07-10-2007 02:58 AM - edited 03-03-2019 05:47 PM
Here at our office we're using a Cisco 1841 with both an SDSL connection and an ADSL connection. This is all working great actually: the ADSL connection provides our LAN with internet, and the SDSL connection is completely separate and hosts our webserver with its own IP (so no LAN configured for that connection). Obviously, the ADSL connection has NAT enabled and the SDSL connection has NAT completely disabled. Our problem was like this: from our LAN we couldn't connect to our website (so basically we couldn't connect to the IP range of the SDSL connection). Now we discovered where the problem lies. In the Cisco router there are 2 ACL rules defined: rule #150 has 2 subrules, which are
1) Permit, source=any, destination=IP range from SDSL connection.
2) Permit, source=IP range from SDSL connection, destination=any
Now, when we delete the second rule we can connect from our LAN to the SDSL IPs, but the rest of the world can't connect to them anymore. When we have both of these rules enabled, the rest of the world can connect to the SDSL IPs but we can't connect from our LAN. Also I should mention that when we look with tcpdump we see packets arriving at the SDSL IPs and the replies are there as well, but the route back to the LAN seems to be disabled. There is no firewall installed whatsoever, btw. Please give us any information you can think of, because we are totally stunned at how this can happen.
07-23-2007 05:04 AM
Maarten
I agree with Peter that your problem is that the Policy Based Routing that is configured is matching responses which should go back to your LAN and sending them out the dialer interface. I would suggest that you need to modify access-list 150 to deny traffic to your LAN before you permit other traffic. I would suggest that you paste this into your router:
no access-list 150
!
access-list 150 remark SDM_ACL Category=1
access-list 150 deny ip 192.168.0.0 0.0.0.255 80.127.207.192 0.0.0.15
access-list 150 deny ip 80.127.207.192 0.0.0.15 192.168.0.0 0.0.0.255
access-list 150 permit ip any 80.127.207.192 0.0.0.15
access-list 150 permit ip 80.127.207.192 0.0.0.15 any
Give this a try and let us know if it fixes your problem.
HTH
Rick
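To make the reasoning in Rick's answer concrete, here is a small Python model of how IOS evaluates extended access-list 150 (wildcard masks, first match wins, implicit deny at the end) and how a route-map matching that ACL would treat each flow. It is an added example, not code from the thread or from Cisco. The hosts 192.168.0.20, 80.127.207.194 and 203.0.113.10 are constructed sample addresses, and the egress name "SDSL-uplink" is a placeholder for whatever the real route-map sdsl names in its set interface statement, which the thread does not show; the model also assumes the route-map has a single permit sequence and that a packet denied by the ACL falls through to the normal routing table, which is how PBR behaves on IOS.

```python
import ipaddress

# Constructed inputs: the two address ranges from the thread and the
# IOS convention that "any" is 0.0.0.0 with an all-ones wildcard.
LAN = ("192.168.0.0", "0.0.0.255")
SDSL = ("80.127.207.192", "0.0.0.15")
ANY = ("0.0.0.0", "255.255.255.255")

# Placeholder name for the interface the route-map sets (assumption).
POLICY_EGRESS = "SDSL-uplink"

# access-list 150 as it stood before the fix: entries are
# (action, (src_base, src_wildcard), (dst_base, dst_wildcard)).
ORIGINAL_ACL_150 = [
    ("permit", ANY, SDSL),
    ("permit", SDSL, ANY),
]

# access-list 150 as Rick proposed: deny LAN<->SDSL first, then permit.
FIXED_ACL_150 = [
    ("deny", LAN, SDSL),
    ("deny", SDSL, LAN),
    ("permit", ANY, SDSL),
    ("permit", SDSL, ANY),
]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_result(acl, src, dst):
    """First-match evaluation with the implicit deny every IOS ACL ends with."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def pbr_egress(acl, src, dst):
    """Model of 'route-map sdsl permit 10 / match ip address 150 / set interface <X>'.

    A packet the ACL permits is policy-routed out the set interface; a packet
    the ACL denies (or does not match) is handed to the normal routing table.
    """
    if acl_result(acl, src, dst) == "permit":
        return POLICY_EGRESS
    return "routing-table"


def check_flows(acl):
    """Evaluate the four flows the thread cares about against a given ACL.

    The ACL only acts on packets that enter the interface carrying 'ip policy',
    but evaluating all four shows which ones the policy would hijack.
    """
    flows = {
        "internet->webserver": ("203.0.113.10", "80.127.207.194"),
        "webserver->internet": ("80.127.207.194", "203.0.113.10"),
        "lan->webserver": ("192.168.0.20", "80.127.207.194"),
        "webserver->lan": ("80.127.207.194", "192.168.0.20"),
    }
    return {name: pbr_egress(acl, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL_150), ("fixed", FIXED_ACL_150)):
        print(label)
        for name, egress in check_flows(acl).items():
            print(f"  {name:22s} -> {egress}")
```

With the original ACL the webserver's reply to a LAN client (source in the SDSL range) hits the second permit and is forced out the policy interface instead of back toward 192.168.0.0/24, which is exactly the blackholing Peter described. With the two deny entries in front, that reply falls through to the routing table, while internet-facing flows still match the permits. Order matters: putting the denies after the permits would change nothing, because the first matching entry ends the evaluation.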
07-10-2007 04:06 AM
Could you please add the configuration of this router. A network diagram is also welcome.
From your description, I don't know where ACL 150 is applied.
Regards
Shaik ASSANA
07-10-2007 04:19 AM
I have attached the running configuration of the router. I do not have a network diagram readily available, but I'll try my ASCII art on it:
      SDSL                ADSL
        |                   |
        |                   |
      -----------------------
            Cisco 1841
      -----------------------
        |                   |
        |                   +-- LAN with NAT enabled
        |
        +-- Completely separated SDSL IPs
EDIT: the forums fubars my little drawing, but the diagram can be derived from my description i think.
07-10-2007 06:10 AM
If I understand it correctly, access-list 150 is used in route-map sdsl to set the outgoing interface to the DSL port. But that ACL matches 80.127.bla both as source and destination address, so it will also send return traffic (from the DSL interface) back into the DSL interface... basically blackholing the traffic that way. Seems to me that this may be one of the reasons why it won't work.
If this is the case, if you turn on debugging on the interface you would see encapsulation errors and so on.
07-10-2007 06:17 AM
Okay, that makes sense. Where can I configure that "route-map sdsl"? I have looked everywhere but I can't find it anywhere.
07-10-2007 07:16 AM
I'm pretty sure now that the policy routing on FastEth 0/1 is the source of your problems. Best way to proceed would be to clearly redefine how you want the routing policy to be (which flows from where to where), and then decide where you will enforce it (applying policies to interfaces). In any event, you will need two policies instead of one, to route traffic to/from the LAN and to/from the Internet.
By the way: the route-map is all the way down in the config, and the ip policy is applied on FastEth0/1.
07-23-2007 05:22 AM
All right, this works beautifully. Thank you so much for your solution, it really is awesome!