07-30-2009 09:19 AM - edited 03-04-2019 05:36 AM
I have a Cisco 1811 router with DSL connected to FastEthernet0 and Cable connected to FastEthernet1. The DSL is only used when the cable connection goes down, but I would like to have the ability to telnet to the router on both the DSL IP and the Cable IP.
The default route sends traffic out the Cable connection. For testing I have removed all firewalls statements and access-lists from FastEthernet0. Telnet to the Cable IP works fine, and the vty interface is configured for access. I expect the problem is with routing, as the traffic I'm sending to the DSL IP is likely returning with a source address of the Cable IP.
In order to try to resolve this problem, I configured a route-map and applied it to FastEthernet0. I was hoping by setting the next hop, I would be able to establish a telnet connection to FastEthernet0 using the DSL IP. I still cannot ping the DSL IP though so my route-map does not seem to be accomplishing my intended effect. The applicable configuration is below with private IP addresses substituted for the actual IP addresses.
interface FastEthernet0
 ip address 192.168.1.70 255.255.255.0
 ip verify unicast reverse-path
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 ip policy route-map DSL_RMAP
 duplex auto
 speed auto
!
access-list 106 permit ip host 10.0.0.1 any
access-list 108 permit ip host 192.168.1.70 host 10.0.0.1 log
!
route-map DSL_RMAP permit 1
 match ip address 108
 set ip next-hop 192.168.1.1
!
line vty 0 4
 access-class 106 in
 privilege level 15
 password 7 xxxxxxxxxxxxxx
 login local
 transport input telnet ssh
07-30-2009 09:42 AM
Hello Ryan.
Note that a route-map applied on an interface for policy-based routing applies only to inbound packets, never to outbound packets. Your ACL is obviously made in the opposite direction, as if you wanted to match the packets that are generated by your router and that go out Fa0. However, these won't be caught by the PBR route-map for two reasons:
1.) It does not apply to packets going out your interface
2.) No PBR route-map or an ACL applied on an interface in the outbound direction applies to locally generated packets
If you want to set up a route-map for packets that are generated by your router, you need to use the "ip local policy route-map" command.
Best regards,
Peter
07-30-2009 09:25 AM
Have you done any debug telnet yet? This will tell you whether you are hitting the router or not, and where you are coming from.
From the config it looks like you are telnetting from the inside to the router, is that correct?
Also, it looks like your ACL is not correct.
I read it this way:
host 192.168.1.70 is permitted to talk to 10.0.0.1 and when using the route-map the next hop for 192.168.1.70 is via 192.168.1.1
Is that what you want?
07-30-2009 09:37 AM
As I stated in my post, I substituted private IPs for the actual public IPs. I would like to be able to telnet to both outside interfaces of the router (Fa0 and Fa1) from another location. Fa0 is connected to DSL and Fa1 is connected to Cable. I also mentioned that I currently cannot even ping the Fa0 interface from outside, and it's likely because the default route sends traffic out the cable interface (Fa1).
07-30-2009 10:17 AM
Thanks for the very clear response Peter. I'm still not able to ping the public IP on Fa0 interface from another location outside the router, but I think we're considerably closer now. I removed the route-map from the fa0 interface and added ip local policy route-map DSL_RMAP to the global configuration. It seems that there is still something more that is needed for the traffic to get routed back out the same interface. Any ideas?
Thanks,
Ryan
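Added example, not from any post in this thread: Peter's advice applied to the configuration Ryan posted. The route-map is attached with ip local policy route-map so that it is consulted for packets the router itself generates (telnet replies and ICMP echo replies both count), and the ACL is widened so that anything sourced from the Fa0 address to any destination is steered to the DSL gateway, not only replies to 10.0.0.1 as ACL 108 did. Addresses are the substituted private ones from the post; the names DSL_LOCAL and DSL_LOCAL_RMAP are my own. One caveat a practitioner would check before anything else, given that Fa0 still cannot even be pinged from outside after the local policy was added: the posted Fa0 configuration keeps ip verify unicast reverse-path, which is strict uRPF. In strict mode IOS accepts a packet only if the route to its source address points back out the receiving interface, and the default route is not considered unless the allow-default keyword is given. With the only route to Internet sources being the default via Fa1, a packet from outside arriving on Fa0 fails the check and is dropped before the router ever builds a reply, so no amount of local policy routing can help. Step 4 below relaxes it to loose mode on Fa0.

```cisco
! Added example, not code from the thread. Addresses are the substituted
! private ones from the original post; ACL and route-map names are assumed.
!
! 1. Match packets the router itself sources from the DSL interface address,
!    to any destination (the original ACL 108 only matched replies to 10.0.0.1).
!    If inside hosts also talk to 192.168.1.70, add a deny line for them first.
ip access-list extended DSL_LOCAL
 permit ip host 192.168.1.70 any
!
! 2. Send those packets to the DSL gateway instead of following the
!    default route out the cable interface (Fa1).
route-map DSL_LOCAL_RMAP permit 10
 match ip address DSL_LOCAL
 set ip next-hop 192.168.1.1
!
! 3. Apply it to locally generated traffic. An interface-level
!    "ip policy route-map" on Fa0 only sees packets ARRIVING on Fa0 and
!    never sees the router's own telnet or ping replies.
ip local policy route-map DSL_LOCAL_RMAP
!
! 4. Fa0 as posted still carries strict uRPF. With the default route
!    pointing out Fa1, inbound packets from Internet sources fail the
!    source check on Fa0 and are dropped before any reply is generated.
!    Switch it to loose mode (source must merely be routable), or remove it.
interface FastEthernet0
 no ip verify unicast reverse-path
 ip verify unicast source reachable-via any
!
! Verification from exec mode:
!   show route-map DSL_LOCAL_RMAP      - "policy routing matches" counter climbs
!   show ip interface FastEthernet0    - uRPF mode and "verification drops" count
!   debug ip policy                    - per-packet "policy match"/"policy rejected"
```

Watch the counters while pinging the Fa0 address from outside: if show ip interface FastEthernet0 still reports uRPF verification drops, the packets are being discarded on ingress and the route-map is never reached; if the drops stop but show route-map shows zero matches, the reply is not being sourced from 192.168.1.70 and the ACL needs adjusting.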