Multiple wan connections issue

Unanswered Question
Feb 27th, 2007

Hello all, I am having a problem with my setup that I haven't been able to fix, so any help is much appreciated. Here is the issue:

I have a 3600 router with 4 Fast Ethernet interfaces, 2 of them connected to 2 LANs and the other 2 connected to two different ISPs. I've set up two route maps in order to use isp1's gateway for lan1 and isp2's gateway for lan2. I also have a couple of 1-1 NATting going on and a couple of PAT entries for the servers running in the LANs. The problem is that whenever I want to connect to one of the mail servers on lan2 from a computer on lan1, I get connection refused. I've had similar problems before with other more simplistic hardware, and the problem was due to the lack of loopback routing on these devices; however, I have no idea how to fix this on the Cisco router. I believe it can be done, but my CCNA knowledge doesn't help me on this one. Attached is my config file. Thank you very much for your help.

rajivrajan1 Tue, 02/27/2007 - 23:13

You have attached a downloaded config (directly from the router using TFTP).

It's hard to read that. Please copy and paste it, or capture it using HyperTerminal, and send it.

carlosruizcastillo Wed, 02/28/2007 - 01:42

Sorry for the inconvenience, here is the file:

interface FastEthernet0/0
 ip address 162.x.x.164 255.255.255.240 secondary
 ip address 162.x.x.163 255.255.255.240 secondary
 ip address 162.x.x.162 255.255.255.240
 ip access-group 110 in
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 192.168.57.1 255.255.255.0
 ip nat inside
 ip policy route-map one
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 162.x.x.180 255.255.255.240 secondary
 ip address 162.x.x.179 255.255.255.240 secondary
 ip address 162.x.x.178 255.255.255.240
 ip access-group 120 in
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet3/0
 ip address 192.168.58.1 255.255.255.0
 ip nat inside
 ip policy route-map dedicated
 duplex auto
 speed auto
!
ip nat pool nat-pool 162.x.x.162 162.208.157.162 netmask 255.255.255.240
ip nat pool nat-pool2 162.208.157.178 162.208.157.178 netmask 255.255.255.240
ip nat inside source list 10 pool nat-pool overload
ip nat inside source list 20 pool nat-pool2 overload
ip nat inside source static 192.168.57.3 122.208.157.163
ip nat inside source static tcp 192.168.57.40 80 162.208.157.162 10000 extendable
ip nat inside source static 192.168.58.3 162.208.157.179
ip nat inside source static 192.168.58.4 162.208.157.180
ip nat inside source static tcp 192.168.58.20 53 162.208.157.178 53 extendable
ip nat inside source static tcp 192.168.58.20 443 162.208.157.178 443 extendable
ip nat inside source static tcp 192.168.58.20 25 162.208.157.178 25 extendable
ip nat inside source static tcp 192.168.58.20 110 162.208.157.178 110 extendable
ip nat inside source static tcp 192.168.58.20 80 162.208.157.178 80 extendable
ip classless
no ip http server
!
access-list 1 permit 192.168.57.0 0.0.0.255
access-list 2 permit 192.168.58.0 0.0.0.255
access-list 10 permit 192.168.57.0 0.0.0.255
access-list 20 permit 192.168.58.0 0.0.0.255
access-list 110 deny tcp any 162.208.157.160 0.0.0.15 eq telnet
access-list 110 deny icmp any 162.x.x.160 0.0.0.15 8 0
access-list 110 permit ip any any
access-list 120 deny tcp any 162.208.157.176 0.0.0.15 eq telnet
access-list 120 deny icmp any 162.208.157.176 0.0.0.15 8 0
access-list 120 permit ip any any
route-map one permit 1
 match ip address 1
 set ip next-hop 162.x.x.161
!
route-map dedicated permit 2
 match ip address 2
 set ip next-hop 162.x.x.177

Danilo Dy Fri, 03/02/2007 - 04:35

Try changing your ACL 1 and 2 to ACL 101 and 102;

access-list 101 deny ip 192.168.57.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 101 permit ip 192.168.57.0 0.0.0.255 any
access-list 102 deny ip 192.168.58.0 0.0.0.255 192.168.57.0 0.0.0.255
access-list 102 permit ip 192.168.58.0 0.0.0.255 any
!
route-map one permit 1
 match ip address 101
 set ip next-hop 162.x.x.161
!
route-map dedicated permit 2
 match ip address 102
 set ip next-hop 162.x.x.177
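
Added example, not part of the reply above or of the original thread: a small Python model of how the ACL referenced by a route-map's "match ip address" decides which packets are policy-routed, comparing the standard ACL 1 with the extended ACL 101. The host addresses 192.168.57.10 and 198.51.100.7 are constructed, and the route-map is simplified to its single permit clause.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

ANY = ("0.0.0.0", "255.255.255.255")
LAN1 = ("192.168.57.0", "0.0.0.255")
LAN2 = ("192.168.58.0", "0.0.0.255")

# Each entry: (action, source, destination).
# A standard ACL tests only the source, modelled here as destination ANY.
ACL_1 = [("permit", LAN1, ANY)]
ACL_101 = [
    ("deny", LAN1, LAN2),   # inter-LAN traffic is excluded from policy routing
    ("permit", LAN1, ANY),  # everything else from lan1 goes to the ISP gateway
]

def acl_action(acl, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    for action, s, d in acl:
        if wc_match(src, *s) and wc_match(dst, *d):
            return action
    return "deny"

def forward(acl, next_hop, src, dst):
    """Route-map permit clause: an ACL permit applies 'set ip next-hop';
    any other result leaves the packet to the normal routing table."""
    if acl_action(acl, src, dst) == "permit":
        return "policy-routed to " + next_hop
    return "routing table"

NEXT_HOP = "162.x.x.161"  # gateway as redacted in the thread

if __name__ == "__main__":
    # Constructed sample packets from a lan1 host.
    packets = [
        ("192.168.57.10", "192.168.58.20"),  # to the lan2 server
        ("192.168.57.10", "198.51.100.7"),   # to an Internet host
    ]
    for name, acl in (("ACL 1", ACL_1), ("ACL 101", ACL_101)):
        for src, dst in packets:
            print(name, src, "->", dst, ":", forward(acl, NEXT_HOP, src, dst))
```

With ACL 1, lan1 traffic destined for lan2 is also handed to the ISP gateway; with ACL 101 it is left to the router's connected routes, while Internet-bound traffic is still policy-routed.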

carlosruizcastillo Sun, 03/04/2007 - 16:21

Hello Medan, thank you very much for your help. I will be making the suggested changes tonight and will let you know how it goes. Again, much appreciated.

carlosruizcastillo Tue, 03/06/2007 - 00:06

Hello all, first of all thank you very much for your help. After installing the new access-lists it seems the problem is 50% solved: now I can access machines in net2 from net1 and vice versa. However, the initial issue is still present. Let me explain a bit further:

Let's say I own the domain carlosruiz.com, and the server hosting that domain is in net2. I have set up a couple of PATs, for example carlosruiz.com:22 -> net2ip:2222, carlosruiz.com:25 -> net2ip:25 and carlosruiz.com:80 -> net2ip:80. As you can see, if I am sitting at a computer in net1 and enter net2ip in my web browser, it does work as expected; however, if I enter carlosruiz.com I get a connection refused as before. There are no firewall rules preventing this traffic, so the problem still is that anything that comes into the router ISP1 or ISP2 from net1 or net2 gets a connection refused, but pings still work. Are the Port Address Translations restricted in any way when the traffic comes from the inside?

access-list 1 permit 192.168.57.0 0.0.0.255
access-list 2 permit 192.168.58.0 0.0.0.255
access-list 10 permit 192.168.57.0 0.0.0.255
access-list 20 permit 192.168.58.0 0.0.0.255
access-list 101 deny ip 192.168.57.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 101 permit ip 192.168.57.0 0.0.0.255 any
access-list 102 deny ip 192.168.58.0 0.0.0.255 192.168.57.0 0.0.0.255
access-list 102 permit ip 192.168.58.0 0.0.0.255 any
access-list 110 deny tcp any 162.208.157.160 0.0.0.15 eq telnet
access-list 110 deny icmp any 162.208.157.160 0.0.0.15 8 0
access-list 110 permit ip any any
access-list 120 deny tcp any 162.208.157.176 0.0.0.15 eq telnet
access-list 120 deny icmp any 162.208.157.176 0.0.0.15 8 0
access-list 120 permit ip any any
route-map e-buy permit 1
 match ip address 101
 set ip next-hop 162.208.157.161
!
route-map dedicated permit 2
 match ip address 102
 set ip next-hop 162.208.157.177

Best Regards

Carlos Ruiz
