HTTP on an ADSL interface and all others protocols on a T1 interface

hassanimagid · ‎06-22-2008

Hi,

I have a problem that i don't understand.

We have the network topology :

Internet

|

Router 2800

|

PIX 515E---DMZ: ftp-dns-proxy

|

Inside

We made a modification on the router.

We have on the router 2 outside interface : T1 and ADSL.

The HTTP stream go out on the ADSl interface and the all others on the T1 interface.

We connect to all ftp servers ! but when we want to connect to a ftp server with this address 80.245.57.134 we have a problem.

When we try to connect to it with the T1 interface it's ok.

I understand that it's strange but could you please check my config.

in advance thanks.

PS: there is a problem with the attachment option, so I'll post the configuration in 2 parts.

the configuration ( Part 1 ) :

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname Router

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200 emergencies

logging console critical

enable secret xxx

!

no aaa new-model

!

resource policy

!

clock timezone PCTime 0

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

no ip source-route

ip cef

!

ip tcp synwait-time 10

no ip dhcp use vrf connected

!

no ip bootp server

ip domain name yourdomain.com

ip name-server 212.217.1.1

ip ssh time-out 60

ip ssh authentication-retries 2

!

crypto pki trustpoint TP-self-signed-369948791

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-369948791

revocation-check none

rsakeypair TP-self-signed-369948791

!

crypto pki certificate chain TP-self-signed-369948791

certificate self-signed 01

3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 33363939 34383739 31301E17 0D303630 39303631 39303031

345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F

532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3336 39393438

37393130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100

C31172B6 28AA86E5 D9F12237 6F4203CA 0C6E3294 750137E6 A1546EDE AE16E02C

8935A118 8A856808 7ABB9C91 ACA4D7E0 F009EA18 92F14BC2 C37A142D 202E876A

B70EFDF8 EA587122 84F0305E 855EFA8E BB671895 F443CF3C 295DDE0F CF6D8171

D14C6402 62D4AAFA FF4B7EF3 466927A4 94997034 2BC30B51 1A46F93B 1BDD15D5

02030100 01A37530 73300F06 03551D13 0101FF04 05300301 01FF3020 0603551D

11041930 17821552 6F757465 722E796F 7572646F 6D61696E 2E636F6D 301F0603

551D2304 18301680 147A508A 0BCC0200 69163749 89473CE6 CBEAFCC1 DD301D06

03551D0E 04160414 7A508A0B CC020069 16374989 473CE6CB EAFCC1DD 300D0609

2A864886 F70D0101 04050003 81810087 C138F29A 7DD103FF 8AD66C79 6A0D5C39

47830629 C79522DC 026EB610 A01D0A12 26930714 7E62CAF4 62D80371 5D79F9C8

286DF73C 57AA1024 F3D6ABE8 BF0963C3 0422BFD8 695DBBB3 37921B50 79D06AD7

3093339E 87676326 0E535560 B9D17B57 A6C76799 321D0E60 5FCA9194 25F21517

D4E58894 E5CE883C 47086AF0 FD0828

quit

username admin privilege 15 password xxx

!

hassanimagid · ‎06-22-2008

The configuration ( Part 2 ):

!

interface FastEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$

ip address 10.10.10.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

ip tcp adjust-mss 1412

duplex auto

speed auto

no mop enabled

!

interface FastEthernet0/1

description $ETH-LAN$

ip address 81.192.62.x 255.255.255.252 secondary

ip address 81.192.64.y 255.255.255.240

ip access-group 100 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip route-cache policy

ip route-cache flow

ip tcp adjust-mss 1412

ip policy route-map webmedi1

duplex auto

speed auto

no mop enabled

!

interface ATM0/1/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0/1/0.1 point-to-point

pvc 8/35

oam-pvc manage

pppoe-client dial-pool-number 1

!

interface Serial0/2/0

ip address 81.192.61.z 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

!

interface Dialer0

ip address negotiated

ip mtu 1452

ip nat outside

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap pap callin

ppp chap hostname medi03@menara

ppp chap password xxx

ppp pap sent-username medi03@menara password xxx

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 0.0.0.0 0.0.0.0 Serial0/2/0

ip route 81.192.64.w 255.255.255.255 81.192.64.H

ip route 81.192.64.g 255.255.255.255 81.192.64.H

ip route 81.192.64.t 255.255.255.255 81.192.64.H

ip route 81.192.64.u 255.255.255.255 81.192.64.H

!

ip http server

ip http access-class 1

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 160 interface Dialer0 overload

!

logging trap emergencies

access-list 1 remark SDM_ACL Category=1

access-list 1 permit 10.10.10.0 0.0.0.255

access-list 2 remark SDM_ACL Category=2

access-list 2 permit 81.192.64.p 0.0.0.15

access-list 3 remark SDM_ACL Category=2

access-list 3 permit 81.192.64.p 0.0.0.15

access-list 160 remark SDM_ACL Category=18

access-list 160 permit tcp host 81.192.64.H any eq www

access-list 160 permit tcp host 81.192.64.H any eq 443

dialer-list 1 protocol ip permit

no cdp run

route-map webmedi permit 10

match ip address 160

set interface Dialer0

set default interface Dialer0 ATM0/1/0.1

!

control-plane

!

banner login Authorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!

!

line con 0

login local

transport output telnet

line aux 0

login local

transport output telnet

line vty 0 4

access-class 101 in

privilege level 15

login local

transport input telnet ssh

line vty 5 15

access-class 102 in

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

end

Richard Burts · ‎06-22-2008

magid

I have looked at the config that you posted and there are several things that I do not understand, some of which may relate to the cause of your problem.

It looks like interface FastEther0/0 is the logical inside interface where your end stations would be. I am puzzled about the function of FastEther0/1 whose addresses would appear to be public addresses. But it is configured as ip nat inside, which implies that it is a second inside address. And this is the interface where Policy Based Routing is configured.

So web traffic from the addresses on FA0/1 may be policy routed and traffic from addresses on FA0/0 will not be. Is this what you intended?

I also note that the route map for PBR uses access list 160 to identify traffic to be translated. The same access list identifies traffic to be Policy Routed. I find the use of the same access list for both functions a bit unusual. So only Policy Routed traffic will be translated. Is this what you intended?

And access list 160 permits traffic only from a specific host (permit tcp host 81.192.64.H ) so only web traffic from that specific host can be Policy Routed and only that traffic will be translated. Is that what you intended?

I also note that interface FA0/1 has this:

ip access-group 100 in

but the config that you posted does not have access list 100.

If you can clarify these issues perhaps we will be closer to finding the cause of your issue.

[edit] in reading the thread again I notice another inconsistency. In the original post you say "The HTTP stream go out on the ADSl interface and the all others on the T1 interface". But with 2 equal cost static routes configured:

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 0.0.0.0 0.0.0.0 Serial0/2/0

the router will send traffic over both of the interfaces. So there is traffic going over the dialer interface that is not web traffic.

HTH

Rick

HTH

Rick

hassanimagid · ‎06-23-2008

Thank you very much Rick for your answer!

It looks like interface FastEther0/0 is the logical inside interface where your end stations would be. I am puzzled about the function of FastEther0/1 whose addresses would appear to be public addresses. But it is configured as ip nat inside, which implies that it is a second inside address. And this is the interface where Policy Based Routing is configured.

-->The FastEthet0/0 is only to configure and monitor the router and The FastEthet0/1 is the inside interface connected to the pix.

So web traffic from the addresses on FA0/1 may be policy routed and traffic from addresses on FA0/0 will not be. Is this what you intended?

--->Its intented by us.

I also note that the route map for PBR uses access list 160 to identify traffic to be translated. The same access list identifies traffic to be Policy Routed. I find the use of the same access list for both functions a bit unusual. So only Policy Routed traffic will be translated. Is this what you intended?

--->Its intented by us. But could you please give us an example of appropriate solution.

And access list 160 permits traffic only from a specific host (permit tcp host 81.192.64.H ) so only web traffic from that specific host can be Policy Routed and only that traffic will be translated. Is that what you intended?

--->Its intented by us. 81.192.64.H is the address of pix outside interface.

I also note that interface FA0/1 has this:

ip access-group 100 in

but the config that you posted does not have access list 100.

--->You're right it's an error.

If you can clarify these issues perhaps we will be closer to finding the cause of your issue.

[edit] in reading the thread again I notice another inconsistency. In the original post you say "The HTTP stream go out on the ADSl interface and the all others on the T1 interface". But with 2 equal cost static routes configured:

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 0.0.0.0 0.0.0.0 Serial0/2/0

the router will send traffic over both of the interfaces. So there is traffic going over the dialer interface that is not web traffic.

--->You're right.

if i configure like taht it's ok?:

ip route 0.0.0.0 0.0.0.0 Dialer0 100

ip route 0.0.0.0 0.0.0.0 Serial0/2/0

in advance thanks!

Richard Burts · ‎06-23-2008

magid

Thanks for clarifying some aspects of the config that I asked about. It does make some better sense now that these are explained.

Yes if you apply the administrative distance on the static default route through dialer0 (as 100 in your post) then it will create a floating static default route. Normally the route out the serial interface will carry all traffic (except for the PBR traffic0 and if the serial link fails then traffic will be sent out the dialer.

There is one aspect of this that you might want to think about. The PIX is translating traffic to an address that seems to be associated with the serial link. If you send traffic out the dialer using the floating static route, will response traffic return through the dialer or will it attempt to return through the serial link (which would be down if you are using the floating static to the dialer)?

I am not clear whether fixing the static default route and fixing the access list 100 issues will change your original problem. After you fix these will you let us know if the problem still exists?

HTH

Rick

HTH

Rick

hassanimagid · ‎06-23-2008

Hi rick,

Thank you very much for your help

I change the ip route like that:

ip route 0.0.0.0 0.0.0.0 Dialer0 100

and i delete the commande line :

ip access-group 100 in

For the moment, all it's ok.

But please could you answer me for this problem :

I also note that the route map for PBR uses access list 160 to identify traffic to be translated. The same access list identifies traffic to be Policy Routed. I find the use of the same access list for both functions a bit unusual. So only Policy Routed traffic will be translated. Is this what you intended?

--->Its intented by us. But could you please give us an example of appropriate solution.

Richard Burts · ‎06-23-2008

magid

You know your situation much better than I do. And if things are working as expected now, then there may not be a need to change anything.

But I wonder if you may have a need to translate additional traffic going out the dialer interface. As it is configured now, using access list 160 for translation as well as PBR means that only web traffic from a specific host address will be translated. I wonder if the serial link fails and you begin using the floating static to send all traffic out the dialer interface whether you may need to translate that traffic to the dialer interface address. Using access list 160 would not allow that. Using a different access list would allow it - if you determine that additional traffic does need to be translated.

HTH

Rick

HTH

Rick

hassanimagid · ‎06-28-2008

Dear Rick,

Thank you very much!

I resolved my problem!!

paolo bevilacqua · ‎06-23-2008

Congratulation Rick for your 10,000 points new start!

And kudos to be always willing to dig into obscure configurations that many times would benefit from a radical overhaul.

I gave you 5 points here and hope you can keep doing generous help here.

Paolo.

Richard Burts · ‎06-23-2008

Paolo

Thanks for the points. Thanks even more for the compliment. It means a lot to me to have the respect of my colleagues who also contribute so much to NetPro.

HTH

Rick

HTH

Rick