I'm not sure that's going to help. How do you direct traffic from the portal servers out the sub-interface connecting to VRF for ISP3? ASA does not support PBR.
On Nov 18, 2010, at 3:22 PM, Lackraj, Andy wrote:

> Can you make the sub interfaces on the ASA and routers? Place one of the sub
> intfs (asa & router) in a vrf (vrf lite) along with the new circuit?
> This is based on the fact that only portal servers should use this new ISP
> circuit….
>
> Trying to help…..if this makes sense….
>
> From: [email protected]
> [mailto:[email protected]] On Behalf Of A 1
> Sent: Thursday, November 18, 2010 11:59 AM
> To: Tyson Scott
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_RS] DUAL homed
>
> Thanks Tyson,
>
> As outgoing traffic is routed via firewall ASA and ASA does not support
> policy based routing..
>
> On Tue, Nov 16, 2010 at 5:09 PM, Tyson Scott <[email protected]> wrote:
> connect the new ISP to the active HSRP device. Policy route the traffic at
> that point. Unless these are some seriously high speed bandwidth interfaces,
> which I am assuming not since you are coming to us for support, you should be
> fine having the two connections on one router.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE
> (R&S, Voice, Security & Service Provider) certification(s) with training
> locations throughout the United States, Europe, South Asia and Australia. Be
> sure to visit our online communities at www.ipexpert.com/communities and our
> public website at www.ipexpert.com
>
> From: [email protected]
> [mailto:[email protected]] On Behalf Of --Hammer--
> Sent: Tuesday, November 16, 2010 10:01 AM
> To: 'A 1'
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_RS] DUAL homed
>
> So we are only halfway there.
>
> This really depends on how radical you want to go. You could always fire up a
> second network. Trunk it, dual NICs, etc. NAT it back at the edge routers to
> a public address. I mean, there are several ways to do it but there is an
> ugliness factor to contend with. How ugly do you want to make it?
>
> --Hammer
>
> "I was a normal American nerd."
> -Jack Herer
>
> From: A 1 [mailto:[email protected]]
> Sent: Tuesday, November 16, 2010 8:56 AM
> To: --Hammer--
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_RS] DUAL homed
>
> I can apply the PBR for outgoing traffic the firewall ASA does not support
> source based routing.
>
> Regards
> M
>
> On Tue, Nov 16, 2010 at 9:47 AM, --Hammer-- <[email protected]> wrote:
> Ok, I try not to speak up on technical stuff because there are far smarter
> people on this thread than me but why can’t you do PBR on the routers for
> this? This new application is going to have a unique IP address right? So why
> can’t you write some route maps for the IP address of the application and PBR
> it to the right circuit? Am I missing something?
>
> --Hammer
>
> "I was a normal American nerd."
> -Jack Herer
>
> From: [email protected]
> [mailto:[email protected]] On Behalf Of A 1
> Sent: Monday, November 15, 2010 12:07 PM
> To: [email protected]
> Subject: Re: [OSL | CCIE_RS] DUAL homed
>
> On Mon, Nov 15, 2010 at 1:06 PM, A 1 <[email protected]> wrote:
> Hello,
>
> My apologies if I put this request in the wrong section.
>
> Can anyone help me out .. I have two ISP routers (from the same company)
> working as a primary and secondary (HSRP) and all our network outbound is
> using this HSRP address. There is an ASA firewall behind these routers. I
> have a requirement for a portal application having couple of servers that
> resides in firewall DMZ should pass through a new circuit (ISP) i.e. only
> portal servers should use this new ISP circuit. How can I do that.. one
> solution that I was thinking to
> - enable static NAT (with the ISP provided IP with local IP at DMZ for all
> servers)
> - source based routing
>
> but there is no policy base routing supported by ASA
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#pbr
>
> My preference is not to use BGP
> Regards
> M
>
> This message and any attachments are intended only for the use of the
> addressee and may contain information that is privileged and confidential. If
> the reader of the message is not the intended recipient or an authorized
> representative of the intended recipient, you are hereby notified that any
> dissemination of this communication is strictly prohibited. If you have
> received this communication in error, notify the sender immediately by return
> email and delete the message and any attachments from your system.
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
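
Added example, not part of the thread or written by any of its participants: an IOS sketch of the router-side PBR that Tyson Scott and Hammer describe, combined with the static NAT idea from the original post. It assumes the ASA statically NATs the DMZ portal servers to a block provided by the new ISP and that the new circuit terminates on the active HSRP router; all addresses (documentation ranges), interface names, and the ACL and route-map names are constructed.

```cisco
! Constructed values, not from the thread:
!   198.51.100.16/29  block from the new ISP, used on the ASA as the
!                     static NAT addresses of the DMZ portal servers
!   203.0.113.1       new ISP's next hop on the new circuit
!
! Match on the post-NAT source: the ASA has already translated the
! portal servers by the time the router sees the packet.
ip access-list extended PORTAL-SRC
 permit ip 198.51.100.16 0.0.0.7 any
!
route-map PORTAL-VIA-NEW-ISP permit 10
 match ip address PORTAL-SRC
 set ip next-hop 203.0.113.1
!
! Packets that match no route-map clause are forwarded by the normal
! routing table, so all other outbound traffic keeps its current path.
!
interface GigabitEthernet0/1
 description LAN toward the ASA outside interface (HSRP group lives here)
 ip policy route-map PORTAL-VIA-NEW-ISP
!
interface GigabitEthernet0/2
 description New ISP circuit
 ip address 203.0.113.2 255.255.255.252
```

The policy is applied inbound on the interface facing the ASA. If the new circuit goes down and the next hop becomes unreachable, the router falls back to destination-based routing, so portal traffic would leave through the original ISP with source addresses that ISP did not assign.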
