Policy Based Routing (Suggestion Needed)

sajjidkhan (Level 1)

I have two 2800 series routers, one on ADSL and one on a Leased Line, with a 515E firewall connected to each. They are then connected to an L2 switch (2960G) for aggregation to two L3 core switches (3750). I want all my traffic to use the ADSL and all my mail (SMTP) traffic to use the LL. Do I need policy based routing here, or just to specify the default gateway for the mail servers as the firewall connected to the LL router?

Suggestions will be appreciated.

21 Replies

Jon Marshall (Hall of Fame)

If the mail servers are on a different subnet than the internal interface of the firewall that connects to the LL router, then you will need PBR. Where is the L3 interface for the mail servers?

I'm assuming from your explanation that the firewalls are independent of each other, i.e. they are not running as a pair?

Jon

@jon

Thanks for the prompt reply.

The mail servers are on the same subnet (VLAN) as the firewall (inside). The firewalls are independent of each other, as both are on different VLANs.

Browsing is perfect; I had a small glitch with a few sites, but it was resolved when I played a little with the MTU size. Now the problem lies with the mail going through the LL. Email is not bounced back but never reaches the other party.

Presumably you are NATing the mail servers to the public addresses in use on the LL firewall. You need to make sure these are the DNS MX records.

Jon

@jon

I tried the following config and all I got was a mail to my Gmail account; the rest of them never arrived.

My config shows:

static (inside,outside) tcp 83.x.x.195 smtp 192.168.1.206 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 83.x.x.196 https 192.168.1.206 https netmask 255.255.255.255 0 0

and the ACL shows:

access-list acl_out permit tcp any host 83.x.x.195 eq smtp
access-list acl_out permit tcp any host 83.x.x.195 eq https
access-list acl_out permit icmp any any

What is the DNS record for your mail server, i.e. if I looked up 83.x.x.195 on the Internet, would it resolve to your mail server?

Jon

@jon

No, you can't resolve it as there is no DNS record for the mail servers. We need it only to send mails, not receive (for the time being). We do have other servers to do the job in different locations.

By the way, the mail which arrived at Gmail went through the ADSL, as I traced it to the dynamic IP.

Still not clear what should be done.

Are you sure these are independent of each other? If the default gateway of the mail server is the LL firewall and the leased line firewall only connects to the LL router, then how is the mail server getting out via the ADSL link?

Perhaps a diagram would help.

Jon

@jon

I tried to simplify it as much as I can, but I'm not good at drawing :)

The problem might be at Core SW 1, where inter-VLAN routing takes place. I'm not sure how to apply PBR on the core though.

Saj:

Just to reiterate, correct me if I'm wrong.

MBX 1 and 2 are the email servers?

What are their default gateways set to?

What are the IP addresses of BOTH FW inside interfaces?

The switch that both FWs are connected to is an L2 switch, correct?

Victor

@lamav

MBX1 & 2 are mail servers but are dependent on CAS/HOB which is 192.168.1.206.

The LL FW is 192.168.1.254, which is also defined as the gateway for the CAS/HOB. The ADSL FW is 192.168.101.2 (different VLAN) and is the gateway for all other traffic through Core SW1 (192.168.101.1).

The switch which aggregates the firewalls with Core SW1 is an L2 (2960G, LAN Base) switch. The respective VLANs are defined on the switch ports for the LL FW & ADSL FW.


If the mail servers have their default gateway on SW1 then you will need to use PBR, but you said that the mail servers' default gateway was the LL FW.

If the mail server default gateway is on SW1 then you have to set up PBR. Do your internal clients need to talk to the mail servers? Let's assume they do, and let's say your internal VLANs are

192.168.1.0/24

192.168.2.0/24

192.168.3.0/24

access-list 101 deny ip any 192.168.1.0 0.0.0.255
access-list 101 deny ip any 192.168.2.0 0.0.0.255
access-list 101 deny ip any 192.168.3.0 0.0.0.255
access-list 101 permit ip any any

route-map MAIL permit 10
 match ip address 101
 set ip next-hop

Then apply it to the mail server VLAN interface, e.g.

int vlan 10
 ip policy route-map MAIL

Edit - you may also need to enable the SDM routing template on the 3750 for PBR.

Jon

Dear Jon

Although I can create a route map, unfortunately I can't apply it to the interface. There is no "ip policy" command available. Does it have something to do with my IOS, as it's the IP Base version?

Hey, Jon:

How are you, buddy?

I'd like to ask a question about your route map. I don't want to hijack Saj's thread, though... I just want to understand your solution.

Can you please explain the logic of your route map? What's with the deny statements? I don't think I've ever seen an ACL created for PBR that uses negative logic... what do those deny statements achieve?

Are you trying to say "don't policy route traffic between internal VLANs and the mail servers"? And if so, doesn't the implicit deny at the end of the ACL take care of that? Anything that isn't PBR'd is routed normally...

Thanks

Victor
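As an added illustration of the route-map logic Jon posted and Victor asks about (this is not code from the thread): a small Python model of a PBR ACL, where deny entries and the implicit deny both mean "forward by the normal routing table", and only permit entries send traffic to the configured next hop. The ACL text, the next hop 192.168.1.254 (the LL firewall inside address given in the thread) and the sample flows are constructed for the example.

```python
import ipaddress

# Constructed ACL text in the shape Jon posted: deny = "do not policy route",
# the final permit = "everything else goes to the next hop".
ACL_101 = """
access-list 101 deny ip any 192.168.1.0 0.0.0.255
access-list 101 deny ip any 192.168.2.0 0.0.0.255
access-list 101 deny ip any 192.168.3.0 0.0.0.255
access-list 101 permit ip any any
"""
LL_FW = "192.168.1.254"  # inside address of the LL firewall, from the thread

def addr_spec(tokens):
    """Consume one ACL address spec: 'any' | 'host A' | 'A WILDCARD' -> (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def parse_acl(text):
    """Parse 'access-list N {permit|deny} ip SRC DST' lines into ACE tuples."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        action, rest = tok[2], tok[4:]
        src, dst = addr_spec(rest), addr_spec(rest)
        aces.append((action, *src, *dst))
    return aces

def wc_match(addr, base, wildcard):
    """Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def policy_route(aces, src, dst, next_hop):
    """Model of 'match ip address ACL' + 'set ip next-hop': first matching ACE decides.
    Returns next_hop when a permit entry matches; None (normal routing-table lookup)
    on a deny match or on the implicit deny at the end of the ACL."""
    for action, sb, sw, db, dw in aces:
        if wc_match(src, sb, sw) and wc_match(dst, db, dw):
            return next_hop if action == "permit" else None
    return None

if __name__ == "__main__":
    aces = parse_acl(ACL_101)
    print(policy_route(aces, "192.168.1.206", "203.0.113.25", LL_FW))  # 192.168.1.254
    print(policy_route(aces, "192.168.1.206", "192.168.2.50", LL_FW))  # None
```

Dropping the final permit line and re-running shows why Jon needs it: with only deny entries, the implicit deny catches the Internet-bound mail traffic too and nothing is policy routed.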
