Problem with ip policy

piotrlit07
Level 1

Hi,

I have one 1841 router with 2 internet providers (ADSL routers connected to the 1841 FE interfaces).

One of those is primary and the other serves as backup connection. Default route is 192.168.1.1 and secondary is 192.168.2.1.

I want to route all traffic from specific local hosts to the secondary ISP, while maintaining all the rest through the primary ISP. I used a route-map based ip policy.

My problem is that the policy seems to work OK for all traffic except POP3 and some IM applications.

Any clue about where the problem may be? My configuration follows:

interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.2.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
!
interface Vlan1
 description LAN$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip policy route-map ALPI
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 123
ip route 0.0.0.0 0.0.0.0 192.168.2.1 250
!
access-list 109 permit ip host 192.168.0.66 any
!
route-map ALPI permit 10
 match ip address 109
 set ip next-hop 192.168.2.1
!

Thanks in advance for your help,

Albert Moran

9 Replies

Richard Burts
Hall of Fame

Albert

Your policy based routing selects traffic from a specific host (192.168.0.66) and redirects it. From your description I would have assumed that you were looking for certain traffic types rather than looking at a specific host. If some POP3 is not being policy routed it is because that POP3 traffic was not sourced from 192.168.0.66.

HTH

Rick
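Rick's point about what the access list actually selects, as an added example that is not code from this thread or from Cisco IOS: a small Python model of the lookup the 1841 performs for a packet entering Vlan1. The route-map is consulted first, and only packets the ACL permits get the policy next hop; everything else falls through to the routing table, where the tracked default via 192.168.1.1 wins while track 123 is up and the floating static via 192.168.2.1 (distance 250) takes over when it is down. The host-based ACL 109 is the one from the original post; the port-based ACL 110 (number and exact syntax assumed, not from the thread) stands in for the "all POP3 from all hosts" variant Albert says he tried next. Source 192.168.0.65 and destination 62.42.230.11 are taken from the debug output pasted later in the thread.

```python
"""Model of how route-map based policy routing picks a next hop on the 1841.

Added example, not code from the original thread or from Cisco IOS.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

POP3_PORT = 110
ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


@dataclass(frozen=True)
class AclEntry:
    """One line of an IOS access list, reduced to the fields used here."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None       # 'eq <port>' on the destination

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if IPv4Address(pkt.src) not in self.src:
            return False
        if IPv4Address(pkt.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == pkt.dport


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action == "permit"
    return False


@dataclass
class RouteMapClause:
    acl: List[AclEntry]
    next_hop: str


@dataclass
class Router:
    policy: List[RouteMapClause]
    primary_gw: str = "192.168.1.1"     # ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 123
    backup_gw: str = "192.168.2.1"      # ip route 0.0.0.0 0.0.0.0 192.168.2.1 250
    track_up: bool = True

    def next_hop(self, pkt: Packet) -> str:
        # Policy routing is consulted before the routing table.
        for clause in self.policy:
            if acl_permits(clause.acl, pkt):
                return clause.next_hop
        # Normal lookup: the tracked default exists only while track 123 is up,
        # otherwise the floating static (distance 250) is installed instead.
        return self.primary_gw if self.track_up else self.backup_gw


# access-list 109 permit ip host 192.168.0.66 any   (from the original post)
ACL_109 = [AclEntry("permit", "ip", IPv4Network("192.168.0.66/32"), ANY)]

# Assumed port-based variant (not in the thread):
# access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq 110
ACL_110 = [AclEntry("permit", "tcp", IPv4Network("192.168.0.0/24"), ANY, POP3_PORT)]

HOST_BASED = Router(policy=[RouteMapClause(ACL_109, "192.168.2.1")])
PORT_BASED = Router(policy=[RouteMapClause(ACL_110, "192.168.2.1")])

# Constructed sample packets; addresses reuse the ones seen in the thread.
POP3_FROM_65 = Packet("192.168.0.65", "62.42.230.11", "tcp", POP3_PORT)
POP3_FROM_66 = Packet("192.168.0.66", "62.42.230.11", "tcp", POP3_PORT)
HTTP_FROM_66 = Packet("192.168.0.66", "62.42.230.11", "tcp", 80)

if __name__ == "__main__":
    for name, router in (("host-based ACL 109", HOST_BASED), ("port-based ACL 110", PORT_BASED)):
        for pkt in (POP3_FROM_65, POP3_FROM_66, HTTP_FROM_66):
            print(f"{name:19} {pkt.src} -> {pkt.dst}:{pkt.dport:<4} next hop {router.next_hop(pkt)}")
```

With the host-based ACL, POP3 from 192.168.0.65 is never policy routed and leaves via 192.168.1.1, while every protocol from 192.168.0.66 goes to 192.168.2.1; with the port-based ACL the selection flips to the destination port regardless of host. Checking which of the two you actually want is the first step before looking at NAT or the firewall.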

Thanks for your indications. I tried policy routing all POP3 traffic (from all hosts) through the secondary ISP, but it still does not work.

Also, I found that some mail accounts are able to connect and some others (different providers) do not. I will check the clients' configuration, just in case.

Anyway, any other advice will be welcome.

Albert

Albert

Perhaps you can post the changed configs. If you do that and especially if you can provide any more detail about what is not working as expected then we might be able to identify the problem.

HTH

Rick

simon.birtles
Level 1

Albert,

I would suggest you take a look at 'sh ip nat trans' output during a POP3 connection attempt. As long as you have an entry to the correct outside IP address (as per your NAT config vs. the secondary outgoing interface), you have proved your policy routing and NAT. Having proved this, your next move is to check your firewall config, ensuring correct rules for POP3 from both outside interface IP addresses (primary & secondary).

Have a look at http://www.cisco.com/warp/public/556/5.html for the order of packet operations, to create troubleshooting steps based on packet operation; the zone based FW policy is the old CBAC as mentioned on the page.

Without seeing a more complete config, it's hard to predict where the issue may be. But based on the above config, with the access-list being focused on a POP3 client (as per the other post), I would suggest there is no configuration error in the output you have shown.

Hi,

Sorry about my lack of answer, but I've been ill for a couple of weeks.

Now, again at work. I have checked the NAT translations and they look correct; they translate the host IP and port 110 to the secondary outgoing interface IP address.

I think the firewall config is also correct. Both outside interfaces are in the same zone and have the same FW policies. When going through the primary interface, all works OK.

I made another test: disabled policy routing, disconnected the primary ISP line (FE0/0) and checked. When all traffic goes through the secondary ISP interface (FE0/1), POP3 works OK. It is only when policy routing is enabled that the host is unable to make POP3 connections.

Also, 'debug ip policy' output shows what looks like duplicated policy routing for POP3 packets, one to an interface and the other to an IP address:

s=192.168.0.65 (Vlan1), d=62.42.230.11 (FastEthernet0/1), len 52, policy routed
s=192.168.0.65 (Vlan1), d=62.42.230.11, g=192.168.2.1, len 52, FIB policy routed

What is this 'FIB policy' about? Any other suggestion?

Thanks in advance,

Albert

Albert,

The FIB is the CEF table which IOS uses to look up the next hop for a packet. What you have shown with the debug you pasted is correct; it does actually show that the two (g0/1 and 192.168.2.1) are the same.

Question about your ISP service. You say your ISP has provided two routers which are connected to the router we are focused on here... Are the ADSL primary and secondary ccts and routers provided by the same ISP, and is it a primary and backup service you have purchased? What I am getting at is... your ISP may be routing all traffic back to your site via the primary unless the primary fails... maybe worthwhile checking with them to find out.

Regards,

Simon
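Simon's point that the two debug lines describe one and the same forwarding decision, as an added example that is not code from this thread or from Cisco IOS: a Python check that parses the 'debug ip policy' lines Albert pasted, pairs the "policy routed" line (which names the outgoing interface chosen by the route-map) with the "FIB policy routed" line (which names the gateway CEF resolved it to), and confirms the gateway sits on the subnet of that interface. The interface subnets are taken from the configuration in the first post; the line format handled is the one shown in the thread and nothing more is assumed about other debug formats.

```python
"""Cross-check the two 'debug ip policy' lines emitted for one packet.

Added example, not part of the thread or of IOS.
"""
import re
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Optional, Tuple

# Connected subnets from the posted 1841 config.
INTERFACES: Dict[str, IPv4Interface] = {
    "FastEthernet0/0": IPv4Interface("192.168.1.2/24"),
    "FastEthernet0/1": IPv4Interface("192.168.2.2/24"),
    "Vlan1": IPv4Interface("192.168.0.1/24"),
}

# The two lines Albert pasted, used here as the sample input.
DEBUG_OUTPUT = """\
s=192.168.0.65 (Vlan1), d=62.42.230.11 (FastEthernet0/1), len 52, policy routed
s=192.168.0.65 (Vlan1), d=62.42.230.11, g=192.168.2.1, len 52, FIB policy routed
"""

# Matches both forms: 'd=<ip> (<interface>)' and 'd=<ip>, g=<gateway>'.
LINE_RE = re.compile(
    r"s=(?P<src>[\d.]+) \((?P<in_if>[^)]+)\), "
    r"d=(?P<dst>[\d.]+)(?: \((?P<out_if>[^)]+)\))?"
    r"(?:, g=(?P<gw>[\d.]+))?, len (?P<len>\d+), (?P<verdict>.+)$"
)


def parse_debug(text: str) -> List[dict]:
    """Return one dict per recognised debug line; unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def interface_for_gateway(gw: str) -> Optional[str]:
    """Name of the connected interface whose subnet contains the gateway, if any."""
    addr = IPv4Address(gw)
    for name, iface in INTERFACES.items():
        if addr in iface.network:
            return name
    return None


def check_policy_pairs(text: str) -> List[Tuple[str, str, bool]]:
    """Pair the 'policy routed' and 'FIB policy routed' lines per (src, dst) flow
    and report whether the chosen interface and the resolved gateway agree."""
    by_flow: Dict[Tuple[str, str], dict] = {}
    for rec in parse_debug(text):
        flow = by_flow.setdefault((rec["src"], rec["dst"]), {})
        if rec["verdict"] == "policy routed":
            flow["out_if"] = rec["out_if"]
        elif rec["verdict"] == "FIB policy routed":
            flow["gw"] = rec["gw"]
    results = []
    for (src, dst), flow in by_flow.items():
        out_if, gw = flow.get("out_if"), flow.get("gw")
        consistent = (
            out_if is not None and gw is not None
            and interface_for_gateway(gw) == out_if
        )
        results.append((src, dst, consistent))
    return results


if __name__ == "__main__":
    for src, dst, ok in check_policy_pairs(DEBUG_OUTPUT):
        print(f"{src} -> {dst}: {'consistent' if ok else 'MISMATCH'}")
```

For the pasted lines the gateway 192.168.2.1 resolves to FastEthernet0/1, the same interface the first line names, so the debug confirms the packet left via the secondary ISP as intended and the remaining suspects are NAT, the firewall, or the provider's return path.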

Hi,

Sorry, maybe I didn't make it clear in my first post. I have 2 different ISPs. I have two ADSL routers connected to my Cisco 1841, but they belong to independent providers.

Albert

Can you post a sh ver?

Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(9)T1,
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 30-Aug-06 15:13 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

TR13 uptime is 2 weeks, 1 hour, 50 minutes
System returned to ROM by power-on
System image file is "flash:c1841-advipservicesk9-mz.124-9.T1.bin"

Cisco 1841 (revision 6.0) with 235520K/26624K bytes of memory.
Processor board ID FCZ110973AS
6 FastEthernet interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102
