PBR help! VPN + Internet on ADSL; static NAT on serial.

agcastle2000
Level 1

Hi,

We have a router with an ADSL modem connection. VPN and browsing work fine with the current setup. Now we are adding a serial (Internet Leased Line) connection, mainly for one server to be accessible from the Internet.

What Policy-Based Routing approach can I apply here? I'm not successful so far.

VPN & Internet should continue using ADSL.

One server should be using the Internet Leased Line (Serial0/0/0).

Below are snippets of the config.

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key xxxxxxxx address x.x.26.91
crypto isakmp key xxxxxxx address x.x.124.74
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer x.x.124.74
 set transform-set ESP-3DES-MD5
 match address 100
crypto map SDM_CMAP_1 20 ipsec-isakmp
 set peer x.x.26.91
 set transform-set ESP-3DES-MD5
 match address 101
!
interface FastEthernet0/0
 description $INSIDE$
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description $OUTSIDE$
 ip address 20.20.20.2 255.255.255.0
 ip nat outside
 crypto map SDM_CMAP_1
!
interface Serial0/0/0
 ip address x.x.57.206 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 20.20.20.1
!
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static 10.0.0.6 x.x.182.193
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 90.0.0.0 0.0.0.255
access-list 105 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 105 deny ip 10.0.0.0 0.0.0.255 90.0.0.0 0.0.0.255
access-list 105 permit ip 10.0.0.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 10
 match ip address 105

Accepted Solution

Edison Ortiz
Hall of Fame

interface FastEthernet0/0
 ip policy route-map SERVER
!
interface Serial0/0/0
 ip nat outside
!
route-map SERVER
 match ip address 110
 set ip next-hop x.x.57.207
!
access-list 105 deny ip host server_ip_address any
!
access-list 110 deny ip host server_ip_address 10.0.1.0 0.0.0.255
access-list 110 deny ip host server_ip_address 90.0.0.0 0.0.0.255
access-list 110 permit ip host server_ip_address any
!
ip nat inside source list 110 interface s0/0/0 overload
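The accepted answer works because of the order in which the two access lists are evaluated: ACL 110 (behind route-map SERVER) sends only the server's non-VPN traffic to the serial next hop, and the extra deny at the top of ACL 105 stops the ADSL-side PAT rule from ever claiming the server's packets. The following Python model is an added example, not the router's own configuration: it reproduces Cisco wildcard-mask matching and first-match ACL evaluation, then classifies a few constructed flows. The public and next-hop addresses shown as x.x in the thread are replaced with constructed placeholders, and the static NAT's interaction with the IPsec tunnel is deliberately not modelled.

```python
"""Model of the PBR / NAT selection logic from the accepted answer.
Added example: Cisco wildcard matching and route-map SERVER / ACL 105
evaluation reproduced in Python so the outcome can be checked offline."""
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl, src, dst):
    """First-match evaluation of an extended ACL with the implicit deny.
    Entries are (action, src_net, src_wildcard, dst_net, dst_wildcard)."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False


HOST_WC = "0.0.0.0"                       # wildcard for a 'host' entry
ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("10.0.0.0", "0.0.0.255")
VPN_A = ("10.0.1.0", "0.0.0.255")        # remote office behind crypto map 10
VPN_B = ("90.0.0.0", "0.0.0.255")        # remote office behind crypto map 20
SERVER = "10.0.0.6"                       # 'server_ip_address' in the answer

# access-list 105 as originally posted: selects traffic for PAT on Fa0/1.
ACL_105_ORIGINAL = [
    ("deny",   *LAN, *VPN_A),
    ("deny",   *LAN, *VPN_B),
    ("permit", *LAN, *ANY),
]
# The answer adds a deny for the server so it is never PATed on the ADSL side.
ACL_105_FIXED = [("deny", SERVER, HOST_WC, *ANY)] + ACL_105_ORIGINAL

# access-list 110: server traffic to be policy-routed out Serial0/0/0,
# except to the VPN subnets, which must fall through to the default route
# (and therefore to the crypto map on Fa0/1).
ACL_110 = [
    ("deny",   SERVER, HOST_WC, *VPN_A),
    ("deny",   SERVER, HOST_WC, *VPN_B),
    ("permit", SERVER, HOST_WC, *ANY),
]


def egress_interface(src, dst):
    """route-map SERVER on Fa0/0: a match on ACL 110 sets the next hop on
    Serial0/0/0; no match means normal routing, i.e. the default to 20.20.20.1."""
    return "Serial0/0/0" if acl_permits(ACL_110, src, dst) else "FastEthernet0/1"


def pat_rule_matches(src, dst, acl_105=ACL_105_FIXED):
    """route-map SDM_RMAP_1 (interface Fa0/1 overload) matches via ACL 105."""
    return acl_permits(acl_105, src, dst)


def classify(src, dst, acl_105=ACL_105_FIXED):
    """Return (egress interface, whether the ADSL PAT rule would claim the flow)."""
    return egress_interface(src, dst), pat_rule_matches(src, dst, acl_105)


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.5 stands in for an Internet host.
    for s, d in [(SERVER, "203.0.113.5"), (SERVER, "10.0.1.5"),
                 ("10.0.0.20", "203.0.113.5"), ("10.0.0.20", "90.0.0.9")]:
        print(f"{s} -> {d}: {classify(s, d)}")
    print("without the ACL 105 deny:", classify(SERVER, "203.0.113.5", ACL_105_ORIGINAL))
```

Running it with the original ACL 105 shows the failure mode the answer prevents: the server's Internet-bound packet is policy-routed to the serial link yet still matches the PAT rule tied to FastEthernet0/1, so the return traffic would be addressed to the ADSL side. With the added deny, only the static translation remains for the server, while LAN traffic to the VPN subnets is neither policy-routed nor translated.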

20 Replies

owillins
Level 6

Policy-based routing is applied to incoming packets. All packets received on an interface with policy-based routing enabled are considered for policy-based routing.

You can apply PBR based upon your user traffic and Internet requirements.

http://cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml

Hi,

Thanks for your reply. I already got this document. It's just that I can't figure out how it can be applied in our particular scenario. It looks like the next reply by Edison Ortiz is the solution to my problem.

Grateful for sharing your knowledge and for your time.

Regards, Archie


Hi Edison,

Many thanks for sharing your knowledge and time.

And I really appreciate the fact that you provided the exact commands to resolve my issue.

Right now, I'm remotely connecting to the inside interface of the router through VPN. After injecting the PBR, I'm not sure if I would be able to directly connect to the serial interface.

Regards,

Archie

Those commands shouldn't affect your VPN; however, I don't recommend making those changes remotely unless you have another way of getting into the router (via modem, for instance).

Hi,

Unfortunately, your warning came late. I already tested the commands (remotely via VPN) on one server and it works. Thanks.

Do I have to add an "ip route ..." command to make the serial interface accessible remotely?

At other sites, the default gateway is the serial interface's next hop and accessing the serial interface is not a problem.

Any idea?

Thanks,

Archie

Hi,

I was wrong in my tests. It still doesn't work. I attached the config for you to see. Months back we hired the services of a Cisco Gold Partner and the engineer couldn't make it work.

Hope you'll stay with me.

Regards,

Archie

What portion does not work?

Is the device 10.0.0.6 able to get out to the Internet? How about via the tunnel?

Have you tried turning on debug for the route-map?

Hi,

I ran portqry against the public IP address on ports 1352 and SMTP and it says they are filtered instead of listening. I got the same result with the NotesConnect tool. The private IP (through the VPN) appears to be responding.

So you can't find anything wrong with the config?

The Domino Server is a VM on ESX but I don't think it makes a difference.

Thanks once again.

Regards, Archie

You can't do that unless you statically assign an IP to the internal device via NAT.

Currently, this device is using PAT out to the internet.

If you want to test whether the route-map works, you need to check show ip nat translations and see if it's being translated properly.

You can also go to http://www.whatsmyip.org/ from the server and see if it's exiting via Serial0/0/0 or FastEthernet0/1.

Hi,

These lines should take care of the static NAT, shouldn't they?

ip nat inside source static tcp 10.0.0.6 25 x.x.182.193 25 extendable
ip nat inside source static tcp 10.0.0.6 1352 x.x.182.193 1352 extendable

All I need is to give a static NAT to a Domino Server in the private network such that it will be accessible from outside using x.x.182.193. Something similar to the ASA/PIX firewall command: static (inside,outside) x.x.182.193 10.0.0.6 netmask 255.255.255.255

I already have the PAT:

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload

So I think I no longer need the line for PAT:

ip nat inside source list 110 interface Serial0/0/0 overload

Thanks,

Archie

Correct, you can't have PAT and static NAT on the same IP address translation.

Hi,

Static translation looks fine from show ip nat translations, but there's still no reply if I run portqry against x.x.182.193 from outside.

Pro  Inside global     Inside local
---  83.111.182.193    10.0.0.6

10.0.1.0/24 and 90.0.0.0/24 are subnets in the other offices where the VPN is linked.

Don't know what's really wrong with the config below. What if I reverse it: make my default gateway x.x.57.205 and apply PBR to the existing setup?

******

interface Serial0/0/0
 ip address x.x.57.206 255.255.255.252
 ip access-group 107 in
!
ip route 0.0.0.0 0.0.0.0 20.20.20.1
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static 10.0.0.6 25 x.x.182.193
!
access-list 105 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 105 deny ip 10.0.0.0 0.0.0.255 90.0.0.0 0.0.0.255
access-list 105 permit ip 10.0.0.0 0.0.0.255 any
access-list 107 permit tcp any host x.x.182.193 eq 1352
access-list 107 permit tcp any host x.x.182.193 eq smtp
access-list 110 deny ip host 10.0.0.6 10.0.1.0 0.0.0.255
access-list 110 deny ip host 10.0.0.6 90.0.0.0 0.0.0.255
access-list 110 permit ip host 10.0.0.6 any
!
route-map SERVER permit 10
 match ip address 110
 set ip next-hop x.x.57.205
!
route-map SDM_RMAP_1 permit 10
 match ip address 105

Regards,

Archie

Does the ISP connected via S0/0/0 know to route back to you if you source your connection with this address (83.111.182.193)?

Based on the output you've posted, the ISP has a different subnet on S0/0/0.
