Cisco Router Telnet Access via Multiple Interfaces

Answered Question
Jul 30th, 2009

I have a Cisco 1811 router with DSL connected to FastEthernet0 and Cable connected to FastEthernet1. The DSL is only used when the cable connection goes down, but I would like to have the ability to telnet to the router on both the DSL IP and the Cable IP.


The default route sends traffic out the Cable connection. For testing I have removed all firewalls statements and access-lists from FastEthernet0. Telnet to the Cable IP works fine, and the vty interface is configured for access. I expect the problem is with routing, as the traffic I'm sending to the DSL IP is likely returning with a source address of the Cable IP.


In order to try to resolve this problem, I configured a route-map and applied it to FastEthernet0. I was hoping by setting the next hop, I would be able to establish a telnet connection to FastEthernet0 using the DSL IP. I still cannot ping the DSL IP though so my route-map does not seem to be accomplishing my intended effect. The applicable configuration is below with private IP addresses substituted for the actual IP addresses.


interface FastEthernet0
 ip address 192.168.1.70 255.255.255.0
 ip verify unicast reverse-path
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 ip policy route-map DSL_RMAP
 duplex auto
 speed auto
!
access-list 106 permit ip host 10.0.0.1 any
access-list 108 permit ip host 192.168.1.70 host 10.0.0.1 log
!
route-map DSL_RMAP permit 1
 match ip address 108
 set ip next-hop 192.168.1.1
!
line vty 0 4
 access-class 106 in
 privilege level 15
 password 7 xxxxxxxxxxxxxx
 login local
 transport input telnet ssh

Rick Morris Thu, 07/30/2009 - 09:25

Have you done any debug telnet yet? This will tell you if you are hitting the router or not and what you are coming from.


From the config it looks like you are telnetting from the inside to the router, is that correct?


Also, it looks like your ACL is not correct.


I read it this way:

host 192.168.1.70 is permitted to talk to 10.0.0.1 and when using the route-map the next hop for 192.168.1.70 is via 192.168.1.1


Is that what you want?

r.d.schnitzer Thu, 07/30/2009 - 09:37

As I stated in my post, I substituted private IPs for the actual public IPs. I would like to be able to telnet to both outside interfaces of the router (Fa0 and Fa1) from another location. Fa0 is connected to DSL and Fa1 is connected to Cable. I also mentioned that I currently cannot even ping the Fa0 interface from outside, and it's likely because the default route sends traffic out the cable interface (Fa1).

Correct Answer
Peter Paluch Thu, 07/30/2009 - 09:42
User Badges:
  • Cisco Employee,

Hello Ryan.


Note that a route-map applied on an interface for policy-based routing applies only to inbound packets - never to outbound packets. Your ACL is obviously made in the opposite direction, as if you wanted to match the packets that are generated by your router and that go out Fa0. However, these won't be caught by the PBR route-map for two reasons:


1.) It does not apply to packets going out your interface


2.) No PBR route-map or an ACL applied on an interface in the outbound direction applies to locally generated packets


If you want to set up a route-map for packets that are generated by your router, you need to use the "ip local policy route-map" command.


Best regards,

Peter

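The configuration below is an added illustration of the point Peter makes; it is not from the thread and not the poster's final config. It keeps the substituted addresses from the question and assumes, as the original route-map does, that 192.168.1.1 is the DSL gateway. Two things differ from the posted config: the ACL matches any destination rather than a single host (so replies to any outside client are covered), and the route-map is attached with ip local policy instead of to the interface.

```cisco
! Added example, not the original poster's configuration.
! Goal: packets the router itself originates with the Fa0 (DSL) address
! as source should leave via the DSL gateway, not via the default route.
!
! Match on source only. The destination must stay "any": the replies we
! care about go to whatever outside host telnets or pings the DSL address.
access-list 108 permit ip host 192.168.1.70 any
!
route-map DSL_RMAP permit 10
 match ip address 108
 set ip next-hop 192.168.1.1
!
! Local PBR: this is the only policy that sees router-generated packets
! (telnet replies, echo replies). An interface "ip policy" never does.
ip local policy route-map DSL_RMAP
!
! Nothing to attach on Fa0 for this purpose: an interface route-map only
! examines packets arriving on Fa0, i.e. the client's requests.
interface FastEthernet0
 ip address 192.168.1.70 255.255.255.0
 no ip policy route-map DSL_RMAP
```

To confirm the policy is being exercised, show route-map DSL_RMAP reports how many packets matched, and debug ip policy prints each local policy decision while a test ping or telnet is running. One check worth making before chasing the return path further: the posted Fa0 config also carries ip verify unicast reverse-path, which is strict uRPF. With the default route pointing out Fa1, a packet arriving on Fa0 from an Internet source fails the reverse-path check and is dropped on ingress, before any reply exists for the route-map to steer; show ip interface FastEthernet0 displays the uRPF verification drop counter.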

r.d.schnitzer Thu, 07/30/2009 - 10:17

Thanks for the very clear response Peter. I'm still not able to ping the public IP on the Fa0 interface from another location outside the router, but I think we're considerably closer now. I removed the route-map from the Fa0 interface and added ip local policy route-map DSL_RMAP to the global configuration. It seems that there is still something more that is needed for the traffic to get routed back out the same interface. Any ideas?


Thanks,


Ryan
