06-22-2008 05:34 AM - edited 03-03-2019 10:27 PM
Hi,
I have a problem that I don't understand.
We have the network topology :
Internet
|
|
Router 2800
|
|
PIX 515E---DMZ: ftp-dns-proxy
|
|
Inside
We made a modification on the router.
We have 2 outside interfaces on the router: T1 and ADSL.
The HTTP traffic goes out on the ADSL interface and all the others on the T1 interface.
We can connect to all FTP servers! But when we want to connect to the FTP server at 80.245.57.134 we have a problem.
When we try to connect to it with the T1 interface it's ok.
I understand that it's strange but could you please check my config.
Thanks in advance.
PS: there is a problem with the attachment option, so I'll post the configuration in 2 parts.
the configuration ( Part 1 ) :
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 emergencies
logging console critical
enable secret xxx
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
ip domain name yourdomain.com
ip name-server 212.217.1.1
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-369948791
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-369948791
revocation-check none
rsakeypair TP-self-signed-369948791
!
!
crypto pki certificate chain TP-self-signed-369948791
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33363939 34383739 31301E17 0D303630 39303631 39303031
345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3336 39393438
37393130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
C31172B6 28AA86E5 D9F12237 6F4203CA 0C6E3294 750137E6 A1546EDE AE16E02C
8935A118 8A856808 7ABB9C91 ACA4D7E0 F009EA18 92F14BC2 C37A142D 202E876A
B70EFDF8 EA587122 84F0305E 855EFA8E BB671895 F443CF3C 295DDE0F CF6D8171
D14C6402 62D4AAFA FF4B7EF3 466927A4 94997034 2BC30B51 1A46F93B 1BDD15D5
02030100 01A37530 73300F06 03551D13 0101FF04 05300301 01FF3020 0603551D
11041930 17821552 6F757465 722E796F 7572646F 6D61696E 2E636F6D 301F0603
551D2304 18301680 147A508A 0BCC0200 69163749 89473CE6 CBEAFCC1 DD301D06
03551D0E 04160414 7A508A0B CC020069 16374989 473CE6CB EAFCC1DD 300D0609
2A864886 F70D0101 04050003 81810087 C138F29A 7DD103FF 8AD66C79 6A0D5C39
47830629 C79522DC 026EB610 A01D0A12 26930714 7E62CAF4 62D80371 5D79F9C8
286DF73C 57AA1024 F3D6ABE8 BF0963C3 0422BFD8 695DBBB3 37921B50 79D06AD7
3093339E 87676326 0E535560 B9D17B57 A6C76799 321D0E60 5FCA9194 25F21517
D4E58894 E5CE883C 47086AF0 FD0828
quit
username admin privilege 15 password xxx
!
06-22-2008 05:34 AM
The configuration ( Part 2 ):
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip tcp adjust-mss 1412
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ETH-LAN$
ip address 81.192.62.x 255.255.255.252 secondary
ip address 81.192.64.y 255.255.255.240
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache policy
ip route-cache flow
ip tcp adjust-mss 1412
ip policy route-map webmedi1
duplex auto
speed auto
no mop enabled
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
pvc 8/35
oam-pvc manage
pppoe-client dial-pool-number 1
!
!
interface Serial0/2/0
ip address 81.192.61.z 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname medi03@menara
ppp chap password xxx
ppp pap sent-username medi03@menara password xxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Serial0/2/0
ip route 81.192.64.w 255.255.255.255 81.192.64.H
ip route 81.192.64.g 255.255.255.255 81.192.64.H
ip route 81.192.64.t 255.255.255.255 81.192.64.H
ip route 81.192.64.u 255.255.255.255 81.192.64.H
!
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 160 interface Dialer0 overload
!
logging trap emergencies
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 81.192.64.p 0.0.0.15
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 81.192.64.p 0.0.0.15
access-list 160 remark SDM_ACL Category=18
access-list 160 permit tcp host 81.192.64.H any eq www
access-list 160 permit tcp host 81.192.64.H any eq 443
dialer-list 1 protocol ip permit
no cdp run
route-map webmedi permit 10
match ip address 160
set interface Dialer0
set default interface Dialer0 ATM0/1/0.1
!
control-plane
!
banner login Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 101 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 102 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
06-22-2008 06:48 AM
magid
I have looked at the config that you posted and there are several things that I do not understand, some of which may relate to the cause of your problem.
It looks like interface FastEther0/0 is the logical inside interface where your end stations would be. I am puzzled about the function of FastEther0/1 whose addresses would appear to be public addresses. But it is configured as ip nat inside, which implies that it is a second inside address. And this is the interface where Policy Based Routing is configured.
So web traffic from the addresses on FA0/1 may be policy routed and traffic from addresses on FA0/0 will not be. Is this what you intended?
I also note that the route map for PBR uses access list 160 to identify traffic to be translated. The same access list identifies traffic to be Policy Routed. I find the use of the same access list for both functions a bit unusual. So only Policy Routed traffic will be translated. Is this what you intended?
And access list 160 permits traffic only from a specific host (permit tcp host 81.192.64.H ) so only web traffic from that specific host can be Policy Routed and only that traffic will be translated. Is that what you intended?
I also note that interface FA0/1 has this:
ip access-group 100 in
but the config that you posted does not have access list 100.
If you can clarify these issues perhaps we will be closer to finding the cause of your issue.
[edit] in reading the thread again I notice another inconsistency. In the original post you say "The HTTP stream go out on the ADSl interface and the all others on the T1 interface". But with 2 equal cost static routes configured:
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Serial0/2/0
the router will send traffic over both of the interfaces. So there is traffic going over the dialer interface that is not web traffic.
HTH
Rick
06-23-2008 01:59 AM
Thank you very much Rick for your answer!
It looks like interface FastEther0/0 is the logical inside interface where your end stations would be. I am puzzled about the function of FastEther0/1 whose addresses would appear to be public addresses. But it is configured as ip nat inside, which implies that it is a second inside address. And this is the interface where Policy Based Routing is configured.
--->FastEthernet0/0 is only used to configure and monitor the router, and FastEthernet0/1 is the inside interface connected to the PIX.
So web traffic from the addresses on FA0/1 may be policy routed and traffic from addresses on FA0/0 will not be. Is this what you intended?
--->It's intended by us.
I also note that the route map for PBR uses access list 160 to identify traffic to be translated. The same access list identifies traffic to be Policy Routed. I find the use of the same access list for both functions a bit unusual. So only Policy Routed traffic will be translated. Is this what you intended?
--->It's intended by us. But could you please give us an example of an appropriate solution?
And access list 160 permits traffic only from a specific host (permit tcp host 81.192.64.H ) so only web traffic from that specific host can be Policy Routed and only that traffic will be translated. Is that what you intended?
--->It's intended by us. 81.192.64.H is the address of the PIX outside interface.
I also note that interface FA0/1 has this:
ip access-group 100 in
but the config that you posted does not have access list 100.
--->You're right, it's an error.
If you can clarify these issues perhaps we will be closer to finding the cause of your issue.
[edit] in reading the thread again I notice another inconsistency. In the original post you say "The HTTP stream go out on the ADSl interface and the all others on the T1 interface". But with 2 equal cost static routes configured:
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Serial0/2/0
the router will send traffic over both of the interfaces. So there is traffic going over the dialer interface that is not web traffic.
--->You're right.
If I configure it like this, is it OK?:
ip route 0.0.0.0 0.0.0.0 Dialer0 100
ip route 0.0.0.0 0.0.0.0 Serial0/2/0
Thanks in advance!
06-23-2008 03:52 AM
magid
Thanks for clarifying some aspects of the config that I asked about. It does make some better sense now that these are explained.
Yes, if you apply the administrative distance on the static default route through Dialer0 (as 100 in your post) then it will create a floating static default route. Normally the route out the serial interface will carry all traffic (except for the PBR traffic) and if the serial link fails then traffic will be sent out the dialer.
There is one aspect of this that you might want to think about. The PIX is translating traffic to an address that seems to be associated with the serial link. If you send traffic out the dialer using the floating static route, will response traffic return through the dialer or will it attempt to return through the serial link (which would be down if you are using the floating static to the dialer)?
I am not clear whether fixing the static default route and fixing the access list 100 issues will change your original problem. After you fix these will you let us know if the problem still exists?
HTH
Rick
06-23-2008 04:48 AM
Hi rick,
Thank you very much for your help
I changed the ip route like this:
ip route 0.0.0.0 0.0.0.0 Dialer0 100
and I deleted the command line:
ip access-group 100 in
For the moment, everything is OK.
But could you please answer me on this problem:
I also note that the route map for PBR uses access list 160 to identify traffic to be translated. The same access list identifies traffic to be Policy Routed. I find the use of the same access list for both functions a bit unusual. So only Policy Routed traffic will be translated. Is this what you intended?
--->It's intended by us. But could you please give us an example of an appropriate solution?
06-23-2008 05:15 AM
magid
You know your situation much better than I do. And if things are working as expected now, then there may not be a need to change anything.
But I wonder if you may have a need to translate additional traffic going out the dialer interface. As it is configured now, using access list 160 for translation as well as PBR means that only web traffic from a specific host address will be translated. I wonder if the serial link fails and you begin using the floating static to send all traffic out the dialer interface whether you may need to translate that traffic to the dialer interface address. Using access list 160 would not allow that. Using a different access list would allow it - if you determine that additional traffic does need to be translated.
HTH
Rick
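The checks Rick walks through by hand above (an access-group pointing at an access list that is not defined, one access list doing double duty for NAT and PBR, two default routes with the same administrative distance so that nothing floats) are the kind of thing a small static check over the running-config catches before a link is cut over. The script below is an added example and is not from the thread or from Cisco; it only understands numbered access lists and a handful of commands, and its two embedded configurations are constructed stand-ins that mirror the structure of the posted one, with RFC 5737 placeholder addresses rather than the poster's. Note that in the configuration as posted, FastEthernet0/1 carries `ip policy route-map webmedi1` while the route-map is defined as `webmedi`; whether that is a transcription slip or real, it is the sort of mismatch this check also flags. The "fixed" sample applies the changes discussed in the thread: the stray access-group removed, the floating default via Dialer0 with distance 100, and a separate access list (161, an assumed number) for NAT so that traffic failing over to the dialer is still translated.

```python
"""Static checks for the IOS PBR/NAT inconsistencies raised in this thread.

Added example, not part of the original thread; handles numbered access lists
only and uses constructed placeholder addresses (RFC 5737 TEST-NET)."""
import re

# Constructed sample mirroring the posted configuration's structure.
BROKEN_CONFIG = """\
interface FastEthernet0/1
 ip access-group 100 in
 ip nat inside
 ip policy route-map webmedi1
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Serial0/2/0
ip nat inside source list 160 interface Dialer0 overload
access-list 160 permit tcp host 203.0.113.2 any eq www
access-list 160 permit tcp host 203.0.113.2 any eq 443
route-map webmedi permit 10
 match ip address 160
 set interface Dialer0
"""

# Same topology after the changes discussed in the thread: stray access-group
# removed, route-map name matched, floating default via Dialer0, separate NAT ACL.
FIXED_CONFIG = """\
interface FastEthernet0/1
 ip nat inside
 ip policy route-map webmedi
!
ip route 0.0.0.0 0.0.0.0 Serial0/2/0
ip route 0.0.0.0 0.0.0.0 Dialer0 100
ip nat inside source list 161 interface Dialer0 overload
access-list 160 permit tcp host 203.0.113.2 any eq www
access-list 160 permit tcp host 203.0.113.2 any eq 443
access-list 161 permit ip 203.0.113.0 0.0.0.15 any
route-map webmedi permit 10
 match ip address 160
 set interface Dialer0
"""

DEFAULT_ROUTE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (.+)$")


def parse_config(text):
    """Collect ACL/route-map definitions, their references and default routes."""
    cfg = {"acls": set(), "route_maps": set(), "acl_refs": [],
           "route_map_refs": [], "default_routes": []}
    section = None  # enclosing "interface X" or "route-map X" block
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        tok = raw.split()
        line = " ".join(tok)
        if not raw.startswith(" "):  # top-level command
            section = f"{tok[0]} {tok[1]}" if tok[0] in ("interface", "route-map") else None
            if tok[0] == "route-map":
                cfg["route_maps"].add(tok[1])
            elif tok[0] == "access-list":
                cfg["acls"].add(tok[1])
            elif line.startswith("ip nat inside source list "):
                cfg["acl_refs"].append((tok[5], "nat", line))
            elif (m := DEFAULT_ROUTE.match(line)):
                rest = m.group(1).split()  # next hop/interface, optional distance
                ad = next((int(t) for t in rest[1:] if t.isdigit()), 1)
                cfg["default_routes"].append((rest[0], ad))
        elif section and section.startswith("interface"):
            if line.startswith("ip access-group "):
                cfg["acl_refs"].append((tok[2], "access-group", section))
            elif line.startswith("ip policy route-map "):
                cfg["route_map_refs"].append((tok[3], section))
        elif section and section.startswith("route-map"):
            if line.startswith("match ip address "):
                cfg["acl_refs"] += [(a, "pbr", section) for a in tok[3:]]
    return cfg


def lint(text):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    cfg, out = parse_config(text), []
    for acl, kind, where in cfg["acl_refs"]:
        if acl not in cfg["acls"]:
            out.append(("undefined-acl", f"access-list {acl} used by {kind} in '{where}' is never defined"))
    for name, where in cfg["route_map_refs"]:
        if name not in cfg["route_maps"]:
            out.append(("undefined-route-map", f"route-map {name} applied on '{where}' is never defined"))
    shared = {a for a, k, _ in cfg["acl_refs"] if k == "nat"} & {a for a, k, _ in cfg["acl_refs"] if k == "pbr"}
    for acl in sorted(shared):
        out.append(("acl-shared-nat-pbr", f"access-list {acl} selects both NAT and PBR traffic, so only policy-routed flows get translated"))
    by_ad = {}
    for hop, ad in cfg["default_routes"]:
        by_ad.setdefault(ad, []).append(hop)
    for ad, hops in by_ad.items():
        if len(hops) > 1:
            out.append(("equal-cost-defaults", f"default routes via {', '.join(hops)} share distance {ad}: load-shared, not failover"))
    return out


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(conf) or "clean")
```

Running it reports four findings for the broken sample and none for the fixed one. What it cannot see is the return-path question Rick raises: if the PIX keeps translating to an address that belongs to the serial side while the floating route sends traffic out the dialer, replies may still try to come back over the failed link, and that has to be checked against the PIX configuration and the upstream provider's routing, not the router alone.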
06-28-2008 12:48 AM
Dear Rick,
Thank you very much!
I resolved my problem!!
06-23-2008 02:55 AM
Congratulations Rick on your 10,000-point new start!
And kudos for always being willing to dig into obscure configurations that many times would benefit from a radical overhaul.
I gave you 5 points here and hope you can keep giving generous help here.
Paolo.
06-23-2008 03:39 AM
Paolo
Thanks for the points. Thanks even more for the compliment. It means a lot to me to have the respect of my colleagues who also contribute so much to NetPro.
HTH
Rick