I have two outside interfaces and need to send separate traffic through each of them

mohammad saeed
Level 5

Hi Guys,

I have two outside interfaces:

interface GigabitEthernet0/5
nameif GSNoutside
security-level 0
ip address 10.198.5.133 255.255.255.128

and

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.100.241 255.255.255.0 standby 192.168.100.242
!

and this is the inside:
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.230.241 255.255.255.0 standby 10.10.230.242

The topology is attached.

I have two outside interfaces: one is connected to the ISR (nameif outside) and the other connects to another network called GSN (nameif GSNoutside).

I want to route these hosts (10.10.3.150, 10.10.3.151) and these networks (10.178.0.0 255.255.0.0 and 10.196.0.0 255.252.0.0, via 10.198.5.129) out the GSNoutside interface, and send the rest of the inside traffic to the outside interface.

Right now I have one default route that directs all traffic to the ISR (outside), so I cannot forward the two hosts to the GSNoutside interface.

route outside 0.0.0.0 0.0.0.0 192.168.100.243 >> this is the default route to the ISR

And lastly I need to make a NAT between (10.10.3.150 >> 10.198.5.224) and (10.10.3.151 >> 10.198.5.244).

I am thinking it would be like this:


route GSNoutside 10.178.0.0 255.255.0.0 10.198.5.129 
route GSNoutside 10.196.0.0 255.252.0.0 10.198.5.129

object network NETWORK_10.10.3.150
 host 10.10.3.150
object network NETWORK_10.198.5.244
 host 10.198.5.244
 
object network NETWORK_10.10.3.151
 host 10.10.3.151
object network NETWORK_10.198.5.224
 host 10.198.5.224
 
access-list PBR_TESTSRVR extended permit ip host 10.10.3.151 any <-- matches TEST SERVER
access-list PBR_PRODSRVR extended permit ip host 10.10.3.150 any <-- matches PRODUCTION SERVER
access-list PBR_ISR extended permit ip any any <-- matches any network to ISR

route-map PBR permit 2  
match ip address PBR_TESTSRVR 
set ip next-hop 10.198.5.129 

route-map PBR permit 3  
match ip address PBR_PRODSRVR 
set ip next-hop 10.198.5.129 


route-map PBR permit 4 
match ip address PBR_ISR 
set ip next-hop 192.168.100.243

interface GigabitEthernet0/1
policy-route route-map PBR

nat (inside,GSNoutside) source static NETWORK_10.198.5.244 NETWORK_10.198.5.224 destination static NETWORK_10.10.3.150 NETWORK_10.10.3.151 no-proxy-arp route-lookup

Is it correct?

Thanks,

Mohammad Saeed

14 Replies

Hi @mohammad saeed 

Your NAT rule seems incorrect; 10.10.3.x is inside your network?

If you want to NAT (10.10.3.150 >> 10.198.5.224) and (10.10.3.151 >> 10.198.5.244) then try this:-

object network HOST1
 host 10.10.3.150
 nat (inside,GSNoutside) static 10.198.5.224
object network HOST2
 host 10.10.3.151
 nat (inside,GSNoutside) static 10.198.5.244

HTH

Hi @Rob Ingram, many thanks for the assistance.

Yes, 10.10.3.x is inside the ASA.

What about the routing issue, is it correct?

@mohammad saeed 

It might be better to merge PBR_TESTSRVR and PBR_PRODSRVR into one ACL and one route-map entry, as they both route to the same next hop. For any amendments you then just modify the ACL.

You don't necessarily need the third route-map entry and associated ACL for all other traffic; just define a static route. Any traffic that doesn't match the PBR for TEST/PROD would be routed out the default route.

balaji.bandi
Hall of Fame

I would go with the routes below (with weights) and interface-based NAT, along with your PBR:


route GSNoutside 0.0.0.0 0.0.0.0 ISP1GatewayIP 1
route outside 0.0.0.0 0.0.0.0 ISP2GatewayIP 2

nat (inside,outside) dynamic interface
nat (inside,GSNoutside) dynamic interface

BB

But here ISP1GatewayIP is the first one and ISP2GatewayIP is the second? How can the ASA know about the network 10.10.3.x, or the networks (10.178.0.0 255.255.0.0 and 10.196.0.0 255.252.0.0 via 10.198.5.129)?

mohammad saeed
Level 5

So if I use it this way, will it not work?:

access-list PBR_TESTSRVR extended permit ip host 10.10.3.151 any 
access-list PBR_PRODSRVR extended permit ip host 10.10.3.150 any 
access-list PBR_178 extended permit ip 10.178.0.0 255.255.0.0 any 
access-list PBR_196 extended permit ip 10.196.0.0 255.252.0.0 any 
access-list PBR_ISR extended permit ip any any 

route-map PBR permit 2  
match ip address PBR_TESTSRVR 
set ip next-hop 10.198.5.129 

route-map PBR permit 3  
match ip address PBR_PRODSRVR 
set ip next-hop 10.198.5.129 

route-map PBR permit 4  
match ip address PBR_178 
set ip next-hop 10.198.5.129

route-map PBR permit 5  
match ip address PBR_196 
set ip next-hop 10.198.5.129

route-map PBR permit 6 
match ip address PBR_ISR 
set ip next-hop 192.168.100.243

interface GigabitEthernet0/1
policy-route route-map PBR

Yes, it will work. I was suggesting an alternate method to reduce configuration and the overhead of processing multiple PBR route-map entries. This is what I was suggesting:

access-list PBR_ISP2 extended permit ip host 10.10.3.151 any 
access-list PBR_ISP2 extended permit ip host 10.10.3.150 any
access-list PBR_ISP2 extended permit ip 10.178.0.0 255.255.0.0 any
access-list PBR_ISP2 extended permit ip 10.196.0.0 255.252.0.0 any

route-map PBR permit 2
match ip address PBR_ISP2
set ip next-hop 10.198.5.129
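
Putting the thread's pieces together, here is a consolidated configuration for the scenario as an added example; it was written for this page and was not posted by anyone in the thread. It keeps the two GSN destination networks on static routes, as the OP's first draft did, because an entry such as `permit ip 10.178.0.0 255.255.0.0 any` in a PBR ACL matches packets whose source is 10.178.0.0/16, not packets sent to it; traffic from inside hosts to those networks never matches such an entry, so destination-based static routes are the right tool there. PBR is then needed only for the two hosts whose traffic should leave via GSNoutside regardless of destination. The mapped addresses 10.198.5.224 and 10.198.5.244 sit inside the GSNoutside subnet (10.198.5.128/25), so the ASA has to answer ARP for them: the default proxy ARP of object NAT is left on, and the `no-proxy-arp` keyword from the first draft would break return traffic unless the GSN router had static routes for those addresses pointing at the ASA. The PBR ACL only selects traffic for routing; it permits nothing, so the interface access lists still apply. The interface names, addresses and next hops are the thread's own; the route to 10.10.3.0/24 via inside is an assumption (the thread does not show how that subnet is reached), and the destination addresses in the packet-tracer lines are constructed test values.

```text
! ---- Added example: consolidated ASA config for the thread's scenario ----
! Interface names, hosts and next hops are the ones posted in the thread.

! ASSUMPTION: 10.10.3.0/24 must be reachable via the inside interface for the
! return path; the thread does not show this route, so add it if it is missing.
! route inside 10.10.3.0 255.255.255.0 <next-hop on 10.10.230.0/24>

! Destination-based forwarding: the GSN networks go out GSNoutside,
! everything else falls through to the default route toward the ISR.
route GSNoutside 10.178.0.0 255.255.0.0 10.198.5.129
route GSNoutside 10.196.0.0 255.252.0.0 10.198.5.129
route outside 0.0.0.0 0.0.0.0 192.168.100.243

! Source-based override: all traffic from the two servers leaves via GSNoutside,
! whatever the destination. One ACL and one route-map entry are enough.
access-list PBR_GSN extended permit ip host 10.10.3.150 any
access-list PBR_GSN extended permit ip host 10.10.3.151 any
!
route-map PBR permit 10
 match ip address PBR_GSN
 set ip next-hop 10.198.5.129
!
interface GigabitEthernet0/1
 policy-route route-map PBR

! Static NAT for the two hosts toward GSN. The mapped addresses are inside
! 10.198.5.128/25, so proxy ARP (on by default for object NAT) must stay enabled.
object network HOST_PROD
 host 10.10.3.150
 nat (inside,GSNoutside) static 10.198.5.224
object network HOST_TEST
 host 10.10.3.151
 nat (inside,GSNoutside) static 10.198.5.244

! Verification (enable mode). Destination addresses below are constructed test values.
! show route
!     expect the two GSN routes via 10.198.5.129 and the default via 192.168.100.243
! show nat
!     expect the two static translations on (inside,GSNoutside)
! packet-tracer input inside tcp 10.10.3.150 40000 10.178.1.10 443 detailed
!     expect a PBR lookup matching route-map PBR, egress GSNoutside, source NAT to 10.198.5.224
! packet-tracer input inside tcp 10.10.230.50 40000 8.8.8.8 443
!     expect no PBR match, egress outside via 192.168.100.243
! packet-tracer input inside tcp 10.10.230.50 40000 10.178.1.10 443
!     expect no PBR match, egress GSNoutside via the static route
```

If the two servers must still reach some prefixes via the ISR (for example, an internal network only reachable through outside), add `deny` entries for those destinations at the top of PBR_GSN: traffic denied by the PBR ACL is not policy-routed and falls back to the routing table. PBR on the ASA applies only to transit traffic arriving on the interface it is bound to, so it has no effect on connections the ASA itself originates.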

 

@Rob Ingram Thanks for making it simple, but you forgot the:

access-list PBR_ISR extended permit ip any any 

which I want so that any traffic except the specified is directed to the ISR.

@mohammad saeed 

I left it out intentionally. If not specified in the PBR it will be routed via the default route (as mentioned in previous post above).

@Rob Ingram you mean I have to use this default gateway:

route outside 0.0.0.0 0.0.0.0 ISP2GatewayIP 2

nat (inside,outside) dynamic interface

 

Use this default route:-

route outside 0.0.0.0 0.0.0.0 192.168.100.243 

Anything that doesn't match the PBR ACL above would be routed via the outside interface using the route above.

If you need to NAT, then the NAT rule above would work.

I got it..thank you  

mohammad saeed
Level 5

@Rob Ingram there is no set ip next-hop under

route-map PBR permit 2 

shintlarel14222
Level 1

If I am seeking to get access to phone services on Jabber from CUCM, connected to VPN, and CUCM is LDAP integrated without SSO, does it mean I may not need to provide phone service credentials on Jabber?
