Help PBR problem with serial

ekatscisco
Level 1

A customer with a netcafe bought a 2801 router with 2 ADSLs and 1 WIC-1T. He wanted to pass internet and torrent traffic through the ADSLs and games traffic through the leased line.

I configured PBR for him and it works fine with the 2 ADSLs, but the serial interface does not work. I am sure that this is a NAT problem, but I don't know how to fix it (I am not a pro :( ).

Please take a look at the config file (the first 2 big ACLs are for the ADSLs, and I wrote a permit any at the bottom to bypass PBR for now until it works with the serial interface).

Accepted Solution

Here are the modifications. Please read through before implementing; there will be an outage, so you may have to schedule the change.

If you need to revert, the simplest thing is just to change the "ip nat inside..." statements back to how you have them now, and at least you will be no worse off.

Jon


Giuseppe Larosa
Hall of Fame

Hello Emmanuel,

You should at least add

interface Serial0/2/0
 ip nat outside

otherwise the third NAT statement is not invoked:

ip nat inside source list 101 pool T1pool overload

The ip next-hop should be the IP address on the ISP side; otherwise use "set interface s0/2/0" in clause 30 of route-map www.

If you still have problems this way, you can consider using a route-map in the third NAT statement. The route-map has to deny traffic that is matched by clauses 10 and 20 of route-map www used for PBR, something like:

route-map nat-for-t1 deny 10
 match ip address internet torrent
route-map nat-for-t1 permit 20
 match ip address 101

Then the third NAT statement has to be changed to:

no ip nat inside source list 101 pool T1pool overload
ip nat inside source route-map nat-for-t1 pool T1pool overload

Hope this helps,

Giuseppe

Hi Giuseppe,

Thanks for looking at my problem.

I've tried the ip nat outside on s0/2/0 and the next hop s0/2/0, but without luck.

I will now try the route-map solution and I hope it works, because the netcafe is desperate.

Thanks a lot again; if it works I will reply here to help others having the same problem.

Nope, unfortunately none of these solutions helped. As I see it, the serial pings fine but nobody can reach the internet through it.

At the end of each ACL, i.e. internet, torrent and games, you have a "permit ip any any", so when that route-map is called under the fa0/0 interface all traffic will match the first permit statement, i.e.

route-map www permit 10
 match ip address internet
 set interface Dialer0

No traffic will ever get past this statement, as any traffic will always match. From the looks of this config, even the torrent traffic goes out via Dialer0.

Jon

Hi there Mr jon.marshall,

Thank you for answering.

Yes, you are right about the permit all ACL, but as I wrote in my first post I did this temporarily to bypass the PBR until the serial interface starts working. Because the customer is an internet cafe and the internet connection is extremely vital, I chose to load balance between the 2 ADSLs until I find a solution for the serial.

Okay, but be aware that you are not load-balancing between the 2 ADSLs anymore; you are only using the Dialer0 ADSL.

Jon

OK Jon, thanks for your help, but this is the best way I could find to make my client work with some internet speed. When I used PBR to these 2 dialers because the serial doesn't work, the games couldn't connect to their servers.

Can you clarify what you want to do with the NAT pool T1pool in your config? For internet and torrent you are overloading on the interface.

Jon

I have just labbed this up with Dynamips.

The problem is with your ACLs that define the traffic for your NAT statements. You have:

ip nat inside source list 2 interface Dialer0 overload
ip nat inside source list 3 interface Dialer1 overload
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 3 permit 192.168.0.0 0.0.0.255

But this doesn't work. When I tested in Dynamips, the same source was always NATted to the same destination.

What you need to do is make a copy of your internet, torrent and games ACLs and use those in your NAT statements, e.g.

ip access-list extended torrent_rmap
 remark Holds access lists that handle torrent pbr
 remark SDM_ACL Category=1
 remark Kazaa tcp
 permit tcp any any eq 1214
 remark Kazaa udp
 permit udp any any eq 1214
 remark Waste tcp
 permit tcp any any eq 1337
 remark Waste udp
 permit udp any any eq 1337
 remark Emule-Edonkey tcp
 permit tcp any any eq 4662
 remark Emule-Edonkey udp
 permit udp any any eq 4672
 remark Azureus-Bittorrent-Bitcommet-Bittornado 1 tcp
 permit tcp any any range 6881 6999

ip nat inside source list torrent_rmap interface Dialer1 overload

and do the same for internet and games.

Then make sure you have "ip nat outside" under your serial interface, and then retry.

Jon

OK Jon, I see your point. I think that would be the solution; I am going to try it right now and I will reply with the results.

Jon, sorry for not explaining this to you.

What I want to do with NATting is: the ADSLs pass the local IPs through them with their own IPs (not a range, just one static each), but for the serial I need the pool because it has 30 static IPs, and I need every host to have a unique static IP assigned if it goes through the serial (for the games). That's why I made the pool, only for the serial interface.

Okay, just modify your config, i.e.

ip nat inside source list games_rmap pool T1pool overload

If you want to drop any further connections after all of the address pool has been used up, then don't use the "overload" keyword.

Jon

Damn, you are a fast writer, and I would like to thank you again. I appreciate it, because I am really disappointed and my customer is furious.

I think the best thing is to attach the new config, because I think all of these are done but that router still disappoints me. In a minute I will upload the new one.

OK Jon, this is it. I think this is by far better than the previous one, but the results are the same :(
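Pulling the thread's advice together (catch-all-free PBR ACLs, "ip nat outside" on the serial, and the pool reserved for games), here is an added consolidated configuration; it is not the poster's file or Jon's attachment, neither of which appears on the page. It assumes the LAN is 192.168.0.0/24 on fa0/0 and the leased line is on s0/2/0; the game port and the pool addresses are placeholders, and the NAT section ties each rule to its egress interface with "match interface" route-maps, which goes beyond the thread's per-class ACL copies.

```cisco
! Added example built from the thread's advice, not the poster's file or
! Jon's attachment (neither is on the page). Assumed: LAN 192.168.0.0/24 on
! fa0/0, leased line on s0/2/0; game port and pool addresses are placeholders.
! 1. PBR ACLs without a trailing "permit ip any any": with a catch-all,
!    clause 10 of route-map www would match every packet.
ip access-list extended torrent
 permit tcp 192.168.0.0 0.0.0.255 any range 6881 6999
 permit tcp 192.168.0.0 0.0.0.255 any eq 4662
 permit udp 192.168.0.0 0.0.0.255 any eq 4672
ip access-list extended games
 remark placeholder port; the thread never names the game servers
 permit udp 192.168.0.0 0.0.0.255 any eq 27015
ip access-list extended internet
 permit tcp 192.168.0.0 0.0.0.255 any eq www
 permit tcp 192.168.0.0 0.0.0.255 any eq 443
! 2. PBR on the LAN interface: the first matching clause wins, so keep the
!    ACLs disjoint. Unmatched traffic simply follows the routing table.
route-map www permit 10
 match ip address internet
 set interface Dialer0
route-map www permit 20
 match ip address torrent
 set interface Dialer1
route-map www permit 30
 match ip address games
 set interface Serial0/2/0
interface FastEthernet0/0
 ip nat inside
 ip policy route-map www
! 3. NAT: the serial needs "ip nat outside" or its rule never fires. NAT
!    ACLs that all match 192.168.0.0/24 let only the first rule ever match
!    (Jon's lab), so each rule is tied to its egress interface instead;
!    this goes beyond the thread's per-class ACL copies (torrent_rmap etc.).
interface Serial0/2/0
 ip nat outside
access-list 2 permit 192.168.0.0 0.0.0.255
route-map nat-dialer0 permit 10
 match ip address 2
 match interface Dialer0
route-map nat-dialer1 permit 10
 match ip address 2
 match interface Dialer1
route-map nat-serial permit 10
 match ip address 2
 match interface Serial0/2/0
ip nat pool T1pool 203.0.113.1 203.0.113.30 netmask 255.255.255.224
ip nat inside source route-map nat-dialer0 interface Dialer0 overload
ip nat inside source route-map nat-dialer1 interface Dialer1 overload
! no "overload" on the pool: each gaming host gets its own public address
ip nat inside source route-map nat-serial pool T1pool
```

After applying it, "show ip nat translations" should list pool addresses only for hosts whose traffic matched the games ACL, and "show route-map www" counters reveal which clause each class is actually hitting.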
