Solved

Cisco router PBR not working

Posted on 2009-06-27
Last Modified: 2013-11-16
Hi friends,
I have a situation here: I have two Internet connections, one an Internet leased line and the other ADSL. I want to route all my web traffic through the ADSL line and all other traffic (mail, L2L VPN and remote access VPN) over the leased line. I have a Cisco 1721 router at the edge and an ASA 5510 behind the router. There are three L2L tunnels to different locations and remote access VPN as well; at the same time we have hosted our mail server outside with a third-party service provider. I have tried configuring the router with PBR, but it stopped all my L2L VPN and remote access VPN users and also Internet connectivity. I am attaching the network diagram, ASA config and router config as well. Please suggest how to do the PBR in the router?
Here is my ASA configuration 
: Saved
: Written by enable_15 at 17:34:12.258 GST Tue May 5 2009
!
ASA Version 8.0(4)23 
!
hostname ciscoasa
domain-name ae.geodiswilson.local
enable password xxxxxx encrypted
multicast-routing
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 195.xx.xx.98 255.255.255.240 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.99.0.254 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif dmz
 security-level 50
 ip address 10.99.30.1 255.255.255.0 
!
interface Management0/0
 nameif Management
 security-level 100
 ip address 10.99.10.1 255.255.255.0 
!
boot system disk0:/asa804-23-k8.bin
boot config disk0:/start-up
ftp mode passive
clock timezone GST 4
dns server-group DefaultDNS
 domain-name ae.geodiswilson.local
same-security-traffic permit intra-interface
object-group network Hamburg_NETWORKS
 network-object 10.229.104.0 255.255.255.0
 network-object 10.229.105.0 255.255.255.0
 network-object 10.229.16.0 255.255.255.0
 network-object 10.229.20.80 255.255.255.240
 network-object 10.229.4.0 255.255.255.0
 network-object 10.229.8.0 255.255.255.0
 network-object 10.229.9.0 255.255.255.0
 network-object 10.23.48.0 255.255.255.0
 network-object 192.168.180.0 255.255.255.0
access-list Mail_outside_in extended permit tcp any interface outside eq smtp 
access-list Mail_outside_in extended permit tcp any interface outside eq imap4 
access-list Mail_outside_in extended permit tcp any interface outside eq 2000 
access-list Mail_outside_in extended permit icmp any host 195.xx.xx.98 echo-reply 
access-list Mail_outside_in extended permit tcp any host 195.xx.xx.98 eq 50 
access-list Mail_outside_in extended permit tcp any host 195.xx.xx.98 eq 51 
access-list Mail_outside_in extended permit tcp any host 195.xx.xx.98 eq 500 
access-list Mail_outside_in extended permit udp any host 195.xx.xx.98 eq isakmp 
access-list outside_3_cryptomap extended permit ip 10.99.0.0 255.255.255.0 object-group Hamburg_NETWORKS 
access-list outside_2_cryptomap extended permit ip 10.99.0.0 255.255.255.0 10.103.0.0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip 10.99.0.0 255.255.255.0 10.160.188.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.99.0.0 255.255.255.0 10.160.188.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.99.0.0 255.255.255.0 10.103.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.99.0.0 255.255.255.0 object-group Hamburg_NETWORKS 
access-list inside_nat0_outbound extended permit ip 10.99.0.0 255.255.255.0 10.99.40.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.99.40.0 255.255.255.0 object-group Hamburg_NETWORKS 
access-list inside_nat0_outbound extended permit ip 10.99.40.0 255.255.255.0 10.103.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.99.40.0 255.255.255.0 10.160.188.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 10.99.40.0 255.255.255.0 
access-list inside_in extended permit ip any any 
access-list internet_in extended permit icmp any any echo-reply 
access-list internet_in extended permit icmp any any source-quench 
access-list internet_in extended permit icmp any any unreachable 
access-list internet_in extended permit icmp any any time-exceeded 
access-list gwvpn standard permit 10.99.0.0 255.255.255.0 
access-list gwvpn standard permit 10.103.0.0 255.255.255.0 
access-list gwvpn standard permit 10.160.188.0 255.255.255.0 
access-list gwvpn standard permit 10.229.104.0 255.255.255.0 
access-list gwvpn standard permit 10.229.105.0 255.255.255.0 
access-list gwvpn standard permit 10.229.16.0 255.255.255.0 
access-list gwvpn standard permit 10.229.20.80 255.255.255.240 
access-list gwvpn standard permit 10.229.4.0 255.255.255.0 
access-list gwvpn standard permit 10.229.8.0 255.255.255.0 
access-list gwvpn standard permit 10.229.9.0 255.255.255.0 
access-list gwvpn standard permit 10.23.48.0 255.255.255.0 
access-list gwvpn standard permit 192.168.180.0 255.255.255.0 
pager lines 24
logging enable
logging timestamp
logging console warnings
logging buffered critical
logging trap errors
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu Management 1500
ip local pool vpn_pool 10.99.40.10-10.99.40.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.99.0.0 255.255.255.0
nat (Management) 0 0.0.0.0 0.0.0.0
static (inside,outside) interface 10.99.0.5 netmask 255.255.255.255 
access-group Mail_outside_in in interface outside
access-group inside_in in interface inside
route outside 0.0.0.0 0.0.0.0 195.229.65.97 1
route outside 194.64.7.0 255.255.255.0 195.229.65.97 1
route outside 195.229.96.0 255.255.255.0 195.229.65.97 1
route outside 195.229.241.222 255.255.255.255 195.229.65.97 1
route outside 212.77.209.0 255.255.255.0 195.229.65.97 1
route outside 213.42.20.20 255.255.255.255 195.229.65.97 1
route outside 216.82.241.0 255.255.255.0 195.229.65.97 1
route outside 216.82.249.0 255.255.255.0 195.229.65.97 1
route outside 216.82.254.0 255.255.255.0 195.229.65.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.99.0.250 255.255.255.255 inside
http 10.99.10.99 255.255.255.255 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set gwset esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set gwset
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 212.xx.xx.138 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set security-association lifetime kilobytes 32000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 195.xx.xx.114 
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 86400
crypto map outside_map 2 set security-association lifetime kilobytes 10000
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 194.xx.xx.16 
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 3 set security-association lifetime seconds 7200
crypto map outside_map 3 set security-association lifetime kilobytes 10000
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.99.0.250 255.255.255.255 inside
telnet 10.99.0.5 255.255.255.255 inside
telnet 10.99.10.99 255.255.255.255 Management
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy gwrvpn internal
group-policy gwrvpn attributes
 dns-server value 10.99.0.5
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value gwvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 2
tunnel-group 194.64.7.16 type ipsec-l2l
tunnel-group 194.64.7.16 ipsec-attributes
 pre-shared-key xxxxx
 isakmp keepalive threshold 15 retry 10
tunnel-group 212.77.209.138 type ipsec-l2l
tunnel-group 212.77.209.138 ipsec-attributes
 pre-shared-key xxxxxx
 isakmp keepalive threshold 15 retry 10
tunnel-group 195.229.96.114 type ipsec-l2l
tunnel-group 195.229.96.114 ipsec-attributes
 pre-shared-key xxxxxxx
 isakmp keepalive threshold 15 retry 10
tunnel-group gwrvpn type remote-access
tunnel-group gwrvpn general-attributes
 address-pool vpn_pool
 default-group-policy gwrvpn
tunnel-group gwrvpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:01eb65cff751025841095c8a40ffdec1
: end
 
Here is my router configuration
 
Current configuration : 1185 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ja
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$gDa7$b4wskL6n5xsjXzT0bF7F11
!
no aaa new-model
ip subnet-zero
!
!
!
!
ip name-server 213.42.20.20
ip name-server 195.229.241.222
ip cef
no scripting tcl init
no scripting tcl encdir
!
!
!
!
interface Ethernet0
 ip address 172.16.30.1 255.255.255.0
 ip nat outside
 half-duplex
!
interface FastEthernet0
 ip address 195.2xx.xx.97 255.255.255.240
 ip nat inside
 ip policy route-map Inside-route
 speed auto
!
interface Serial0
 ip address 213.xx.xx.142 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
!
access-list 101 permit tcp any any eq www 
access-list 102 permit ip any any
route-map Inside-route permit 10
 match ip address 101
 set interface Ethernet0
!
route-map Inside-route permit 20
 match ip address 102
 set interface Serial0
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password password
 login
!
no scheduler allocate
!
end


GW-Network.jpg
GW-ASA-FW.txt
GW-Router-Config.txt
Question by:senmohan

Accepted Solution
by: JanSc (earned 500 total points)
ID: 24730544
Hello,
Just took a quick look at configs.

When your ASA has its outside WAN interface in 195..., you can't use NAT on your router's interfaces.
They simply will have to route Internet traffic towards your ASA. That's where it goes wrong in this setup.
The PBR setup will then redirect port-based traffic to either line connected to the router, according to the ACL for PBR.
So you need ACLs and maps for both the Serial and Eth0 interfaces, and let the router decide where traffic should go. The ASA has to be configured with 0/0 towards your FastE0/0.
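A router fragment along the lines of the accepted answer, as an added example (it is not from the question or the answer): no NAT on the 1721, one route-map sequence that steers only web traffic to the ADSL line, and everything else left to the routing table so the VPN and mail flows stay on the leased line. It assumes the ADSL modem's LAN address is 172.16.30.254 and that the modem translates what it receives from the router; neither detail is on the page.

```cisco
! Added example, not the original poster's config.
! Assumed: ADSL modem LAN side = 172.16.30.254 and the modem performs NAT
! for traffic arriving from 172.16.30.1 (not stated in the question).
!
! 1. The public /28 on Fa0 is routed, not translated: drop NAT from both sides.
interface FastEthernet0
 no ip nat inside
interface Ethernet0
 no ip nat outside
!
! 2. Replace the old classification. Only web browsing is listed; ESP (IP
!    protocol 50), ISAKMP (UDP 500) and mail (TCP 25/143) never match,
!    so they are not policy-routed at all.
no access-list 101
access-list 101 remark Web traffic from the ASA -> ADSL line
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
!
! 3. Drop the catch-all sequence 20 from the question: traffic that matches
!    no sequence falls through to normal forwarding, i.e. the default route
!    out Serial0, which is exactly where VPN and mail should go.
no route-map Inside-route permit 20
!
!    Use 'set ip next-hop' rather than 'set interface' here: Ethernet0 is a
!    multi-access link, and 'set interface' would make the router ARP for
!    every remote web destination on that segment.
route-map Inside-route permit 10
 match ip address 101
 set ip next-hop 172.16.30.254
!
! 4. Policy applies to packets entering Fa0 from the ASA, as before.
interface FastEthernet0
 ip policy route-map Inside-route
!
! 5. Verification: the sequence-10 counter should rise only for web sessions,
!    while 'show ip route' still shows 0.0.0.0/0 via Serial0.
! show route-map Inside-route
! show ip policy
! debug ip policy   (briefly; it logs every policy decision)
```

The ASA side needs no change for this: its existing `route outside 0.0.0.0 0.0.0.0 195.229.65.97` already points at the router's Fa0, and the IPsec peers are reached through the leased line because nothing in ACL 101 matches them.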

Author Closing Comment
by: senmohan
ID: 31597644
Thank you