
Routing Problem

worldcalltel
Level 1

See Config Below:

Check my config below:

Exchange Server IP: 100.100.100.69

Gateway: 100.100.100.65

PC: 192.168.111.22

GW: 192.168.111.1

Cisco7206:

interface FastEthernet1/0
 description Connection-to-Digitel
 ip address 100.100.100.65 255.255.255.192
 ip nat outside
 ip policy route-map Digitel
 duplex half

interface FastEthernet4/0.1
 description VLAN1-Management
 encapsulation dot1Q 1 native
 ip address 192.168.111.1 255.255.255.0
 no ip redirects
 ip nat inside

ip nat pool primary-pool 100.100.100.67 100.100.100.68 netmask 255.255.255.192
ip nat inside source route-map primary-map pool primary-pool overload

route-map primary-map permit 10
 match ip address 10
 set interface FastEthernet4/0
!
route-map Digitel permit 20
 match ip address 30
 set interface FastEthernet1/0

access-list 10 permit 192.168.111.0 0.0.0.255
access-list 30 permit 100.100.100.64 0.0.0.63

ip route 0.0.0.0 0.0.0.0 100.100.100.66

My question is, why can't I ping the exchange server with IP 100.100.100.69 from my workstation 192.168.111.22? Traceroute shows that it is only reaching 192.168.111.1. Based on the NAT, it should be able to translate 192.168.111.22 to 100.100.100.67. So I checked show ip nat translation, and there is a line in which 192.168.111.22 is translated into 100.100.100.67 before going to 100.100.100.69 (Exchange Server). I tried configuring my workstation's IP in the same block as the 100.100.100.64/26 network, and I can ping the server. But when I change it to a private IP address, it does not work.

Help me on this one. Thank you in advance. It's very urgent.


Kevin Dorrell
Level 10

I'm not sure what you are trying to do with the policy routing, but I think that may be the origin of your problem. I shall study the route-map to see if I can work out what it is supposed to do. Maybe you don't need it. It seems to be routing the packets from Digitel according to their source address, but everything from Digitel will have something in 100.100.100.64/26 as source address.

But in any case, it has a set interface F4/0 but it looks like it might want to say F4/0.1, although I am not sure, being the native VLAN.

I think the ping is going out OK, but the response is getting lost in the route map.

Kevin Dorrell

Luxembourg

The real scenario here is I have a 7206 router with 4 Fa ports, 3 of which are connected to 3 ISPs and 1 to my LAN. I use the route map to force only the subnet for each ISP to route to the specific interface going out.

Yes, it is FA4/0.1. I mistyped that.

Here is my whole config:

interface FastEthernet1/0
 description Connection-to-Digitel
 ip address 100.100.100.65 255.255.255.192
 ip nat outside
 ip policy route-map Digitel
 duplex full
!
interface FastEthernet2/0
 description Connection-to-FiberCity
 ip address 200.200.200.129 255.255.255.248
 ip nat outside
 ip policy route-map FiberCity
 duplex half
!
interface FastEthernet3/0
 description Connection-to-IPLC-NY2
 ip address 60.192.168.225 255.255.255.224 secondary
 ip address 60.192.168.49 255.255.255.240
 ip nat outside
 ip policy route-map IPLC
 duplex full
!
interface FastEthernet4/0
 description Connection-to-GACI-LAN
 no ip address
 duplex full
!
interface FastEthernet4/0.1
 description VLAN1-Management
 encapsulation dot1Q 1 native
 ip address 192.168.111.1 255.255.255.0
 no ip redirects
 ip nat inside
!
interface FastEthernet4/0.3
 description VLAN3-ZHAPA LAN
 encapsulation dot1Q 3
 ip address 10.10.10.254 255.255.255.0
 no ip redirects
 ip nat inside
!
ip nat translation timeout 3600
ip nat pool ZHAPA-pool 100.100.100.71 100.100.100.71 netmask 255.255.255.192
ip nat pool primary-pool 100.100.100.67 100.100.100.68 netmask 255.255.255.192
ip nat inside source route-map CCATEL pool CCATEL-POOL overload
ip nat inside source route-map ZHAPA-map pool ZHAPA-pool overload
ip nat inside source route-map primary-map pool primary-pool overload
ip nat inside source static tcp 192.168.111.31 80 202.138.152.75 80 extendable
ip nat inside source static tcp 192.168.111.31 3389 202.138.152.75 3389 extendable
ip nat inside source static 10.10.10.253 60.192.168.227 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 100.100.100.66
ip route 0.0.0.0 0.0.0.0 60.192.168.50
ip route 0.0.0.0 0.0.0.0 60.192.168.254
ip route 0.0.0.0 0.0.0.0 200.200.200.130
no ip http server
!
access-list 10 deny 192.168.111.31
access-list 10 deny 192.168.111.30
access-list 10 deny 192.168.111.26
access-list 10 deny 192.168.111.36
access-list 10 deny 192.168.111.33
access-list 10 deny 192.168.111.32
access-list 10 deny 192.168.111.49
access-list 10 deny 192.168.111.207
access-list 10 deny 192.168.111.206
access-list 10 deny 192.168.111.204
access-list 10 deny 192.168.111.203
access-list 10 deny 192.168.111.202
access-list 10 deny 192.168.111.201
access-list 10 deny 192.168.111.215
access-list 10 deny 192.168.111.214
access-list 10 deny 192.168.111.213
access-list 10 deny 192.168.111.212
access-list 10 deny 192.168.111.209
access-list 10 deny 192.168.111.218
access-list 10 deny 192.168.111.217
access-list 10 permit 192.168.111.0 0.0.0.255
access-list 20 permit 200.200.200.128 0.0.0.7
access-list 30 permit 100.100.100.64 0.0.0.63
access-list 40 permit 60.192.168.48 0.0.0.15
access-list 40 permit 60.192.168.224 0.0.0.31
access-list 60 permit 10.10.10.0 0.0.0.255

route-map ZHAPA-map permit 35
 match ip address 60
!
route-map IPLC permit 25
 match ip address 40
 set interface FastEthernet3/0
!
route-map primary-map permit 10
 match ip address 10
!
route-map Digitel permit 20
 match ip address 30
 set interface FastEthernet1/0
!
route-map FiberCity permit 15
 match ip address 20
 set interface FastEthernet2/0

I still don't get it. Your policy route for Digitel says "Anything that comes from 100.100.100.64/26, send it out F1/0, back to Digitel. Anything else, route it in the normal way."

Kevin Dorrell

Luxembourg

My objective here is to route a specific subnet to its correct ISP router. Since Fa1/0 is connected to the Digitel router, all 100.100.100.64/26 should go out using FA1/0. For IPLC use Fa3/0, and for FiberCity use FA2/0. FA4/0 is connected to my L2 switch for VLANs. All subnets must be able to see each other, whether internally or externally.

If the route-map is the cause, what do you suggest?

Everything that is addressed to 100.100.100.64/26 will go out F1/0 automatically, because that is the subnet on that interface. You don't need a policy map for that. You will see that on the show ip route.

The policy map is used when you want to route stuff differently depending on the address it comes from.

Try removing the policy from F1/0.

Kevin Dorrell

Luxembourg

If I remove the policy from each interface, would there be a conflict with my static routes?

No, all packets to any address in 100.100.100.64/22 would be routed out F0/1. You will be able to see that in the show ip route. The default static route you have there will only come into play when there is not already a more specific route for the subnet.

If there are two routes that match the destination of the packet, the more specific route wins.

If you want to avoid its packets being routed along the default route when one of the other interfaces is down, I shall show you how once you have the basic routing working.

Kevin Dorrell

Luxembourg

So I removed the policy and it works. I still don't understand why this happened. Do you have any links or study guides for route-maps, and what are their disadvantages? Thanks.

I don't have anything to hand, but maybe I should explain a bit about policy routing.

The main function of the router is to forward packets to the destination address in the packet. Like the post office routing a letter according to the destination address on the envelope. That basic function has to do with interface addresses, static routes, and routing protocols. But nothing to do with policy routes.

Then some time in the 90s someone decided that it would be useful to be able to route traffic differently for different source addresses. It is like the mail service deciding to route a letter differently according to who is the sender. That is route maps. It is really a "fine tuning" feature, and 99 times out of 100 you would never use it.

Frankly, I don't think you need any route maps at all. The interface IPs will take care of the routing to each ISP according to the destination of the packet. The default route will take care of the rest.

Kevin Dorrell

Luxembourg
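The behaviour discussed in this thread, as an added example that is not part of the original posts or of any Cisco code: a simplified Python model of destination-based longest-prefix routing with a source-matched policy route applied on the ingress interface. The prefixes and interface names come from the posted config; the function names, the single default route, and the assumption that NAT has already translated the reply's destination back to 192.168.111.22 before policy routing runs are choices made for this model.

```python
import ipaddress

# Simplified model of the router in this thread (values from the posted config).
# Assumption: on an "ip nat outside" interface the destination is already
# un-NATed when policy routing and the route lookup run.
ROUTES = [  # (prefix, egress interface); only the first default route is modelled
    ("100.100.100.64/26", "FastEthernet1/0"),
    ("200.200.200.128/29", "FastEthernet2/0"),
    ("60.192.168.48/28", "FastEthernet3/0"),
    ("192.168.111.0/24", "FastEthernet4/0.1"),
    ("10.10.10.0/24", "FastEthernet4/0.3"),
    ("0.0.0.0/0", "FastEthernet1/0"),  # ip route 0.0.0.0 0.0.0.0 100.100.100.66
]
# ingress interface -> (source prefix matched by the ACL, "set interface" target)
POLICY = {"FastEthernet1/0": ("100.100.100.64/26", "FastEthernet1/0")}  # route-map Digitel

def lookup(dst):
    """Destination-based routing: the most specific matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), intf) for p, intf in ROUTES]
    return max((n for n in nets if addr in n[0]), key=lambda n: n[0].prefixlen)[1]

def forward(ingress, src, dst, policy):
    """Policy routing on the ingress interface overrides the route lookup."""
    rule = policy.get(ingress)
    if rule and ipaddress.ip_address(src) in ipaddress.ip_network(rule[0]):
        return rule[1]
    return lookup(dst)

def ping_path(policy):
    """Egress interfaces for the echo request and for the echo reply."""
    request = forward("FastEthernet4/0.1", "192.168.111.22", "100.100.100.69", policy)
    # Reply from the Exchange server, destination already translated back by NAT.
    reply = forward("FastEthernet1/0", "100.100.100.69", "192.168.111.22", policy)
    return request, reply

if __name__ == "__main__":
    print("with route-map Digitel:", ping_path(POLICY))
    print("policy removed:        ", ping_path({}))
```

With the policy in place the reply is sent back out the interface it arrived on; with the policy removed it follows the connected route to the LAN subinterface.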
