I believe my scenario is far more complicated than I thought it was.
I have more than one IP range (VLANs), starting from 192.168.1.x to 20.x, including 101.x and 200.x too. Another subnet is 10.10.1.x with a VLAN 9 tag.
The 192.168.1.x is the server range and needs access for fetching mail etc., hence the leased line will be used by this subnet. Some users might want to connect from outside to the mail servers.
All other subnets will be using the (83.x.x.195) Adsl1 router for web access, except vlan9, which is 10.10.1.x and will be using the (83.x.x.196) Adsl2 router.
Another thing: I'm using another VLAN (vlan22) to aggregate and connect the three routers to the firewall. Would it make sense not to use (waste) any of my global IPs on this VLAN?
Internal IP 192.168.x.x/24 (for all vlans)
users with IP 192.168.x.x using first ADSL
users with IP 10.10.1.x using second ADSL
servers with IP 192.168.1.x using Leased Line
Core Switch IP: 192.168.101.1
Firewall IP inside 192.168.101.2
Firewall IP outside 83.x.x.194
Leased Line assigned IP: 83.x.x.192 255.255.255.240
LeasedLine router IP: 83.x.x.193
ADSL router IP: 83.x.x.195 (do I need NAT of 83.x.x.192 to this ADSL int?)
ADSL router IP: 83.x.x.196 (do I need NAT of 83.x.x.192 to this one too?)
ip address inside 192.168.101.2 255.255.255.0
ip address outside 83.x.x.194 255.255.255.240
global (outside) 1 interface
global (outside) 10 83.x.x.197
global (outside) 20 83.x.x.198
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 10 192.168.0.0 255.255.0.0
nat (inside) 20 10.10.1.0 255.255.255.0
static (inside,outside) tcp 83.x.x.199 smtp 192.168.1.206 smtp netmask 255.255.255.255
static (inside,outside) tcp 83.x.x.200 https 192.168.1.206 https netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 83.x.x.193 1
In the config above, I've devised a static NAT for the email server; will it work for the teleworker to connect to mail? Do I also need to change something on the access list, like the one below?
access-list acl_out permit tcp any host 83.x.x.199 eq smtp
access-list acl_out permit tcp any host 83.x.x.199 eq www
access-list acl_out permit tcp any host 83.x.x.200 eq https
access-list acl_out permit tcp any host 83.x.x.199 eq 3389
access-list acl_out permit icmp any any
Other than that, do I need to have routes to all inside VLANs (I'm not sure why I need it :-P ), like the one below:
route inside 192.168.x.0 255.255.255.0 192.168.101.1 1
I think I might not need to configure anything on the ADSL routers; only the leased line router might do the trick. If yes, then is this config enough to do the tasks I want it to do?
Router with leased line
The router interface is configured for policy based routing.
ip address 83.x.x.193 255.255.255.240
ip policy route-map adsl
ip route 0.0.0.0 0.0.0.0 Serial0
ip access-list extended ADSL-list1
permit ip host 83.x.x.197 any
ip access-list extended ADSL-list2
permit ip host 83.x.x.198 any
Other than the access list, the route map is as follows.
route-map adsl permit 10
match ip address ADSL-list1
set ip next-hop 83.x.x.195
route-map adsl permit 20
match ip address ADSL-list2
set ip next-hop 83.x.x.196
route-map adsl permit 30
set default interface Serial0
Now the question is, what did I miss, and will it work?
P.S: I haven't tried this configuration till now. Just need confirmation if this is the right way to do it.
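The following is an added example, not part of the post above: a small Python model of the two decisions the design depends on, which "nat" statement a given inside host falls under on the firewall, and which route-map entry its translated source then hits on the leased line router. It is useful for checking that each VLAN really leaves through the intended link before the configuration is deployed. The global addresses keep the post's anonymised "83.x.x.N" form and are handled as labels. Two assumptions are built in and must be verified against the firewall's documentation: overlapping regular "nat" statements are resolved either by the most specific statement or by the lowest nat_id (both policies are modelled), and the route-map is evaluated top-down with first match winning. The sample hosts and the second rule set ("NAT_RULES_SPECIFIC") are constructed for the example.

```python
import ipaddress

# Constructed model of the posted firewall NAT and router policy routing.
# Assumptions (verify on the platform): regular dynamic NAT overlap resolved by
# most-specific statement OR lowest nat_id; route-map evaluated top-down.

OUTSIDE_IP = "83.x.x.194"  # "global (outside) 1 interface" = PAT on this address

# (nat_id, real network, global address) as in the posted firewall config
NAT_RULES_POSTED = [
    (1, ipaddress.ip_network("0.0.0.0/0"), "interface"),
    (10, ipaddress.ip_network("192.168.0.0/16"), "83.x.x.197"),
    (20, ipaddress.ip_network("10.10.1.0/24"), "83.x.x.198"),
]

# Constructed alternative: the server statement names only the server VLAN,
# so it no longer overlaps the user statement.
NAT_RULES_SPECIFIC = [
    (1, ipaddress.ip_network("192.168.1.0/24"), "interface"),
    (10, ipaddress.ip_network("192.168.0.0/16"), "83.x.x.197"),
    (20, ipaddress.ip_network("10.10.1.0/24"), "83.x.x.198"),
]

# (sequence, set of matched global sources or None = match anything, action)
ROUTE_MAP_ADSL = [
    (10, {"83.x.x.197"}, "next-hop 83.x.x.195"),  # ADSL-list1 -> Adsl1
    (20, {"83.x.x.198"}, "next-hop 83.x.x.196"),  # ADSL-list2 -> Adsl2
    (30, None, "default interface Serial0"),       # everything else: leased line
]


def select_nat(src, rules, policy="most-specific"):
    """Return (nat_id, translated source) for an inside host, or None."""
    src = ipaddress.ip_address(src)
    candidates = [(nid, net, glob) for nid, net, glob in rules if src in net]
    if not candidates:
        return None
    if policy == "most-specific":
        nid, net, glob = max(candidates, key=lambda c: c[1].prefixlen)
    elif policy == "lowest-id":
        nid, net, glob = min(candidates, key=lambda c: c[0])
    else:
        raise ValueError("unknown policy: %s" % policy)
    return nid, (OUTSIDE_IP if glob == "interface" else glob)


def select_egress(translated_src, route_map):
    """First route-map entry whose match clause accepts the source decides."""
    for seq, match, action in route_map:
        if match is None or translated_src in match:
            return seq, action
    return None, "routing table"


def trace(src, rules, policy="most-specific"):
    """Follow one inside host through NAT selection and policy routing."""
    nat = select_nat(src, rules, policy)
    if nat is None:
        return {"src": src, "nat_id": None, "global": None, "egress": "no translation"}
    nid, glob = nat
    seq, action = select_egress(glob, ROUTE_MAP_ADSL)
    return {"src": src, "nat_id": nid, "global": glob, "seq": seq, "egress": action}


def mismatches(intent, rules, policy="most-specific"):
    """Hosts whose actual egress differs from the intended one, sorted."""
    return sorted(h for h, want in intent.items()
                  if trace(h, rules, policy)["egress"] != want)


# Constructed sample hosts with the link the post says each VLAN should use
INTENT = {
    "192.168.1.206": "default interface Serial0",  # mail server: leased line
    "192.168.5.20": "next-hop 83.x.x.195",         # ordinary user VLAN: Adsl1
    "10.10.1.15": "next-hop 83.x.x.196",           # vlan9: Adsl2
}

if __name__ == "__main__":
    for policy in ("most-specific", "lowest-id"):
        for label, rules in (("posted", NAT_RULES_POSTED), ("specific", NAT_RULES_SPECIFIC)):
            print(policy, label, "mismatches:", mismatches(INTENT, rules, policy))
```

Run as written, the posted rule set fails under either assumption: with most-specific matching the server VLAN 192.168.1.x falls into "nat (inside) 10" (a /16 beats the 0.0.0.0/0 catch-all) and is policy-routed to Adsl1 rather than the leased line; with lowest-id matching the 0.0.0.0/0 statement swallows every VLAN and nothing ever reaches the ADSL routers. The constructed "NAT_RULES_SPECIFIC" set, where the server statement covers only 192.168.1.0/24, produces no mismatches under both policies, which is the property worth having when the platform's exact overlap rule is uncertain.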