10-03-2007 04:50 AM - edited 03-05-2019 06:50 PM
See Config Below:
Check my config below:
Exchange Server IP: 100.100.100.69
Gateway: 100.100.100.65
PC: 192.168.111.22
GW: 192.168.111.1
Cisco7206:
interface FastEthernet1/0
description Connection-to-Digitel
ip address 100.100.100.65 255.255.255.192
ip nat outside
ip policy route-map Digitel
duplex half
interface FastEthernet4/0.1
description VLAN1-Management
encapsulation dot1Q 1 native
ip address 192.168.111.1 255.255.255.0
no ip redirects
ip nat inside
ip nat pool primary-pool 100.100.100.67 100.100.100.68 netmask 255.255.255.192
ip nat inside source route-map primary-map pool primary-pool overload
route-map primary-map permit 10
match ip address 10
set interface FastEthernet4/0
!
route-map Digitel permit 20
match ip address 30
set interface FastEthernet1/0
access-list 10 permit 192.168.111.0 0.0.0.255
access-list 30 permit 100.100.100.64 0.0.0.63
ip route 0.0.0.0 0.0.0.0 100.100.100.66
My question is: why can't I ping the Exchange server with IP 100.100.100.69 from my workstation 192.168.111.22? Traceroute shows that it is only reaching 192.168.111.1. Based on the NAT, it should be able to translate 192.168.111.22 to 100.100.100.67. So I checked show ip nat translation, and there is a line in which 192.168.111.22 is translated into 100.100.100.67 before going to 100.100.100.69 (Exchange Server). I tried configuring my workstation's IP in the same block as the 100.100.100.64/26 network, and I can ping the server. But when I change it to a private IP address, it does not work.
Help me on this one. Thank you in advance. It's very urgent.
10-03-2007 05:11 AM
I'm not sure what you are trying to do with the policy routing, but I think that may be the origin of your problem. I shall study the route-map to see if I can work out what it is supposed to do. Maybe you don't need it. It seems to be routing the packets from Digitel according to their source address, but everything from Digitel will have something in 100.100.100.64/26 as source address.
But in any case, it has a set interface F4/0, but it looks like it might want to say F4/0.1, although I am not sure, being the native VLAN.
I think the ping is going out OK, but the response is getting lost in the route map.
Kevin Dorrell
Luxembourg
10-03-2007 06:25 AM
The real scenario here is that I have a 7206 router with 4 Fa ports, 3 of which are connected to 3 ISPs and 1 to my LAN. I use the route map to force only the subnet for each ISP to route out of its specific interface.
Yes, it is FA4/0.1; I mistyped that.
Here is my whole config:
interface FastEthernet1/0
description Connection-to-Digitel
ip address 100.100.100.65 255.255.255.192
ip nat outside
ip policy route-map Digitel
duplex full
!
interface FastEthernet2/0
description Connection-to-FiberCity
ip address 200.200.200.129 255.255.255.248
ip nat outside
ip policy route-map FiberCity
duplex half
!
interface FastEthernet3/0
description Connection-to-IPLC-NY2
ip address 60.192.168.225 255.255.255.224 secondary
ip address 60.192.168.49 255.255.255.240
ip nat outside
ip policy route-map IPLC
duplex full
!
interface FastEthernet4/0
description Connection-to-GACI-LAN
no ip address
duplex full
!
interface FastEthernet4/0.1
description VLAN1-Management
encapsulation dot1Q 1 native
ip address 192.168.111.1 255.255.255.0
no ip redirects
ip nat inside
!
interface FastEthernet4/0.3
description VLAN3-ZHAPA LAN
encapsulation dot1Q 3
ip address 10.10.10.254 255.255.255.0
no ip redirects
ip nat inside
!
ip nat translation timeout 3600
ip nat pool ZHAPA-pool 100.100.100.71 100.100.100.71 netmask 255.255.255.192
ip nat pool primary-pool 100.100.100.67 100.100.100.68 netmask 255.255.255.192
ip nat inside source route-map CCATEL pool CCATEL-POOL overload
ip nat inside source route-map ZHAPA-map pool ZHAPA-pool overload
ip nat inside source route-map primary-map pool primary-pool overload
ip nat inside source static tcp 192.168.111.31 80 202.138.152.75 80 extendable
ip nat inside source static tcp 192.168.111.31 3389 202.138.152.75 3389 extendable
ip nat inside source static 10.10.10.253 60.192.168.227 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 100.100.100.66
ip route 0.0.0.0 0.0.0.0 60.192.168.50
ip route 0.0.0.0 0.0.0.0 60.192.168.254
ip route 0.0.0.0 0.0.0.0 200.200.200.130
no ip http server
!
access-list 10 deny 192.168.111.31
access-list 10 deny 192.168.111.30
access-list 10 deny 192.168.111.26
access-list 10 deny 192.168.111.36
access-list 10 deny 192.168.111.33
access-list 10 deny 192.168.111.32
access-list 10 deny 192.168.111.49
access-list 10 deny 192.168.111.207
access-list 10 deny 192.168.111.206
access-list 10 deny 192.168.111.204
access-list 10 deny 192.168.111.203
access-list 10 deny 192.168.111.202
access-list 10 deny 192.168.111.201
access-list 10 deny 192.168.111.215
access-list 10 deny 192.168.111.214
access-list 10 deny 192.168.111.213
access-list 10 deny 192.168.111.212
access-list 10 deny 192.168.111.209
access-list 10 deny 192.168.111.218
access-list 10 deny 192.168.111.217
access-list 10 permit 192.168.111.0 0.0.0.255
access-list 20 permit 200.200.200.128 0.0.0.7
access-list 30 permit 100.100.100.64 0.0.0.63
access-list 40 permit 60.192.168.48 0.0.0.15
access-list 40 permit 60.192.168.224 0.0.0.31
access-list 60 permit 10.10.10.0 0.0.0.255
route-map ZHAPA-map permit 35
match ip address 60
!
route-map IPLC permit 25
match ip address 40
set interface FastEthernet3/0
!
route-map primary-map permit 10
match ip address 10
!
route-map Digitel permit 20
match ip address 30
set interface FastEthernet1/0
!
route-map FiberCity permit 15
match ip address 20
set interface FastEthernet2/0
10-03-2007 06:34 AM
I still don't get it. Your policy route for Digitel says "Anything that comes from 100.100.100.64/26, send it out F1/0, back to Digitel. Anything else, route it in the normal way."
Kevin Dorrell
Luxembourg
10-03-2007 07:04 AM
My objective here is to route a specific subnet to its correct ISP router. Since Fa1/0 is connected to the Digitel router, all 100.100.100.64/26 should go out using FA1/0. For IPLC, use Fa3/0, and for FiberCity, use FA2/0. FA4/0 is connected to my L2 switch for VLANs. All subnets must be able to see each other, whether internally or externally.
If the route-map is the cause, what do you suggest?
10-03-2007 07:12 AM
Everything that is addressed to 100.100.100.64/26 will go out F1/0 automatically, because that is the subnet on that interface. You don't need a policy map for that. You will see that on the show ip route.
The policy map is used when you want to route stuff differently depending on the address it comes from.
Try removing the policy from F1/0.
Kevin Dorrell
Luxembourg
10-03-2007 07:19 AM
If I remove the policy for each interface, would there be a conflict with my static routes?
10-03-2007 07:35 AM
No, all packets to any address in 100.100.100.64/22 would be routed out F0/1. You will be able to see that in the show ip route. The default static route you have there will only come into play when there is not already a more specific route for the subnet.
If there are two routes that match the destination of the packet, the more specific route wins.
If you want to avoid that when one of the other interfaces is down, that its packets are routed along the default route, I shall show you how once you have the basic routing working.
Kevin Dorrell
Luxembourg
10-03-2007 07:36 AM
So I removed the policy and it works. I still don't understand. Why does this happen? Do you have any links or study guides for route-maps, and what are their disadvantages? Thanks.
10-03-2007 07:49 AM
I don't have anything to hand, but maybe I should explain a bit about policy routing.
The main functions of the router are to forward packets to the destination address in the packet. Like the post office routing a letter according to the destination address on the envelope. That basic function has to do with interface addresses, static routes, and routing protocols. But nothing to do with policy routes.
Then some time in the 90s someone decided that it would be useful to be able to route traffic differently for different source addresses. It is like the mail service deciding to route a letter differently according to who is the sender. That is route maps. It is really a "fine tuning" feature, and 99 times out of 100 you would never use it.
Frankly, I don't think you need any route maps at all. The interface IP's will take care of the routing to each ISP according to the destination of the packet. The default route will take care of the rest.
Kevin Dorrell
Luxembourg
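Added example, not part of the original thread or anyone's posted config: a small Python model of the forwarding decision discussed above, showing why the echo reply from 100.100.100.69 was sent back out FastEthernet1/0 while the policy was applied. It assumes the reply's destination has already been translated back to 192.168.111.22, keeps only one of the four default routes, and the names ROUTES, POLICY, longest_prefix and forward are hypothetical.

```python
import ipaddress as ip

# Connected subnets and one default route, taken from the config in the thread.
# Simplification: only the default via 100.100.100.66 (reached over Fa1/0) is kept.
ROUTES = [
    ("100.100.100.64/26", "FastEthernet1/0"),
    ("200.200.200.128/29", "FastEthernet2/0"),
    ("60.192.168.48/28", "FastEthernet3/0"),
    ("60.192.168.224/27", "FastEthernet3/0"),
    ("192.168.111.0/24", "FastEthernet4/0.1"),
    ("10.10.10.0/24", "FastEthernet4/0.3"),
    ("0.0.0.0/0", "FastEthernet1/0"),
]

# "ip policy route-map Digitel" on Fa1/0: match source in ACL 30, set interface Fa1/0.
# Keyed by ingress interface: (source network matched, forced egress interface).
POLICY = {
    "FastEthernet1/0": ("100.100.100.64/26", "FastEthernet1/0"),
}


def longest_prefix(dst):
    """Normal destination-based routing: the most specific matching route wins."""
    addr = ip.ip_address(dst)
    matches = [(ip.ip_network(n), ifc) for n, ifc in ROUTES if addr in ip.ip_network(n)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(ingress, src, dst, policy=POLICY):
    """Return the egress interface for a packet arriving on `ingress`."""
    rule = policy.get(ingress)
    if rule and ip.ip_address(src) in ip.ip_network(rule[0]):
        return rule[1]  # source matched the route-map: destination is ignored
    return longest_prefix(dst)


if __name__ == "__main__":
    # Echo request from the workstation: no policy on Fa4/0.1, normal routing.
    print("request:", forward("FastEthernet4/0.1", "192.168.111.22", "100.100.100.69"))
    # Echo reply arriving on Fa1/0 with the policy still applied.
    print("reply, policy on: ", forward("FastEthernet1/0", "100.100.100.69", "192.168.111.22"))
    # Same reply after the policy is removed from Fa1/0.
    print("reply, policy off:", forward("FastEthernet1/0", "100.100.100.69", "192.168.111.22", policy={}))
```

With the policy in place every packet sourced from 100.100.100.64/26 that enters Fa1/0 leaves by Fa1/0 again, so the reply never reaches the inside VLAN; with the policy removed the connected route for 192.168.111.0/24 delivers it.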