Solved

Cisco router PBR not working

Posted on 2009-06-27
Last Modified: 2013-11-16
Hi friends
I have a situation here: I have two internet connections, one is an Internet leased line and the other is ADSL. I want to route all my web traffic through the ADSL line, and all other traffic (mail, VPN L2L and remote access) over the leased line. I have a Cisco 1721 router at the edge and an ASA 5510 behind the router. There are three L2L tunnels created to different locations and remote access VPN as well; at the same time we have hosted our mail server outside with a third-party service provider. I have tried to configure the router with PBR, but it stopped all my L2L VPN and remote access VPN users and also internet connectivity. I am attaching the network diagram, ASA config and router config as well. Please suggest to me how to do the PBR in the router.
Here is my ASA configuration 

: Saved
: Written by enable_15 at 17:34:12.258 GST Tue May 5 2009
!
ASA Version 8.0(4)23
!
hostname ciscoasa
domain-name ae.geodiswilson.local
enable password xxxxxx encrypted
multicast-routing
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 195.xx.xx.98 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.99.0.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif dmz
 security-level 50
 ip address 10.99.30.1 255.255.255.0
!
interface Management0/0
 nameif Management
 security-level 100
 ip address 10.99.10.1 255.255.255.0
!
boot system disk0:/asa804-23-k8.bin
boot config disk0:/start-up
ftp mode passive
clock timezone GST 4
dns server-group DefaultDNS
 domain-name ae.geodiswilson.local
same-security-traffic permit intra-interface
object-group network Hamburg_NETWORKS
 network-object 10.229.104.0 255.255.255.0
 network-object 10.229.105.0 255.255.255.0
 network-object 10.229.16.0 255.255.255.0
 network-object 10.229.20.80 255.255.255.240
 network-object 10.229.4.0 255.255.255.0
 network-object 10.229.8.0 255.255.255.0
 network-object 10.229.9.0 255.255.255.0
 network-object 10.23.48.0 255.255.255.0
 network-object 192.168.180.0 255.255.255.0
access-list Mail_outside_in extended permit tcp any interface outside eq smtp
access-list Mail_outside_in extended permit tcp any interface outside eq imap4
access-list Mail_outside_in extended permit tcp any interface outside eq 2000
access-list Mail_outside_in extended permit icmp any host 195.xx.xx.98 echo-reply
access-list Mail_outside_in extended permit tcp any host 195.xx.xx.98 eq 50
access-list Mail_outside_in extended permit tcp any host 195.xx.xx.98 eq 51
access-list Mail_outside_in extended permit tcp any host 195.xx.xx.98 eq 500
access-list Mail_outside_in extended permit udp any host 195.xx.xx.98 eq isakmp
access-list outside_3_cryptomap extended permit ip 10.99.0.0 255.255.255.0 object-group Hamburg_NETWORKS
access-list outside_2_cryptomap extended permit ip 10.99.0.0 255.255.255.0 10.103.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.99.0.0 255.255.255.0 10.160.188.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.0.0 255.255.255.0 10.160.188.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.0.0 255.255.255.0 10.103.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.0.0 255.255.255.0 object-group Hamburg_NETWORKS
access-list inside_nat0_outbound extended permit ip 10.99.0.0 255.255.255.0 10.99.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.40.0 255.255.255.0 object-group Hamburg_NETWORKS
access-list inside_nat0_outbound extended permit ip 10.99.40.0 255.255.255.0 10.103.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.40.0 255.255.255.0 10.160.188.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.99.40.0 255.255.255.0
access-list inside_in extended permit ip any any
access-list internet_in extended permit icmp any any echo-reply
access-list internet_in extended permit icmp any any source-quench
access-list internet_in extended permit icmp any any unreachable
access-list internet_in extended permit icmp any any time-exceeded
access-list gwvpn standard permit 10.99.0.0 255.255.255.0
access-list gwvpn standard permit 10.103.0.0 255.255.255.0
access-list gwvpn standard permit 10.160.188.0 255.255.255.0
access-list gwvpn standard permit 10.229.104.0 255.255.255.0
access-list gwvpn standard permit 10.229.105.0 255.255.255.0
access-list gwvpn standard permit 10.229.16.0 255.255.255.0
access-list gwvpn standard permit 10.229.20.80 255.255.255.240
access-list gwvpn standard permit 10.229.4.0 255.255.255.0
access-list gwvpn standard permit 10.229.8.0 255.255.255.0
access-list gwvpn standard permit 10.229.9.0 255.255.255.0
access-list gwvpn standard permit 10.23.48.0 255.255.255.0
access-list gwvpn standard permit 192.168.180.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging console warnings
logging buffered critical
logging trap errors
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu Management 1500
ip local pool vpn_pool 10.99.40.10-10.99.40.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.99.0.0 255.255.255.0
nat (Management) 0 0.0.0.0 0.0.0.0
static (inside,outside) interface 10.99.0.5 netmask 255.255.255.255
access-group Mail_outside_in in interface outside
access-group inside_in in interface inside
route outside 0.0.0.0 0.0.0.0 195.229.65.97 1
route outside 194.64.7.0 255.255.255.0 195.229.65.97 1
route outside 195.229.96.0 255.255.255.0 195.229.65.97 1
route outside 195.229.241.222 255.255.255.255 195.229.65.97 1
route outside 212.77.209.0 255.255.255.0 195.229.65.97 1
route outside 213.42.20.20 255.255.255.255 195.229.65.97 1
route outside 216.82.241.0 255.255.255.0 195.229.65.97 1
route outside 216.82.249.0 255.255.255.0 195.229.65.97 1
route outside 216.82.254.0 255.255.255.0 195.229.65.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.99.0.250 255.255.255.255 inside
http 10.99.10.99 255.255.255.255 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set gwset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set gwset
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 212.xx.xx.138
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set security-association lifetime kilobytes 32000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 195.xx.xx.114
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 86400
crypto map outside_map 2 set security-association lifetime kilobytes 10000
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 194.xx.xx.16
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 3 set security-association lifetime seconds 7200
crypto map outside_map 3 set security-association lifetime kilobytes 10000
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.99.0.250 255.255.255.255 inside
telnet 10.99.0.5 255.255.255.255 inside
telnet 10.99.10.99 255.255.255.255 Management
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy gwrvpn internal
group-policy gwrvpn attributes
 dns-server value 10.99.0.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value gwvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 2
tunnel-group 194.64.7.16 type ipsec-l2l
tunnel-group 194.64.7.16 ipsec-attributes
 pre-shared-key xxxxx
 isakmp keepalive threshold 15 retry 10
tunnel-group 212.77.209.138 type ipsec-l2l
tunnel-group 212.77.209.138 ipsec-attributes
 pre-shared-key xxxxxx
 isakmp keepalive threshold 15 retry 10
tunnel-group 195.229.96.114 type ipsec-l2l
tunnel-group 195.229.96.114 ipsec-attributes
 pre-shared-key xxxxxxx
 isakmp keepalive threshold 15 retry 10
tunnel-group gwrvpn type remote-access
tunnel-group gwrvpn general-attributes
 address-pool vpn_pool
 default-group-policy gwrvpn
tunnel-group gwrvpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:01eb65cff751025841095c8a40ffdec1
: end
 

Here is my router configuration
 

Current configuration : 1185 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ja
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$gDa7$b4wskL6n5xsjXzT0bF7F11
!
no aaa new-model
ip subnet-zero
!
ip name-server 213.42.20.20
ip name-server 195.229.241.222
ip cef
no scripting tcl init
no scripting tcl encdir
!
interface Ethernet0
 ip address 172.16.30.1 255.255.255.0
 ip nat outside
 half-duplex
!
interface FastEthernet0
 ip address 195.2xx.xx.97 255.255.255.240
 ip nat inside
 ip policy route-map Inside-route
 speed auto
!
interface Serial0
 ip address 213.xx.xx.142 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
access-list 101 permit tcp any any eq www
access-list 102 permit ip any any
route-map Inside-route permit 10
 match ip address 101
 set interface Ethernet0
!
route-map Inside-route permit 20
 match ip address 102
 set interface Serial0
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password password
 login
!
no scheduler allocate
!
end

Attachments: GW-Network.jpg, GW-ASA-FW.txt, GW-Router-Config.txt

Question by: senmohan

2 Comments
 
Accepted Solution by: JanSc
Hello,
Just took a quick look at the configs.

When your ASA has its outside WAN interface in 195..., you can't use NAT on your router's interfaces.
They simply will have to route internet traffic towards your ASA. That's where it goes wrong in this setup.
The PBR setup will then redirect port-based traffic to either line connected to the router, according to the ACL for PBR.
So you need an ACL and maps for both the Serial and Eth0 interfaces, and let the router decide where traffic should go. The ASA has to be configured with 0/0 towards your faste0/0.
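The router side of the design JanSc describes, written out as an added example; it is not the original poster's configuration and not something JanSc posted. It keeps the masked public addresses from the post and assumes, hypothetically, that the ADSL modem on Ethernet0 is 172.16.30.254 and performs NAT towards the ADSL provider (without that, web traffic sourced from 195.xx.xx.98 would leave over a line that does not own that address, and its replies would come back over the leased line). Two things in the posted configs are worth calling out. First, `set interface Ethernet0` on a multi-access Ethernet segment makes the router ARP for the Internet destination itself, which fails unless the modem proxy-ARPs; `set ip next-hop` with the modem's address is the correct form, and `set interface` belongs only on point-to-point links such as Serial0. Second, the ASA already carries `route outside 0.0.0.0 0.0.0.0 195.229.65.97`, which is the router's FastEthernet0 address, so the ASA side of the answer is already in place.

```cisco
! Added example, not the poster's config and not JanSc's: the router side of the
! design in the accepted answer. Hypothetical assumptions: the ADSL modem on
! Ethernet0 is 172.16.30.254 and NATs towards the ADSL provider; the leased-line
! ISP terminates Serial0. Masked public addresses are kept as in the post.
!
! 1. No NAT on the router. The ASA already PATs inside hosts to 195.xx.xx.98
!    ('global (outside) 1 interface'), so the router only routes.
interface FastEthernet0
 ip address 195.2xx.xx.97 255.255.255.240
 no ip nat inside
 ip policy route-map Inside-route
!
interface Ethernet0
 ip address 172.16.30.1 255.255.255.0
 no ip nat outside
!
! 2. Default route stays on the leased line: IKE/ESP for the three L2L peers,
!    the remote-access clients and SMTP/IMAP to the hosted mail provider all
!    leave via Serial0 without needing a PBR entry.
ip route 0.0.0.0 0.0.0.0 Serial0
!
! 3. Only web traffic from the ASA's outside address is steered to ADSL.
!    'no access-list 101' first, because IOS appends to numbered ACLs.
!    Put 'deny' lines ahead of the permits for destinations (hosted mail
!    provider, VPN peers) whose web traffic must stay on the leased line.
no access-list 101
access-list 101 permit tcp host 195.xx.xx.98 any eq www
access-list 101 permit tcp host 195.xx.xx.98 any eq 443
access-list 102 permit ip any any
!
! 4. 'set ip next-hop', not 'set interface Ethernet0': on a multi-access
!    interface 'set interface' makes the router ARP for the Internet
!    destination itself, which fails unless the modem proxy-ARPs.
route-map Inside-route permit 10
 match ip address 101
 set ip next-hop 172.16.30.254
!
! Serial0 is point-to-point, so 'set interface' is fine there; this entry
! pins everything that is not web traffic to the leased line explicitly.
route-map Inside-route permit 20
 match ip address 102
 set interface Serial0
```

Apply this in configuration mode on the 1721 and check with `show route-map Inside-route` that the sequence 10 counters increase only for web flows. If the modem is down while Ethernet0 stays up, policy-routed web traffic is black-holed rather than falling back to the leased line; `set ip next-hop verify-availability` addresses that, but its basic form relies on CDP from the next hop, which a consumer ADSL modem will not speak, so test the failure case. Separately, the posted router config is running `no service password-encryption` with a plaintext vty password (`password password`) and telnet, and the post exposes the `enable secret` hash and the ASA's `username cisco` hash; treat those credentials as compromised and rotate them, enable `service password-encryption`, and prefer SSH over telnet on both devices.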
 
Author Closing Comment by: senmohan
Thank you
