08-05-2009 09:09 AM - edited 03-06-2019 07:06 AM
Hi All,
I would like some help in completing my configuration. Basically I have an internet router (1841ISR) with 1 internal (LAN) connection and 2 internet connections. What I want to do is route specific traffic for 3 of my internally hosted services (smtp, https, etc.) through one internet connection (fa0/0) and then route all other traffic through the unmanaged/dynamic IP ADSL connection (Dialer 0).
I have attached the relevant areas of my config for your review. I have tried some stuff with route-maps, but I think I'm hung up at the area where you attach the route-maps to the NAT statement.
Tks..
Donavan
08-07-2009 05:39 AM
You need Policy-Based Routing to modify the destination based routing based on the source.
1) Configure an ACL for the source:
General traffic;
access-list 100 deny tcp host 10.10.1.203 eq 25 any eq 25
access-list 100 deny tcp host 10.10.1.217 eq 443 any eq 443
access-list 100 deny tcp host 10.10.1.214 eq 3101 any eq 3101
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
SMTP, HTTPS traffic;
access-list 101 permit tcp host 10.10.1.203 eq 25 any eq 25
access-list 101 permit tcp host 10.10.1.217 eq 443 any eq 443
access-list 101 permit tcp host 10.10.1.214 eq 3101 any eq 3101
2) Configure Route-map for the PBR
route-map NETPRO permit 10
match ip address 100
set interface dialer 0
route-map NETPRO permit 20
match ip address 101
set interface f0/0
3) Apply the PBR to the interface
Interface f0/1
ip policy route-map NETPRO
4) Modify the current PAT
ip nat inside source list 100 interface dialer0 overload
HTH,
__
Edison.
08-07-2009 07:41 AM
Hello Edison,
Thanks for taking the time out to assist. When I applied the configuration, all traffic, including the internally hosted services such as smtp, https etc., seems to be using the dialer 0 connection to reach the internet. Not sure what is wrong here. It should be noted that I get the following message when applying the route-map for the fa0/0 interface.
rtr(conf)#route-map NETPRO permit 20
match ip address 101
set interface f0/0
rtr(config-route-map)#set interface FastEthernet0/0
%Warning:Use P2P interface for routemap set interface clause
*****************
Interface fa0/0 has an ip of 2*.*.*.50 255.255.255.248 where 2*.*.*.49 is the gateway
08-07-2009 07:45 AM
I forgot about that caveat, my apologies.
Try 'set ip next-hop 2*.*.*.49' instead of 'set interface'.
HTH,
__
Edison
Please remember to rate helpful posts
08-07-2009 04:51 PM
Hello again Edison,
I've been banging away at this for a couple of hours now with no luck after applying the final change you suggested ('set ip next-hop 2*.*.*.49').
After adding the route-map and making the necessary config changes, all traffic including smtp, https etc. still seems to be using only dialer0 for internet access. I'm not giving up, just a bit lost at the moment :) I have attached my configs for your review. I have an ASA that sits directly behind the internet router, so I've attached some excerpts from that cfg as well.
Donavan
08-07-2009 08:31 PM
Do you see hits on your ACL?
I think it's because of the ACLs you are using to identify traffic.
Normally a client connects to the server on its well-known ports (smtp, http, etc.), but the server talks back to the client on the port which the client used to initiate traffic. Client processes don't use well-known or registered ports as source ports; instead, client processes use a temporary port number.
So assuming 10.10.1.203 is your smtp server, ACL should be something like this:
access-list 100 deny tcp host 10.10.1.203 eq smtp any
instead of
access-list 100 deny tcp host 10.10.1.203 eq smtp any eq smtp
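As an added illustration (not part of the thread and not Cisco code), here is a small Python model of how IOS walks an extended ACL top to bottom and then the NETPRO route-map clauses from Edison's steps, run against a constructed reply packet from the SMTP server. The client address 203.0.113.7, its ephemeral port and the placeholder '<fa0/0 gateway>' standing in for the real next-hop are assumptions; with the original 'eq 25 any eq 25' entries the server's reply falls through to the Dialer0 clause, while with Yagnesh's one-sided entries it reaches the fa0/0 next-hop.

```python
import ipaddress
from collections import namedtuple
Rule = namedtuple("Rule", "action proto src sport dst dport")
Pkt = namedtuple("Pkt", "proto src sport dst dport")
PORTS = {"smtp": 25, "https": 443}  # IOS port keywords used in the thread
def _addr(tok):  # 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' -> (network, rest)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]  # wildcard
def _port(tok):  # optional 'eq <port>' -> (port number or None, rest)
    if tok and tok[0] == "eq":
        return PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok
def parse_acls(lines):  # group 'access-list N ...' entries by number, order kept
    acls = {}
    for line in lines:
        _, num, action, proto, *rest = line.split()
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, _ = _port(rest)
        acls.setdefault(num, []).append(Rule(action, proto, src, sport, dst, dport))
    return acls
def acl_permits(rules, pkt):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for r in rules:
        if (r.proto in ("ip", pkt.proto) and pkt.src in r.src and pkt.dst in r.dst
                and r.sport in (None, pkt.sport) and r.dport in (None, pkt.dport)):
            return r.action == "permit"
    return False
def pbr_target(clauses, acls, pkt):
    """Route-map: the first clause whose match ACL permits the packet wins."""
    for acl_num, target in clauses:
        if acl_permits(acls[acl_num], pkt):
            return target
    return "normal routing"
# Edison's route-map; '<fa0/0 gateway>' is a placeholder for the thread's 2*.*.*.49
NETPRO = [("100", "Dialer0"), ("101", "next-hop <fa0/0 gateway>")]
def netpro_acls(server_ace):  # ACL 100 denies exactly what ACL 101 selects
    return parse_acls(["access-list 100 deny " + server_ace,
                       "access-list 100 permit ip 10.10.1.0 0.0.0.255 any",
                       "access-list 101 permit " + server_ace])
ORIGINAL = netpro_acls("tcp host 10.10.1.203 eq 25 any eq 25")  # Edison's first try
FIXED = netpro_acls("tcp host 10.10.1.203 eq smtp any")         # Yagnesh's fix
# Constructed packet: the SMTP server answering a client's ephemeral port
REPLY = Pkt("tcp", ipaddress.ip_address("10.10.1.203"), 25,
            ipaddress.ip_address("203.0.113.7"), 51234)
```

Call pbr_target(NETPRO, ORIGINAL, REPLY) and pbr_target(NETPRO, FIXED, REPLY) to see the two outcomes; 'show access-list' hit counters on the router tell the same story.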
08-07-2009 08:44 PM
Yagnesh brings up a good point, as you need to determine if the source is a server or client and if it's communicating to another server or client.
A client source port will be 1024 and above - random. A server source port will be the known port - for instance 443, smtp, etc.
Can you identify this port information for us? Once you do, you will get a match on the route-map and ACLs.
HTH,
__
Edison.
08-08-2009 11:54 AM
Edison/Yagnesh,
It was definitely the ACL that was causing the problem. The issue has been resolved :)
Thank you both for your time and patience in resolving this issue.
Donavan
03-24-2012 05:09 AM
Hi Donavan,
Can you post your final working config?
I am also facing the same issue; my port forwarding is not working.
Additionally, I am trying one more thing: remote access VPN on the same fa0/0 interface.
Is it possible? I am adding a default route for the static IP with metric 100.
Thanks,
Cyril
03-24-2012 10:45 AM
Hi Edison,
I am trying the same commands which you mentioned in this discussion.
My internet is passing through dialer0, and my PAT is also working with the static IP as the second ISP.
What I need is that once the dialer interface goes down, the second ISP has to take care of internet automatically. I am trying remote access VPN also on the static IP. Is it possible, or are there any changes we need to do?
Here is my config:
track 123 interface Dialer0 ip routing
delay down 15 up 10
!
crypto ctcp port 10000
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local SDM_POOL_1
!
crypto isakmp client configuration group ADIRemote
key %Cisco123%
dns 192.168.1.2
domain adintl.local
pool SDM_POOL_1
acl 102
split-dns adintl.local
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group ADIRemote
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
crypto map VPN 1 ipsec-isakmp profile CiscoCP_Profile1
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-LAN$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip inspect WEBINSPECT in
ip virtual-reassembly in
ip policy route-map STATIC-NAT
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $ETH-WAN$
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/2
description $ETH-WAN$
ip address 213.x.x.130 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip local-proxy-arp
ip flow egress
ip nat outside
ip virtual-reassembly in
ip route-cache same-interface
ip tcp adjust-mss 1412
duplex auto
speed auto
crypto map VPN
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/2
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname adidxb
ppp chap password 7 03050D5A540B771847
ppp pap sent-username adidxb password 7 15135D5D562E7D7021
!
ip local policy route-map STATIC-NAT
ip local pool SDM_POOL_1 80.0.0.10 80.0.0.150
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 110 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.2 25 interface GigabitEthernet0/2 25
ip nat inside source static tcp 192.168.1.2 443 interface GigabitEthernet0/2 443
ip nat inside source static tcp 192.168.1.2 1723 interface GigabitEthernet0/2 1723
ip nat inside source static tcp 192.168.1.2 987 interface GigabitEthernet0/2 987
ip nat inside source list 111 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 123
ip route 0.0.0.0 0.0.0.0 213.x.x.x 254
ip route 80.0.0.0 255.255.255.0 GigabitEthernet0/2
!
ip sla 1
icmp-echo 4.2.2.2 source-interface Dialer0
threshold 40
timeout 1000
frequency 5
ip sla schedule 1 life forever start-time now
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 80.0.0.0 0.0.0.255
access-list 110 deny tcp host 192.168.1.2 eq smtp any
access-list 110 deny tcp host 192.168.1.2 eq 443 any
access-list 110 deny tcp host 192.168.1.2 eq 987 any
access-list 110 deny tcp host 192.168.1.2 eq 1723 any
access-list 110 deny ip 192.168.1.0 0.0.0.255 80.0.0.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 deny ip 192.168.1.0 0.0.0.255 80.0.0.0 0.0.0.255
access-list 111 permit tcp host 192.168.1.2 eq smtp any
access-list 111 permit tcp host 192.168.1.2 eq 443 any
access-list 111 permit tcp host 192.168.1.2 eq 987 any
access-list 111 permit tcp host 192.168.1.2 eq 1723 any
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map STATIC-NAT permit 10
match ip address 110
set interface Dialer0 Null0
!
route-map STATIC-NAT permit 20
match ip address 111
set ip next-hop 213.x.x.x
set interface Null0
!
!
snmp-server ifindex persist
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane