
How i can route the traffic based on destination address ?

Dears,

As you can see in the image, I have two different setups.

The ISP A setup is completely dedicated to Production, and the ISP B setup is dedicated to internet access for the whole staff.

Below is the network information:

Firewall:

GigE0/0 - PUBLIC IP (PAT)

GigE0/1 - 192.168.0.1/24  no dhcp


ISP B Router:

ATM 0 - PUBLIC IP (PAT)

FaE0/0 - 192.168.0.2/24

FaE0/1 - 192.168.92.1/24 dhcp


Servers - 192.168.0.xxx/24

Clients - 192.168.92.xxx/24

All the clients have internet access through ISP B.

If a client wants to connect to any of the servers, what kind of configuration is required on the ISP B router? I thought of route-maps or doing static routing between the Firewall & ISP B Router, but I am not sure which is the best practice to do so.

Kindly suggest with some suitable solutions.

Regards

@Mohammed


Hi Mohammed,

I'm not a firewall guy, but I'm still trying to use my logic here.

Based on the assumption that the clients have their default gateway configured as the ISP B router, the servers have their default gateway configured as the firewall, and the connection between ISP B Fa0/0 and the server switch is working, you can add a single static entry on the firewall as below. Please be aware that the syntax will be different based on what firewall you are using. There is no other configuration required on the ISP B router. The logic here is that when a server tries to reach the clients, the traffic will be sent to the default gateway, and the default gateway should know where to send the traffic.

ip route 192.168.92.0 255.255.255.0 192.168.0.2

Hope that helps.

Regards

Najaf


Hi Najaf,

Thanks for your answer. Yes, I know that by just adding a static route in my firewall the clients can reach the servers, but I want more specific access. As an example, I want only some clients to reach the server network, not all, and the traffic should be one way only, with access only to specific protocols/ports like 21, 88, 443, 3306, 3389, etc.

Regards

@Mohammed


Hi,

I'm sure that you are well aware that this can be easily achieved by putting an ACL on the ISP B router. With an extended ACL you can control which client IP addresses have access to the server on specific port numbers.

Hope that helps.

Regards

Najaf


Hi Shareef,


On the ISP-B router, you can have PBR created for diverting access to the servers from the clients. On the server side you can have a static route to reach the clients.

Hope this helps


Regards

Karthik


Hi Karthik,

Thanks for your answer. May I know how PBR works (a basic example config would be more helpful) and what the benefits of it are?

Regards

@Mohammed


Hi Shareef,

Below is an example of PBR.

ip access-list extended Redirect_PBR
 permit tcp host 192.168.92.10 host 192.168.0.10 eq 443
 permit tcp host 192.168.92.10 host 192.168.0.10 eq 21
 .
 .
 .
 etc
!
route-map Client_Server permit 10
 match ip address Redirect_PBR
 set ip next-hop 192.168.0.1
!
! 192.168.0.1 is the next hop on the server LAN
interface FastEthernet0/1
 ip policy route-map Client_Server
!

You can have the required filter rules created as an ACL; you can restrict however you want. Map that ACL to the route map and set a next hop to the needed routing point. Then finally map that ACL to the interface of the router. In this case, all traffic mentioned in the route map and access-list will follow the PBR rule. All other traffic will route as usual with the default route.


Hope this helps

Regards

Karthik
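As an added example (not posted by anyone in this thread), here is the plain extended-ACL approach Najaf suggested, written out for the ISP B router so that it meets the stated requirements: selected clients only, the listed TCP ports only, and one-way access. Interface names and the address plan are taken from the question; the two client hosts and their port lists are assumed placeholders.

```cisco
! Extended ACL on the ISP B router, inbound on the client-facing interface.
! Only the listed client hosts may open TCP sessions to the server LAN,
! and only on the ports discussed in the thread; all other client-to-server
! traffic is dropped, while internet-bound traffic keeps flowing.
ip access-list extended CLIENTS_TO_SERVERS
 remark Allowed clients (192.168.92.10 and .11 are assumed example hosts)
 permit tcp host 192.168.92.10 192.168.0.0 0.0.0.255 eq 21
 permit tcp host 192.168.92.10 192.168.0.0 0.0.0.255 eq 88
 permit tcp host 192.168.92.10 192.168.0.0 0.0.0.255 eq 443
 permit tcp host 192.168.92.10 192.168.0.0 0.0.0.255 eq 3306
 permit tcp host 192.168.92.10 192.168.0.0 0.0.0.255 eq 3389
 permit tcp host 192.168.92.11 192.168.0.0 0.0.0.255 eq 443
 remark Every other client is denied access to the server LAN
 deny   ip any 192.168.0.0 0.0.0.255
 remark Client internet access through ISP B is unaffected
 permit ip any any
!
! Keep the access one-way: on the server-facing interface accept only the
! return half of client-initiated TCP sessions (ACK or RST set) and deny
! any session the servers try to open toward the client LAN.
ip access-list extended SERVERS_TO_CLIENTS
 permit tcp 192.168.0.0 0.0.0.255 192.168.92.0 0.0.0.255 established
 deny   ip 192.168.0.0 0.0.0.255 192.168.92.0 0.0.0.255
 permit ip any any
!
interface FastEthernet0/1
 description Client LAN 192.168.92.0/24
 ip access-group CLIENTS_TO_SERVERS in
!
interface FastEthernet0/0
 description Server LAN 192.168.0.0/24 (firewall at 192.168.0.1)
 ip access-group SERVERS_TO_CLIENTS in
!
! Checks after applying:
!   show ip access-lists CLIENTS_TO_SERVERS   (per-entry hit counters)
!   show ip interface FastEthernet0/1         (confirms the inbound ACL)
```

The established keyword matches only on TCP flags, so this is a flag-based filter rather than a stateful one; the firewall in front of the servers remains the stateful control point. Port 21 covers only the FTP control channel, so passive FTP data connections need additional permit entries or an inspection feature.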


Hi Karthik,

Thanks for the example. It looks simple, but I am worried about the ACLs; I have multiple ACLs configured in the ISP B Router, and I am also very much afraid of other clients having access to the servers, so I will do this now in Packet Tracer and get back to you with the results shortly.

Regards

@Mohammed


Hi Shareef,

Yeah, that would be a fair idea to test it in Packet Tracer and then move on to the production environment. But it works; I have implemented it like this for a couple of customers. Make sure that you filter as much as possible to get the exact benefit out of the result.

21, 88, 443, 3306, 3389: you can put these ports alone in the ACL and try it out.

All the best.

Hope this helps

Regards

Karthik


Hi Karthik,

PBR is not supported in Packet Tracer :( .

I think I have to test it on GNS now, or else I have an extra piece of hardware; let me see and get back to you.

Regards

@Mohammed


Hi Shareef,

Did you manage to get this tested?

Regards

Karthik
