01-05-2010 10:04 PM - edited 03-04-2019 07:07 AM
Hi All,
I have a branch with an ADSL connection and an HO with an Internet leased line connection.
DMVPN is configured among the branches to the HO.
What the customer wants is that there is a site with some public IP address which has to go through the HO's ISA server,
meaning the site request should come through the ADSL of the branch to the Internet leased line router and then come internal to the network,
talk to the ISA, and in turn the ISA should route it to the other ADSL which it is connected to.
How can I route a public IP address request to some other router without involving the ISP in between?
Is this scenario possible?
01-06-2010 02:23 AM
Please correct me if I did not understand your network:
LAN---router--DMVPN----DSL---Internet ----HQ---ISA----Internet
You want Internet traffic from the LAN to go to the ISA for whatever filtering, then the ISA will send the traffic to the Internet in the HQ site?
Try the following.
First your router needs to use the Internet for DMVPN NHRP registration (assuming the HQ router is the DMVPN hub).
On the LAN interface create a policy-based routing that points all the traffic to the HQ DMVPN tunnel interface.
Let's say the LAN is 10.1.1.0/24
and the tunnel interface of the HQ is 100.1.1.1:
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
route-map PBR1 permit 10
 match ip address 100
 set ip next-hop 100.1.1.1
interface FastEthernetx/x   ! the LAN interface
 ip policy route-map PBR1
Now all the traffic from the LAN coming to the inside interface of the router will be sent to the HQ tunnel interface.
The problem here is that the HQ Internet router has a default route to the Internet (loop).
I think it's better to solve this issue with another PBR, the same as the above but with the following differences:
the ACL is the same;
the next hop in the route-map is changed to the ISA server IP;
apply it to the HQ DMVPN tunnel interface.
By the way, in the above ACL, if you require access to the routers for management such as telnet, you need to exclude this traffic from PBR by adding a deny:
access-list 100 deny tcp 10.1.1.0 0.0.0.255 host x.x.x.x eq telnet   ! where x.x.x.x is the inside router interface
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
Note:
you need to consider your NATing traffic configurations as well.
Good luck.
If helpful, rate.
01-06-2010 03:09 AM
Hi,
thanks for the wonderful logic.
I understood the first PBR, but in my case I am attaching a diagram for your better understanding.
After the HO Internet router, internally a Cisco ASA is connected, and then the core switch to which
the ISA's internal interface is connected, and then the external interface is the ADSL.
So I guess the 2nd PBR should be pointed to the ASA's outside interface or directly to the ISA's internal interface???
Regards,
01-06-2010 09:59 PM
No, the second PBR needs to use the ISA as the next hop.
Then the router must have a route to reach the ISA through the ASA; then the ASA will send it to the ISA.
Then the ISA, I will assume it is configured in route mode to route between the LAN and Internet interfaces.
Please note that NATing needs to be considered from the LAN subnet as source, because the source will be kept as the LAN subnet.
Also for returning traffic, make sure that the ISA and ASA have a route to the LAN end to the 2800 router, and this router will send it back to the other end (DMVPN spoke).
Actually I haven't configured a network in this way, but I am trying to apply the logic with technical configuration.
Let me know if it works or not.
Good luck.
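Putting the two answers above together as one complete configuration, as an added example that is not from the thread's posters and not a tested design. The LAN 10.1.1.0/24 and the hub tunnel address 100.1.1.1 come from the thread; every other address (spoke tunnel 100.1.1.2, LAN gateway 10.1.1.1, ASA outside 192.168.0.2, ISA internal 192.168.1.10) and the interface names are assumptions made for the example. It also adds two things the posts only hint at: management traffic and internal (other branch) destinations are kept out of the policy route so they keep following the normal routing table, and the hub gets an explicit return route for the branch LAN.

```cisco
! ===== Branch (DMVPN spoke) router =====
! Assumed: LAN 10.1.1.0/24 on FastEthernet0/0 (gateway 10.1.1.1),
!          Tunnel0 is the mGRE DMVPN tunnel, spoke tunnel address 100.1.1.2,
!          hub tunnel address 100.1.1.1 (from the thread).
!
! deny = not policy-routed, falls back to the normal routing table.
! Keep router management (telnet/SSH to the inside interface) and
! traffic to other internal 10/8 sites out of the policy route.
access-list 100 deny   tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq telnet
access-list 100 deny   tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq 22
access-list 100 deny   ip  10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
! Everything else from the LAN (i.e. Internet-bound) goes to the hub.
access-list 100 permit ip  10.1.1.0 0.0.0.255 any
!
route-map PBR1 permit 10
 match ip address 100
 set ip next-hop 100.1.1.1
!
interface FastEthernet0/0
 description LAN
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map PBR1
!
! ===== HQ (DMVPN hub) Internet router =====
! Without this second policy the hub follows its default route and sends
! the branch traffic straight to the Internet, bypassing the ISA.
! Assumed: ASA outside interface 192.168.0.2 on the hub's inside link,
!          ISA internal interface 192.168.1.10 behind the ASA/core switch.
access-list 101 deny   ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
!
route-map PBR-TO-ISA permit 10
 match ip address 101
 set ip next-hop 192.168.1.10
!
interface Tunnel0
 description DMVPN hub mGRE
 ip policy route-map PBR-TO-ISA
!
! The ISA is not adjacent to this router, so it needs a route to the ISA
! subnet via the ASA (on platforms that require an adjacent PBR next hop,
! use "set ip next-hop recursive 192.168.1.10" in the route-map instead).
ip route 192.168.1.0 255.255.255.0 192.168.0.2
!
! Return path: replies from the ISA reach this router via the ASA and must
! be routed back into the tunnel towards the spoke (assumed 100.1.1.2).
ip route 10.1.1.0 255.255.255.0 100.1.1.2
```

Two checks before relying on this: `show route-map PBR1` on each router should show the policy match counters increasing for LAN traffic, and a traceroute from a LAN host to a public address should show the hub tunnel address, then the ASA, then the ISA, rather than the branch ADSL gateway. The ASA and the ISA still need their own routes for 10.1.1.0/24 pointing back at the hub router, and the ISA (or the ASA) must NAT the 10.1.1.0/24 source before it leaves for the Internet, as the last answer notes.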