vlans are defined on the port of switch for LL Fw & Adsl Fw.
05-01-2008 05:06 AM
If the mail servers have their default-gateway on SW1 then you will need to use PBR, but you said that the mail servers' default-gateway was the LL Fw.
If the mail server default-gateway is on SW1 then you have to set up PBR. Do your internal clients need to talk to the mail servers? Let's assume they do and let's say your internal vlans are
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
access-list 101 deny ip host
access-list 101 deny ip host
access-list 101 deny ip host
access-list 101 deny ip host
access-list 101 deny ip host
access-list 101 deny ip host
access-list 101 permit ip host
access-list 101 permit ip host
route-map MAIL permit 10
match ip address 101
set ip next-hop
Then apply it to the mail server vlan interface eg
int vlan 10
ip policy route-map MAIL
Edit - you may also need to enable the SDM routing template on the 3750 for PBR.
Jon
05-01-2008 05:37 AM
Dear Jon
Although I can create a route map, unfortunately I can't apply it to the interface. There is no "ip policy" command available. Does it have something to do with my IOS, as it's the IP Base version?
05-01-2008 06:00 AM
Hey, Jon:
How are you, buddy?
I'd like to ask a question about your route map. I don't want to hijack Saj's thread, though... I just want to understand your solution.
Can you please explain the logic of your route map? What's with the deny statements? I don't think I've ever seen an ACL created for PBR that uses negative logic... what do those deny statements achieve?
Are you trying to say "don't policy route traffic between internal vlans and the mail servers"? And if so, doesn't the implicit deny at the end of the ACL take care of that? Anything that isn't PBR'd is routed normally...
Thanks
Victor
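The following is an added illustration (not from Jon, Victor or Cisco) of how a route-map match against an ACL behaves for PBR, modelled on Jon's access-list 101 and Victor's question about the deny entries. It assumes the permit lines are "permit ip host <mail server> any" and uses the addresses from the thread (mail server 192.168.1.206, LL firewall 192.168.1.254, internal vlans 192.168.1-3.0/24); everything else is constructed.

```python
import ipaddress

# Constructed model of IOS PBR: a route-map "match ip address <acl>" entry.
# A packet that hits a "permit" ACE is policy-routed to the set next-hop;
# a packet that hits an explicit "deny" ACE, or falls through to the implicit
# deny at the end of the ACL, is routed normally by the routing table.

MAIL_SERVER = "192.168.1.206"   # CAS/HOB host from the thread
LL_FIREWALL = "192.168.1.254"   # leased-line firewall inside address (next-hop)
INTERNAL_VLANS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]


def build_acl(mail_host, internal_nets, with_denies=True):
    """Assumed shape of access-list 101: deny mail->internal vlans first,
    then 'permit ip host <mail> any'. with_denies=False models Victor's
    question: what happens if the deny lines are left out."""
    acl = []
    if with_denies:
        acl += [("deny", f"{mail_host}/32", net) for net in internal_nets]
    acl.append(("permit", f"{mail_host}/32", "0.0.0.0/0"))
    return acl


def acl_lookup(acl, src, dst):
    """First-match evaluation; returns 'permit', 'deny' or 'implicit-deny'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "implicit-deny"


def pbr_next_hop(acl, next_hop, src, dst):
    """route-map MAIL permit 10: only a 'permit' match sets the next-hop.
    None means the packet is handed to normal destination-based routing."""
    return next_hop if acl_lookup(acl, src, dst) == "permit" else None


if __name__ == "__main__":
    acl = build_acl(MAIL_SERVER, INTERNAL_VLANS)
    for dst in ["74.125.1.1", "192.168.2.50"]:
        print(dst, "->", pbr_next_hop(acl, LL_FIREWALL, MAIL_SERVER, dst))
```

Without the deny lines, the "permit ... any" entry would also send the mail server's replies to internal clients through the LL firewall; the explicit denies exclude those flows before the broad permit is reached, which the implicit deny alone cannot do.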