I have a Cisco 3725 router with 3 Fast Ethernet ports. We also have 2 separate firewalls (Checkpoint and Sonicwall).
We got this router to allow us the option of making gateway changes on the fly without having to change anyone's default gateway.
What I have done so far is assigned one of the Ethernet ports on the router a primary and secondary address... These addresses were the gateway addresses of the 2 firewalls. I have configured the 2 other ports on the router to have an address out of a unique subnet (each port to be connected directly to one of the 2 firewalls, obviously assigning the firewall ports addresses that allow them to communicate with the router).
So let's say the 2 IP addresses that are assigned to that one port on the router are 220.127.116.11 and 18.104.22.168. These being the 2 possible default gateways of all computers on the network... I want the router to recognize which address traffic from the network arrived on and, from that, route to one of the 2 firewalls... So if a computer had 22.214.171.124 as its gateway, the router would route Internet requests to the Checkpoint, and if a computer had 126.96.36.199 as its gateway, the traffic would be routed to the other gateway (Sonicwall). The only exception to traffic from one gateway address being routed to a specific firewall all the time is when they try to access shares on one of our remote sites (we have a site-to-site VPN tunnel), and that tunnel is only between the Checkpoint and the remote site; the Sonicwall has no VPN tunnels... I have configured static routes for those subnets to go to the Checkpoint on the router, so I don't think that will be an issue...
Anyway, how do I route traffic depending on what gateway address computers used? Gateway of last resort forces all internet traffic to one of the 2, without any dynamic routing options...
Thanks in advance!
Just getting another interface will not make it much easier, to be honest. As I said previously, you would need to readdress clients that go onto the other subnet; you can't have 2 Ethernet interfaces on the same router using addresses out of the same subnet.
So you will still need to allocate the IT users and execs into a new VLAN. If you know who they are you could use Lauren's post with the setup you have now. But you would need to make the client IP addresses static, i.e. all those going via the Sonicwall need static IPs, or need to be in a different VLAN, which requires an extra interface. Either way there is some work to do.
And that also assumes a fairly static setup, i.e. an exec doesn't have a laptop that they could connect to the network at various different points. If they do, use static IP reservations and go with the existing setup you have with Lauren's post.
If I understood correctly, you want to add the 3725 router between your hosts and the 2 FWs without re-addressing the default gateway of the hosts, right?
In this case, you need the two addresses on your router interface as it's now the unique default gateway of all the hosts.
The router is not aware of the host IP configuration; the only thing it knows is that it will answer ARP requests for the 188.8.131.52 and 184.108.40.206 addresses.
That being said, the only solution I see is to make the routing decision based on the source @ using PBR:
! Sequence 10: sources permitted by ACL 101 are policy-routed to the first firewall
route-map GW-SELECTION permit 10
 match ip address 101
 set ip next-hop FW1
!
! Sequence 20: sources permitted by ACL 102 are policy-routed to the second firewall
route-map GW-SELECTION permit 20
 match ip address 102
 set ip next-hop FW2
!
! Apply the policy on the LAN-facing interface (the one carrying both gateway addresses);
! packets matching no sequence are forwarded with the normal routing table
interface Fast a/b
 ip policy route-map GW-SELECTION
ACL 101 matches the source @ of hosts whose default gateway is 220.127.116.11
ACL 102 matches the source @ of hosts whose default gateway is 18.104.22.168
Don't add to the ACLs the hosts whose traffic needs to go into the VPN, so the router will use its routing table for those (and use the static routes you configured).
This is not a scalable solution, as you will have to update the ACLs manually each time you have new hosts.
If you detail your needs a little bit, we may come up with another design.
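The PBR decision described in this answer, modelled in Python as an added example (not the poster's configuration and not Cisco code): sequences of GW-SELECTION are tried in order, the first permitting ACL sets the next hop, and a packet matching no sequence falls back to the routing table. It goes one step beyond the post by showing an extended-ACL deny entry for the remote-site destination, so that even a host listed in ACL 102 reaches the VPN subnet through the Checkpoint static route; all addresses, subnets and next-hop names are constructed placeholders.

```python
import ipaddress

# Constructed placeholders: next-hop labels and subnets are assumptions, not the poster's network.
FW1, FW2 = "checkpoint", "sonicwall"
REMOTE_SITE = ipaddress.ip_network("10.50.0.0/16")   # assumed subnet behind the Checkpoint VPN

# Extended ACL entries as (action, source network, destination network); each ACL ends in an implicit deny.
ACL = {
    101: [  # hosts whose default gateway is the "Checkpoint" address
        ("permit", "192.0.2.10/32", "0.0.0.0/0"),
        ("permit", "192.0.2.11/32", "0.0.0.0/0"),
    ],
    102: [  # hosts whose default gateway is the "Sonicwall" address
        ("deny", "192.0.2.0/24", "10.50.0.0/16"),    # VPN-bound traffic: fall through to the routing table
        ("permit", "192.0.2.20/32", "0.0.0.0/0"),
    ],
}

# route-map GW-SELECTION as (sequence, ACL number, next hop); first matching permit sequence wins.
ROUTE_MAP = [(10, 101, FW1), (20, 102, FW2)]

# Static routes as (prefix, next hop); the 0.0.0.0/0 entry is the gateway of last resort.
STATIC_ROUTES = [(REMOTE_SITE, FW1), (ipaddress.ip_network("0.0.0.0/0"), FW1)]


def acl_permits(acl_id, src, dst):
    """True if the first ACL entry matching (src, dst) is a permit; False on deny or no match."""
    for action, s_net, d_net in ACL[acl_id]:
        if src in ipaddress.ip_network(s_net) and dst in ipaddress.ip_network(d_net):
            return action == "permit"
    return False  # implicit deny at the end of every ACL


def routing_table_lookup(dst):
    """Longest-prefix match over the static routes: the router's normal forwarding decision."""
    matches = [(net, hop) for net, hop in STATIC_ROUTES if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def next_hop(src_ip, dst_ip):
    """Emulate 'ip policy route-map GW-SELECTION' for one packet on the LAN-facing interface."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _seq, acl_id, hop in ROUTE_MAP:
        if acl_permits(acl_id, src, dst):
            return hop                      # PBR overrides the routing table for this packet
    return routing_table_lookup(dst)        # no sequence matched: route normally
```

Without the deny entry in ACL 102, a Sonicwall-gateway host sending to 10.50.0.0/16 would be policy-routed to the Sonicwall, which has no tunnel; that is the case the answer avoids by keeping VPN users out of the ACLs.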