thomasm1948
asked on
CISCO Static Routing
Hi,
We have a CISCO ASA 3750 L3 Switch and we want to do load balancing across two Internet lines. The issue that I have is that we have 1-to-1 NATs for some of our devices on the network, and I know that we cannot have them go out both Internet lines.
How can I create a static route to the firewall that has the NAT policies for those devices?
For example:
device 192.168.1.1 needs its routes of last resort to go to 192.168.72.253
Thank you in advance
ASKER
After reading, I think I might have to do this, but I am unsure:
access-list 1 deny ip host 192.168.1.1 192.168.72.254 255.255.255.255 (new router gateway)
access-list 1 permit 192.168.1.1 any (allowing the host to have access to the other VLANs)
route-map NatGwy permit 1
set ip next-hop 192.168.72.253 (original gateway with the NAT policies)
ip policy route-map NatGwy
Still unsure though
The ASA doesn't do PBR; only redundant links/routing.
The 3750 doesn't do NAT.
Either way, you probably won't get what you want unless you use a proper router upstream from the ASA on the outside.
ASKER
Hi,
Sorry, I used some wrong terminology. The 3750 is our core L3 switch, on which the last resort route currently goes to 0.0.0.0 0.0.0.0 192.168.72.253
We got a new Internet line in and the school would like to load balance between them. The issue that I see is that there are static NAT policies on their PIX firewall. If I do load balancing, then those devices, such as a web portal, are not going to work correctly, since the traffic could possibly go out the new PIX firewall.
Ok, so load balancing is easy. Just configure a second static route on the 3750 pointing to the new gateway and use the same metric.
You're right - static NAT will be a problem. Where is your web portal? Is it on your LAN but accessible from the internet? If so, that's not going to work too well. You will only be able to send that portal's traffic through one line at a time or it will break traffic, especially if it runs HTTPS.
ASKER
How can I route a single device through only one line and then have the rest do load balancing on the 3750?
ASKER
The web portal is on the LAN and is accessible for the teacher and students outside of the network.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Does the 3750 support that? If so, would my idea above work then?
ASKER
access-list 1 permit 192.168.1.1
route-map NatGwy permit 1
set ip next-hop 192.168.72.253
ip policy route-map NatGwy
I am not sure, but I think policy-based routing might work. Any ideas?
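The policy-based routing idea raised in this thread, written out as a complete configuration. This is an added example, not from any poster; the SVI name Vlan10 and the sequence number 10 are assumptions, and it presumes the 3750 runs a feature set and SDM template that support PBR.

```cisco
! Added example. Addresses are the ones quoted in the thread; the interface
! name (Vlan10) and the route-map sequence number are assumptions.
!
! 1. Load-share Internet-bound traffic: two default routes, same metric.
ip route 0.0.0.0 0.0.0.0 192.168.72.253
ip route 0.0.0.0 0.0.0.0 192.168.72.254
!
! 2. Identify the statically NATed host by source address only.
access-list 1 permit host 192.168.1.1
!
! 3. Pin matched traffic to the firewall that holds its 1-to-1 NAT.
!    Without a match clause the route-map entry would apply to every
!    packet arriving on the interface.
route-map NatGwy permit 10
 match ip address 1
 set ip next-hop 192.168.72.253
!
! 4. PBR is applied per ingress interface, not globally. Vlan10 stands in
!    for the SVI facing 192.168.1.1.
interface Vlan10
 ip policy route-map NatGwy
!
! Checks after applying:
!   show ip route 0.0.0.0      (both next hops listed for the default route)
!   show route-map NatGwy      (match and set clauses as configured)
!   show ip policy             (Vlan10 bound to NatGwy)
```

Because ACL 1 matches on source only, every routed packet from 192.168.1.1 arriving on that interface, inter-VLAN traffic included, is sent to 192.168.72.253. Keeping the host on one gateway also keeps both directions of each connection on the firewall that holds its NAT entry and connection state.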