Routing a site's traffic from ADSL to the Internet leased line router

Unanswered Question
Jan 5th, 2010

Hi All,

I have a branch with an ADSL connection and an HO with an Internet leased line connection.

DMVPN is configured between the branches and the HO.

What the customer wants is this: there is a site with a public IP address which has to go through the HO's ISA server,

meaning the site request should come through the ADSL of the branch to the Internet leased line router and then come internal to the network,

talk to the ISA, and in turn the ISA should route it to the other ADSL to which it is connected.

How can I route a public IP address request to some other router without involving the ISP in between?

Is this scenario possible?

Marwan ALshawi Wed, 01/06/2010 - 02:23

Please correct me if I did not understand your network.

LAN---router--DMVPN----DSL---Internet ----HQ---ISA----Internet

You want Internet traffic from the LAN to go to the ISA for whatever filtering, then the ISA will send the traffic to the Internet at the HQ site?

Try the following.

First, your router needs to use the Internet for DMVPN NHRP registration (assuming the HQ router is the DMVPN hub).

On the LAN interface create a policy-based routing that points all the traffic to the HQ DMVPN tunnel interface.

Let's say the LAN is

and the tunnel interface of the HQ is

access-list 100 permit ip any any

route-map PBR1 permit 10

 match ip address 100

 set ip next-hop

interface FastEthernet x/x   ! LAN interface

 ip policy route-map PBR1

Now all the traffic from the LAN coming to the inside interface of the router will be sent to the HQ tunnel interface.

The problem here is that the HQ Internet router has a default route to the Internet (loop).

I think it's better to solve this issue with another PBR, the same as the above but with the following differences:

the ACL is the same;

the next hop in the route-map is changed to the ISA server IP;

apply it to the HQ DMVPN tunnel interface.

By the way, in the above ACL, if you require access to the routers for management such as telnet, you need to exclude this traffic from PBR by adding a deny:

access-list 100 deny tcp any host x.x.x.x eq telnet    ! where x.x.x.x is the inside router interface

access-list 100 permit ip any any


You need to consider your NAT traffic configurations as well.

good luck

if helpful Rate

jvalin__s Wed, 01/06/2010 - 03:09


Thanks for the wonderful logic.

I understood the first PBR, but in my case I am attaching a diagram for your better understanding.

After the HO Internet router, internally a Cisco ASA is connected, and then a core switch to which

the ISA's internal interface is connected, and then the external interface is the ADSL.

So I guess the 2nd PBR should be pointed to the ASA's outside interface or directly to the ISA's internal interface?


Marwan ALshawi Wed, 01/06/2010 - 21:59

No, the second PBR needs to use the ISA as the next hop.

Then the router must have a route to reach the ISA through the ASA; the ASA will then send it to the ISA.

Then the ISA, I will assume, is configured in routed mode to route between the LAN and Internet interfaces.

Please note that NATing needs to be considered for the LAN subnet as source, because the source will be kept as the LAN subnet.

Also, for returning traffic, make sure that the ISA and ASA have a route to the LAN end via the 2800 router, and this router will send it back to the other end (DMVPN spoke).

Actually, I haven't configured a network in this way, but I am trying to apply the logic with technical configuration.

Let me know if it works or not.

good luck
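The two-stage PBR design described in the two answers above (spoke PBR toward the hub tunnel, hub PBR toward the ISA path, plus the return route) written out as one worked IOS configuration. This is an added example, not configuration posted by either participant. Every address, interface name and prefix in it is an assumption: spoke LAN 192.168.10.0/24 on FastEthernet0/0, DMVPN Tunnel0 with hub 10.0.0.1 and spoke 10.0.0.2, the hub router's inside link 192.168.100.1 facing the ASA outside interface 192.168.100.2, and 192.168.0.0/16 as the whole corporate address space.

```cisco
! Added example, not from the original thread. All addresses, interface names
! and device roles are assumptions (see the lead-in).
!
! ---- Branch spoke (the 2800) ----
! Only Internet-bound LAN traffic is policy-routed. Management traffic to the
! router's own inside address, traffic to other corporate prefixes, and traffic
! to the tunnel subnet are denied in the ACL so they keep normal routing.
ip access-list extended LAN-TO-HQ-INET
 deny   tcp any host 192.168.10.1 eq telnet
 deny   tcp any host 192.168.10.1 eq 22
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 10.0.0.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
!
route-map PBR1 permit 10
 match ip address LAN-TO-HQ-INET
 set ip next-hop 10.0.0.1
!
interface FastEthernet0/0
 description Branch LAN
 ip address 192.168.10.1 255.255.255.0
 ip policy route-map PBR1
!
! ---- HQ hub (Internet leased-line router) ----
! Spoke traffic arriving over Tunnel0 is pushed to the ASA outside interface
! instead of following the router's default route, which is what would
! otherwise loop it straight back out to the Internet.
ip access-list extended SPOKE-TO-ISA
 deny   tcp any host 10.0.0.1 eq telnet
 deny   tcp any host 10.0.0.1 eq 22
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
!
route-map PBR2 permit 10
 match ip address SPOKE-TO-ISA
 set ip next-hop 192.168.100.2
!
interface Tunnel0
 ip policy route-map PBR2
!
interface GigabitEthernet0/1
 description Link to ASA outside
 ip address 192.168.100.1 255.255.255.0
!
! Return path: the hub needs a route for the spoke LAN via the spoke's tunnel
! address (static here; a routing protocol over DMVPN does the same job), and
! the ASA and ISA need a route for 192.168.10.0/24 pointing at 192.168.100.1.
ip route 192.168.10.0 255.255.255.0 10.0.0.2
```

Two design notes on the choices made here. First, `ip policy route-map` acts only on transit packets entering the interface it is applied to, so the spoke's own DMVPN/NHRP traffic, which the router originates itself, is not affected by PBR1; the explicit denies are for management and intra-company traffic from hosts on the LAN. Second, `set ip next-hop` expects an adjacent next hop, which is why the hub's route-map points at the ASA outside address rather than the ISA address that sits behind it; whichever device receives the spoke traffic next (here the ASA) must itself forward Internet destinations toward the ISA instead of its own default route, and the ISA's NAT must cover the spoke subnet as source, both of which the answers above flag but this fragment does not configure.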

