Problem in LAN routing.

puneitsupport · ‎03-07-2012

Hello,

I have a kind of small but complex network.

Recently I realized their is routing problem which not diverting HTTP traffic to the right leased line.

Problem : HTTP/HTTPS traffic not going through leased line which is only for HTTP/HTTPS traffic

Goal : Need to configure Cisco L3 switch which seems to have malfunctioned to resume HTTP traffic

Scenario :-

-2 ASA 5510 plain firewalls [ with no extra security modules. ]

-1 Cisco 3560 L3 switch & 1 3COM L3 switch.

- 2 Leased lines

- 1 leased line is for HTTP, 2nd 1 is for site to vpn

- Cisco 1841 router

Floor 1

ISP [ for VPN ]>> Cisco 1841 router >>> 8 port switch >> Cisco 5510 ASA

>>> L3 switch >> LAN distribution

LAN subnets = 10.100.10.x , 193.168.1.x

Gateways configured on above ASA = 10.100.10.1 & 193.168.1.100

As of now can not reach 193.168.1.100 gateway from 10.x subnet but can reach from 193.168.1.x subnet

Above gateways configured on ethernet interfaces of ASA.

VPN's are configured in this ASA

L3 switch has 193.168.2.1 IP and 10.100.10.70

Floor 2

ISP Mux [ for HTTP ]>> Cisco ASA 5510 >> Cisco 3560 L3 switch >>> LAN distribution

Squid proxy with IP 193.168.1.8

routing is configured in proxy and gateway fixed is 193.168.1.100

No policies in this ASA. Just simple allow any any policy.

No routing/IP records found in Cisco l3 switch.

As of now if I go to whatismyip it shows IP of my ISP at Floor 1.

It means my proxy isnt forwarding http traffic to link on Floor 2.

What settings shall I make in cisco L3 switch to ensure that HTTP traffic will pass by HTTP link?

Some additional info >> on 1st floor ASA I have added internal proxy IP in allowed server list. Rest PC's has deny http access.

Squid proxy has only 1 lan card. As of now PC's in both LAN's reachable except gateways of 193.x subnet.

I tried rebooting ASA's,router,L3 switches. No use.

Regards,

Amey.

Mandlenkosi Nkiwane · ‎03-13-2012

Does the Squid proxy do WCCP? Looking at it you might have to do a wccp web-cache to divert all http traffic to the proxy and out the desired interface.

HTH

Mandlenkosi Nkiwane · ‎03-13-2012

Try this link, it might help you;

http://www.crypt.gen.nz/papers/cisco_squid_wccp.html

**********---------------------******************

Please rate all helpful posts.

puneitsupport · ‎03-13-2012

Hello,

It's a plain squid proxy with URL filtering enabled on it.

Main issue coming in to picture is also that workstations in 10.100.10.x range not able to reach 193.168.1.100 & 193.168.1.240 gateways.

How ever I see these IP's configured in ASA's for routing (?)

Mandlenkosi Nkiwane · ‎03-13-2012

Is this how you are setup:

puneitsupport · ‎03-14-2012

Here is the diagram >>

Sorry I am not so good in drawing.

Regards,

Amey.

Mandlenkosi Nkiwane · ‎03-15-2012

I am thinking that you need a redesign of your network. I am not sure why you have it this way, however it would be beneficial for you to have a layered network.

By the way are you running any routing protocol in your network?

puneitsupport · ‎02-22-2013

Sorry for very late reply.

I am not running any routing protocol.

Problem is I can not use 2 internet links at same time on single ASA. That's why I am using above design.

jawad-mukhtar · ‎02-22-2013

Hi For that you have to use PBR on L3 Switch or on ASA for spliting your traffice.

Jawad