Solved

dual wan on cisco 887 router

Posted on 2013-06-16
Last Modified: 2013-08-12
Hi all,

I'm stuck a bit on the configuration of the attached topology.

I have mission-critical traffic from the LAN side: e-mail. I have to set the WAN1 interface for only this kind of traffic. WAN1 bandwidth is 256 Kbps and WAN2 1 Mbps.
Or how can I load-balance even the e-mail traffic between these dual links? PBR can do that.
Sharing a configuration would be perfect.
Thanks.

http://pierky.wordpress.com/2009/03/28/dual-wan-connection-on-cisco-with-policy-based-routing-pbr/
ciscoasa-cisco878.pdf
Question by: ata1915

4 Comments

LVL 9

Expert Comment

by:Sandeep Gupta
ID: 39252935
match your email traffic in ACL

ip access-list extended EMAIL_TRAFFIC
 permit ........

define route map

route-map EMAIL permit 10
 match ip address EMAIL_TRAFFIC
 set interface WAN1

put this route MAP on LAN

int LAN
 ip policy route-map EMAIL

check the command syntax...

let me know if you need more help
LVL 1

Author Comment

by:ata1915
ID: 39255581
Thank you guptasan26, the Cisco 887 config seems okay. First I need to test this configuration in GNS3 before deploying it on the customer's production network.

My question regarding the ASA is the same. The provider side only lets 192.168.0.100 (the acme server) reach the email service. So I need to place the ASA behind the Cisco 887, because the ASA does not support dual WAN and PBR functions. The ASA's inside and outside interfaces will change, and of course the configuration. What should I do to perform this task?

acme server : 192.168.0.100
acme cctv   : 192.168.0.150

++++++++++++++++++++++++++++

ASA Version 8.2(5)
!
hostname acme_asa
domain-name acme.com
enable password 123456 encrypted
passwd 123456 encrypted
names
name 192.168.0.100 acmesrv
name 1.1.1.1 my_ip_add
name 212.58.7.11 Doruk_FSecure description Doruknet FSecure
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 212.58.24.242 255.255.255.248
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name acme.com
access-list acl_ins extended permit udp any any eq domain
access-list acl_ins extended permit tcp host acmesrv host Doruk_FSecure eq smtp
access-list acl_ins extended permit tcp any any eq www
access-list acl_ins extended permit tcp any any eq 3389
access-list acl_ins extended permit tcp any any eq https
access-list acl_ins extended permit udp any any eq 443
access-list acl_ins extended permit icmp any any
access-list acl_ins extended permit tcp any any eq 8443
access-list acl_ins extended permit ip host acmesrv any
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any any eq smtp
access-list acl_out extended permit tcp any any eq www
access-list acl_out extended permit tcp any any eq https
access-list acl_out extended permit tcp any any eq pop3
access-list acl_out extended permit tcp any any eq 3389
access-list inside_outbound_nat0_acl extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list acmevpn_splitTunnelAcl extended permit ip 192.168.0.0 255.255.255.0 any
access-list acmevpn_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.20.0 255.255.255.0
access-list remotevpn_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 192.168.20.1-192.168.20.254
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm history enable
arp timeout 14400
global (outside) 1 212.58.24.243 netmask 255.255.255.248
global (outside) 2 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 192.168.0.0 255.255.255.0
static (inside,outside) tcp 212.58.24.244 3389 192.168.0.101 3389 netmask 255.255.255.255
static (inside,outside) 212.58.24.245 acmesrv netmask 255.255.255.255
access-group acl_out in interface outside
access-group acl_ins in interface inside
route outside 0.0.0.0 0.0.0.0 212.58.24.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http mycompany 255.255.255.255 outside
snmp-server host inside 192.168.0.138 community *****
snmp-server host inside 192.168.0.200 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 212.58.24.240 255.255.255.248 outside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 10
ssh mycompany 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.64-192.168.0.69 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 193.204.114.105 source outside prefer
webvpn
group-policy remotevpn internal
group-policy remotevpn attributes
 dns-server value 192.168.0.100 4.2.2.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remotevpn_splitTunnelAcl
 default-domain value acmesrv.com

tunnel-group remotevpn type remote-access
tunnel-group remotevpn general-attributes
 address-pool vpnpool
 default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect http
  inspect ils
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:dfdf1a33627fce0211de8889794cbf03
: end
LVL 9

Accepted Solution

by:
Sandeep Gupta earned 500 total points
ID: 39255687
I am not exactly an ASA guy, but I can say that for the ASA you can do the same thing by putting a rule...

Since you are putting the ASA behind the 887, simply put your traffic on the 887-ASA link, and then your 887 ACL will forward email traffic to WAN1.
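The two pieces of advice above (match mail in an ACL, steer it with a route-map on the LAN interface; and let the 887 do the steering once the ASA sits behind it) as one complete IOS configuration. This is an added example, not a config from the thread or from Cisco documentation. Assumptions: both uplinks are Ethernet handoffs on the 887's switch ports (Vlan10 for WAN1, Vlan20 for WAN2) with next hops 203.0.113.1 and 198.51.100.1 from the documentation ranges; the LAN towards the ASA is Vlan1 192.168.0.0/24; and the ASA passes the mail server's address through unchanged (identity NAT), so the 887 still sees 192.168.0.100 as the source. The `track` object makes mail fall back to WAN2 when the WAN1 next hop stops answering, which plain `set interface`/`set ip next-hop` would not do.

```cisco
! Added example: PBR on a Cisco 887 with two uplinks (interface names and
! ISP addresses are assumptions, not taken from the thread).
ip cef
!
interface Vlan1
 description LAN towards ASA outside / acme server
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip policy route-map EMAIL_PBR
!
interface FastEthernet2
 switchport access vlan 10
interface Vlan10
 description WAN1 (256 kbit/s) - mail only
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet3
 switchport access vlan 20
interface Vlan20
 description WAN2 (1 Mbit/s) - everything else
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Default route via WAN2; WAN1 is only used when PBR selects it.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Probe the WAN1 next hop so mail falls back to WAN2 when WAN1 is down.
ip sla 1
 icmp-echo 203.0.113.1 source-interface Vlan10
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Only the mail server's mail sessions: SMTP/submission out, POP3/IMAP if it
! collects from an upstream mailbox. Nothing else is steered to WAN1.
ip access-list extended EMAIL_TRAFFIC
 permit tcp host 192.168.0.100 any eq smtp
 permit tcp host 192.168.0.100 any eq 587
 permit tcp host 192.168.0.100 any eq pop3
 permit tcp host 192.168.0.100 any eq 143
!
route-map EMAIL_PBR permit 10
 match ip address EMAIL_TRAFFIC
 set ip next-hop verify-availability 203.0.113.1 10 track 1
!
! NAT keyed on the egress interface, so replies return on the link a flow left on.
ip access-list extended LAN_NETS
 permit ip 192.168.0.0 0.0.0.255 any
route-map NAT_WAN1 permit 10
 match ip address LAN_NETS
 match interface Vlan10
route-map NAT_WAN2 permit 10
 match ip address LAN_NETS
 match interface Vlan20
ip nat inside source route-map NAT_WAN1 interface Vlan10 overload
ip nat inside source route-map NAT_WAN2 interface Vlan20 overload
```

If WAN1 is the 887's own DSL `Dialer` interface instead of an Ethernet handoff, replace the `set ip next-hop ...` line with `set interface Dialer1`; the rest is unchanged. On the ASA side, the match on `host 192.168.0.100` only works if the ASA does not translate the server on its new transit towards the 887 (on 8.2 an identity `static (inside,outside) 192.168.0.100 192.168.0.100 netmask 255.255.255.255`, or the `nat (inside) 0 access-list` form already present in the posted config); if the ASA keeps PATing everything to one address, the 887 can only match on destination port. Verify with `show route-map EMAIL_PBR` (policy-matched packet counters), `show track 1`, and `show ip nat translations` from the server's address.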
LVL 1

Author Comment

by:ata1915
ID: 39273962
Hi again, sorry for the late response, but I was really stuck on another case.
Now I have downloaded the Cisco 887VA IOS and am preparing a GNS3 lab to create this topology.
I will share the results, configs and topology drawings this week. Thank you for your patience.