The server traffic will hit the ASA and the ASA will push the traffic outbound 
over the sub-intf to the router sub-intf which is in the VRF. In this case the 
router will act like a PE with the ASA & ISP as CE....

Maybe a drawing of the topology will help.....




________________________________
From: Rogelio Gamino [mailto:[email protected]]
Sent: Thursday, November 18, 2010 3:36 PM
To: Lackraj, Andy
Cc: A 1; Tyson Scott; [email protected]
Subject: Re: [OSL | CCIE_RS] DUAL homed

I'm not sure that's going to help. How do you direct traffic from the portal 
servers out the sub-interface connecting to VRF for ISP3? ASA does not support 
PBR.




On Nov 18, 2010, at 3:22 PM, Lackraj, Andy wrote:


Can you make the sub interfaces on the ASA and routers? Place one of the sub 
intfs (asa & router) in a vrf (vrf lite) along with the new circuit?
This is based on the fact that only portal servers should use this new ISP 
circuit....

Trying to help.....if this makes sense....


________________________________
From: [email protected] On Behalf Of A 1
Sent: Thursday, November 18, 2010 11:59 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_RS] DUAL homed

Thanks Tyson,

As outgoing traffic is routed via firewall ASA and ASA does not support 
policy-based routing..

On Tue, Nov 16, 2010 at 5:09 PM, Tyson Scott <[email protected]> wrote:
Connect the new ISP to the active HSRP device. Policy route the traffic at 
that point. Unless these are some seriously high speed bandwidth interfaces, 
which I am assuming not since you are coming to us for support, you should be 
fine having the two connections on one router.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
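
Added example, not part of the original messages: one way the policy routing suggested above could look on the active HSRP router in Cisco IOS, combined with the static NAT idea from the original question so that the router can match on the translated source address. All interface names and addresses are constructed (RFC 5737 documentation ranges), and the topology details are assumptions.

```cisco
! Constructed values, not from the thread:
!   203.0.113.8/29  block assumed to be assigned by the new ISP; the ASA
!                   static-NATs the portal servers in the DMZ to these addresses
!   198.51.100.1    new ISP next hop on the new circuit
!   192.0.2.10      ASA outside address on the LAN shared with the HSRP routers
!
! Match only traffic whose (post-NAT) source is a portal server
ip access-list extended PORTAL-SRC
 permit ip 203.0.113.8 0.0.0.7 any
!
! Send matching traffic to the new ISP; everything else falls through
! to the normal routing table and keeps using the existing ISP
route-map PORTAL-VIA-NEW-ISP permit 10
 match ip address PORTAL-SRC
 set ip next-hop 198.51.100.1
!
! Apply the policy where traffic from the ASA enters the router
interface GigabitEthernet0/1
 description LAN toward ASA outside (HSRP group on this segment)
 ip policy route-map PORTAL-VIA-NEW-ISP
!
interface GigabitEthernet0/2
 description New ISP circuit
 ip address 198.51.100.2 255.255.255.252
!
! Return path: the new ISP delivers 203.0.113.8/29 to this router,
! which hands it to the ASA for un-translation
ip route 203.0.113.8 255.255.255.248 192.0.2.10
```

The policy and the new circuit exist only on this one router, so after an HSRP failover the standby router forwards portal traffic by its normal routing table instead.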

From: [email protected] On Behalf Of --Hammer--
Sent: Tuesday, November 16, 2010 10:01 AM
To: 'A 1'
Cc: [email protected]
Subject: Re: [OSL | CCIE_RS] DUAL homed

So we are only halfway there.

This really depends on how radical you want to go. You could always fire up a 
second network. Trunk it, dual NICs, etc. NAT it back at the edge routers to a 
public address. I mean, there are several ways to do it but there is an 
ugliness factor to contend with. How ugly do you want to make it?



--Hammer

"I was a normal American nerd."
-Jack Herer

From: A 1 [mailto:[email protected]]
Sent: Tuesday, November 16, 2010 8:56 AM
To: --Hammer--
Cc: [email protected]
Subject: Re: [OSL | CCIE_RS] DUAL homed

I can apply the PBR for outgoing traffic the firewall ASA does not support 
source based routing.

Regards
M
On Tue, Nov 16, 2010 at 9:47 AM, --Hammer-- <[email protected]> wrote:
Ok, I try not to speak up on technical stuff because there are far smarter 
people on this thread than me but why can't you do PBR on the routers for this? 
This new application is going to have a unique IP address right? So why can't 
you write some route maps for the IP address of the application and PBR it to 
the right circuit? Am I missing something?



--Hammer

"I was a normal American nerd."
-Jack Herer

From: [email protected] On Behalf Of A 1
Sent: Monday, November 15, 2010 12:07 PM
To: [email protected]
Subject: Re: [OSL | CCIE_RS] DUAL homed

On Mon, Nov 15, 2010 at 1:06 PM, A 1 <[email protected]> wrote:
Hello,

My apologies if I put this request in the wrong section.

Can anyone help me out? I have two ISP routers (from the same company) 
working as a primary and secondary (HSRP) and all our network outbound is 
using this HSRP address. There is an ASA firewall behind these routers. I have 
a requirement that a portal application, having a couple of servers that reside 
in the firewall DMZ, should pass through a new circuit (ISP), i.e. only portal 
servers should use this new ISP circuit. How can I do that? One solution that 
I was thinking of is to
- enable static NAT (with the ISP-provided IP with local IP at DMZ for all 
servers)
- source-based routing

but there is no policy-based routing supported by ASA
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#pbr

My preference is not to use BGP
Regards
M


