Question : Cisco 2811 - 2 ASA 5510's

Hello all...

I'm getting in slightly over my head here and need some help.  I've got a Cisco 2811 that has a 4-port HWIC installed.  Above that, I have 2 Cisco ASA 5510's, each with their own way out to the internet (2 ISP's).

What I'm wanting to do is create a policy-map on the inside of my network (on the 2811) that will route my 192.168.x.x network to ISP "A" and the rest of the network(s) to ISP "B".  You can see in my config that I've got some stuff in there, but I'm not sure this is going to work:

Current configuration : 4100 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c2800nm-advipservicesk9-mz.124-25c.bin
boot system flash c2800nm-advipservicesk9-mz.124-24.T3.bin
boot-end-marker
!
logging message-counter syslog
no logging buffered
!
no aaa new-model
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated

!
voice-card 0
!
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 172.16.0.66 255.255.255.192
 ip access-group sdm_fastethernet0/0_in in
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed 100
!
interface FastEthernet0/1
 no ip address
 ip access-group sdm_fastethernet0/1_in in
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
!
interface FastEthernet0/0/0
 switchport access vlan 88
 switchport mode trunk
 duplex full
 speed 100
!
interface FastEthernet0/0/1
 switchport access vlan 88
 switchport mode trunk
 duplex full
 speed 100
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
 no ip address
!
interface Vlan88
 ip address 172.16.1.1 255.255.255.0
!
ip forward-protocol nd
ip route 10.0.1.0 255.255.255.240 172.16.0.65
ip route 10.0.2.0 255.255.255.0 172.16.0.65
ip route 10.164.111.0 255.255.255.0 172.16.0.65
ip route 172.16.0.128 255.255.255.192 172.16.0.65
ip route 172.16.16.0 255.255.255.0 FastEthernet0/0/1
ip route 192.168.20.0 255.255.255.0 172.16.0.65
ip http server
ip http authentication local
ip http secure-server
!
ip policy-list route-map permit
!
!
ip nat inside source route-map pbr interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.69.0 0.0.0.255
access-list 2 permit any
!
!
!
!
route-map pbr permit 10
 match ip address 1
 set interface FastEthernet0/0
 set ip default next-hop 172.16.1.2
!
route-map pbr permit 20
 match ip address 2
 set interface FastEthernet0/0
 set ip default next-hop 172.16.1.3
!
route-map pbr permit 30
 set default interface Null0
!
!
!
control-plane
!
scheduler allocate 20000 1000
ntp update-calendar
end

Router#


Any help or advice here would be greatly appreciated.

Thank you!

-Chris

Answer : Cisco 2811 - 2 ASA 5510's

>route-map pbr permit 10
 match ip address 1
 set interface FastEthernet0/0  <-- you don't need this
 set ip default next-hop 172.16.1.2

route-map pbr permit 20
 match ip address 2
 set interface FastEthernet0/0  <-- you don't need this
 set ip default next-hop 172.16.1.3

>ip nat inside source route-map pbr interface FastEthernet0/0 overload
I would remove this and let the ASAs do the NAT.

Now just apply the route-map to the interface and not the nat process:
interface FastEthernet0/0
 description $ETH-LAN$
 no ip access-group sdm_fastethernet0/0_in in  <-- remove this
 ip policy route-map pbr

>ip route 172.16.16.0 255.255.255.0 FastEthernet0/0/1
Don't use an interface as a next hop. Remove this and use the actual next-hop IP address.

Add some static defaults:
ip route 0.0.0.0 0.0.0.0 <ip address of ASA1>
ip route 0.0.0.0 0.0.0.0 <ip address of ASA2> 100  
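
As an added example that is not part of the original thread, the Python model below walks the forwarding decision the answer relies on: a longest-prefix lookup over the question's static routes plus the two suggested defaults, followed by the route-map applied inbound on Fa0/0 with `set ip default next-hop` semantics, which only policy-routes traffic whose destination matches nothing more specific than the default route. It assumes the ASA inside addresses are the route-map next hops 172.16.1.2 (ASA1) and 172.16.1.3 (ASA2) and uses a placeholder 172.16.1.4 for the real next hop of 172.16.16.0/24; the `strict` flag shows how plain `set ip next-hop` would differ.

```python
import ipaddress

# Constructed model of the 2811's forwarding decision after the answer's changes.
# Static routes: (prefix, next hop, administrative distance). The two defaults are
# the ones the answer adds; ASA1/ASA2 inside addresses are assumed to be the
# route-map next hops 172.16.1.2 and 172.16.1.3.
STATIC_ROUTES = [
    ("10.0.1.0/28", "172.16.0.65", 1),
    ("10.0.2.0/24", "172.16.0.65", 1),
    ("10.164.111.0/24", "172.16.0.65", 1),
    ("172.16.0.128/26", "172.16.0.65", 1),
    ("172.16.16.0/24", "172.16.1.4", 1),  # assumed next-hop address replacing Fa0/0/1
    ("192.168.20.0/24", "172.16.0.65", 1),
    ("0.0.0.0/0", "172.16.1.2", 1),       # primary default via ASA1
    ("0.0.0.0/0", "172.16.1.3", 100),     # floating static via ASA2
]
# route-map pbr in sequence order: (source prefix the ACL permits, next hop).
ROUTE_MAP = [
    ("192.168.69.0/24", "172.16.1.2"),  # seq 10, access-list 1
    ("0.0.0.0/0", "172.16.1.3"),        # seq 20, access-list 2 "permit any"
]

def rib_lookup(dst):
    """Longest-prefix match; ties go to the lowest AD. Returns (network, next hop)."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, nh, ad in STATIC_ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or (net.prefixlen, -ad) > best[0]):
            best = ((net.prefixlen, -ad), net, nh)
    return None if best is None else (best[1], best[2])

def policy_next_hop(src):
    """Next hop from the first route-map sequence whose ACL matches src, else None."""
    src = ipaddress.ip_address(src)
    return next((nh for m, nh in ROUTE_MAP if src in ipaddress.ip_network(m)), None)

def forward(src, dst, strict=False):
    """Next hop for a packet entering Fa0/0 under 'ip policy route-map pbr'.
    strict=False models 'set ip default next-hop': the route-map decides only when
    the RIB holds nothing more specific than the default route for dst.
    strict=True models plain 'set ip next-hop': the route-map always wins."""
    rib = rib_lookup(dst)
    if not strict and rib is not None and rib[0].prefixlen > 0:
        return rib[1]  # an explicit route (e.g. 10.0.2.0/24) beats policy routing
    pbr = policy_next_hop(src)
    return pbr if pbr is not None else (None if rib is None else rib[1])
```

Traffic from 192.168.69.0/24 to the internet leaves via ASA1 and everything else via ASA2, while traffic to 10.0.2.0/24 still follows the static route regardless of source; with `strict=True` the same 10.0.2.x packet would be forced to the ASA instead.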


