May 14th, 2009

A customer with a net cafe bought a 2801 router with 2 ADSLs and 1 WIC-1T. He wanted to pass internet and torrent traffic through the ADSLs and games traffic through the leased line.

I configured PBR for him and it works fine with the 2 ADSLs, but the serial interface does not work. I am sure that this is a NAT problem but I don't know how to fix it (I am not a pro :( ).

Please take a look at the config file (the first 2 big ACLs are for the ADSLs, and I wrote a permit any at the bottom to bypass PBR for now until it works with the serial interface).

Correct Answer by Jon Marshall about 7 years 5 months ago

Here are the modifications. Please read through before implementing and there will be an outage so you may have to schedule the change.

If you need to revert then the simplest thing is just to change the "ip nat inside..." statements back to how you have them now, and at least you will be no worse off.


Giuseppe Larosa Thu, 05/14/2009 - 22:57

Hello Emmanuel,

you should at least add

 int ser0/2/0
  ip nat outside

otherwise the third NAT statement is not invoked:

 ip nat inside source list 101 pool T1pool overload

The ip next-hop should be the IP address on the ISP side; otherwise use

 set interface s0/2/0

in the www route-map clause 30.

If you still have problems this way, you can consider using a route-map in the third NAT statement.

The route-map has to deny traffic that is matched by clauses 10 and 20 of route-map www used for PBR, something like:

 route-map nat-for-t1 deny 10
  match ip address internet torrent
 route-map nat-for-t1 permit 20
  match ip address 101

Then the third NAT statement has to be changed to:

 no ip nat inside source list 101 pool T1pool overload
 ip nat inside source route-map nat-for-t1 pool T1pool overload

Hope to help


ekatscisco Thu, 05/14/2009 - 23:24

Hi Giuseppe,

Thanks for looking at my problem.

I've tried the ip nat outside on s0/2/0

and the next hop s0/2/0

but without luck.

I will now try the route-map solution and I hope it works, because the net cafe is desperate.

Thanks a lot again. If it works I will post it to help others having the same problem.

ekatscisco Fri, 05/15/2009 - 00:59

Nope, unfortunately none of these solutions helped. As I see it, the serial pings fine but no one can reach the internet through it.

Jon Marshall Fri, 05/15/2009 - 01:33

At the end of each ACL, i.e. internet, torrent and games, you have a "permit ip any any", so when that route-map is called under the fa0/0 interface all traffic will match the first permit statement, i.e.

 route-map www permit 10
  match ip address internet
  set interface Dialer0

No traffic will ever get past this statement, as all traffic will always match it. From the looks of this config even the torrent traffic goes out via Dialer0.
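
To make the clause-ordering point concrete, here is the PBR side laid out as an added example; it is not the configuration attached to this thread. The port lists in the internet ACL, the 198.51.100.1 next hop and the FastEthernet0/0 inside interface are assumptions; the interface and ACL names and the torrent ports follow the thread.

```cisco
! Added example, not the thread's own config. Port lists and addresses are
! illustrative; interface and ACL names follow the thread.
!
! --- Weak version: a catch-all inside the first ACL -------------------------
! PBR evaluates route-map clauses in sequence order and stops at the first
! match. With this entry in "internet", clause 10 matches every packet, so
! clauses 20 and 30 are never consulted and torrent and game traffic also
! leave via Dialer0.
!
! ip access-list extended internet
!  permit tcp any any eq www
!  permit ip any any
!
! --- Corrected version ------------------------------------------------------
ip access-list extended internet
 remark web, mail and DNS -> Dialer0 (assumed port list)
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit udp any any eq domain
!
ip access-list extended torrent
 remark P2P -> Dialer1 (ports taken from the torrent ACL in this thread)
 permit tcp any any eq 1214
 permit udp any any eq 1214
 permit tcp any any eq 1337
 permit udp any any eq 1337
 permit tcp any any eq 4662
 permit udp any any eq 4672
 permit tcp any any range 6881 6999
!
ip access-list extended games
 remark game traffic -> leased line. A catch-all is safe ONLY here, in the
 remark ACL used by the last clause: clauses 10 and 20 have already claimed
 remark the web and P2P traffic before this clause is evaluated.
 permit ip any any
!
route-map www permit 10
 match ip address internet
 set interface Dialer0
!
route-map www permit 20
 match ip address torrent
 set interface Dialer1
!
route-map www permit 30
 match ip address games
 set ip next-hop 198.51.100.1
!
interface FastEthernet0/0
 ip policy route-map www
```

`show route-map www` reports a packet counter per clause: if clause 10 keeps climbing while 20 and 30 stay at zero, an ACL still carries a catch-all. `set ip next-hop` needs the ISP-side address of the serial link; on a point-to-point serial, `set interface Serial0/2/0` works as well, as Giuseppe notes above.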


ekatscisco Fri, 05/15/2009 - 01:41

Hi there Mr Jon Marshall,

thank you for answering.

Yes, you are right about the permit-all ACL, but as I wrote in my first post, I did this temporarily to bypass the PBR until the serial interface starts working. So because the customer is an internet cafe and the internet connection is extremely vital, I chose to load balance between the 2 ADSLs until I find a solution for the serial.

Jon Marshall Fri, 05/15/2009 - 01:43

Okay, but be aware that you are not load-balancing between the 2 ADSLs anymore; you are only using the Dialer0 ADSL.


ekatscisco Fri, 05/15/2009 - 01:48

OK Jon, thanks for your help, but this is the best way I could find to make my client work with some internet speed. When I used PBR with these 2 dialers, because the serial doesn't work, the games couldn't connect to their servers.

Jon Marshall Fri, 05/15/2009 - 01:52

Can you clarify what you want to do with the NAT pool T1pool in your config? For internet and torrent you are overloading on the interface.


Jon Marshall Fri, 05/15/2009 - 02:38

I have just labbed this up with Dynamips.

The problem is with your ACLs that define traffic for your NAT statements. You have -

 ip nat inside source list 2 interface Dialer0 overload
 ip nat inside source list 3 interface Dialer1 overload

 access-list 2 permit
 access-list 3 permit

But this doesn't work. When I tested in Dynamips the same source was always NATed to the same destination.

What you need to do is make a copy of your internet, torrent and games ACLs and use those in your route-maps, e.g.

 ip access-list extended torrent_rmap
  remark Holds access lists that handle torrent pbr
  remark SDM_ACL Category=1
  remark Kazaa tcp
  permit tcp any any eq 1214
  remark Kazaa udp
  permit udp any any eq 1214
  remark Waste tcp
  permit tcp any any eq 1337
  remark Waste udp
  permit udp any any eq 1337
  remark Emule-Edonkey tcp
  permit tcp any any eq 4662
  remark Emule-Edonkey udp
  permit udp any any eq 4672
  remark Azureus-Bittorrent-Bitcommet-Bittornado 1 tcp
  permit tcp any any range 6881 6999

 ip nat inside source list torrent_rmap interface dialer1 overload

and do the same for internet and games.

Then make sure you have "ip nat outside" under your serial interface and then retry.


ekatscisco Fri, 05/15/2009 - 03:03

OK Jon, I see your point. I think that would be the solution; I am going to try it right now and I will post the results.

ekatscisco Fri, 05/15/2009 - 03:09

Jon, sorry for not explaining this to you.

What I want to do with NATing is: the ADSLs pass the local IPs through them with their IPs (not a range, just one static), but for the serial I need the pool because it has 30 static IPs and I need every host to have a unique static IP assigned if it gets through the serial (for the games). That's why I made the pool, only for the serial interface.

Jon Marshall Fri, 05/15/2009 - 03:13

Okay, just modify your config, i.e.

ip nat inside source list games_rmap pool T1pool overload

If you want to drop any further connections after all of the address pool has been used up then don't use "overload" keyword.
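
Since the same point applies to all three NAT statements, here is the NAT side written out as one added example; it is not Jon's attached configuration. Instead of copied ACLs it uses the NAT route-map `match interface` form, so the translation is chosen by the interface PBR has already selected and the classification ACLs are written once. Interface and pool names are the thread's; the 192.168.1.0/24 LAN and the 203.0.113.0/27 pool addresses are placeholders.

```cisco
! Added example, not the thread's own config. LAN and pool addresses are
! placeholders; interface and pool names follow the thread.
!
! --- Why "list 2" and "list 3" cannot both work -----------------------------
! Both standard ACLs permit the same inside subnet. NAT statements are
! examined in order and the first one whose ACL matches the inside source
! wins, so every host is always translated by the Dialer0 statement, even
! when PBR has sent the packet out Dialer1 or Serial0/2/0:
!
! ip nat inside source list 2 interface Dialer0 overload
! ip nat inside source list 3 interface Dialer1 overload
!
! --- Corrected: pick the translation by egress interface -------------------
! For inside-to-outside traffic the router decides the output interface
! (including the PBR decision) before it applies NAT, so the NAT route-map
! can match on that interface.
ip access-list standard LAN-HOSTS
 permit 192.168.1.0 0.0.0.255
!
route-map NAT-DIALER0 permit 10
 match ip address LAN-HOSTS
 match interface Dialer0
!
route-map NAT-DIALER1 permit 10
 match ip address LAN-HOSTS
 match interface Dialer1
!
route-map NAT-SERIAL permit 10
 match ip address LAN-HOSTS
 match interface Serial0/2/0
!
! 30 routable addresses for the leased line. Without "overload" each inside
! host is given its own pool address for as long as its translation lives;
! once all 30 are taken, further hosts get no translation until one times out.
ip nat pool T1pool 203.0.113.1 203.0.113.30 netmask 255.255.255.224
!
ip nat inside source route-map NAT-DIALER0 interface Dialer0 overload
ip nat inside source route-map NAT-DIALER1 interface Dialer1 overload
ip nat inside source route-map NAT-SERIAL pool T1pool
!
interface FastEthernet0/0
 ip nat inside
interface Dialer0
 ip nat outside
interface Dialer1
 ip nat outside
interface Serial0/2/0
 ip nat outside
```

Removing the old `ip nat inside source list ...` lines while translations exist makes IOS ask whether to delete all entries, so run `clear ip nat translation *` first and schedule a short outage. Afterwards `show ip nat translations` should show game hosts with distinct 203.0.113.x addresses and web hosts sharing the Dialer0 address. The pool only helps if the ISP actually routes 203.0.113.0/27 back over the serial link; if it does not, replace the pool statement with `ip nat inside source route-map NAT-SERIAL interface Serial0/2/0 overload`, which gives every game host the serial address instead.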


ekatscisco Fri, 05/15/2009 - 03:20

Damn, you are a fast writer, and I would like to thank you again. I appreciate it, because I am really disappointed and my customer furious.

I think the best is to attach the new config, because I think all of these are done but still that router disappoints me. In a minute I will upload the new one.

Jon Marshall Fri, 05/15/2009 - 03:49

You still haven't modified the 2 NATs for internet and torrent, i.e. in your config -

 ip nat inside source list 2 interface Dialer0 overload
 ip nat inside source list 3 interface Dialer1 overload

You need to modify these as per my previous post, or else all NATs will be done on list 2 and therefore NATed to Dialer0.

One other thing. You are NATing the games people to -> Are you sure that return traffic for this back to your router will be sent to the serial interface? If you are not sure, it is better to just NAT the games people to the serial interface address in the same way you do with the dialer interfaces.


ekatscisco Fri, 05/15/2009 - 03:52

OK Jon, but if I do something like this

 ip nat inside source list 101 interface s0/2/0 overload

doesn't that mean that all the hosts will end up with the same static IP, like with the ADSLs?

Jon Marshall Fri, 05/15/2009 - 03:58

Yes, they will all end up with the same IP, i.e. the IP address on the serial interface. If you are sure your NAT pool is routed back to the serial interface, you don't have a problem.

Edit - just done a traceroute to and it does end up at your serial interface, so you can use that NAT pool for games.


ekatscisco Fri, 05/15/2009 - 04:07

OK, I feel a lot of stress leaving my mind right now.

Then it looks like the only thing left is to fix my ACLs as you have shown me.

May I ask you a really big favour?

Because I didn't really understand the solution about the ACLs, would it be too much if I asked you to attach my config with this change? My problem is that I cannot do major changes on that router now, as the net cafe is full of kids and I cannot risk another internet drop.

If I am asking too much it's OK; you have already helped much more than I could imagine and I am grateful for that.

Jon Marshall Fri, 05/15/2009 - 04:16

There are a couple of issues.

1) You need to remove the old NAT statements to put new ones in. When you remove the old statements it's going to complain, so you need 5 min of downtime if that's possible.

2) The games ACL has permit ip any any, which could create the same problems as before. So I have had to modify the games ACL to deny all internet/torrent traffic before permitting any ip.

Give me about 5 minutes and I'll post up the config. The config I post you can cut and paste directly into the router - are you familiar with connecting to the router via console cable or telnet? Sorry, not familiar with SDM.

One other thing. Make sure you can revert back if needed, so keep a copy of the existing config.


ekatscisco Fri, 05/15/2009 - 04:28

Jon, you are the best; I wish you could imagine how desperate I was before meeting you.

About telnet, I've configured it on the router and I am working through it right now (by the way, Dialer1 doesn't respond to telnet the last few days; I guess it is an ACL problem). I know that for restoring a backup I need a TFTP, but I don't know the CLI commands, and I don't really want to use SDM, because the last time I did I spent a lot more time cleaning up the mess it made. So it's OK that you are not familiar with it.
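
The backup and revert step discussed above, as an added example of the CLI side; none of this was posted in the thread. The filenames, the TFTP server address 192.168.1.10 and the 20-minute timer are placeholders, and `configure replace` needs an IOS with the archive feature (12.3(7)T and later).

```cisco
! Added example. Filenames, the TFTP address and the timer are placeholders.
!
! 1. Keep a copy of the current config both on the router and off-box.
copy running-config flash:pre-nat-change.cfg
copy running-config tftp://192.168.1.10/2801-pre-nat-change.cfg
!
! 2. Safety net for a remote (telnet) session: schedule a reload before
!    touching anything. If the change cuts the session and the new config was
!    never written to startup-config, the router reboots into the old config
!    on its own.
reload in 20
!
! 3. Make the NAT / PBR changes, then check them.
configure terminal
 ! ... ip nat / route-map changes ...
 end
show route-map www
show ip nat translations
!
! 4a. Everything works: cancel the timer and only now save.
reload cancel
write memory
!
! 4b. It does not: put the saved file back without a reboot. Note that
!     "copy flash:pre-nat-change.cfg running-config" would merge the two
!     configs, leaving the new NAT statements in place; "configure replace"
!     reverts the running config to exactly the saved file.
configure replace flash:pre-nat-change.cfg
```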

Jon Marshall Fri, 05/15/2009 - 04:32

Here are the modifications. Please read through before implementing and there will be an outage so you may have to schedule the change.

If you need to revert then the simplest thing is just to change the "ip nat inside..." statements back to how you have them now, and at least you will be no worse off.


ekatscisco Fri, 05/15/2009 - 04:39

Jon, I really don't know what words to use to show you how grateful I am; I hope my client stops yelling now. By the way, is the command ip virtual-reassembly OK to have on the serial interface, or will I have problems?

Jon Marshall Fri, 05/15/2009 - 04:42

"ip virtual-reassembly"

Fine to leave as is.

Don't thank me just yet, as we haven't actually got it working properly at the moment :-)


ekatscisco Fri, 05/15/2009 - 04:52

Jon, I am thanking you just for helping, because you deserve it and you use your knowledge with patience to help newbies like me. But if by the way it works, I invite you for lunch and coffee in Greece :)

Jon Marshall Fri, 05/15/2009 - 05:04

No problem, this is what NetPro is for, and we have all been in these situations before where someone's pressuring you to get it working.

Coffee in Greece - if I remember correctly from the last time I was there, it's strong stuff!!

ekatscisco Fri, 05/15/2009 - 05:21

We have perfect sunshine right now, so think about it for vacations this summer, far away from routers on a white beach with a beer in hand. Luckily my local supplier became available to help me now before I try your solution, which I am sure I will, because he cannot find why my configuration doesn't work :P

Jon Marshall Fri, 05/15/2009 - 05:43


Many thanks for the ratings.

Would like to hear how you get on.


ekatscisco Fri, 05/15/2009 - 05:59

Please, no thanking me; it's the least I could do. About the configuration, my local supplier had an appointment and stopped, but in 3-4 hours he will reconnect to check it out. I spoke with my client and he said that it would be a disaster if I changed something in the router right now, and I have to wait until early morning to do our changes, about 14 hours from now :( . I hope, Jon, that my supplier succeeds when he retries today, so I don't have this pressure on me until tomorrow.


