06-14-2014 04:14 PM - edited 03-07-2019 07:44 PM
Dears,
As you can see in the image, I have two different setups.
ISP A setup is completely dedicated for Production & ISP B setup is dedicated for whole staff internet.
Below is the network information;
Firewall:
GigE0/0 - PUBLIC IP (PAT)
GigE0/1 - 192.168.0.1/24 no dhcp
ISP B Router:
ATM 0 - PUBLIC IP (PAT)
FaE0/0 - 192.168.0.2/24
FaE0/1 - 192.168.92.1/24 dhcp
Servers - 192.168.0.xxx/24
Clients - 192.168.92.xxx/24
All the clients have internet access through ISP B.
If a client wants to connect to any of the servers, what kind of configuration is required on the ISP B router? I thought of route-maps or doing static routing between the Firewall & ISP B Router, but I am not sure which is the best practice to do so.
Kindly suggest with some suitable solutions.
Regards
06-14-2014 07:23 PM
Hi Mohammed,
I'm not a firewall guy but still trying to use my logic here.
Based on the assumption that clients have their default gateway configured as the ISP B router, the servers have their default gateway configured as the firewall, and the connection between ISP B Fas 0/0 and the server switch is working, you can add a single static entry on the firewall as below. Please be aware that the syntax will be different based on what firewall you are using. There is no other configuration required on the ISP B router. The logic here is that when a server tries to reach the clients, the traffic will be sent to the default gateway, and the default gateway should know where to send the traffic.
ip route 192.168.92.0 255.255.255.0 192.168.0.2
Hope that helps.
Regards
Najaf
06-15-2014 03:20 PM
Hi Najaf,
Thanks for your answer. Yes, I know that by just adding a static route in my firewall the clients can reach the servers, but I want more specific access. As an example, I want only some clients to reach the server network but not all, and the traffic should be one way only, with access only to specific protocols like 21, 88, 443, 3306, 3389 etc.
Regards
@Mohammed
06-15-2014 09:37 PM
Hi,
I'm sure that you are well aware that this can be easily achieved by putting an ACL on the ISP B router. With an extended ACL you can control which client IP addresses should have access to the server on specific port numbers.
Hope that helps
Regards
Najaf
06-15-2014 06:13 AM
Hi Shareef,
On the ISP-B router, you can have PBR created for diverting access to the servers from the clients. On the server side you can have a static route to reach the clients.
Hope this helps
Regards
Karthik
06-15-2014 03:23 PM
Hi Karthik,
Thanks for your answer. May I know how PBR works (a basic example config would be more helpful) and what the benefits of it are?
Regards
@Mohammed
06-15-2014 11:20 PM
Hi Shareef,
Below is an example of PBR.
ip access-list extended Redirect_PBR
permit tcp host 192.168.92.10 host 192.168.0.10 eq 443
permit tcp host 192.168.92.10 host 192.168.0.10 eq 21
.
.
.
etc
!
route-map Client_Server permit 10
match ip address Redirect_PBR
 ! next hop is the firewall's inside interface on the Server LAN
 set ip next-hop 192.168.0.1
!
interface FastEthernet0/1
ip policy route-map Client_Server
!
You can have the required filter rule created as an ACL... you can restrict however you want. Map that ACL to the route map and set a next hop to the needed routing point. Then finally map that route map to the interface of the router. In this case all traffic mentioned in the route map and access-list will follow the PBR rule. All other traffic will route as usual with the default route.
Hope this helps
Regards
Karthik
06-16-2014 03:49 AM
Hi Karthik,
Thanks for the example. It looks simple, but I am worried about the ACLs: I have multiple ACLs configured in the ISP B Router, and I am also very much afraid of other clients having access to the servers, so I will do this now in Packet Tracer and get back to you with the results shortly.
Regards
@Mohammed
06-16-2014 04:05 AM
Hi Shareef,
Yeah, that would be a fair idea to test it through Packet Tracer and then move on to the production environment. But it works; I have implemented it like this for a couple of customers. Make sure that you filter as much as possible to get an exact benefit out of the result.
21, 88, 443, 3306, 3389: you can put these ports alone in the ACL and try it out.
All the best.
Hope this helps
Regards
Karthik
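As an added example that is not from anyone in this thread, here is how the interface ACL approach Najaf mentioned can be laid out on the ISP B router for the ports Mohammed listed: only named clients may open sessions to the server LAN on those ports, and the server side can only answer, never initiate. It assumes FastEthernet0/1 faces the clients (192.168.92.0/24) and FastEthernet0/0 faces the server LAN (192.168.0.0/24); the client addresses 192.168.92.10 and 192.168.92.11 are constructed placeholders, and Najaf's static route on the firewall (192.168.92.0/24 via 192.168.0.2) is still needed so the servers' replies find their way back.

```cisco
! Added example, not the original poster's or Karthik's config.
! Client -> server direction, applied inbound on the client-facing interface.
ip access-list extended CLIENTS_TO_SERVERS
 remark -- constructed example clients; one line per allowed TCP port
 permit tcp host 192.168.92.10 192.168.0.0 0.0.0.255 eq 21
 permit tcp host 192.168.92.10 192.168.0.0 0.0.0.255 eq 88
 permit tcp host 192.168.92.10 192.168.0.0 0.0.0.255 eq 443
 permit tcp host 192.168.92.10 192.168.0.0 0.0.0.255 eq 3306
 permit tcp host 192.168.92.10 192.168.0.0 0.0.0.255 eq 3389
 permit tcp host 192.168.92.11 192.168.0.0 0.0.0.255 eq 443
 remark -- Kerberos (88) also uses UDP; add it only if that is actually required
 remark -- every other client is blocked from the server LAN, and logged
 deny   ip 192.168.92.0 0.0.0.255 192.168.0.0 0.0.0.255 log
 remark -- internet traffic through ISP B is unaffected
 permit ip 192.168.92.0 0.0.0.255 any
!
! Server -> client direction, applied inbound on the server-facing interface.
! Only replies to sessions the clients opened are allowed back.
ip access-list extended SERVERS_TO_CLIENTS
 permit tcp 192.168.0.0 0.0.0.255 192.168.92.0 0.0.0.255 established
 deny   ip 192.168.0.0 0.0.0.255 192.168.92.0 0.0.0.255 log
 remark -- anything else arriving from the server LAN (e.g. to the router) is left alone
 permit ip any any
!
interface FastEthernet0/1
 ip access-group CLIENTS_TO_SERVERS in
!
interface FastEthernet0/0
 ip access-group SERVERS_TO_CLIENTS in
```

The `established` keyword only checks TCP flags and is not stateful; if you need true stateful one-way access, use the router's zone-based firewall (`zone-pair` with `inspect`) instead of the second ACL. Check hits with `show ip access-lists` before trusting the filter in production.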
06-16-2014 04:42 AM
Hi Karthik,
PBR is not supported on Packet Tracer.
I think I have to test it on GNS now, or else I have an extra piece of hardware; let me see and get back to you.
Regards
@Mohammed
06-23-2014 04:52 AM
Hi Shareef,
Did you manage to get this tested?
Regards
Karthik