09-07-2010 07:25 PM - edited 03-04-2019 09:41 AM
     WAN1            WAN2
     1.1             2.1
      |               |
     1.2             2.2
      -------+-------
            2900
             |
            ASA
             |
            LAN
I have WAN1 (1.1.1.1) and WAN2 (2.2.2.1) coming into a 2900, which is then connected to an ASA and to our LAN. The LAN has an Exchange server, and we want all Exchange related traffic to go out WAN2, while having all other user traffic going out WAN1.
I understand this can be done via PBR, and I've been reading up on it. My question comes in with the ASA. Will the ASA know anything about the PBR that's taking place? Or will all traffic just be routed through to the Router and the PBR be applied to the incoming interface on the LAN side?
! everything, meant to leave via WAN1
access-list 101 permit ip any any
route-map GENERAL permit 10
 match ip address 101
 set ip next-hop 1.1.1.2
! Exchange traffic: SMTP (25) and POP3 (110); a port qualifier needs tcp, not ip
access-list 102 permit tcp any any eq 25
access-list 102 permit tcp any any eq 110
route-map EXCH permit 12
 match ip address 102
 set ip next-hop 2.2.2.2
Is this anything like how it should look?
I guess I should put the EXCH pbr first, else there will be no traffic left for the 102 ACL to tag?
Thanks for any time given!
09-08-2010 06:40 AM
scott.bridges wrote: (the original post above, quoted in full)
Scott
You don't apply the PBR on the LAN side. You need to apply it on the interface of the 2900 that connects to the outside of the ASA. Obviously you need to change the next-hops to be 1.1.1.1 and 2.2.2.2. This way the ASA doesn't even get in the way of the PBR and your access-lists will still work.
One last point. Your PBR config could be simpler, i.e.:
on the 2900 set the default-route to be 1.1.1.1 so all traffic is routed normally via WAN1, then just have a route-map for the non default-route traffic. So you don't need access-list 101 in your above example.
Jon
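The two points raised so far, Scott's worry about sequence ordering and Jon's "default route plus one route-map" simplification, can be checked without a router. The script below is an added example, not code from either post or from Cisco: it parses the few IOS statements the thread uses (numbered extended ACLs with `any any` and an optional `eq <port>`, route-map sequences with `match ip address` and `set ip next-hop`, `ip policy route-map` on an interface, and a default route) and reproduces how IOS picks a next hop for a packet arriving on the policy-routed interface: sequences are tried in order, the first whose ACL permits the packet wins, and a packet matching no sequence falls through to the routing table. Assumptions: Scott's two route-maps are merged into one (only one route-map can be applied per interface), the ASA-facing interface is called FastEthernet0/0, and the next hops are the far ends of WAN1 and WAN2 as drawn in the diagram (1.1.1.1 and 2.2.2.1). The third ACL line in the simplified config is also an addition: replies to mail that arrived via WAN2 carry *source* port 25, and without it they would fall to the default route and leave via WAN1.

```python
"""Dry-run of the policy-based routing discussed in this thread (added example)."""
import re
from typing import Dict, List, Optional, NamedTuple


class Packet(NamedTuple):
    proto: str                   # "tcp", "udp" or "icmp"
    sport: Optional[int] = None  # source port, None for non-tcp/udp
    dport: Optional[int] = None  # destination port


# access-list N permit|deny PROTO any [eq SPORT] any [eq DPORT]
ACE_RE = re.compile(
    r"^access-list (\d+) (permit|deny) (\S+) any(?: eq (\d+))? any(?: eq (\d+))?$")


class Policy:
    """Parses the subset of IOS config used above; models a single ingress interface."""

    def __init__(self, config: str) -> None:
        self.acls: Dict[str, List[tuple]] = {}          # number -> ordered entries
        self.maps: Dict[str, List[tuple]] = {}          # name -> [(seq, clauses)]
        self.applied: Optional[str] = None              # route-map on the ingress interface
        self.default_next_hop: Optional[str] = None
        seq = None
        for raw in config.splitlines():
            line = raw.strip()
            if not line or line.startswith("!"):
                continue
            m = ACE_RE.match(line)
            if m:
                num, action, proto, sport, dport = m.groups()
                # IOS rejects a port qualifier on `ip`; only tcp/udp carry ports.
                if proto not in ("tcp", "udp") and (sport or dport):
                    raise ValueError(f"'eq' needs tcp or udp, not {proto}: {line}")
                self.acls.setdefault(num, []).append(
                    (action, proto, int(sport) if sport else None, int(dport) if dport else None))
                continue
            if line.startswith("interface "):
                seq = None                               # leave route-map context
                continue
            m = re.match(r"^route-map (\S+) permit (\d+)$", line)
            if m:
                seq = {"acl": None, "next_hop": None}
                self.maps.setdefault(m.group(1), []).append((int(m.group(2)), seq))
                continue
            m = re.match(r"^match ip address (\d+)$", line)
            if m and seq is not None:
                seq["acl"] = m.group(1)
                continue
            m = re.match(r"^set ip next-hop (\S+)$", line)
            if m and seq is not None:
                seq["next_hop"] = m.group(1)
                continue
            m = re.match(r"^ip policy route-map (\S+)$", line)
            if m:
                if self.applied is not None:
                    raise ValueError("only one route-map can be applied to an interface")
                self.applied = m.group(1)
                continue
            m = re.match(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line)
            if m:
                self.default_next_hop = m.group(1)

    def acl_permits(self, num: str, pkt: Packet) -> bool:
        for action, proto, sport, dport in self.acls.get(num, []):
            if proto != "ip" and proto != pkt.proto:
                continue
            if sport is not None and sport != pkt.sport:
                continue
            if dport is not None and dport != pkt.dport:
                continue
            return action == "permit"   # first matching entry decides
        return False                    # implicit deny at the end of every ACL

    def next_hop(self, pkt: Packet) -> Optional[str]:
        """Next hop for a packet arriving on the policy-routed interface."""
        for _, clauses in sorted(self.maps.get(self.applied, []), key=lambda s: s[0]):
            # a permit sequence with no match clause matches everything
            if clauses["acl"] is None or self.acl_permits(clauses["acl"], pkt):
                return clauses["next_hop"] or self.default_next_hop
        return self.default_next_hop   # no sequence matched: normal routing


# Scott's draft, merged into one route-map and with `ip ... eq 25` corrected to tcp.
FIRST_DRAFT = """
access-list 101 permit ip any any
access-list 102 permit tcp any any eq 25
access-list 102 permit tcp any any eq 110
route-map PBR permit 10
 match ip address 101
 set ip next-hop 1.1.1.1
route-map PBR permit 12
 match ip address 102
 set ip next-hop 2.2.2.1
interface FastEthernet0/0
 ip policy route-map PBR
ip route 0.0.0.0 0.0.0.0 1.1.1.1
"""

# Jon's simplification, plus a source-port-25 entry for replies to inbound mail.
SIMPLIFIED = """
ip route 0.0.0.0 0.0.0.0 1.1.1.1
access-list 102 permit tcp any any eq 25
access-list 102 permit tcp any any eq 110
access-list 102 permit tcp any eq 25 any
route-map EXCH permit 10
 match ip address 102
 set ip next-hop 2.2.2.1
interface FastEthernet0/0
 ip policy route-map EXCH
"""


def demo() -> Dict[str, Optional[str]]:
    """Constructed packets run through both configs."""
    smtp_out = Packet("tcp", 49152, 25)     # Exchange sending mail out
    smtp_reply = Packet("tcp", 25, 51000)   # Exchange answering inbound SMTP
    web = Packet("tcp", 49153, 80)          # ordinary user traffic
    ping = Packet("icmp")
    first, simple = Policy(FIRST_DRAFT), Policy(SIMPLIFIED)
    return {
        "first_draft_smtp": first.next_hop(smtp_out),       # 1.1.1.1: seq 10 swallows it
        "simplified_smtp": simple.next_hop(smtp_out),       # 2.2.2.1
        "simplified_smtp_reply": simple.next_hop(smtp_reply),  # 2.2.2.1
        "simplified_web": simple.next_hop(web),             # 1.1.1.1 via default route
        "simplified_ping": simple.next_hop(ping),           # 1.1.1.1
    }


if __name__ == "__main__":
    for name, hop in demo().items():
        print(f"{name:24} -> {hop}")
```

The first result is the ordering problem Scott anticipated: with `permit ip any any` in sequence 10, sequence 12 never sees a packet, so Exchange traffic goes out WAN1. The simplified config has no such sequence, so anything ACL 102 does not permit is simply routed by the default route, which is Jon's point. Applying the map on the router interface facing the ASA's outside also means the ACL matches the traffic after the ASA has NATed it, which is why `any any` is enough here.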
09-09-2010 08:15 PM
Thanks for the reply, Jon. Very helpful.
I just threw up a mock config in notepad with the changes you suggested. Does it look like it'll work? (attached)
I'm hoping the ASA inside and Router fe0 is how to do it correctly.
If so, then I can just do:
! allow inbound SMTP to both public addresses, applied inbound on outside
access-list incoming extended permit tcp any host 1.1.1.2 eq 25
access-list incoming extended permit tcp any host 2.2.2.2 eq 25
access-group incoming in interface outside
! static port translations for the Exchange server (pre-8.3 syntax)
static (inside,outside) tcp 2.2.2.2 25 192.168.1.5 25 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 25 192.168.1.5 25 netmask 255.255.255.255
I know I'm pointing both Static IP's to the same internal, but I'm hoping to implement failover once I get the PBR config figured out.
Thanks again, Jon!