01-16-2012 04:43 AM - edited 03-07-2019 04:22 AM
hi,
I have one Cisco 3750, which I am using as the core switch; 6 more access switches are connected to it directly, and we are using VLANs in our network with the IP range 172.16.0.0. Now we have a new Internet connection which is dedicated to the Exchange Server only.
So we have TWO Internet connections: one for Internet access for all users and another one for the Exchange Server only.
The Internet connection for the users is terminated at a Cisco 1700 Series Router, and the Internet connection for the Exchange Server is terminated at a Cisco ASA Firewall.
Now the problem is how can I write an access list which says that all packets from the Exchange server should be routed to the ASA Firewall, and all other packets should be routed to the Cisco Router.
The IP addresses of the Exchange server are 172.16.2.1 and 172.16.2.2.
Please help me to define an access list which I can use for policy based routing.
thanks,
Anvar
01-16-2012 05:10 AM
Perhaps the easiest way is to change the default gateway on the Exchange box.
Together with a few static routes for the internal network, this could work quite nicely.
It will depend on your topology of course but please note that you need advipservices image to do PBR on the 3750 when you are running 12.2 IOS.
regards,
Leo
01-16-2012 05:19 AM
But I second Leo's suggestion.
Point to the ASA as the Exchange Server's default gateway and add static routes on the firewall. It will make the auditors smile as well.
01-16-2012 07:16 AM
Hi Daniel,
I am aware this may not be the best solution from a security perspective.
Point is that OP may not be able to use PBR because of software restrictions.
I may be wrong about this, in which case he already got plenty of help regarding ACL configuration.
The sneaky thing with the 3750 ipbase image is that it lets you configure PBR as you would expect it to, but then subsequently it doesn't work. Thought it better to make him aware of this in advance.
regards,
Leo
01-16-2012 09:46 PM
Sir,
please find below my current image:
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)
01-16-2012 05:33 AM
Thanks Leo,
presently this PBR is used only for the Exchange servers, but in future it will be for the whole servers' subnet, I mean 172.16.2.0/24.
Anvar
01-16-2012 05:12 AM
Create an extended ACL permitting the IP address of the Exchange server, then apply it to a route-map.
ip access-list extended PBR_TEST
permit ip host 10.64.68.35 any <----- what ever IP your exchange server is.
route-map TEST permit 10
match ip address PBR_TEST
set interface Serial0/0 <---- the interface you want it to go out of.
HTH
01-16-2012 05:18 AM
You could use route-maps.
I think it should look a bit like this:
The 1st step is to create an access list which has your Exchange server as source:
ip access-list 1 permit
Step 2 is to create a policy which routes the traffic to your ASA:
route-map exchange-internet permit 10
match ip address 1
set ip next-hop
route-map exchange-internet permit 20
The final step is to apply the route-map to the correct interface. This should be the L3 interface to which your Exchange server is connected:
ip policy route-map exchange-internet
01-16-2012 05:39 AM
hi all,
if I implement this policy map at my VLAN-2 interface, then I will lose my connection with all other devices in my local network. I mean, if I use the access list
access-list 110 permit ip host 172.16.2.1 any and apply this to my policy and let's say the next hop is my ASA, then the Core Switch will not look into the routing table; rather it will forward all the packets from 172.16.2.1 to my policy next hop, which is the ASA.
It needs an access list like any destination (except 172.16.0.0).
thanks,
Anvar
01-16-2012 05:45 AM
I have local users within the network as 172.16.3.0 (LAN users), 172.16.5.0 (WLAN users) and so on.
Anvar
01-16-2012 06:18 AM
You can narrow down the ACL.
access-list 110 permit TCP host 172.16.2.1 host
01-16-2012 06:23 AM
hi Daniel,
my ultimate target is to route all packets from my Exchange Server to the ASA, not only SMTP traffic.
thanks,
Anvar
01-16-2012 07:14 AM
Hi Anvar,
Can this suffice your requirement?
access-list 110 permit tcp host 172.16.2.1 any
This matches the traffic with source 172.16.2.1. In fact, you can use a standard access list since you are looking only at the source IP.
Then apply this access list to the route-map statement, defining the next hop as the ASA.
-Vijay
01-16-2012 09:44 PM
Hi Vijay,
theoretically all you guys are correct, but if I apply any of the above access lists within a route map and apply this route map at my VLAN-2 interface (Server VLAN), my Exchange server will not be able to communicate with any other devices in my local network or LAN. This is because once the match criteria are applied at an interface, any packets matching the access list will be forwarded directly to the next hop IP address (without looking at the routing table). I will not even be able to ping from my Exchange Server to its default gateway (which is the VLAN-2 IP address, 172.16.2.254).
I am using the image below:
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)
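An added example (not from any post in this thread) of the ACL shape Anvar describes in his last two posts: deny the local 172.16.0.0/16 destinations first, so packets from the Exchange hosts to the LAN, WLAN and the VLAN-2 gateway fall through to the normal routing table, and only Internet-bound packets are policy-routed to the ASA. The ASA inside address 172.16.2.253 is an assumed placeholder, and the ACL, route-map and interface names are my own choices.

```cisco
! Added example, not from the thread. Assumed placeholder: ASA inside address 172.16.2.253.
ip access-list extended EXCHANGE_TO_ASA
 remark internal destinations are denied here, so they are NOT policy-routed
 deny   ip host 172.16.2.1 172.16.0.0 0.0.255.255
 deny   ip host 172.16.2.2 172.16.0.0 0.0.255.255
 remark everything else from the Exchange hosts (Internet-bound) goes to the ASA
 permit ip host 172.16.2.1 any
 permit ip host 172.16.2.2 any
!
route-map EXCHANGE_INTERNET permit 10
 match ip address EXCHANGE_TO_ASA
 set ip next-hop 172.16.2.253
!
! The Exchange hosts sit on VLAN 2, so the policy is applied to that SVI
interface Vlan2
 ip policy route-map EXCHANGE_INTERNET
!
! Verification: the match counters should climb only for Internet-bound traffic
! show route-map EXCHANGE_INTERNET
```

The route-map has a single permit clause; a packet that hits a deny line in the ACL does not match the clause and is forwarded by the ordinary routing table, which is why the deny lines must come before the permit lines. To extend this to the whole server subnet later, replace the four host lines with `deny ip 172.16.2.0 0.0.0.255 172.16.0.0 0.0.255.255` followed by `permit ip 172.16.2.0 0.0.0.255 any`. On the 3750, the IP services image Anvar is running supports PBR, but the switch also needs `ip routing` enabled and the routing SDM template (`sdm prefer routing`, which takes effect only after a reload) before `ip policy route-map` does anything; `show route-map EXCHANGE_INTERNET` then shows the match counters so you can confirm that local traffic is still being routed normally.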