Solved

Cisco 3945 router: leased line / ADSL mix-up

Posted on 2011-05-09
Last Modified: 2012-05-11
Hi guys,

I'm having a problem at a client...

It's very complicated to explain the full environment, but the basic problem I am having is this:

We just installed a TMG server, but before the TMG install the router saw all traffic from the Exchange server's IP address as traffic for the leased line, and the rest would go over the ADSL.

Now, after the TMG install, all the traffic is coming from one IP address (the TMG external NIC), so the router doesn't know what to do with the traffic (whether to send it on the leased line or the ADSL).
Is there a way or rule on the router (Cisco 3945) so that all HTTP/HTTPS traffic uses the ADSL and all SMTP traffic uses the leased line?

Thanks for the help
Question by:YOlanie_Visser
6 Comments
 
LVL 1

Expert Comment

by:akhilw
ID: 35728186
I am still not sure about the scenario, but it seems what you need is PBR..

http://www.petri.co.il/how-to-use-cisco-ios-policy-based-routing-features.htm
LVL 18

Expert Comment

by:jmeggers
ID: 35728196
You can try doing policy-based routing and specify the protocol in the ACL, but I've never configured it that way, so I can't guarantee there isn't some performance-based reason not to do that. Here's a sample that might help get you started:

access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 443

access-list 102 permit tcp any any eq 25

route-map WEB permit 10
match ip add 101
set interface <ADSL>

route-map MAIL permit 10
match ip add 102
set interface <LEASE>

interface <ADSL>
ip policy route-map WEB

interface <LEASE>
ip policy route-map MAIL
LVL 6

Expert Comment

by:Wissam
ID: 35735130
Policy-based routing as explained above is the solution for you.
Of course you can manipulate the access-lists and use them on the incoming interface to affect outbound traffic from your router; the config above is for the inbound traffic.

Author Comment

by:YOlanie_Visser
ID: 35735460
Yeah, the only problem with this is that it's based on destination IP.
Before TMG the rules stated that everything coming from the Exchange server's IP address would go out the leased line..

But now all the traffic is coming out of the external interface of the TMG, so the router is only seeing one IP address, so it's hard to split the types of traffic..

This is the reason I need to split HTTP/HTTPS and SMTP traffic.

But I have found that only layer-7 appliances are able to do this...
LVL 1

Accepted Solution

by:
akhilw earned 2000 total points
ID: 35736372
"I need to split HTTP/HTTPS and SMTP traffic"
...This is exactly what the ACL config above does.

The ACLs used in the route-maps can be used to classify the traffic solely on destination ports/services rather than destination IP addresses.
In the ACLs below,
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 443

access-list 102 permit tcp any any eq 25

the terms 'any any' mean that the
src IP = any (you could specify the Exchange server's IP address here)
dest IP = any (so that the routing is not based on destination IP)
&
eq 80,443 means that the
destination ports = TCP/80,443, which are the standard ports for HTTP & HTTPS traffic.
eq 25 means that the
destination port = TCP/25, which is the standard port for SMTP.

Although the route-map configuration mentioned above needs to be tweaked..
You will have one route-map 'WEB_MAIL'.

For directing HTTP/HTTPS traffic to ADSL
route-map WEB_MAIL permit 10
match ip add 101
set interface <ADSL>

For directing SMTP traffic to Lease
route-map WEB_MAIL permit 20
match ip add 102
set interface <LEASE>

To apply the route-map on the incoming interface
int <incoming_internal_interface>
ip policy route-map WEB_MAIL

All in all, what you need is
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 443
access-list 102 permit tcp any any eq 25

route-map WEB_MAIL permit 10
match ip add 101
set interface <ADSL>

route-map WEB_MAIL permit 20
match ip add 102
set interface <LEASE>

int <incoming_internal_interface>
ip policy route-map WEB_MAIL
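As an added illustration (not from the thread and not Cisco IOS itself), here is a small Python model of how the accepted WEB_MAIL route-map classifies packets arriving on the internal interface: the first matching ACL entry wins, a deny or no match in one sequence falls through to the next sequence, and anything unmatched takes the normal routing table. The deny entries excluding the 192.168.0.0/16 internal range are an assumption added here so LAN-to-LAN web traffic is not forced out the ADSL link; all addresses are constructed.

```python
import ipaddress

# Constructed model of the accepted answer's PBR config (not IOS syntax).
# ACL entry: (action, proto, src_net, dst_net, dport); None means "any".
# The two deny lines are an added assumption: keep internal web traffic
# on normal routing instead of pushing it out the ADSL interface.
ACLS = {
    101: [("deny",   "tcp", None, "192.168.0.0/16", 80),
          ("deny",   "tcp", None, "192.168.0.0/16", 443),
          ("permit", "tcp", None, None, 80),
          ("permit", "tcp", None, None, 443)],
    102: [("permit", "tcp", None, None, 25)],
}
# route-map WEB_MAIL: (sequence, ACL number, egress interface)
ROUTE_MAP = [(10, 101, "ADSL"), (20, 102, "LEASE")]


def acl_permits(acl, proto, src, dst, dport):
    """First matching entry decides; no match is an implicit deny."""
    for action, p, s, d, port in acl:
        if p != proto:
            continue
        if s and ipaddress.ip_address(src) not in ipaddress.ip_network(s):
            continue
        if d and ipaddress.ip_address(dst) not in ipaddress.ip_network(d):
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False


def policy_route(proto, src, dst, dport):
    """Model of `ip policy route-map WEB_MAIL` on the ingress interface:
    a sequence applies only when its ACL permits; otherwise fall through."""
    for _seq, acl_id, iface in ROUTE_MAP:
        if acl_permits(ACLS[acl_id], proto, src, dst, dport):
            return iface
    return "NORMAL_ROUTING"


if __name__ == "__main__":
    tmg_ext = "192.168.1.10"  # constructed: the single source the router now sees
    for proto, dst, port in [("tcp", "203.0.113.5", 443), ("tcp", "198.51.100.25", 25),
                             ("tcp", "192.168.2.20", 80), ("tcp", "203.0.113.5", 587)]:
        print(proto, dst, port, "->", policy_route(proto, tmg_ext, dst, port))
```

Note that TCP/587 (submission) and UDP are not matched by either ACL, so they take the normal routing table; that is the check to run before trusting the policy on production traffic.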

Author Closing Comment

by:YOlanie_Visser
ID: 35885747
Had to add an extra NIC on the TMG server: one for internal, one for web publishing and one for internet.