Yet Another Complicated PBR Question

Unanswered Question

I believe my scenario is far more complicated than I thought it was.

I have more than one IP range (VLANs), from 192.168.1.x to 192.168.20.x, including the 101.x and 200.x ranges too. Another subnet is 10.10.1.x, tagged VLAN 9.

The 192.168.1.x range is the server range and needs access for fetching mail etc., hence the leased line will be used by this subnet. Some users might want to connect from outside to the mail servers.

All other subnets will use the ADSL1 router (83.x.x.195) for web access, except VLAN 9 (10.10.1.x), which will use the ADSL2 router (83.x.x.196).

Another thing: I'm using another VLAN (VLAN 22) to aggregate and connect the three routers to the firewall. Does it make sense not to use (waste) any of my global IPs on this VLAN?

Some info:
Internal IPs: 192.168.x.x/24 (for all VLANs)
Users with IP 192.168.x.x use the first ADSL
Users with IP 10.10.1.x use the second ADSL
Servers with IP 192.168.1.x use the leased line
Core switch IP:
Firewall IP inside:
Firewall IP outside: 83.x.x.194
Leased line assigned IP: 83.x.x.192
Leased line router IP: 83.x.x.193
ADSL router IP: 83.x.x.195 (do I need NAT of 83.x.x.192 to this ADSL interface?)
ADSL router IP: 83.x.x.196 (do I need NAT of 83.x.x.192 to this one too?)


Firewall config


! PIX firewall, as posted; several address/mask tokens appear to have been lost in the post
ip address inside
ip address outside 83.x.x.194
! PAT pools: id 1 uses the outside interface address, ids 10 and 20 use dedicated global addresses
global (outside) 1 interface
global (outside) 10 83.x.x.197
global (outside) 20 83.x.x.198
! nat rules selecting those pools (the inside network/mask tokens are missing here)
nat (inside) 1
nat (inside) 10
nat (inside) 20
! port-forwarding statics for the published mail services (inside host and netmask value missing)
static (inside,outside) tcp 83.x.x.199 smtp smtp netmask
static (inside,outside) tcp 83.x.x.200 https https netmask
! route toward the leased-line router (destination/mask tokens missing; a default route uses 0.0.0.0 0.0.0.0)
route outside 83.x.x.193 1

In the config above, I've configured a static NAT for the email server; will it work for the teleworkers to connect to mail? Do I also need to change something in the access list, like the one below?

! ACL for the outside interface (the access-group line binding it to the interface is not shown)
access-list acl_out permit tcp any host 83.x.x.199 eq smtp
access-list acl_out permit tcp any host 83.x.x.199 eq www
access-list acl_out permit tcp any host 83.x.x.199 eq https
! 3389 is RDP, permitted from any source
access-list acl_out permit tcp any host 83.x.x.199 eq 3389
! all ICMP, any source to any destination
access-list acl_out permit icmp any any

Other than that, do I need routes to all inside VLANs (I'm not sure why I would need them :-P), like the one below:

! route to an inside VLAN via the core switch (mask and next-hop tokens are missing in the post)
route inside 192.168.x.0 1


I think I might not need to configure anything on the ADSL routers; the leased line router alone might do the trick. If so, is this config enough to do the tasks I want it to do?


Router with leased line


The router interface is configured for policy-based routing.

interface FastEthernet0/0
 ip address 83.x.x.193
 ! policy routing applies only to packets received on this interface (the firewall side)
 ip policy route-map adsl
!
! route out the leased line (destination/mask tokens missing in the post; a default route uses 0.0.0.0 0.0.0.0)
ip route Serial0
!
! traffic the PIX has already translated to its global addresses 83.x.x.197 / 83.x.x.198
ip access-list extended ADSL-list1
 permit ip host 83.x.x.197 any
ip access-list extended ADSL-list2
 permit ip host 83.x.x.198 any

Other than the access lists, the route-map is as follows.

route-map adsl permit 10
 match ip address ADSL-list1
 set ip next-hop 83.x.x.195
route-map adsl permit 20
 match ip address ADSL-list2
 set ip next-hop 83.x.x.196
! no match clause, so every remaining packet hits this sequence; set default interface
! is used only when the routing table has no explicit route for the destination
route-map adsl permit 30
 set default interface Serial0


Now the question is: what did I miss, and will it work?

P.S.: I haven't tried this configuration yet. I just need confirmation that this is the right way to do it.

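The route-map in the question above, modelled as an added example (this is not code from the original post): a small simulation of how IOS evaluates the policy route-map "adsl" on packets arriving on FastEthernet0/0. It shows that the PAT globals 83.x.x.197 and .198 are steered to the two ADSL routers, that the mail server's static address falls through to sequence 30 and the leased line, that traffic entering from Serial0 is never policy-routed and instead follows the routing table (including the host routes back to the PIX that the reply below suggests), and one caveat: because ADSL-list1 permits "any" destination, even traffic from .197 to the leased line's own block is sent to ADSL1. Addresses use the documentation prefix 203.0.113.0/24 in place of the post's 83.x.x.0, and the /28 size of the leased-line block and the exact back routes are assumptions.

```python
"""Added example (not from the original post): a model of how the IOS
route-map 'adsl' chooses a next hop.

IOS semantics modelled: a policy route-map is evaluated in sequence order on
packets received on the interface it is applied to; the first sequence whose
match clauses succeed is used; a sequence with no match clause matches
everything; 'set ip next-hop' overrides the routing table; 'set default
interface' is used only when the routing table has no explicit (non-default)
route for the destination.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass
class AclEntry:
    action: str          # "permit" or "deny"
    src: Net
    dst: Net


@dataclass
class Sequence:
    seq: int
    match_acl: Optional[str] = None
    set_next_hop: Optional[str] = None
    set_default_interface: Optional[str] = None


def acl_permits(entries: List[AclEntry], src, dst) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in entries:
        if src in e.src and dst in e.dst:
            return e.action == "permit"
    return False


def lookup(table, dst):
    """Longest-prefix match over (network, exit) pairs; None when no route."""
    best = None
    for net, exit_ in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, exit_)
    return best


# Configuration transcribed from the post, with 203.0.113.0/24 standing in for 83.x.x.0.
ACLS = {
    "ADSL-list1": [AclEntry("permit", Net("203.0.113.197/32"), Net("0.0.0.0/0"))],
    "ADSL-list2": [AclEntry("permit", Net("203.0.113.198/32"), Net("0.0.0.0/0"))],
}
ROUTE_MAP_ADSL = [
    Sequence(10, match_acl="ADSL-list1", set_next_hop="203.0.113.195"),
    Sequence(20, match_acl="ADSL-list2", set_next_hop="203.0.113.196"),
    Sequence(30, set_default_interface="Serial0"),   # no match clause
]
ROUTING_TABLE = [
    (Net("0.0.0.0/0"), "Serial0"),                   # ip route ... Serial0
    (Net("203.0.113.192/28"), "FastEthernet0/0"),    # connected block; /28 is an assumption
    (Net("203.0.113.199/32"), "203.0.113.194"),      # back routes as suggested in the reply
    (Net("203.0.113.200/32"), "203.0.113.194"),
]
POLICY_INTERFACE = "FastEthernet0/0"                 # ip policy route-map adsl


def forward(src: str, dst: str, ingress: str) -> Tuple[str, str]:
    """Return (how the decision was made, exit interface or next hop)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def normal():
        route = lookup(ROUTING_TABLE, dst)
        return ("routing table", route[1] if route else "no route")

    if ingress != POLICY_INTERFACE:          # PBR is bound to the ingress interface
        return normal()
    for s in sorted(ROUTE_MAP_ADSL, key=lambda s: s.seq):
        if s.match_acl and not acl_permits(ACLS[s.match_acl], src, dst):
            continue
        if s.set_next_hop:
            return ("set ip next-hop", s.set_next_hop)
        if s.set_default_interface:
            route = lookup(ROUTING_TABLE, dst)
            if route and route[0].prefixlen > 0:     # an explicit route wins
                return ("routing table", route[1])
            return ("set default interface", s.set_default_interface)
        return normal()
    return normal()


if __name__ == "__main__":
    # Constructed sample packets: (source, destination, ingress interface).
    for pkt in [("203.0.113.197", "198.51.100.7", "FastEthernet0/0"),
                ("203.0.113.198", "198.51.100.7", "FastEthernet0/0"),
                ("203.0.113.199", "198.51.100.7", "FastEthernet0/0"),
                ("203.0.113.197", "203.0.113.200", "FastEthernet0/0"),
                ("198.51.100.7", "203.0.113.199", "Serial0")]:
        print(pkt, "->", forward(*pkt))
```

The fourth sample packet is the one to look at: a "permit ip host X any" entry steers everything from that global address, so anything that should stay on the leased line (or reach the other published addresses directly) needs a deny or a narrower destination in the ACL before the permit.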
baseljraki Tue, 05/13/2008 - 00:37

First, let us start with the firewall:

I don't think that we need these commands:

global (outside) 1 interface
global (outside) 20 83.x.x.198
nat (inside) 1
nat (inside) 20

because these commands do NAT for something we don't need to pass through the firewall; we need the firewall only for the servers VLAN, and instead of these commands, which do NAT for all VLANs:

global (outside) 10 83.x.x.197
nat (inside) 10

we can do it for only the servers VLAN:

global (outside) 10 83.x.x.197
nat (inside) 10

About the access list: if you were only using the server 83.x.x.200, it would be enough, but you are using this server too: 83.x.x.200, so you need the same access list for this server.

Also, you don't have to put routes to all VLANs, because the firewall is only for the servers VLAN, but if you did that it is OK; you will not lose anything :D


You don't have to change anything in the ADSL router if the servers of the servers VLAN are routed to the LL route, but if not, I think you have to do something to enforce that the servers VLAN traffic goes to the LL route when that traffic goes to the ADSL router.

But let us try to go the easier way ("which is the same as the last way, but without missing anything, because I believe in it"), and that is by putting a static IP for the servers. But here we have to change the default gateway of the servers in the server VLAN to the internal firewall interface, and that must be done after you change the internal IP address to something that agrees with the servers VLAN; and don't forget to change the VLAN access mode on the switch port that is connected to that interface :D

By doing that you will force the servers to take the PIX firewall route, which is the LL route.


So let us say that now the traffic arrives at the PIX; then the PIX applies the NAT rules to it and routes it to the LL router.

So now let us check the LL router:

First, I don't think that you have to put a policy route-map on the outside interface, because by using the last configuration the only traffic that will arrive at it is the servers VLAN traffic, so you only have to route it to the outside and route the returning traffic on the inside interface back to the firewall,

because the firewall is just allowing the servers VLAN traffic to pass through it and forbidding the others, and the LL router is behind the firewall, I think :D

So you have to add back routes:

! host routes for the two published addresses, pointing back at the PIX outside
! interface (the netmask token appears to be missing from the post)
ip route 83.x.x.199 83.x.x.194
ip route 83.x.x.200 83.x.x.194

So after that we don't need any access list and route-map for the LL router; I think they are useless /:)
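The reply's access-list remark, checked mechanically as an added example (this is not code from the post or the reply): a small audit that parses the PIX "static" and "access-list acl_out" lines and cross-references them. It reports the static for 83.x.x.200 https that has no permitting entry in acl_out (the reply's point), the acl_out entries for .199 www, https and 3389 that have no static behind them, and the "permit icmp any any" entry that is open from any source to any destination. The config lines are constructed from the post with the documentation prefix 203.0.113.0/24 in place of 83.x.x.0; the inside hosts 192.168.1.10 and 192.168.1.20 and the netmask 255.255.255.255 are assumptions, since those tokens are missing in the post.

```python
"""Added example (not from the original post or the reply): cross-check PIX
'static' port-forwards against the 'acl_out' access list.

Only the address forms used in the post ('any' and 'host X') are parsed.
"""
import re
from typing import Dict, List, Tuple

# Constructed from the post; inside hosts and netmask are assumptions.
CONFIG = """
static (inside,outside) tcp 203.0.113.199 smtp 192.168.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.200 https 192.168.1.20 https netmask 255.255.255.255
access-list acl_out permit tcp any host 203.0.113.199 eq smtp
access-list acl_out permit tcp any host 203.0.113.199 eq www
access-list acl_out permit tcp any host 203.0.113.199 eq https
access-list acl_out permit tcp any host 203.0.113.199 eq 3389
access-list acl_out permit icmp any any
""".strip().splitlines()

PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "https": 443, "pop3": 110,
              "imap4": 143, "ssh": 22, "domain": 53}

STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")


def port_number(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _addr_spec(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume 'any' or 'host X' from the front of the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError("unsupported address form: " + " ".join(tokens))


def parse_pix(lines: List[str], acl_name: str = "acl_out"):
    """Return (statics, aces): statics as (proto, global_ip, global_port),
    aces as (action, proto, src, dst, port_or_None, original_line)."""
    statics, aces = [], []
    for line in lines:
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append((m.group(3), m.group(4), port_number(m.group(5))))
            continue
        m = ACE_RE.match(line)
        if m and m.group(1) == acl_name:
            action, proto, rest = m.group(2), m.group(3), m.group(4).split()
            src, rest = _addr_spec(rest)
            dst, rest = _addr_spec(rest)
            port = port_number(rest[1]) if rest[:1] == ["eq"] else None
            aces.append((action, proto, src, dst, port, line))
    return statics, aces


def audit(statics, aces) -> Dict[str, list]:
    def permitted(proto, ip, port):
        for action, aproto, _src, dst, aport, _ in aces:
            if (action == "permit" and aproto in (proto, "ip")
                    and dst in (ip, "any") and aport in (port, None)):
                return True
        return False

    report = {"static_without_permit": [], "permit_without_static": [],
              "broad_permits": []}
    for proto, ip, port in statics:            # translation exists, ACL blocks it
        if not permitted(proto, ip, port):
            report["static_without_permit"].append((proto, ip, port))
    for action, proto, src, dst, port, text in aces:
        if action != "permit":
            continue
        if src == "any" and dst == "any":      # wide-open entry
            report["broad_permits"].append(text)
        elif dst != "any" and port is not None and (proto, dst, port) not in statics:
            report["permit_without_static"].append((proto, dst, port))  # ACL opens a port with nothing behind it
    return report


def run() -> Dict[str, list]:
    return audit(*parse_pix(CONFIG))


if __name__ == "__main__":
    for key, items in run().items():
        print(key)
        for item in items:
            print("   ", item)
```

An ACL entry with no static behind it is not reachable, but it is still a permit that will silently become live the moment someone adds a matching static, so the audit lists both directions rather than only the missing permit.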


