02-27-2007 08:39 PM - edited 03-03-2019 03:57 PM
Hello all, I am having a problem with my setup that I haven't been able to fix, so any help is much appreciated. Here is the issue:
I have a 3600 router with 4 Fast Ethernet interfaces, 2 of them connected to 2 LANs, and the other 2 connected to two different ISPs. I've set up two route maps in order to use isp1's gateway for lan1 and isp2's gateway for lan2. I also have a couple of 1-1 NATting going on and a couple of PAT entries for the servers running in the LANs. The problem is that whenever I want to connect to one of the mail servers on lan2 from a computer on lan1 I get connection refused. I've had similar problems before with other more simplistic hardware, and the problem was due to the lack of loopback routing on these devices. However, I have no idea how to fix this on the Cisco router. I believe it can be done, but my CCNA knowledge doesn't help me on this one. Attached is my config file. Thank you very much for your help.
02-27-2007 11:13 PM
You have attached a downloaded config (directly from the router using TFTP).
It's hard to read that. Please copy and paste it, or capture it using HyperTerminal, and send it.
02-28-2007 01:42 AM
Sorry for the inconvenience, here is the file:
interface FastEthernet0/0
ip address 162.x.x.164 255.255.255.240 secondary
ip address 162.x.x.163 255.255.255.240 secondary
ip address 162.x.x.162 255.255.255.240
ip access-group 110 in
ip nat outside
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.57.1 255.255.255.0
ip nat inside
ip policy route-map one
duplex auto
speed auto
!
interface FastEthernet2/0
ip address 162.x.x.180 255.255.255.240 secondary
ip address 162.x.x.179 255.255.255.240 secondary
ip address 162.x.x.178 255.255.255.240
ip access-group 120 in
ip nat outside
duplex auto
speed auto
!
interface FastEthernet3/0
ip address 192.168.58.1 255.255.255.0
ip nat inside
ip policy route-map dedicated
duplex auto
speed auto
!
ip nat pool nat-pool 162.x.x.162 162.208.157.162 netmask 255.255.255.240
ip nat pool nat-pool2 162.208.157.178 162.208.157.178 netmask 255.255.255.240
ip nat inside source list 10 pool nat-pool overload
ip nat inside source list 20 pool nat-pool2 overload
ip nat inside source static 192.168.57.3 122.208.157.163
ip nat inside source static tcp 192.168.57.40 80 162.208.157.162 10000 extendable
ip nat inside source static 192.168.58.3 162.208.157.179
ip nat inside source static 192.168.58.4 162.208.157.180
ip nat inside source static tcp 192.168.58.20 53 162.208.157.178 53 extendable
ip nat inside source static tcp 192.168.58.20 443 162.208.157.178 443 extendable
ip nat inside source static tcp 192.168.58.20 25 162.208.157.178 25 extendable
ip nat inside source static tcp 192.168.58.20 110 162.208.157.178 110 extendable
ip nat inside source static tcp 192.168.58.20 80 162.208.157.178 80 extendable
ip classless
no ip http server
!
access-list 1 permit 192.168.57.0 0.0.0.255
access-list 2 permit 192.168.58.0 0.0.0.255
access-list 10 permit 192.168.57.0 0.0.0.255
access-list 20 permit 192.168.58.0 0.0.0.255
access-list 110 deny tcp any 162.208.157.160 0.0.0.15 eq telnet
access-list 110 deny icmp any 162.x.x.160 0.0.0.15 8 0
access-list 110 permit ip any any
access-list 120 deny tcp any 162.208.157.176 0.0.0.15 eq telnet
access-list 120 deny icmp any 162.208.157.176 0.0.0.15 8 0
access-list 120 permit ip any any
route-map one permit 1
match ip address 1
set ip next-hop 162.x.x.161
!
route-map dedicated permit 2
match ip address 2
set ip next-hop 162.x.x.177
03-02-2007 04:35 AM
Try changing your ACL 1 and 2 to ACL 101 and 102;
access-list 101 deny ip 192.168.57.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 101 permit ip 192.168.57.0 0.0.0.255 any
access-list 102 deny ip 192.168.58.0 0.0.0.255 192.168.57.0 0.0.0.255
access-list 102 permit ip 192.168.58.0 0.0.0.255 any
!
route-map one permit 1
match ip address 101
set ip next-hop 162.x.x.161
!
route-map dedicated permit 2
match ip address 102
set ip next-hop 162.x.x.177
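The effect of the ACL change suggested above, modelled as an added example that is not part of the original reply or of anyone's posted configuration: a standard ACL matches on source only, so route-map `one` sends every lan1 packet to the ISP next hop, while the extended ACL's `deny` line lets inter-LAN packets fall back to normal routing. The label `ISP1_GW` and the address 198.51.100.7 are constructed placeholders.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")
LAN1 = ("192.168.57.0", "0.0.0.255")
LAN2 = ("192.168.58.0", "0.0.0.255")

# (action, source, destination). A standard ACL has no destination field,
# so ACL 1 behaves like "destination any".
ACL_1 = [("permit", LAN1, ANY)]
ACL_101 = [("deny", LAN1, LAN2), ("permit", LAN1, ANY)]

# Connected LAN interfaces taken from the posted config.
CONNECTED = {
    "FastEthernet1/0": ipaddress.ip_network("192.168.57.0/24"),
    "FastEthernet3/0": ipaddress.ip_network("192.168.58.0/24"),
}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set to 1 are 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(base)) & care)

def acl_permits(acl, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    for action, s, d in acl:
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action == "permit"
    return False

def forward(acl, src, dst, pbr_next_hop):
    """One route-map permit clause: an ACL permit applies 'set ip next-hop';
    an ACL deny (or no match) leaves the packet to destination-based routing."""
    if acl_permits(acl, src, dst):
        return pbr_next_hop
    for ifname, net in CONNECTED.items():
        if ipaddress.ip_address(dst) in net:
            return ifname
    return "routing table"  # no default route appears in the posted config

if __name__ == "__main__":
    # lan1 host talking to the lan2 mail server, then to a constructed outside host
    for name, acl in (("ACL 1", ACL_1), ("ACL 101", ACL_101)):
        for dst in ("192.168.58.20", "198.51.100.7"):
            print(name, dst, "->", forward(acl, "192.168.57.10", dst, "ISP1_GW"))
```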
03-04-2007 04:21 PM
Hello Medan, thank you very much for your help, I will be making the suggested changes tonight, and will let you know how it goes, again much appreciated.
03-06-2007 12:06 AM
Hello all, first of all thank you very much for your help, after installing the new access-lists it seems the problem is 50% solved, now I can access machines in net2 from net1 and vice versa, however, the initial issue is still present, let me explain a bit further:
Let's say I own the domain carlosruiz.com, and the server hosting that domain is in net2. I have set up a couple of PATs, for example carlosruiz.com:22 -> net2ip:2222, carlosruiz.com:25 -> net2ip:25 and carlosruiz.com:80 -> net2ip:80. As you can see, if I am sitting at a computer in net1 and enter net2ip in my web browser it does work as expected; however, if I enter carlosruiz.com I get a connection refused as before. There are no firewall rules preventing this traffic, so the problem still is that anything that comes into the router ISP1 or ISP2 from net1 or net2 gets a connection refused, but pings still work. Are the Port Address Translations restricted in any way when the traffic comes from the inside?
access-list 1 permit 192.168.57.0 0.0.0.255
access-list 2 permit 192.168.58.0 0.0.0.255
access-list 10 permit 192.168.57.0 0.0.0.255
access-list 20 permit 192.168.58.0 0.0.0.255
access-list 101 deny ip 192.168.57.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 101 permit ip 192.168.57.0 0.0.0.255 any
access-list 102 deny ip 192.168.58.0 0.0.0.255 192.168.57.0 0.0.0.255
access-list 102 permit ip 192.168.58.0 0.0.0.255 any
access-list 110 deny tcp any 162.208.157.160 0.0.0.15 eq telnet
access-list 110 deny icmp any 162.208.157.160 0.0.0.15 8 0
access-list 110 permit ip any any
access-list 120 deny tcp any 162.208.157.176 0.0.0.15 eq telnet
access-list 120 deny icmp any 162.208.157.176 0.0.0.15 8 0
access-list 120 permit ip any any
route-map e-buy permit 1
match ip address 101
set ip next-hop 162.208.157.161
!
route-map dedicated permit 2
match ip address 102
set ip next-hop 162.208.157.177
Best Regards
Carlos Ruiz