

dual wan on cisco 887 router

Posted on 2013-06-16
Medium Priority
Last Modified: 2013-08-12
Hi all,

I'm stuck a bit on the configuration of the attached topology.

I have mission-critical traffic from the LAN side: email. I have to set the WAN1 interface for only this kind of traffic. WAN1 bandwidth is 256 Kbps and WAN2 is 1 Mbps.
Or how can I load-balance even the email traffic between these dual links? PBR can do that.
Sharing a configuration would be perfect.

Question by:ata1915

Expert Comment

by:Sandeep Gupta
ID: 39252935
Match your email traffic in an ACL:

ip access-list extended EMAIL_TRAFFIC
 permit ........

Define the route map (the ACL name must match the one defined above; "WAN1" stands for the real WAN1 interface name, or use "set ip next-hop <gateway>" if you know the provider gateway address):

route-map EMAIL permit 10
 match ip address EMAIL_TRAFFIC
 set interface WAN1

Put this route map on the LAN interface:

interface LAN
 ip policy route-map EMAIL

Check the command syntax...

Let me know if you need more help.
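A fuller version of the same PBR idea, written for this thread as an added example (not configuration from the thread or from either poster): mail from the mail host is steered to WAN1 only while WAN1 is reachable, and falls back to the WAN2 default route otherwise. Interface names, subnets and gateway addresses are constructed placeholders; note that if the ASA sits behind the 887 and does NAT, the source address the 887 sees is the ASA's translated address, so the ACL must match that instead.

```cisco-ios
! Added example, not from the thread. Assumed topology (all names/addresses constructed):
!   Vlan1          192.168.10.1/24  LAN side, faces the ASA; mail server 192.168.10.25
!   FastEthernet4  WAN1, 256 kbps, provider gateway 198.51.100.1  (mail only)
!   Dialer0        WAN2, 1 Mbps, default path for everything else
!
! 1. Identify the mail traffic. Keep it tight: only the mail host, only SMTP/submission,
!    and replace "any" with the provider's relay address once you know it.
ip access-list extended EMAIL_TRAFFIC
 permit tcp host 192.168.10.25 any eq smtp
 permit tcp host 192.168.10.25 any eq 587
!
! 2. Probe the WAN1 gateway so the policy only fires while WAN1 is actually usable.
ip sla 1
 icmp-echo 198.51.100.1 source-interface FastEthernet4
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! 3. Route map: matched mail goes to WAN1 while track 1 is up. When the track is down
!    the set clause is skipped and the packet is routed normally (via the WAN2 default).
!    Traffic that does not match the ACL never hits the set clause and is routed normally.
route-map EMAIL permit 10
 match ip address EMAIL_TRAFFIC
 set ip next-hop verify-availability 198.51.100.1 10 track 1
!
! 4. Apply the policy on the interface where the mail traffic ENTERS the router.
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 ip policy route-map EMAIL
!
! 5. Default route for everything else via WAN2.
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! Verification (in the GNS3 lab first): "show route-map EMAIL" shows policy match
! counters, "show track 1" the WAN1 state, "show ip sla statistics 1" the probe results.
```

Two caveats: PBR steers flows, it does not load-balance them, so sharing mail across both links would instead need two default routes and CEF per-destination load sharing; and NAT on a router with two provider addresses needs a separate "ip nat inside source route-map ..." entry per WAN interface, which is out of scope here.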

Author Comment

ID: 39255581
Thank you guptasan26, on the Cisco 887 the config seems okay. First I need to test this configuration in GNS3 before doing it on the customer's production network.

My question regarding the ASA is the same. The provider side only lets acmeserver reach the email service. So I need to place the ASA behind the Cisco 887 because the ASA does not support dual WAN and PBR. The ASA's inside and outside interfaces will change, and of course the configuration. What should I do to perform this task?

acme server :
acme cctv   :


ASA Version 8.2(5)
hostname acme_asa
domain-name acme.com
enable password 123456 encrypted
passwd 123456 encrypted
name acmesrvserv
name my_ip_add
name Doruk_FSecure description Doruknet FSecure
interface Ethernet0/0
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif outside
 security-level 0
 ip address
interface Vlan2
 nameif inside
 security-level 100
 ip address
ftp mode passive
dns server-group DefaultDNS
 domain-name acme.com
access-list acl_ins extended permit udp any any eq domain
access-list acl_ins extended permit tcp host acmesrv host Doruk_FSecure eq smtp
access-list acl_ins extended permit tcp any any eq www
access-list acl_ins extended permit tcp any any eq 3389
access-list acl_ins extended permit tcp any any eq https
access-list acl_ins extended permit udp any any eq 443
access-list acl_ins extended permit icmp any any
access-list acl_ins extended permit tcp any any eq 8443
access-list acl_ins extended permit ip host acmesrv any
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any any eq smtp
access-list acl_out extended permit tcp any any eq www
access-list acl_out extended permit tcp any any eq https
access-list acl_out extended permit tcp any any eq pop3
access-list acl_out extended permit tcp any any eq 3389
access-list inside_outbound_nat0_acl extended permit ip
access-list inside_outbound_nat0_acl extended permit ip
access-list acmevpn_splitTunnelAcl extended permit ip any
access-list acmevpn_splitTunnelAcl extended permit ip any
access-list outside_cryptomap_dyn_20 extended permit ip any
access-list remotevpn_splitTunnelAcl standard permit
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpnpool
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm history enable
arp timeout 14400
global (outside) 1 netmask
global (outside) 2 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2
static (inside,outside) tcp 3389 3389 netmask
static (inside,outside) acmesrv netmask
access-group acl_out in interface outside
access-group acl_ins in interface inside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http inside
http mycompany outside
snmp-server host inside community *****
snmp-server host inside community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet outside
telnet inside
telnet timeout 10
ssh mycompany outside
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server source outside prefer
group-policy remotevpn internal
group-policy remotevpn attributes
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remotevpn_splitTunnelAcl
 default-domain value acmesrv.com

tunnel-group remotevpn type remote-access
tunnel-group remotevpn general-attributes
 address-pool vpnpool
 default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
 pre-shared-key *****
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect http
  inspect ils
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end

Accepted Solution

Sandeep Gupta earned 1500 total points
ID: 39255687
I am not exactly an ASA guy, but I can say that for the ASA you can do the same thing by putting in a rule...

Since you are putting the ASA behind the 887, simply send your traffic to the 887-ASA link and then your 887 ACL will forward email traffic to WAN1.

Author Comment

ID: 39273962
Hi again, sorry for the late response, but I was really stuck on another case.
Now I have downloaded the Cisco 887VA IOS and am preparing a GNS3 lab to create this topology.
I will share the results, configs and topology drawings this week. Thank you for your patience.
