I'm hoping someone can help me with some configuration assistance. I'd like to see if the proposed scenario is possible. We have a customer who would like to phase out their SonicWall firewall with an ASA5512. They currently have 2 ISPs, a standard T1 for their servers and FiOS which is used for some server NATs and internet access for client workstations. I've seen this question asked many times, but the config I'm going to propose is slightly different. Before getting into the details I'd like to point out I began configuring this and ran into a ton of strange occurrences with PBR on the 3560: ACLs which weren't being matched, some VLANs matching the policies and others not. I'm used to PBR being flaky and applied/unapplied/reapplied many times to no avail.
The ASA would be 10.0.0.254 and is the default route on the 3560.
Int Gig0/0 nameif T1 18.104.22.168 directly connected neighbor 22.214.171.124
Int Gig0/0 nameif FiOS 126.96.36.199 directly connected neighbor 188.8.131.52
There are NATs setup for servers on both interfaces. The default route on the ASA is 184.108.40.206.
Since the default route would lead out the T1, I need PBR to send specific devices through the FiOS connection. Could I configure something like this on the 3560 and have the routing table consulted to locate the PBR next-hop?
! static /32 so the PBR next-hop is reachable via the ASA
ip route 220.127.116.11 255.255.255.255 10.0.0.254
! servers 10.0.0.51 and 10.0.0.52 are excluded from the policy (keep the default route)
access-list 101 deny ip host 10.0.0.51 any
access-list 101 deny ip host 10.0.0.52 any
! local VLAN-to-VLAN traffic is excluded as well
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
! everything else is policy-routed
access-list 101 permit ip any any
route-map PBR permit 10
 match ip address 101
 set ip next-hop 18.104.22.168
So essentially, I'd deny servers 10.0.0.51 and 10.0.0.52 so they continue to follow the path out the T1. Local traffic would be denied just in case, and then permit any so all other internal traffic destined for the internet would change gateways. Please note the main purpose of this question is the fact that I'm using the directly connected neighbor on the ASA. So the path in my head would look like:
ingress interface VLAN 1
ip policy route-map PBR
matches policy, changes next hop to 22.214.171.124
3560 does not have a connected neighbor, static route points to 10.0.0.254
packet sent to ASA destined for 126.96.36.199, the ASA has a directly connected interface and forwards the traffic out the appropriate interface
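As an added example (not the poster's config, and not a statement of what a 3560 actually does), here is a small Python model of the ACL and route-map logic above: it shows which VLAN 1 flows would be policy-routed and how the table would resolve the set next-hop through the /32 static route. It assumes VLAN 1 is 10.0.0.0/24 and that the /32 static route covers the address used in set ip next-hop; whether the 3560 really performs that recursive lookup is the open question and is not settled by this script.

```python
import ipaddress

# Constructed from the post's config: ACL 101 entries in order, as
# (action, source, destination); "host X" becomes X/32, "any" 0.0.0.0/0.
ACL_101 = [
    ("deny", "10.0.0.51/32", "0.0.0.0/0"),
    ("deny", "10.0.0.52/32", "0.0.0.0/0"),
    ("deny", "10.0.0.0/24", "10.0.0.0/24"),
    ("permit", "0.0.0.0/0", "0.0.0.0/0"),
]
PBR_NEXT_HOP = "18.104.22.168"   # set ip next-hop in route-map PBR
CONNECTED = ["10.0.0.0/24"]      # VLAN 1 subnet on the 3560 (assumed)
# Static routes, longest prefix wins. The /32 toward the ASA is assumed
# to cover the PBR next hop, as the post intends.
STATIC_ROUTES = {"0.0.0.0/0": "10.0.0.254", PBR_NEXT_HOP + "/32": "10.0.0.254"}


def acl_action(src, dst):
    """First matching ACE wins; an extended ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in ACL_101:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def lookup(dst):
    """Routing-table lookup: connected subnet first, then longest static prefix."""
    d = ipaddress.ip_address(dst)
    if any(d in ipaddress.ip_network(n) for n in CONNECTED):
        return dst                      # directly connected: ARP for dst itself
    matches = [ipaddress.ip_network(p) for p in STATIC_ROUTES
               if d in ipaddress.ip_network(p)]
    if not matches:
        return None
    return STATIC_ROUTES[str(max(matches, key=lambda n: n.prefixlen))]


def forward(src, dst):
    """Return (policy_routed, next_hop, adjacent_hop) for a packet from VLAN 1.

    A permit from ACL 101 makes the route-map set PBR_NEXT_HOP; the adjacent
    hop is then a recursive lookup of that address, which is the path the
    post sketches. A deny leaves the packet on the normal routing table.
    """
    if acl_action(src, dst) == "permit":
        return True, PBR_NEXT_HOP, lookup(PBR_NEXT_HOP)
    hop = lookup(dst)
    return False, hop, hop
```

Running forward("10.0.0.20", "8.8.8.8") shows a workstation being policy-routed to the FiOS next-hop, which itself resolves to the ASA at 10.0.0.254, while the two servers and any local 10.0.0.0/24 traffic stay on the normal table.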