05-14-2009 07:27 PM - edited 03-04-2019 04:46 AM
A customer with a netcafe bought a 2801 router with 2 ADSLs and 1 WIC-1T. He wanted to pass internet and torrent traffic through the ADSLs and game traffic through the leased line.
I configured PBR for him and it works fine with the 2 ADSLs, but the serial interface does not work. I am sure that this is a NAT problem but I don't know how to fix it (I am not a pro :( ).
Please take a look at the config file (the first 2 big ACLs are for the ADSLs, and I wrote a permit any at the bottom to bypass PBR for now until it works with the serial interface).
05-15-2009 04:32 AM
Here are the modifications. Please read through before implementing; there will be an outage, so you may have to schedule the change.
If you need to revert, then the simplest thing is just to change the "ip nat inside..." statements back to how you have them now, and at least you will be no worse off.
Jon
05-14-2009 10:57 PM
Hello Emmanuel,
You should at least add
int ser0/2/0
ip nat outside
otherwise the third NAT statement is not invoked:
ip nat inside source list 101 pool T1pool overload
The ip next-hop is the IP address on the ISP side; otherwise use
set interface s0/2/0
in the www route-map clause 30.
If you still have problems this way, you can consider using a route-map in the third NAT statement.
The route-map has to deny the traffic that is matched by clauses 10 and 20 of route-map www used for PBR.
Something like:
route-map nat-for-t1 deny 10
match ip address internet torrent
route-map nat-for-t1 permit 20
match ip address 101
Then the third NAT statement has to be changed to:
no ip nat inside source list 101 pool T1pool overload
ip nat inside source route-map nat-for-t1 pool T1pool overload
Hope this helps
Giuseppe
05-14-2009 11:24 PM
Hi Giuseppe,
Thanks for looking at my problem.
I've tried the ip nat outside on s0/2/0
and the next hop s0/2/0,
but without luck.
I will now try the route-map solution and I hope it works, because the netcafe is desperate.
Thanks a lot again; if it works I will reply to help others having the same problem.
05-15-2009 12:59 AM
Nope, unfortunately none of these solutions helped. As I see it, the serial pings fine but no one can reach the internet through it.
05-15-2009 01:33 AM
At the end of each ACL, i.e. internet, torrent and games, you have a "permit ip any any", so when that route-map is called under the fa0/0 interface all traffic will match the first permit statement, i.e.
route-map www permit 10
match ip address internet
set interface Dialer0
No traffic will ever get past this statement, as any traffic will always match. From the looks of this config even the torrent traffic goes out via Dialer0.
Jon
05-15-2009 01:41 AM
Hi there Mr. jon.marshall,
thank you for answering.
Yes, you are right about the permit-all ACL, but as I wrote in my first post I did this temporarily to bypass the PBR until the serial interface starts working. Because the customer is an internet cafe and the internet connection is extremely vital, I chose to load balance between the 2 ADSLs until I find a solution for the serial.
05-15-2009 01:43 AM
Okay, but be aware that you are not load-balancing between the 2 ADSLs anymore; you are only using the Dialer0 ADSL.
Jon
05-15-2009 01:48 AM
OK Jon, thanks for your help, but this is the best way I could find to make my client work with some internet speed. When I used PBR to these 2 dialers, because the serial doesn't work, the games couldn't connect to their servers.
05-15-2009 01:52 AM
Can you clarify what you want to do with the NAT pool T1pool in your config because for internet and torrent you are overloading on the interface.
Jon
05-15-2009 02:38 AM
I have just labbed this up with Dynamips.
The problem is with your ACLs that define traffic for your NAT statements. You have -
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source list 3 interface Dialer1 overload
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 3 permit 192.168.0.0 0.0.0.255
But this doesn't work. When I tested in Dynamips the same source was always NATted to the same destination.
What you need to do is make a copy of your internet, torrent and games ACLs and use those in your route-maps, e.g.
ip access-list extended torrent_rmap
remark Holds access lists that handle torrent pbr
remark SDM_ACL Category=1
remark Kazaa tcp
permit tcp any any eq 1214
remark Kazaa udp
permit udp any any eq 1214
remark Waste tcp
permit tcp any any eq 1337
remark Waste udp
permit udp any any eq 1337
remark Emule-Edonkey tcp
permit tcp any any eq 4662
remark Emule-Edonkey udp
permit udp any any eq 4672
remark Azureus-Bittorrent-Bitcommet-Bittornado 1 tcp
permit tcp any any range 6881 6999
ip nat inside source list torrent_rmap interface dialer1 overload
and do the same for internet and games.
Then make sure you have "ip nat outside" under your serial interface, and then retry.
Jon
05-15-2009 03:03 AM
OK Jon, I see your point. I think that would be the solution; I am going to try it right now and I will reply with the results.
05-15-2009 03:09 AM
Jon, sorry for not explaining this to you.
What I want to do with NATting is: the ADSLs pass the local IPs through them with their own IPs (not a range, just one static each), but for the serial I need the pool because it has 30 static IPs and I need every host to get a unique static IP assigned if it goes through the serial (for the games). That's why I made the pool, only for the serial interface.
05-15-2009 03:13 AM
Okay, just modify your config, i.e.
ip nat inside source list games_rmap pool T1pool overload
If you want to drop any further connections after all of the address pool has been used up then don't use "overload" keyword.
Jon
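Pulling Jon's and Giuseppe's suggestions together, here is an added example skeleton of the NAT and PBR pieces (constructed for this thread, not the poster's or anyone's posted config). It assumes the LAN is 192.168.0.0/24 on Fa0/0, the ADSLs are Dialer0/Dialer1 with the default route on Dialer0, and the leased line is Serial0/2/0; pool addresses and port entries are placeholders where the thread does not show the real ones, and the PBR lists internet, torrent and games are the existing ones minus their trailing permit ip any any.

```cisco
! Added example, not the poster's config. Placeholder values are marked as such.
! 1. NAT copies of the PBR lists: same ports, but WITHOUT the trailing "permit ip any any"
ip access-list extended internet_rmap
 remark placeholder entries; copy the real ports from the "internet" ACL
 permit tcp 192.168.0.0 0.0.0.255 any eq www
 permit tcp 192.168.0.0 0.0.0.255 any eq 443
ip access-list extended torrent_rmap
 remark shortened; copy the full list from the "torrent" ACL
 permit tcp any any eq 1214
 permit udp any any eq 1214
 permit tcp any any range 6881 6999
ip access-list extended games_rmap
 remark placeholder entry; copy the real ports from the "games" ACL
 permit tcp 192.168.0.0 0.0.0.255 any eq 12345
!
! 2. PBR: one clause per class and no catch-all clause, so unmatched
!    traffic falls back to the routing table instead of always hitting clause 10
route-map www permit 10
 match ip address internet
 set interface Dialer0
route-map www permit 20
 match ip address torrent
 set interface Dialer1
route-map www permit 30
 match ip address games
 set interface Serial0/2/0
!
! 3. NAT: one statement per class, in the same order as the route-map clauses.
!    Pool range is a placeholder (30 addresses, as the poster describes);
!    drop "overload" on the games line if new hosts should be refused once the pool is used up.
ip nat pool T1pool 203.0.113.1 203.0.113.30 netmask 255.255.255.224
ip nat inside source list internet_rmap interface Dialer0 overload
ip nat inside source list torrent_rmap interface Dialer1 overload
ip nat inside source list games_rmap pool T1pool overload
! catch-all for traffic that matches none of the classes and follows the default route (assumed Dialer0)
access-list 2 permit 192.168.0.0 0.0.0.255
ip nat inside source list 2 interface Dialer0 overload
!
! 4. Every egress interface must be "ip nat outside", including the serial
interface FastEthernet0/0
 ip nat inside
 ip policy route-map www
interface Dialer0
 ip nat outside
interface Dialer1
 ip nat outside
interface Serial0/2/0
 ip nat outside
```

After applying it, "show ip nat translations" should show game hosts mapped to individual T1pool addresses and torrent hosts mapped to the Dialer1 address; if a class still lands on the wrong interface, compare its _rmap list against the PBR list it copies.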
05-15-2009 03:20 AM
Damn, you are a fast writer. I would like to thank you again; I appreciate it, because I am really disappointed and my customer is furious.
I think the best is to attach the new config, because I think all these are done but still that router disappoints me. In a minute I'll upload the new one.
05-15-2009 03:28 AM