I have an 1811 router which has 2 internet connections (FE0 and FE1) and Vlan1. What I need to achieve is:
1. all the internet browser traffic going through FE1
2. ipsec site-to-site tunnel established through FE0
3. mail sending in and out through FE1
4. other services (web, Citrix, etc.) from outside through FE0
According to this design, I think PBR is needed to apply to VLAN1 inside. The precedence is:
10 ipsec traffic (permit 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255) interface FE0
20 servers providing outside service (permit host 10.0.0.3, 10.0.0.5) interface FE0
default route interface FE1
Is my understanding of PBR right? When the packet reaches VLAN1 from inside, it checks PBR first. If it meets the requirement then it passes the packet on, otherwise it uses the default route.
For the servers providing services, the original traffic is generated outside. When it replies, it hits VLAN1. Does it need a route to tell it which way to go back, like I defined in PBR 20?
In this way, all the traffic from the servers is through FE0, not only the replying traffic.
Since NAT overload is set on FE1, if I want to browse the internet from the servers, it won't work, unless another route-map for the servers is defined for the dynamic NAT on FE0.
Is it possible not to use PBR, but an ACL to deny traffic through a FastEthernet interface, so that it will try the other interface if it is rejected? Sure, it will use static route 0.0.0.0 0.0.0.0 to both interfaces.
Can anybody tell me what is the simple and logical way to do so?
1. Normally, site-to-site VPN tunnels appear to your internal IP traffic as a normal link that ties together one "internal" router with another "internal" router. The tunnel configuration has the actual Internet IP addresses for the tunnel's end points, but these addresses, if known, are seen as external Internet addresses by the rest of your network.
The far side of the tunnel's internal LAN addresses need to be known. This can be done with static routes or, sometimes, using dynamic routing across the tunnel.
PBR is, more or less, special-conditions static routing, usually used when there are multiple paths to a destination and you want to specify path preference for different types of traffic.
In your case, probably, you have traffic to/from the Internet, and/or to/from the remote tunnel end's LAN. These are different logical destinations, even though the tunnel itself runs across the Internet.
2. Usually, internal hosts will see Internet hosts with an Internet address. Your internal routing, normally, will forward any unknown internal host addresses to the Internet. In your case, likely as the traffic passes out to the Internet, the internal source address is NAT'ed to a public Internet address. The Internet host replies back to the NAT'ed address. The NAT translates the reply destination address back to the original requester's source address. Your internal routing delivers it. The two special elements are sending unknown addresses out to the Internet and translating internal private addresses to/from public Internet addresses. Everything else usually is standard routing.
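A Cisco IOS configuration, added here as an example and not taken from the question or the answer, that implements the precedence the question lays out: the two PBR clauses on Vlan1 steering tunnel and server traffic to FE0, the default route via FE1 for everything else, and a NAT split that excludes tunnel traffic and translates to whichever interface a packet actually leaves on. The next-hop addresses, the Vlan1 address, the crypto map sitting on FastEthernet0 and inbound static NAT for the servers are assumptions.

```cisco
! Added example, not the poster's or the answerer's config. Assumed values: FE0 next hop
! 203.0.113.1, FE1 next hop 198.51.100.1, inside LAN 10.0.0.0/24, remote tunnel LAN
! 192.168.0.0/24, crypto map applied on FastEthernet0, inbound static NAT for the
! servers on FE0 already in place.

! Seq 10: traffic for the remote LAN must exit FE0, where the IPsec crypto map is applied
ip access-list extended PBR-VPN
 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
! Seq 20: the public-facing servers exit FE0 for everything, replies included
ip access-list extended PBR-SERVERS
 permit ip host 10.0.0.3 any
 permit ip host 10.0.0.5 any

route-map INSIDE-PBR permit 10
 match ip address PBR-VPN
 set ip next-hop 203.0.113.1
route-map INSIDE-PBR permit 20
 match ip address PBR-SERVERS
 set ip next-hop 203.0.113.1
! No further clause: packets matching neither ACL fall back to the routing table

interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip policy route-map INSIDE-PBR
interface FastEthernet0
 ip nat outside
interface FastEthernet1
 ip nat outside

! Everything else (browsing, outbound mail) follows the default route via FE1
ip route 0.0.0.0 0.0.0.0 198.51.100.1

! NAT: keep tunnel traffic out of the translation so it is encrypted, not NATed,
! then translate to whichever interface the packet actually leaves on
ip access-list extended NAT-INSIDE
 deny   ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
route-map NAT-VIA-FE0 permit 10
 match ip address NAT-INSIDE
 match interface FastEthernet0
route-map NAT-VIA-FE1 permit 10
 match ip address NAT-INSIDE
 match interface FastEthernet1
ip nat inside source route-map NAT-VIA-FE0 interface FastEthernet0 overload
ip nat inside source route-map NAT-VIA-FE1 interface FastEthernet1 overload
```

Because the policy is applied on Vlan1, the servers' reply packets are policy-routed to FE0 as they enter from the inside, so no separate return route is needed for them; `show route-map INSIDE-PBR` shows the match counters per clause.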