Routing problems with the cisco 1841

Jul 10th, 2007

Here at our office we're using a Cisco 1841 with both an SDSL connection and an ADSL connection. This is all working great actually: the ADSL connection provides our LAN with internet, and the SDSL connection is completely separate and hosts our webserver with its own IP (so no LAN configured for that connection). Obviously, the ADSL connection has NAT enabled and the SDSL connection has NAT completely disabled. Our problem was like this: at our LAN we couldn't connect to our website (so basically we couldn't connect to the IP range of the SDSL connection). Now we discovered where the problem lies. In the Cisco router there are 2 ACL rules defined: rule #150 has 2 subrules, which are

1) Permit, source=any, destination=IP range from SDSL connection.
2) Permit, source=IP range from SDSL connection, destination=any

Now, when we delete the second rule we can connect from our LAN to the SDSL IPs, but the rest of the world can't connect to it anymore. When we have both these rules enabled, the rest of the world can connect to the SDSL IPs but we can't connect from our LAN. Also I should mention that when we look with tcpdump we see packages arriving at the SDSL IPs and the replies are there as well, but the route back to the LAN seems to be disabled. There is no firewall installed whatsoever btw. Please give us any information you can think of, because we are totally stunned at how this can happen.

a.shaik Tue, 07/10/2007 - 04:06

Could you please add the configuration of this router. A network diagram is also welcome.

From your description, I don't know where ACL 150 is applied.


Regards

Shaik ASSANA


maartenvanmalland Tue, 07/10/2007 - 04:19

I have attached the running configuration of the router. I do not have a network diagram readily available, but I'll try my ASCII art on it:


      SDSL           ADSL
        |              |
        |              |
        |              |
      ----------------------
           Cisco 1841
      ----------------------
        |              |
        |              +---- LAN with NAT enabled
        |
        +---- Completely separated SDSL IPs



EDIT: the forums fubars my little drawing, but the diagram can be derived from my description i think.



PETER EIJSBERG Tue, 07/10/2007 - 06:10

If I understand it correctly, access-list 150 is used in route-map sdsl to set the outgoing interface to the DSL port. But that ACL matches 80.127.bla both as source and destination address, so it will also send return traffic (from the DSL interface) back into the DSL interface.... Basically blackholing the traffic that way. Seems to me that this may be one of the reasons why it won't work.

If this is the case, if you turn on debugging on the interface you would see encapsulation errors and so on.

maartenvanmalland Tue, 07/10/2007 - 06:17

Okay, that makes sense. Where can I configure that "route-map sdsl"? I have looked everywhere but I can't find it anywhere.

PETER EIJSBERG Tue, 07/10/2007 - 07:16

I'm pretty sure now that the policy routing on FastEth 0/1 is the source of your problems. Best way to proceed would be to clearly redefine how you want the routing policy to be (which flows from where to where), and then decide where you will enforce it (applying policies to interfaces). In any event, you will need two policies instead of one, to route traffic to/from the LAN and to/from the Internet.


By the way: the route-map is all the way down in the config, and the ip policy map is applied on FastEth0/1.

Correct Answer
Richard Burts Mon, 07/23/2007 - 05:04
Maarten


I agree with Peter that your problem is that the Policy Based Routing that is configured is matching responses which should go back to your LAN and sending them out the dialer interface. I would suggest that you need to modify access-list 150 to deny traffic to your LAN before you permit other traffic. I would suggest that you paste this into your router:

no access-list 150
!
access-list 150 remark SDM_ACL Category=1
access-list 150 deny ip 192.168.0.0 0.0.0.255 80.127.207.192 0.0.0.15
access-list 150 deny ip 80.127.207.192 0.0.0.15 192.168.0.0 0.0.0.255
access-list 150 permit ip any 80.127.207.192 0.0.0.15
access-list 150 permit ip 80.127.207.192 0.0.0.15 any


Give this a try and let us know if it fixes your problem.


HTH


Rick
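To make the first-match behaviour concrete, here is an added example (not from the thread or from Cisco) that evaluates the two-permit ACL 150 from the question and Rick's deny-first rewrite against the replies the web server sends back, using IOS semantics (first matching entry wins, implicit deny at the end, a permit match meaning "policy-route out the SDSL side"). The web server address 80.127.207.200 and the host 192.168.0.10 are constructed; the wildcard-mask parser assumes contiguous masks, which is all the thread's ACL uses.

```python
import ipaddress

# ACL 150 as the question describes it (two permits) and as Rick rewrites it.
ACL_ORIGINAL = """
access-list 150 permit ip any 80.127.207.192 0.0.0.15
access-list 150 permit ip 80.127.207.192 0.0.0.15 any
"""
ACL_FIXED = """
access-list 150 remark SDM_ACL Category=1
access-list 150 deny ip 192.168.0.0 0.0.0.255 80.127.207.192 0.0.0.15
access-list 150 deny ip 80.127.207.192 0.0.0.15 192.168.0.0 0.0.0.255
access-list 150 permit ip any 80.127.207.192 0.0.0.15
access-list 150 permit ip 80.127.207.192 0.0.0.15 any
"""

def parse_addr(tokens):
    """One IOS address spec (any | ADDR WILDCARD) -> (network, remaining tokens).
    Assumes a contiguous wildcard mask, so it maps to a prefix length."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    prefix = 32 - int(ipaddress.IPv4Address(tokens[1])).bit_length()
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]

def parse_acl(text):
    """Keep 'access-list N permit|deny ip SRC DST' entries in order; skip the rest."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) >= 5 and t[0] == "access-list" and t[3] == "ip":
            src, rest = parse_addr(t[4:])
            dst, _ = parse_addr(rest)
            entries.append((t[2], src, dst))
    return entries

def acl_action(entries, src, dst):
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((a for a, sn, dn in entries if s in sn and d in dn), "deny")

def pbr_decision(acl_text, src, dst):
    """route-map on Fa0/1: permit -> forced out SDSL; deny/no match -> routing table."""
    return "sdsl" if acl_action(parse_acl(acl_text), src, dst) == "permit" else "routing-table"

# Constructed flows: replies the web server sends, i.e. packets entering Fa0/1.
# 80.127.207.200 is a made-up host inside the SDSL /28 quoted in the thread.
WEB = "80.127.207.200"
FLOWS = {"reply to LAN": (WEB, "192.168.0.10"), "reply to Internet": (WEB, "203.0.113.5")}

def compare():  # flow name -> (decision under original ACL, decision under fixed ACL)
    return {n: (pbr_decision(ACL_ORIGINAL, s, d), pbr_decision(ACL_FIXED, s, d))
            for n, (s, d) in FLOWS.items()}
```

With the original ACL both replies are policy-routed out the SDSL side, so the LAN never sees its answer; with the deny-first ACL the reply to the LAN falls through to the routing table while Internet replies still go out via SDSL.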

maartenvanmalland Mon, 07/23/2007 - 05:22

All right, this works beautifully. Thank you so much for your solution, it really is awesome!
