Routing Question Confusion

micklacey
Level 1

hey all you Cisco experts!!

I have a question.

I want to route all traffic to 1 website we use a lot for streaming to a particular interface on my router.

This interface is directly connected to my ASA, which we use for VPN termination, and I want to push the HTTP traffic for this site out over that line as it has less contention.

So I put in the following commands on the router:

ip route 89.207.56.140 255.255.255.255 10.254.0.5

10.254.0.5 is the IP on the interface connected to the ASA.

On the ASA I configured the following:

route INTERFACENAME 89.207.56.140 255.255.255.255 defaultgatewayip 1

So this basically didn't work. I couldn't get on to the website we stream from. So obviously the commands had an effect, but I must be missing something here.

Anyone any ideas? Thanks


Jon Marshall
Hall of Fame

Michael

Can you draw a quick diagram, nothing fancy, to show the connections and what you are trying to do.

Jon

I want to redirect all HTTP traffic to e.g. www.cisco.com over our leased line but still have all other internet traffic using the DSL line.

fgasimzade
Level 4

Can you give more details, like from which subnet you are trying to connect to the webserver, etc.?

It will be any traffic from our LAN.

Are there routes on the ASA back to your LAN?

I presume so.

Our site-to-site VPNs back to the ASA can RDP to PCs on the LAN once connected.

Yes there is, I just checked, to our LAN subnet via 10.254.0.6, which is the IP of the interface of the router that is directly connected to the ASA.

Couple of things to check -

1) routes back to LAN from ASA as already suggested

2) do you have NAT setup on the ASA to NAT your LAN addresses (assuming LAN addresses are private)

3) do you have an acl applied on the interface of the ASA that connects to the router

4) how far do you get when tracerouting from a LAN client to web address ie. does it go from router to ASA

Jon

1) routes back to LAN from ASA as already suggested

YES

2) do you have NAT setup on the ASA to NAT your LAN addresses (assuming LAN addresses are private)

NO - as the line was only used for VPN connectivity before now

3) do you have an acl applied on the interface of the ASA that connects to the router

NO - not that I can see. There are some ACLs but not applied to that interface.

4) how far do you get when tracerouting from a LAN client to web address ie. does it go from router to ASA

Nowhere. It just timed out.

If your LAN addresses are private addresses, e.g. 192.168/172.16/10 addresses, then you will have to set up NAT or else the packets cannot be routed across the internet.

Does your ASA outside interface have a public IP address ?

In addition, if you traceroute from a client you should at least see one hop ie. the router, if nothing else.

Jon

OK, sorry, I misunderstood. Yes, the ASA has a public IP alright.

I thought you meant a NAT between router and ASA.

Is the subnet mask in the ip route command OK?

I can't find any info on that at all.

OK, I will try again, step by step. I will enter the route on the router to force it to the ASA and see do I get a hop.

Also, should the route I enter on the router have the IP of the next hop, i.e. 10.254.0.5, or the IP of the interface I want it to go out on, i.e. 10.254.0.6, which is the IP of the interface on the router?

Routing statements are correct, check your NAT settings on the ASA.

Subnet mask is fine. Next hop from the router is the ASA interface to which the router connects.

What I meant about NAT is that you must NAT LAN addresses on the ASA, i.e. you would have something like this on the ASA -

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

If it's not there, though, you need to be careful before you simply add that because it could mess up your VPN connections, i.e. you would probably need to do a NAT exemption for your VPN connections, so don't just add the above. You could be more specific in the NAT statement and only add the specific LAN subnet(s), e.g.

nat (inside) 1 10.5.1.0 255.255.255.0

nat (inside) 1 10.6.1.0 255.255.255.0

global (outside) 1 interface

But again you would need to make sure none of the addresses specified in the nat (inside) .... statement included your VPN client addresses.

Jon
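
Added example, not part of any post in this thread: a small Python check for the caveat in the reply above, that the networks named in the pre-8.3 style `nat (inside) <id> <network> <mask>` statements must not include VPN client addresses. The VPN ranges in `VPN_CLIENT_NETS` are constructed for illustration and the function names are hypothetical.

```python
import ipaddress
import re

# Pre-8.3 ASA source NAT statement: nat (<ifc>) <id> <network> <mask>
NAT_RE = re.compile(
    r"^\s*nat\s+\((\S+)\)\s+(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
)

def parse_nat_sources(config_text):
    """Return (interface, nat_id, network) for every translating nat statement."""
    sources = []
    for line in config_text.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        ifc, nat_id, net, mask = m.groups()
        if int(nat_id) == 0:
            continue  # id 0 is identity NAT / exemption: no translation happens
        prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
        sources.append((ifc, int(nat_id),
                        ipaddress.ip_network(f"{net}/{prefix}", strict=False)))
    return sources

def nat_vpn_overlaps(config_text, vpn_networks):
    """Return (nat_network, vpn_network) string pairs that share addresses."""
    vpn = [ipaddress.ip_network(n) for n in vpn_networks]
    return [(str(src), str(v))
            for _, _, src in parse_nat_sources(config_text)
            for v in vpn if src.overlaps(v)]

# The two NAT variants quoted in the reply above.
BROAD_NAT = """nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface"""
SPECIFIC_NAT = """nat (inside) 1 10.5.1.0 255.255.255.0
nat (inside) 1 10.6.1.0 255.255.255.0
global (outside) 1 interface"""

# Constructed VPN client ranges (assumption, not from the thread).
VPN_CLIENT_NETS = ["10.6.1.128/25", "192.168.50.0/24"]

if __name__ == "__main__":
    for name, cfg in (("broad", BROAD_NAT), ("specific", SPECIFIC_NAT)):
        for nat_net, vpn_net in nat_vpn_overlaps(cfg, VPN_CLIENT_NETS):
            print(f"{name}: nat source {nat_net} covers VPN range {vpn_net}")
```

Any pair it reports is a range that needs a NAT exemption, or a narrower `nat` statement, before the translation is enabled.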

micklacey
Level 1

OK, so I am back to this problem now.

At the moment I have a route out on the ASA. I can ping and tracert from the ASA to the IP 89.207.56.140.

I can't get to the address from the router. When I do a trace it fails also.

So I think before I even get to NATting I have a problem with the route somewhere.

Router Config:

ip route 89.207.56.140 255.255.255.255 10.254.0.5 - 0.5 is the IP of the ASA interface connected to the router

On the interface connected to the ASA, the config below also exists on the router:

interface FastEthernet0/0/3

switchport access vlan 40

duplex full

speed 100

VLAN 40 config:

interface Vlan40

ip address 10.254.0.6 255.255.255.252

ip nat outside

ip virtual-reassembly

ASA config

route INTERFACENAME 89.207.56.140 255.255.255.255 nexthop 1

Interface config on the ASA interface directly connected to the router:

interface GigabitEthernet0/3

speed 100

duplex full

nameif inside

security-level 100

ip address 10.254.0.5 255.255.255.252

ospf cost 10
