09-14-2014 07:34 PM - last edited on 03-25-2019 03:42 PM by ciscomoderator
A/ Description:
In our system environment, we have 03 FTTH internet lines
(internet load balancing in one router 2921;
this router has an integrated EHWIC-4ESG card inside).
G0/0 PPPoE: line 1
G0/1 PPPoE: line 2
G0/2 PPPoE: line 3
EHWIC-4ESG connected to the inside network
B/ Main purpose we want to achieve
Now we want to define in this router as below:
step 1 - define NAT rules for the webmail service and IPsec VPN, which must run only on line 01.
step 2 - define all 03 internet lines to run internet service.
C/ Current situation which we face now:
After we configured the above, step 1 (in section B) didn't run properly, as follows:
from outside, we access this webmail service (http://webmail@abc.com); after the server authorizes and replies to this session, we have 02 scenarios:
1/ Sometimes the reply to the user's session goes out on the right public IP we want, on line 1, so the user can access the webmail server => OK
2/ Sometimes the reply to the user's session goes out on the other 02 lines, so the user cannot access the webmail server => not OK
note: please see more details in the attached configuration file below
we hope to receive your feedback asap.
09-17-2014 01:27 AM
Hello,
OK, that is a bit weird. Check whether the IP addresses in WAN-ACL match the source IP from which you expect the packets.
Is there maybe another NAT operation in the path between the ISR 2921 and the server, so that the source IP addresses from the server are modified? I can't see any NAT rule for 10.222.222.45 in your last attachment, for example. I assume one of your internal routers (10.222.226.33) performs the NAT to the webmail service. If 10.222.226.33 does a NAT operation to 10.222.222.45, you have to use the IP address 10.222.226.33 in the WAN-ACL.
With which service did you try to verify the route-map?
Best Regards
Lukasz
09-14-2014 10:34 PM
Hello,
the router does equal-cost load balancing using the three default gateways. To ensure the return traffic goes over the correct WAN line, I suggest creating a route-map and attaching it to the Vlan1 interface.
The last line of the route-map should be an empty permit statement to ensure all other traffic, which doesn't match an ACL used by the route-map, is handled by the default routing table.
kind regards
Lukasz
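The approach Lukasz describes here (a route-map keyed on the server's source address, an empty trailing permit, applied on the inside interface), together with the caveat from the accepted solution that the ACL must match the source address as the 2921 actually sees it after any internal NAT, as an added configuration example. This is not the original poster's configuration or Lukasz's. It assumes Dialer0 is "line 1", Vlan1 is the inside SVI behind the EHWIC-4ESG, the hosts from the posted WAN-ACL, and that 10.0.0.0/8 is the internal address range; all of these are assumptions for illustration.

```cisco
! Added example, not the thread's own configuration.
! Assumptions: Dialer0 = line 1, Vlan1 = inside SVI, 10.0.0.0/8 = internal range,
! and 10.222.222.45 / 10.222.222.33 are the source addresses the 2921 really
! sees on replies (i.e. AFTER any NAT done by an inside router; if an inside
! router NATs the server, put that router's address here instead).
!
! Match the RETURN traffic: PBR evaluates the reply leaving the server,
! so the match is on source host + source port, destination "any".
ip access-list extended WAN-ACL
 ! do not pin internal-to-internal replies to the WAN line
 deny   ip host 10.222.222.45 10.0.0.0 0.255.255.255
 deny   ip host 10.222.222.33 10.0.0.0 0.255.255.255
 permit tcp host 10.222.222.45 eq www any
 permit tcp host 10.222.222.45 eq 443 any
 permit udp host 10.222.222.33 eq isakmp any
 permit udp host 10.222.222.33 eq non500-isakmp any
!
route-map WAN-RMAP permit 10
 match ip address WAN-ACL
 set interface Dialer0
!
! Empty trailing permit: anything not matched above falls through to the
! routing table (the three equal-cost default routes) instead of being dropped.
route-map WAN-RMAP permit 20
!
! PBR acts on packets ENTERING an interface, so the policy goes on the
! inside interface, not on the dialers.
interface Vlan1
 ip policy route-map WAN-RMAP
!
! Verification: load the webmail page from the internet, then check that
! the "Policy routing matches" counter for sequence 10 increments.
! show route-map WAN-RMAP
! show ip policy
```

If the counter on sequence 10 stays at zero while the service is being used, the router is not seeing the source address the ACL names, which is exactly the NAT question raised in the accepted solution; the fix is to change the ACL to the address that actually arrives on Vlan1, not to change the route-map.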
09-16-2014 08:16 PM
Hi Lukasz,
Thanks for your response!
I configured it as you suggested, but the issue still remains. The return traffic doesn't go over the correct WAN line.
Please see my config in the attachment.
I post the report:
CMC_UC_INTERNET_GATEWAY#show access-lists
Extended IP access list 100
10 permit ip any any (246325 matches)
Extended IP access list WAN-ACL
10 permit tcp host 10.222.222.45 eq www any
20 permit tcp host 10.222.222.45 eq 443 any
30 permit udp host 10.222.222.33 eq isakmp any
40 permit udp host 10.222.222.33 eq non500-isakmp any
50 permit tcp host 10.222.222.33 eq 4500 any
60 permit udp host 10.222.226.33 eq 10000 any
70 permit tcp host 10.222.226.33 eq 10000 any
CMC_UC_INTERNET_GATEWAY#show rou
CMC_UC_INTERNET_GATEWAY#show route-map
route-map VNPT-01, permit, sequence 10
Match clauses:
ip address (access-lists): 100
interface Dialer0
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map CTI-03, permit, sequence 10
Match clauses:
ip address (access-lists): 100
interface Dialer2
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map CTI-02, permit, sequence 10
Match clauses:
ip address (access-lists): 100
interface Dialer1
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map WAN-RMAP, permit, sequence 10
Match clauses:
ip address (access-lists): WAN-ACL
Set clauses:
interface Dialer2
Policy routing matches: 0 packets, 0 bytes
CMC_UC_INTERNET_GATEWAY#
The route-map WAN-ACL doesn't count any packets; it just matches the access-list. Please check again...
Thanks & Best Regards,
09-17-2014 09:06 PM
Dear Lukasz,
Your first answer was right. The reason is that ASDM was using port 443 while my webmail was also using the same port, so there was a conflict.
Now I have changed the ASDM port on the ASA to another port and the return traffic goes over the correct WAN line.
Thank you.
Best Regards.