Link to home
Start Free TrialLog in
Avatar of redcell5
redcell5Flag for United States of America

asked on

Need to route an external address to another site

All,
I have a site with an external address of 65.207.97.178 the exists in a site that has a subnet of 128.5.0.0.  I have this external address mapped in my PIX firewall to my corporate OWA server whose address is 128.1.0.16.  It is not reaching my OWA server.  Is the problem with my PIX or my Router?
PIX Version 7.1(2)
!
hostname CPFPix
domain-name MDVNF.COM
enable password XXXXXXX encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 65.207.97.162 255.255.255.224
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 128.5.0.13 255.255.0.0
!
passwd XXXXXXXXXXXXencrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name MDVNF.COM
access-list 101 extended permit tcp any host 65.207.97.174 eq www
access-list 101 extended permit tcp any host 65.207.97.174 eq https
access-list 101 extended permit tcp any host 65.207.97.175 eq www
access-list 101 extended permit tcp any host 65.207.97.175 eq https
access-list 101 extended permit tcp any host 65.207.97.176 eq 4080
access-list 101 extended permit tcp any host 65.207.97.176 eq https
access-list 101 extended permit tcp any host 65.207.97.177 eq www
access-list 101 extended permit tcp any host 65.207.97.177 eq 2024
access-list 101 extended permit tcp any host 65.207.97.177 eq 2044
access-list 101 extended permit tcp any host 65.207.97.177 eq 2048
access-list 101 extended permit tcp any host 65.207.97.174 eq 2024
access-list 101 extended permit tcp any host 65.207.97.174 eq 2044
access-list 101 extended permit tcp any host 65.207.97.174 eq 2048
access-list 101 extended permit tcp any host 65.207.97.178 eq www
access-list 101 extended permit tcp any host 65.207.97.178 eq smtp
access-list 101 extended permit tcp any host 65.207.97.178 eq pop3
access-list 101 extended permit tcp any host 65.207.97.178 eq https
access-list 101 extended permit tcp any host 65.207.97.179 eq 4080
access-list 101 extended permit tcp any host 65.207.97.179 eq https
access-list 101 extended permit tcp any host 65.207.97.180 eq https
access-list acl_outbound extended permit tcp 128.1.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.2.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.3.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.4.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.5.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.6.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.7.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.8.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.9.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit ip any any
access-list acl_outbound extended deny tcp any any eq www
access-list 100 extended permit ip 128.1.0.0 255.255.0.0 128.50.200.0 255.255.255.0
access-list 100 extended permit ip 128.5.0.0 255.255.0.0 128.50.200.0 255.255.255.0
access-list split_t extended permit ip 128.5.0.0 255.255.0.0 128.50.200.0 255.255.255.0
access-list VPN3000_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging device-id ipaddress inside
logging host inside 128.1.0.96
mtu outside 1500
mtu inside 1500
ip local pool vnp3000clients 128.50.200.1-128.50.200.50
no failover
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 65.207.97.163-65.207.97.173
global (outside) 1 interface
nat (inside) 1 128.1.0.0 255.255.0.0
nat (inside) 1 128.2.0.0 255.255.0.0
nat (inside) 1 128.3.0.0 255.255.0.0
nat (inside) 1 128.4.0.0 255.255.0.0
nat (inside) 1 128.5.0.0 255.255.0.0
nat (inside) 1 128.6.0.0 255.255.0.0
nat (inside) 1 128.7.0.0 255.255.0.0
nat (inside) 1 128.8.0.0 255.255.0.0
nat (inside) 1 128.9.0.0 255.255.0.0
static (inside,outside) 65.207.97.174 128.5.0.14 netmask 255.255.255.255
static (inside,outside) 65.207.97.175 128.5.0.15 netmask 255.255.255.255
static (inside,outside) 65.207.97.176 128.5.0.5 netmask 255.255.255.255
static (inside,outside) 65.207.97.177 128.1.0.27 netmask 255.255.255.255
static (inside,outside) 65.207.97.179 128.5.0.7 netmask 255.255.255.255
static (inside,outside) 65.207.97.180 128.1.0.9 netmask 255.255.255.255
static (inside,outside) 65.207.97.178 128.1.0.16 netmask 255.255.255.255
access-group 101 in interface outside
access-group acl_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 65.207.97.161 1
route inside 128.1.0.0 255.255.0.0 128.5.250.0 1
route inside 128.2.0.0 255.255.0.0 128.5.250.0 1
route inside 128.3.0.0 255.255.0.0 128.5.250.0 1
route inside 128.4.0.0 255.255.0.0 128.5.250.0 1
route inside 128.6.0.0 255.255.0.0 128.5.250.0 1
route inside 128.7.0.0 255.255.0.0 128.5.250.0 1
route inside 128.8.0.0 255.255.0.0 128.5.250.0 1
route inside 128.9.0.0 255.255.0.0 128.5.250.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn3000 internal
group-policy vpn3000 attributes
 wins-server value 128.1.0.11
 dns-server value 128.5.0.11
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_t
 default-domain value mdvnf.com
http server enable
http 128.5.0.13 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MDVTRANS esp-des esp-md5-hmac
crypto dynamic-map MDVMAP 10 set transform-set MDVTRANS
crypto dynamic-map MDVMAP 20 set transform-set MDVTRANS
crypto map MDVMAP1 10 ipsec-isakmp dynamic MDVMAP
crypto map MDVMAP1 interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool (outside) vnp3000clients
 authentication-server-group none
 authorization-server-group LOCAL
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
telnet 128.1.0.16 255.255.255.255 inside
telnet 128.1.50.1 255.255.255.255 inside
telnet 128.1.50.2 255.255.255.255 inside
telnet 128.5.0.6 255.255.255.255 inside
telnet 128.5.50.3 255.255.255.255 inside
telnet 128.1.0.96 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 128.5.0.11
dhcpd wins 128.5.0.11
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:
: end


Router config......

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Chester_R1
!
logging buffered 100000 debugging
no logging console
enable secret 5
enable password!
ip subnet-zero
no ip domain-lookup
!
ipx routing 0000.0c58.c289
!
!
!
interface Multilink1
 ip address 128.105.0.2 255.255.0.0
 delay 2000
 ipx network 105
 no cdp enable
 ppp multilink
 ppp multilink interleave
 multilink-group 1
!
interface Ethernet0
 ip address 128.5.250.0 255.255.0.0
 ip helper-address 128.1.0.29
 ip helper-address 128.1.0.26
 ip helper-address 128.1.0.96
 no ip redirects
 no ip mroute-cache
 media-type 10BaseT
 ipx network 5
 ipx type-20-propagation
 no mop enabled
!
interface Ethernet1
 no ip address
 no ip mroute-cache
 shutdown
 media-type 10BaseT
!
interface Serial0
 description WAN Link To Kingwood - Verizon 797482
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
!
interface Serial1
 description WAN to JESSUP
 ip address 128.209.0.1 255.255.0.0
 no ip mroute-cache
 ipx network 209
 ipx type-20-propagation
!
interface Serial2
 description WAN to Azalea - Cox 798144
 ip address 128.204.0.1 255.255.0.0
 no ip mroute-cache
 ipx network 204
 ipx type-20-propagation
!
interface Serial3
 description CPF Interface to DeCA
 ip address 172.23.2.14 255.255.255.252
!
interface Serial4
 description WAN Link to Kingwood - COX 797554
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
!
interface Serial5
 description MDV-CPF Frame Relay ZABHX7BX0001 DLCI 225
 no ip address
 encapsulation frame-relay
 no ip mroute-cache
!
interface Serial5.1 point-to-point
 description wan link to Ontario MCI ZABHNPG70001 DLCI 205
 ip address 128.108.0.1 255.255.0.0
 no ip mroute-cache
 ipx network 208
 ipx type-20-propagation
 frame-relay interface-dlci 205  
!
interface Serial5.2 point-to-point
 description wan link to Stockton MCI ZABHTJRV0001 DLCI 220
 ip address 128.107.0.1 255.255.0.0
 no ip mroute-cache
 ipx network 207
 ipx type-20-propagation
 frame-relay interface-dlci 220  
!
interface Serial5.3 point-to-point
 description wan link to Fife MCI ZABHNPG80001 DLCI 215
 ip address 128.103.0.1 255.255.0.0
 no ip mroute-cache
 ipx network 203
 ipx type-20-propagation
 frame-relay interface-dlci 215  
!
interface Serial6
 description WAN Link To Kingwood - COX 797555
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
!
interface Serial7
 no ip address
 no ip mroute-cache
 shutdown
!
router eigrp 500
 redistribute static
 passive-interface Serial3
 network 128.5.0.0
 network 128.103.0.0
 network 128.105.0.0
 network 128.106.0.0
 network 128.107.0.0
 network 128.108.0.0
 network 128.204.0.0
 network 128.209.0.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 128.5.0.13
ip route 172.16.0.0 255.255.0.0 172.23.2.13
ip route 172.23.0.0 255.255.0.0 172.23.2.13
no ip http server
!
logging source-interface Serial1
logging 128.1.50.2
access-list 60 permit 128.1.50.2
snmp-server engineID local 00000009020000000C58C289
snmp-server community public RO
snmp-server community miami-1-vice RW 60
snmp-server enable traps tty
!
!
ipx router eigrp 500
 network 204
 network 5
 network 209
 network 203
 network 207
 network 208
 network 105
 log-neighbor-changes
!
!
!



 
Avatar of batry_boy
batry_boy
Flag of United States of America image
Your ASA config looks OK regarding the static NAT for the OWA server and the ACL to let the traffic inbound to it.  From the ASA, can you ping 128.1.0.16?
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

I can ping 128.1.0.16 from int inside 5 times with 100% success....cannot do that from the vpn client....
Avatar of batry_boy
batry_boy
Flag of United States of America image
Is the problem you're wanting to solve the issue with not being able to see that server from a VPN client or is it that traffic isn't making it from the public IP address of the OWA server inbound to the OWA server itself?

Since you mentioned that the VPN client cannot ping the server, I started looking in your config for reasons why not.  You need to add a few statements to your config:

isakmp nat-traversal
access-list nonat permit ip 128.5.0.0 255.255.0.0 128.50.200.0 255.255.255.0
nat (inside) 0 access-list nonat

See if those help with the VPN clients being able to see internal hosts...
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

no joy......
I can connect to the internet when I am on VPN, but no ping and I still cannot get the external mapping to the internal address on the other subnet weather I am VPN'd or not.....

here is the latest config file......
show run
: Saved
:
PIX Version 7.1(2)
!
hostname CPFPix
domain-name MDVNF.COM
enable password XXXXXXX encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 65.207.97.162 255.255.255.224
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 128.5.0.13 255.255.0.0
!
passwd XXXXXXXXXencrypted
ftp mode passive
dns server-group DefaultDNS
domain-name MDVNF.COM
access-list 101 extended permit tcp any host 65.207.97.174 eq www
access-list 101 extended permit tcp any host 65.207.97.174 eq https
access-list 101 extended permit tcp any host 65.207.97.175 eq www
access-list 101 extended permit tcp any host 65.207.97.175 eq https
access-list 101 extended permit tcp any host 65.207.97.176 eq 4080
access-list 101 extended permit tcp any host 65.207.97.176 eq https
access-list 101 extended permit tcp any host 65.207.97.177 eq www
access-list 101 extended permit tcp any host 65.207.97.177 eq 2024
access-list 101 extended permit tcp any host 65.207.97.177 eq 2044
access-list 101 extended permit tcp any host 65.207.97.177 eq 2048
access-list 101 extended permit tcp any host 65.207.97.174 eq 2024
access-list 101 extended permit tcp any host 65.207.97.174 eq 2044
access-list 101 extended permit tcp any host 65.207.97.174 eq 2048
access-list 101 extended permit tcp any host 65.207.97.178 eq www
access-list 101 extended permit tcp any host 65.207.97.178 eq smtp
access-list 101 extended permit tcp any host 65.207.97.178 eq pop3
access-list 101 extended permit tcp any host 65.207.97.178 eq https
access-list 101 extended permit tcp any host 65.207.97.179 eq 4080
access-list 101 extended permit tcp any host 65.207.97.179 eq https
access-list 101 extended permit tcp any host 65.207.97.180 eq https
access-list acl_outbound extended permit tcp 128.1.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.2.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.3.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.4.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.5.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.6.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.7.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.8.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.9.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit ip any any
access-list acl_outbound extended deny tcp any any eq www
access-list 100 extended permit ip 128.1.0.0 255.255.0.0 128.50.200.0 255.255.255.0
access-list 100 extended permit ip 128.5.0.0 255.255.0.0 128.50.200.0 255.255.255.0
access-list split_t extended permit ip 128.5.0.0 255.255.0.0 128.50.200.0 255.255.255.0
access-list VPN3000_splitTunnelAcl standard permit any
access-list nonat extended permit ip 128.5.0.0 255.255.0.0 128.50.200.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging device-id ipaddress inside
logging host inside 128.1.0.96
mtu outside 1500
mtu inside 1500
ip local pool vnp3000clients 128.50.200.1-128.50.200.50
no failover
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 65.207.97.163-65.207.97.173
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 128.1.0.0 255.255.0.0
nat (inside) 1 128.2.0.0 255.255.0.0
nat (inside) 1 128.3.0.0 255.255.0.0
nat (inside) 1 128.4.0.0 255.255.0.0
nat (inside) 1 128.5.0.0 255.255.0.0
nat (inside) 1 128.6.0.0 255.255.0.0
nat (inside) 1 128.7.0.0 255.255.0.0
nat (inside) 1 128.8.0.0 255.255.0.0
nat (inside) 1 128.9.0.0 255.255.0.0
static (inside,outside) 65.207.97.174 128.5.0.14 netmask 255.255.255.255
static (inside,outside) 65.207.97.175 128.5.0.15 netmask 255.255.255.255
static (inside,outside) 65.207.97.176 128.5.0.5 netmask 255.255.255.255
static (inside,outside) 65.207.97.177 128.1.0.27 netmask 255.255.255.255
static (inside,outside) 65.207.97.179 128.5.0.7 netmask 255.255.255.255
static (inside,outside) 65.207.97.180 128.1.0.9 netmask 255.255.255.255
static (inside,outside) 65.207.97.178 128.1.0.16 netmask 255.255.255.255
access-group 101 in interface outside
access-group acl_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 65.207.97.161 1
route inside 128.1.0.0 255.255.0.0 128.5.250.0 1
route inside 128.2.0.0 255.255.0.0 128.5.250.0 1
route inside 128.3.0.0 255.255.0.0 128.5.250.0 1
route inside 128.4.0.0 255.255.0.0 128.5.250.0 1
route inside 128.6.0.0 255.255.0.0 128.5.250.0 1
route inside 128.7.0.0 255.255.0.0 128.5.250.0 1
route inside 128.8.0.0 255.255.0.0 128.5.250.0 1
route inside 128.9.0.0 255.255.0.0 128.5.250.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn3000 internal
group-policy vpn3000 attributes
 wins-server value 128.1.0.11
 dns-server value 128.5.0.11
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_t
 default-domain value mdvnf.com
http server enable
http 128.5.0.13 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MDVTRANS esp-des esp-md5-hmac
crypto dynamic-map MDVMAP 10 set transform-set MDVTRANS
crypto dynamic-map MDVMAP 20 set transform-set MDVTRANS
crypto map MDVMAP1 10 ipsec-isakmp dynamic MDVMAP
crypto map MDVMAP1 interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp nat-traversal  20
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool (outside) vnp3000clients
 authentication-server-group none
 authorization-server-group LOCAL
default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 128.5.0.11
dhcpd wins 128.5.0.11
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:
: end

 
Avatar of batry_boy
batry_boy
Flag of United States of America image
Just noticed that you have split tunneling that is sending only traffic for 128.5.0.0/16 hosts down the tunnel and you're trying to ping 128.1.0.16.  Add these commands and try to ping that host again:

access-list split_t extended permit ip 128.1.0.0 255.255.0.0 128.50.200.0 255.255.255.0
access-list nonat extended permit ip 128.1.0.0 255.255.0.0 128.50.200.0 255.255.255.0
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

done....going to test in a few and advise...
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

No joy....another post I have out there concerning a similar topic is that the route statement should not look like this:
route inside 128.1.0.0 255.255.0.0 128.5.250.0 1
route inside 128.2.0.0 255.255.0.0 128.5.250.0 1
route inside 128.3.0.0 255.255.0.0 128.5.250.0 1
route inside 128.4.0.0 255.255.0.0 128.5.250.0 1
route inside 128.6.0.0 255.255.0.0 128.5.250.0 1
route inside 128.7.0.0 255.255.0.0 128.5.250.0 1
route inside 128.8.0.0 255.255.0.0 128.5.250.0 1
route inside 128.9.0.0 255.255.0.0 128.5.250.0 1

The 128.5.250.0 is the Eth0 connection on my router.  Our subnet mask is 255.255.0.0.....could this be a problem or is the 128.5.250.0 address valid thus making the route statement valid?
Avatar of batry_boy
batry_boy
Flag of United States of America image
With the netmask 255.255.0.0, it is entirely possible that 128.5.250.0 is a valid router IP address.  I assumed that this was correct, but we can verify if you post the router config.

Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

It is correct....here is the router configs for the source and the destination (corporate)
Source to be routed....
!* Chester_R1.CiscoConfig
!* IP Address : 128.5.250.0
!*!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Chester_R1
!
logging buffered 100000 debugging
no logging console
enable secret 5
enable password 7
ip subnet-zero
no ip domain-lookup
!
ipx routing 0000.0c58.c289
!
!
!
interface Multilink1
 ip address 128.105.0.2 255.255.0.0
 delay 2000
 ipx network 105
 no cdp enable
 ppp multilink
 ppp multilink interleave
 multilink-group 1
!
interface Ethernet0
 ip address 128.5.250.0 255.255.0.0
 ip helper-address 128.1.0.29
 ip helper-address 128.1.0.26
 ip helper-address 128.1.0.96
 no ip redirects
 no ip mroute-cache
 media-type 10BaseT
 ipx network 5
 ipx type-20-propagation
 no mop enabled
!
interface Ethernet1
 no ip address
 no ip mroute-cache
 shutdown
 media-type 10BaseT
!
interface Serial0
 description WAN Link To Kingwood - Verizon 797482
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
!
interface Serial1
 description WAN to JESSUP
 ip address 128.209.0.1 255.255.0.0
 no ip mroute-cache
 ipx network 209
 ipx type-20-propagation
!
interface Serial2
 description WAN to Azalea - Cox 798144
 ip address 128.204.0.1 255.255.0.0
 no ip mroute-cache
 ipx network 204
 ipx type-20-propagation
!
interface Serial3
 description CPF Interface to DeCA
 ip address 172.23.2.14 255.255.255.252
!
interface Serial4
 description WAN Link to Kingwood - COX 797554
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
!
interface Serial5
 description MDV-CPF Frame Relay ZABHX7BX0001 DLCI 225
 no ip address
 encapsulation frame-relay
 no ip mroute-cache
!
interface Serial5.1 point-to-point
 description wan link to Ontario MCI ZABHNPG70001 DLCI 205
 ip address 128.108.0.1 255.255.0.0
 no ip mroute-cache
 ipx network 208
 ipx type-20-propagation
 frame-relay interface-dlci 205  
!
interface Serial5.2 point-to-point
 description wan link to Stockton MCI ZABHTJRV0001 DLCI 220
 ip address 128.107.0.1 255.255.0.0
 no ip mroute-cache
 ipx network 207
 ipx type-20-propagation
 frame-relay interface-dlci 220  
!
interface Serial5.3 point-to-point
 description wan link to Fife MCI ZABHNPG80001 DLCI 215
 ip address 128.103.0.1 255.255.0.0
 no ip mroute-cache
 ipx network 203
 ipx type-20-propagation
 frame-relay interface-dlci 215  
!
interface Serial6
 description WAN Link To Kingwood - COX 797555
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
!
interface Serial7
 no ip address
 no ip mroute-cache
 shutdown
!
router eigrp 500
 redistribute static
 passive-interface Serial3
 network 128.5.0.0
 network 128.103.0.0
 network 128.105.0.0
 network 128.106.0.0
 network 128.107.0.0
 network 128.108.0.0
 network 128.204.0.0
 network 128.209.0.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 128.5.0.13
ip route 172.16.0.0 255.255.0.0 172.23.2.13
ip route 172.23.0.0 255.255.0.0 172.23.2.13
no ip http server
!
logging source-interface Serial1
logging 128.1.50.2
access-list 60 permit 128.1.50.2
snmp-server engineID local 00000009020000000C58C289
snmp-server community public RO
snmp-server community miami-1-vice RW 60
snmp-server enable traps tty
!
!
ipx router eigrp 500
 network 204
 network 5
 network 209
 network 203
 network 207
 network 208
 network 105
 log-neighbor-changes
!
!
!
.


_
!
line con 0
 password 7 124857443B253F2703
line aux 0
 password 7 124857443B253F2703
line vty 0 4
 password 7 055A545C08627D2A30
 login
!
end


Destination containinge OWA server

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname norfolk3800
!
boot-start-marker
boot system flash c3825-entbasek9-mz.124-2.T1.bin
boot-end-marker
!
no logging buffered
enable secret 5
enable password 7!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip domain lookup
ip domain name MDVNF.COM
ipx routing 0000.0c58.c289
!
!
!
username cisco privilege 15 secret 5 $1$U6PE$3qj4.9.znW8TM2IwG5m9n.
username MDV privilege 15 secret 5 $1$3/CS$Xnju9hspWBbHTWJCM3c3e0
!
!
!
interface Multilink1
 ip address 128.105.0.1 255.255.0.0
 delay 2000
 ipx network 105
 ppp multilink
 ppp multilink interleave
 ppp multilink group 1
!
interface GigabitEthernet0/0
 description MDVADMIN
 ip address 128.1.250.0 255.255.0.0
 ip helper-address 128.1.0.29
 ip helper-address 128.1.0.26
 ip helper-address 128.1.0.96
 no ip redirects
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
 ipx network 541001
 ipx type-20-propagation
!
interface GigabitEthernet0/1
 description Wharehouse
 ip address 128.2.250.0 255.255.0.0
 ip helper-address 128.1.0.29
 ip helper-address 128.1.0.26
 ip helper-address 128.1.0.96
 duplex half
 speed auto
 media-type rj45
 negotiation auto
 ipx network 2
 ipx type-20-propagation
!
interface Serial0/0/0
 description Interface to DeCA
 ip address 172.16.253.34 255.255.255.252
!
interface Serial0/0/1
 description WAN to JESSUP
 ip address 128.109.0.1 255.255.0.0
 ipx network 109
 ipx type-20-propagation
!
interface Serial0/1/0
 description WAN to Azalea
 ip address 128.104.0.1 255.255.0.0
 ipx network 104
 ipx type-20-propagation
!
interface Serial0/1/1
 description MDV-CPF MCI Frame Relay ZABHNPG40001 DLCI 100
 no ip address
 encapsulation frame-relay
!
interface Serial0/1/1.1 point-to-point
 description wan link to Ontario MCI ZABHNPG70001 DLCI 105
 ip address 128.208.0.1 255.255.0.0
 ipx network 108
 ipx type-20-propagation
 frame-relay class vcmdv
 frame-relay interface-dlci 105  
!
interface Serial0/1/1.2 point-to-point
 shutdown
!
interface Serial0/1/1.3 point-to-point
 description wan link to Fife MCI ZABHNPG80001 DLCI 115
 ip address 128.203.0.1 255.255.0.0
 ipx network 103
 ipx type-20-propagation
 frame-relay class vcmdv
 frame-relay interface-dlci 115  
!
interface Serial0/1/1.4 point-to-point
 description wan link to Stk Perf Drive MCI ZABHTJRV0001 DLCI 120
 ip address 128.207.0.1 255.255.0.0
 ipx network 107
 frame-relay class vcmdv
 frame-relay interface-dlci 120  
!
interface Serial0/2/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/2/1
 description WAN Link To Chester - Verizon 793487
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink group 1
!
interface Serial0/3/0
 description WAN Link To Chester - COX 007131
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink group 1
!
interface Serial0/3/1
 description WAN Link To Chester - COX 007132
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink group 1
!
router eigrp 500
 passive-interface Serial0/0/0
 network 128.1.0.0
 network 128.2.0.0
 network 128.104.0.0
 network 128.105.0.0
 network 128.109.0.0
 network 128.203.0.0
 network 128.207.0.0
 network 128.208.0.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 128.1.0.13
ip route 128.11.0.0 255.255.0.0 128.1.0.13
ip route 128.11.62.0 255.255.255.0 128.1.0.13
ip route 128.11.68.0 255.255.255.0 128.1.0.13
ip route 128.111.24.0 255.255.255.0 128.1.0.13
ip route 172.16.0.0 255.255.0.0 172.16.253.33
ip route 207.42.153.4 255.255.255.255 128.1.0.13
ip route 208.249.152.0 255.255.255.0 128.1.0.13
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
map-class frame-relay vcmdv
 frame-relay end-to-end keepalive mode passive-reply
access-list 60 permit 128.1.50.2
snmp-server engineID local 00000009020000000C58C289
snmp-server community public RO
snmp-server community miami-1-vice RW 60
!
!
!
ipx router eigrp 500
 network 541001
 network 2
 network 103
 network 104
 network 105
 network 107
 network 108
 network 109
 log-neighbor-changes
!
!
!
!
!
control-plane
!
banner login _C


_
!
line con 0
 password 7 124857443B253F2703
 login local
 stopbits 1
line aux 0
 password 7 124857443B253F2703
 stopbits 1
line vty 0 4
 privilege level 15
 password 7 055A545C08627D2A30
 login
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end


Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

O.K.  I have all the traffic flowing I need from my VPN clients, but my route from the external 65.207.97.178 to my internal on a different subnet 128.1.0.16 is not working.  This is an OWA address, I get page cannot be displayed.  Thoughts?
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

This is an error on my FW log
%PIX-4-106023: Deny tcp src outside:65.37.92.122/3195 dst inside:65.207.97.178/2967 by access-group "101"
Avatar of batry_boy
batry_boy
Flag of United States of America image
That error is reporting that traffic is trying to be sent to TCP port 2967, which is not allowed by your ACL 101 applied to your outside interface, so this should be expected behavior.

>>but my route from the external 65.207.97.178 to my internal on a different subnet 128.1.0.16 is not working.  This is an OWA address, I get page cannot be displayed.  Thoughts?

Do you see any FW logs that talk about denying TCP 443 traffic inbound to 65.207.97.178?  Your FW should be allowing that traffic for your OWA access...
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

%PIX-6-106015: Deny TCP (no connection) from 216.54.82.5/44555 to 65.207.97.178/443 flags RST ACK on interface outside
%PIX-6-106015: Deny TCP (no connection) from 216.54.82.5/46626 to 65.207.97.178/80 flags RST ACK on interface outside
%PIX-6-106015: Deny TCP (no connection) from 216.54.82.5/48125 to 65.207.97.178/443 flags RST ACK on interface outside
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

OK,
Here is the latest....
I changed the statice mapping to a web server I know is working externally at throuogh the corporate firwall and router.
new static maps 65.207.97.178 128.1.0.15 netmask 255.255.255.255
now this has to travel some distance through 3 bundled multi-link t1 point to points.  I get "web page cannot be displayed" from an external browser.
When I try the 65.207.97.175 in the browser, everything comes up.  That web server is local to where this firwall is...here are the logs I'm getting when attempting to access 65.207.97.178:

%PIX-2-106001: Inbound TCP connection denied from 216.54.82.5/9687 to 65.207.97.178/80 flags RST ACK on interface outside

%PIX-6-106015: Deny TCP (no connection) from 216.54.82.5/60152 to 65.207.97.178/443 flags RST ACK on interface outside (from previoous config)

Could it be latency?  I'm at a loss.....help.

Here is the current config....

:
PIX Version 7.1(2)
!
hostname CPFPix
domain-name MDVNF.COM
enable password  encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 65.207.97.162 255.255.255.224
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 128.5.0.13 255.255.0.0
!
passwd  encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name MDVNF.COM
access-list 101 extended permit tcp any host 65.207.97.174 eq www
access-list 101 extended permit tcp any host 65.207.97.174 eq https
access-list 101 extended permit tcp any host 65.207.97.175 eq www
access-list 101 extended permit tcp any host 65.207.97.175 eq https
access-list 101 extended permit tcp any host 65.207.97.176 eq 4080
access-list 101 extended permit tcp any host 65.207.97.176 eq https
access-list 101 extended permit tcp any host 65.207.97.177 eq www
access-list 101 extended permit tcp any host 65.207.97.177 eq 2024
access-list 101 extended permit tcp any host 65.207.97.177 eq 2044
access-list 101 extended permit tcp any host 65.207.97.177 eq 2048
access-list 101 extended permit tcp any host 65.207.97.174 eq 2024
access-list 101 extended permit tcp any host 65.207.97.174 eq 2044
access-list 101 extended permit tcp any host 65.207.97.174 eq 2048
access-list 101 extended permit tcp any host 65.207.97.178 eq www
access-list 101 extended permit tcp any host 65.207.97.178 eq smtp
access-list 101 extended permit tcp any host 65.207.97.178 eq pop3
access-list 101 extended permit tcp any host 65.207.97.178 eq https
access-list 101 extended permit tcp any host 65.207.97.179 eq 4080
access-list 101 extended permit tcp any host 65.207.97.179 eq https
access-list 101 extended permit tcp any host 65.207.97.180 eq https
access-list acl_outbound extended permit tcp 128.1.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.2.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.3.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.4.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.5.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.6.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.7.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.8.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit tcp 128.9.0.0 255.255.0.0 any eq www
access-list acl_outbound extended permit ip any any
access-list acl_outbound extended deny tcp any any eq www
access-list acl_outbound extended permit tcp 128.1.0.0 255.255.0.0 any eq https
access-list acl_outbound extended permit tcp 128.5.0.0 255.255.0.0 any eq https
access-list split_t extended permit ip 128.5.0.0 255.255.0.0 128.50.200.0 255.255.255.0
access-list split_t extended permit ip 128.1.0.0 255.255.0.0 128.50.200.0 255.255.255.0
access-list nonat extended permit ip 128.5.0.0 255.255.0.0 128.50.200.0 255.255.255.0
access-list nonat extended permit ip 128.1.0.0 255.255.0.0 128.50.200.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging device-id ipaddress inside
logging host inside 128.1.0.96
mtu outside 1500
mtu inside 1500
ip local pool vnp3000clients 128.50.200.1-128.50.200.50
no failover
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 65.207.97.163-65.207.97.173
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 128.1.0.0 255.255.0.0
nat (inside) 1 128.2.0.0 255.255.0.0
nat (inside) 1 128.3.0.0 255.255.0.0
nat (inside) 1 128.4.0.0 255.255.0.0
nat (inside) 1 128.5.0.0 255.255.0.0
nat (inside) 1 128.6.0.0 255.255.0.0
nat (inside) 1 128.7.0.0 255.255.0.0
nat (inside) 1 128.8.0.0 255.255.0.0
nat (inside) 1 128.9.0.0 255.255.0.0
static (inside,outside) 65.207.97.174 128.5.0.14 netmask 255.255.255.255
static (inside,outside) 65.207.97.175 128.5.0.15 netmask 255.255.255.255
static (inside,outside) 65.207.97.176 128.5.0.5 netmask 255.255.255.255
static (inside,outside) 65.207.97.177 128.1.0.27 netmask 255.255.255.255
static (inside,outside) 65.207.97.179 128.5.0.7 netmask 255.255.255.255
static (inside,outside) 65.207.97.180 128.1.0.9 netmask 255.255.255.255
static (inside,outside) 65.207.97.178 128.1.0.15 netmask 255.255.255.255
access-group 101 in interface outside
access-group acl_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 65.207.97.161 1
route inside 128.1.0.0 255.255.0.0 128.5.250.0 1
route inside 128.2.0.0 255.255.0.0 128.5.250.0 1
route inside 128.3.0.0 255.255.0.0 128.5.250.0 1
route inside 128.4.0.0 255.255.0.0 128.5.250.0 1
route inside 128.6.0.0 255.255.0.0 128.5.250.0 1
route inside 128.7.0.0 255.255.0.0 128.5.250.0 1
route inside 128.8.0.0 255.255.0.0 128.5.250.0 1
route inside 128.9.0.0 255.255.0.0 128.5.250.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn3000 internal
group-policy vpn3000 attributes
 wins-server value 128.1.0.11
 dns-server value 128.5.0.11
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_t
 default-domain value mdvnf.com
http server enable
http 128.5.0.13 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MDVTRANS esp-des esp-md5-hmac
crypto dynamic-map MDVMAP 10 set transform-set MDVTRANS
crypto dynamic-map MDVMAP 20 set transform-set MDVTRANS
crypto map MDVMAP1 10 ipsec-isakmp dynamic MDVMAP
crypto map MDVMAP1 interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp nat-traversal  20
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool (outside) vnp3000clients
 authentication-server-group none
authorization-server-group LOCAL
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
telnet 128.1.0.16 255.255.255.255 inside
telnet 128.1.50.1 255.255.255.255 inside
telnet 128.1.50.2 255.255.255.255 inside
telnet 128.5.0.6 255.255.255.255 inside
telnet 128.5.50.3 255.255.255.255 inside
telnet 128.1.0.96 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 128.5.0.11
dhcpd wins 128.5.0.11
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

This looks as though it is getting tougher.
Avatar of batry_boy
batry_boy
Flag of United States of America image
Hey redcell5,

If you do a traceroute from 128.1.0.15 to 216.54.82.5, what does the path look like?

Can you post a network topology diagram that we can take a look at?  I think that will help tremendously in a case like this...:)
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

Batry_boy:
I cannot Trace outside of my network.
I have attached a JPG of the path that this should take.

path-for-OWA.jpg
Avatar of batry_boy
batry_boy
Flag of United States of America image
Hey redcell5,

From the 128.5.250.0 router (router at site with the firewall), can you ping 128.1.0.16?  I just looked at that config again and I don't see how it routes traffic to the 128.1.0.0/16 network.
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

I have uploaded the ping and trace from 128.5.250.0 to 128.1.0.16

ping-to-16.JPG
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

trace to 16

trace-to-16.bmp
Avatar of Cyclops3590
Cyclops3590
Flag of United States of America image
The only test standing out to me was testing from OWA to a public address; which batry_boy already talked about.  Just to ensure that the return OWA traffic isn't being routed a different way than the incoming OWA traffic.

add the following to allow traceroutes to work:
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded

then do the traceroute from the OWA server to your client. You may want to try to run wireshark on the client as well.  If my theory is correct, your computer is sending SYN packets, but not receiving any SYN/ACK packets.  The firewall proxy sends the RST packets.

Also, you really don't need to apply the acl_outbound acl due to the permit ip any any in the list permitting traffic before any deny (which I'm willing to be has a hitcount of 0).
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

It looks like the exchange server is trying to go out at its site rather than the remote site....
How Can this be fixed?
Avatar of Cyclops3590
Cyclops3590
Flag of United States of America image
Unfortunately I'm not very good at routers (if it was a L2L vpn I could help), but one way or another you need to reconfigure the routers that connect those sites to ensure OWA traffic initiated from any source IP and coming from the 128.5.x.y network will properly traverse those lines and return to where its suppose to.

Avatar of batry_boy
batry_boy
Flag of United States of America image
>>It looks like the exchange server is trying to go out at its site rather than the remote site....

You have another Internet connection at the remote site that isn't shown in your diagram?  If so, then the asymmetric routing scenario described above could be happening.  How is the default route setup at the remote site, both for the remote site router and the remote clients?  Also, what is 128.1.0.13?
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

duh....stooopid me...  128.1.0.13 is the inside firewall connection at my corporate site.

I have the picture, but cannot get it to upload......basically 128.1.0.13 is my corporate firewall and all of my internet traffic here goes our of it.  Both of my routers are behind my firewalls and are connected as illustrated above...
Avatar of batry_boy
batry_boy
Flag of United States of America image
Then I guess the question becomes, why don't you map the 128.1.0.16 address to a public address on the firewall that is on the same network as the OWA server?  Makes the routing easy and the response time should be better since it doesn't have to travel as far to get to the server from the Internet.
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

That's a good question and here's the answer:
We need to have the solution in question for failover in case our internet connection goes down at our coporate site.  This enables our sales force to still be able to perform their functions in that event.  We do have an external mapping to 128.1.0.16 externally at our corporate site.
So should I look into policy routing?
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

here is the updated dwg file
path-for-OWA.jpg
Avatar of Cyclops3590
Cyclops3590
Flag of United States of America image
Which is your default gateway?

If its for failover, I'd look at using the gateway with a route that has a lower priority and points the OWA to the multilink path.  Or am I over simplifying this.  Does depend on the gateway being able to truly determine if the higher priority route can be determined as down though; which would potentially be the difficult part.
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

default gateway for the owa server is 128.1.250.0
So is there a way to tell the router 128.1.250.0 router that any traffic origionating from the 128.5.250.0 router should be returned through the same path?
Avatar of batry_boy
batry_boy
Flag of United States of America image
I thnk you should look at PBR (Policy Based Routing)...check it out here:

http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml

Here's an excerpt from the above URL:

The Benefits of Policy-Based Routing
The benefits that can be achieved by implementing policy-based routing in the networks include:

"Source-Based Transit Provider SelectionInternet service providers and other organizations can use policy-based routing to route traffic originating from different sets of users through different Internet connections across the policy routers.

"Quality of Service (QOS)Organizations can provide QOS to differentiated traffic by setting the precedence or type of service (TOS) values in the IP packet headers at the periphery of the network and leveraging queuing mechanisms to prioritize traffic in the core or backbone of the network.

"Cost SavingsOrganizations can achieve cost savings by distributing interactive and batch traffic among low-bandwidth, low-cost permanent paths and high-bandwidth, high-cost, switched paths.

"Load SharingIn addition to the dynamic load-sharing capabilities offered by destination-based routing that the Cisco IOS software has always supported, network managers can now implement policies to distribute traffic among multiple paths based on the traffic characteristics.

I don't know if this will give you the failover you're looking for, but it may give you the answer for this particular question.
Avatar of Cyclops3590
Cyclops3590
Flag of United States of America image
that would make it so all the OWA traffic (or at least that specified by the PBR) would go thru the multilink connection rather than the local public connection.   So in and of itself it wouldn't give the necessary failover; HOWEVER...

If you do a source NAT on the firewall at the 128.5.x.y network, it would work perfectly.  This is because when the packet comes in now, it NATs the dst IP but not the source.  So if you use PBR only, you are forced to use an any for the source since it could originate from wherever.  But if you force translation on the source to a 128.5.254.0 (for example only) then the OWA server thinks that is where the request originated.  Then you just do the PBR to do only the specific traffic of 128.5.254.0 and OWA for port 443.

Keep in mind I've never done a double NAT on the same device before.  I have done it where destination was done on a router, then source was handled on firewall before, so if double NAT on PIX doesn't work, you can configure the source NAT on the local 128.1.x.y router to do that part of it as well and you should get the same results.
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

cannot find literature on the commande to enable source nat.  Ideas?
Avatar of Cyclops3590
Cyclops3590
Flag of United States of America image
I only know how to do it on pixes, so its like this:

access-list outside-nonat deny ip any host <IP of OWA>
access-list outside-nonat permit ip any any
access-list outside-policynat permit ip any host <IP of OWA>
nat (outside) 0 access-list outside-nonat
nat (outside) 5 access-list outside-policynat
global (inside) 5 <int IP to source nat to> source

I can't guarantee that will work because its been a while since I've done this and I unfortunately don't have all the necessary hardware to effectively test out your environment setup.
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

sorry....been out sick for a while....
Will chack this and advise.
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

put the statement in the remote FW....I haven't applier PBR yet....a little nervous because of the literature I have read says it could bring down my network....thoughts?
Avatar of Cyclops3590
Cyclops3590
Flag of United States of America image
true, if misapplied, a lot of things can bring down your network.  The key is to never do a 'wr mem' when testing config changes.  Have defined test cases to make sure the config change is making things work as expected.  If good, let go for a little longer before doing a 'wr mem' to be sure.  If it doesn't work, you can always go back fairly quickly by doing a 'reload'.  PIX's restart fairly fast so it'd only be down for maybe 30 seconds; most likely less.
Avatar of redcell5
redcell5
Flag of United States of America image

ASKER

I am going to accept because I am reluctant to test the PBR....do you know of any cisco design software that will glean my topology and allow testing for this type of thing?
ASKER CERTIFIED SOLUTION
Avatar of Cyclops3590
Cyclops3590
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial