Cisco router internet traffic split

Dear experts,

I need to figure out a rule that can make all Internet traffic for users go through a dedicated gateway.

We have 2 ISPs; we are not using one much and want to put all Internet traffic there.

What are the steps to take?

An HTTP/SSL rule with an entry in the routing table.

What else?

Thank you.
marceloNYC (Middle-Tier Administrator) Asked:

Don Johnston (Instructor) Commented:
Are both internet connections on a single router?  If so, what make/model router?

If not, a topology diagram would be helpful.
marceloNYC (Middle-Tier Administrator, Author) Commented:
I think something like this is the solution.

Details to follow.

https://supportforums.cisco.com/document/32186/dual-internet-links-nating-pbr-and-ip-sla
Don Johnston (Instructor) Commented:
So you're saying both internet connections terminate on a single router and that router is a Cisco?

Then yes, that would be my suggestion. PBR with SLA for failover.
marceloNYC (Middle-Tier Administrator, Author) Commented:
We have:

LAN <--->Router <--> ASA <--> Internet.

Router entries:

ip route 0.0.0.0 0.0.0.0 10.2.1.10

interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.255.255.1 255.255.255.0 secondary
 ip address 172.16.201.1 255.255.255.0 secondary
 ! <--- our network affected by the bandwidth shortage
 ip address 172.16.200.1 255.255.255.0
 ip accounting access-violations
 ip pim dense-mode
 ip nat inside
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 00cccccccccccccccccccc543C
 ip ospf lls disable
 no cdp enable

Some ASA Entries:

interface Ethernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.2.1.10 255.255.255.0
 ospf message-digest-key 1 md5 *****
 ospf authentication message-digest

global (OUTSIDE) 1 interface
global (DMZ) 1 interface
 
nat (INSIDE) 1 10.2.1.0 255.255.255.0
nat (INSIDE) 1 172.16.0.0 255.240.0.0

Someone started messing with Google Drive and the bandwidth shortage began.

We have an unused ISP line, 100 megs.
Don Johnston (Instructor) Commented:
We have an unused ISP line 100 megs.
If that's connected to the ASA, then PBR and SLA will work.
marceloNYC (Middle-Tier Administrator, Author) Commented:
No, it is not connected to the ASA. I actually found a Linux server running as a firewall for that line. I can't connect to it.

Will dig up an ASA 5505 and replace it... Still, on the router I need to know what to do.
Don Johnston (Instructor) Commented:
There's a fair amount of ambiguity here.

Where do (or will) the two internet links terminate?  Do they terminate on the same device?

Why are you replacing the ASA? Is it not working?
marceloNYC (Middle-Tier Administrator, Author) Commented:
Sorry,

I'm new here and walking into these things. I found that line going into a Linux server. I asked what it was and learned it is an unused Internet line with Cox.

Apparently it was a second line... Not sure.

I want to use it because Internet traffic is so slow here. The users work with Google Drive....

So since there is an unused Internet line, why not assign it for Internet traffic?
Don Johnston (Instructor) Commented:
I understand that.  

But you said that it's terminated on a Linux firewall. Then you say that you need to get an ASA replacement. Which makes it sound like you're going to have two separate ASAs.

And there's a router between the LAN and the existing ASA.  Is there something else connected to the router?  If not, it doesn't make any sense as to why the router is there.

And once again, where will the two internet links terminate?
marceloNYC (Middle-Tier Administrator, Author) Commented:
Yes,

No one knows how to connect to the Linux firewall. The person that left the company never documented anything.

So I am going to replace it with an ASA firewall.

So it will be LAN <---> Router <-- ASA 1/ ASA2

ASA2 for http/https traffic.
marceloNYC (Middle-Tier Administrator, Author) Commented:
So I need the steps to get:

LAN 172.16.200.0 <------> Internet using ASA2

I am all set now with ASA2.
Don Johnston (Instructor) Commented:
Why do you have a router between the LAN and the ASA?

And you're going to connect the ASAs serially? Meaning that traffic will go through the router, then the first ASA and then the second ASA?

Or will each internet link be connected to a different ASA? If so, how will the ASAs connect to the LAN? Through the router?
marceloNYC (Middle-Tier Administrator, Author) Commented:
We are a retail company and have a lot of other networks connecting here via VPN.

I think that is why it was designed this way.
Don Johnston (Instructor) Commented:
You currently have:

LAN----Router----ASA-----Internet

and you're going to add an ASA like this?

                                  ___Internet1
LAN----Router----ASA1-----ASA2---<
                                  ---Internet2

Or are you doing this:
             ----ASA1-----Internet1
LAN----Router<
             ----ASA2-----Internet2
marceloNYC (Middle-Tier Administrator, Author) Commented:
doing this:
             ----ASA1-----Internet1
LAN----Router<
             ----ASA2-----Internet2
marceloNYC (Middle-Tier Administrator, Author) Commented:
I think we should configure our router to direct HTTP and HTTPS traffic through the ASA2.

sample:

access-list 100 permit tcp 172.16.200.0 0.0.0.255 any eq www
access-list 100 permit tcp 172.16.200.0 0.0.0.255 any eq 443
access-list 101 permit ip any any
!
! 10.2.1.10 is the existing Cisco ASA, 172.16.200.83 is ASA2
ip route 0.0.0.0 0.0.0.0 10.2.1.10
ip route 0.0.0.0 0.0.0.0 172.16.200.83

Configuration Idea
https://supportforums.cisco.com/document/32186/dual-internet-links-nating-pbr-and-ip-sla

With the access list, HTTP/HTTPS traffic has to take the assigned gateway.

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

I am missing something for our network...
Don Johnston (Instructor) Commented:
Okay.

So you will be doing the PBR and SLA on the router and NAT on the ASA's, right?

Which means the configs on the link will work perfectly except that you will remove any references to NAT.  Other than that, you're good to go.
Don Johnston (Instructor) Commented:
I'm doing this from memory, but this should be what you're looking for.

track 123 ip sla 1 reachability
!
track 234 ip sla 2 reachability
!
interface F0/0
 description Link to LAN
 ip address 172.16.200.1 255.255.255.0
 ip policy route-map alpha
!
interface f0/1
 description to ASA 1
 ip address y.y.y.y 255.255.255.248
!
interface f0/2
 description to ASA 2
 ip address x.x.x.x 255.255.255.252
!
! Default routes via both ASAs (y.y.y.z = ASA 1 inside address, x.x.x.z = ASA 2
! inside address). Used when a flow matches no route-map sequence or when every
! tracked next hop is down.
ip route 0.0.0.0 0.0.0.0 y.y.y.z
ip route 0.0.0.0 0.0.0.0 x.x.x.z
! Host routes pin each SLA probe target to the path it is meant to test.
! "source-interface" only sets the probe's source address; it does not pick the
! egress, so two probes to the same target would both follow the same default
! route. 8.8.8.8 / 8.8.4.4 are example targets; each ASA must let the router's
! ICMP echo out and the reply back (inspect icmp).
ip route 8.8.8.8 255.255.255.255 y.y.y.z
ip route 8.8.4.4 255.255.255.255 x.x.x.z
!
ip access-list extended web-traffic
 permit tcp 172.16.200.0 0.0.0.255 any eq 80
 permit tcp 172.16.200.0 0.0.0.255 any eq 443
ip access-list extended non-web
 permit ip 172.16.200.0 0.0.0.255 any
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface f0/1
 timeout 1000
 frequency 3
ip sla schedule 1 life forever start-time now
!
ip sla 2
 icmp-echo 8.8.4.4 source-interface f0/2
 timeout 1000
 frequency 3
ip sla schedule 2 life forever start-time now
!
! HTTP/HTTPS from 172.16.200.0/24 goes to ASA 2 (the unused 100 meg line) while
! track 234 is up and falls back to ASA 1 when it is not
route-map alpha permit 10
 match ip address web-traffic
 set ip next-hop verify-availability x.x.x.z 10 track 234
 set ip next-hop verify-availability y.y.y.z 20 track 123
!
! Everything else (VPN and other protocols) stays on ASA 1, failing over to ASA 2
route-map alpha permit 20
 match ip address non-web
 set ip next-hop verify-availability y.y.y.z 10 track 123
 set ip next-hop verify-availability x.x.x.z 20 track 234

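Added example, not code from the thread or from either participant: a short Python model of the router's PBR decision for the design in the two posts above (the asker's ACL sketch and Don's route-map). It reproduces first-match ACL evaluation, route-map sequence order and the verify-availability fallback, and it adds the check the from-memory config needs: an IP SLA probe only measures one path if its target is routed out that path, because source-interface sets the probe's source address, not its egress. 10.2.1.10 (ASA1 inside) and 172.16.200.83 (ASA2) come from the thread; the route-map order follows the asker's goal of putting web traffic on ASA2; the probe targets 8.8.8.8 and 8.8.4.4 and the sample hosts are assumptions.

```python
from ipaddress import ip_address, ip_network

# Next hops. ASA1's inside address 10.2.1.10 is from the thread; 172.16.200.83
# is the placeholder the asker used for ASA2.
ASA1 = "10.2.1.10"
ASA2 = "172.16.200.83"

# Extended ACLs as (protocol, source network, destination port or None);
# "ip" matches any protocol, None matches any port.
ACLS = {
    "web-traffic": [("tcp", "172.16.200.0/24", 80),
                    ("tcp", "172.16.200.0/24", 443)],
    "non-web":     [("ip", "172.16.200.0/24", None)],
}

# route-map alpha: one entry per sequence, lowest first. Each next hop is
# (address, track object); the router tries them in order and skips any whose
# track is down (set ip next-hop verify-availability ... track N).
ROUTE_MAP = [
    ("web-traffic", [(ASA2, 234), (ASA1, 123)]),  # HTTP/HTTPS: ASA2, then ASA1
    ("non-web",     [(ASA1, 123), (ASA2, 234)]),  # everything else: ASA1, then ASA2
]


def acl_permits(acl_name, proto, src, dport):
    """First-match evaluation of the named ACL (all entries are permits)."""
    for ace_proto, net, port in ACLS[acl_name]:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ip_address(src) not in ip_network(net):
            continue
        if port is not None and port != dport:
            continue
        return True
    return False


def pbr_next_hop(proto, src, dport, tracks):
    """Next hop chosen by the policy map, or None when the packet falls back
    to the routing table (no sequence matched, or every verified hop is down).
    tracks maps track object -> True (up) / False (down)."""
    for acl_name, hops in ROUTE_MAP:
        if not acl_permits(acl_name, proto, src, dport):
            continue  # no match: evaluate the next sequence
        for hop, track in hops:
            if tracks.get(track, False):
                return hop
        return None  # matched, but all next hops unavailable: normal routing
    return None


def probe_egress(target, host_routes, default_next_hops):
    """Where an ICMP probe to target leaves the router: a /32 host route wins,
    otherwise the default route(s) decide. Two default routes mean the probe
    may use either path, so it proves nothing about one specific ASA."""
    if target in host_routes:
        return [host_routes[target]]
    return list(default_next_hops)


def check_probes(slas, host_routes, default_next_hops):
    """slas maps sla id -> (target, next hop the probe is meant to test).
    Returns the ids whose egress is not pinned to that next hop."""
    return sorted(sla_id for sla_id, (target, intended) in slas.items()
                  if probe_egress(target, host_routes, default_next_hops) != [intended])


if __name__ == "__main__":
    both_up = {123: True, 234: True}
    print("web, both up    ->", pbr_next_hop("tcp", "172.16.200.50", 443, both_up))
    print("web, ASA2 down  ->", pbr_next_hop("tcp", "172.16.200.50", 443, {123: True, 234: False}))
    print("dns, both up    ->", pbr_next_hop("udp", "172.16.200.50", 53, both_up))
    print("other subnet    ->", pbr_next_hop("tcp", "172.16.201.5", 443, both_up))
    # Probes as in the from-memory config: both aimed at 8.8.8.8 (assumed target),
    # no host routes, two default routes -> neither probe tests a specific path.
    print("unpinned probes ->", check_probes({1: ("8.8.8.8", ASA1), 2: ("8.8.8.8", ASA2)},
                                            {}, [ASA1, ASA2]))
    # One target per path plus a host route for each: both probes are pinned.
    print("pinned probes   ->", check_probes({1: ("8.8.8.8", ASA1), 2: ("8.8.4.4", ASA2)},
                                            {"8.8.8.8": ASA1, "8.8.4.4": ASA2}, [ASA1, ASA2]))
```

Run it as a script to see each case; the last two lines show why the probes need distinct targets and host routes before the tracks mean anything. The model deliberately mirrors IOS behaviour where a matched sequence with every next hop down does not fall through to the next sequence but to the routing table.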
marceloNYC (Middle-Tier Administrator, Author) Commented:
Sorry it took me so long to get back to you.

Thank you for your help.