Configure Dynamic/Static Nat with route-maps

Answered Question
Aug 5th, 2009

Hi All,

I would like some help completing my configuration. Basically I have an internet router (1841 ISR) with 1 internal (LAN) connection and 2 internet connections. What I want to do is route specific traffic for 3 of my internally hosted services (SMTP, HTTPS, etc.) through one internet connection (fa0/0) and then route all other traffic through the unmanaged/dynamic-IP ADSL connection (Dialer 0).

I have attached the relevant areas of my config for your review. I have tried some stuff with route-maps, but I think I'm hung up at the area where you attach the route-maps to the NAT statement.

Thanks.

Donavan


Edison Ortiz Fri, 08/07/2009 - 05:39

You need Policy-Based Routing to modify destination-based routing based on the source.

1) Configure an ACL for the source:

General traffic:

access-list 100 deny tcp host 10.10.1.203 eq 25 any eq 25

access-list 100 deny tcp host 10.10.1.217 eq 443 any eq 443

access-list 100 deny tcp host 10.10.1.214 eq 3101 any eq 3101

access-list 100 permit ip 10.10.1.0 0.0.0.255 any

SMTP, HTTPS traffic:

access-list 101 permit tcp host 10.10.1.203 eq 25 any eq 25

access-list 101 permit tcp host 10.10.1.217 eq 443 any eq 443

access-list 101 permit tcp host 10.10.1.214 eq 3101 any eq 3101

2) Configure Route-map for the PBR

route-map NETPRO permit 10

match ip address 100

set interface dialer 0

route-map NETPRO permit 20

match ip address 101

set interface f0/0

3) Apply the PBR to the interface

interface f0/1

ip policy route-map NETPRO

4) Modify the current PAT

ip nat inside source list 100 interface dialer0 overload

HTH,

__

Edison.

phlitservices Fri, 08/07/2009 - 07:41

Hello Edison,

Thanks for taking the time to assist. When I applied the configuration, all traffic, including the internally hosted services such as SMTP, HTTPS, etc., seems to be using the Dialer 0 connection to reach the internet. Not sure what is wrong here. It should be noted that I get the following message when applying the route-map for the fa0/0 interface.

rtr(conf)#route-map NETPRO permit 20

match ip address 101

set interface f0/0

rtr(config-route-map)#set interface FastEthernet0/0

%Warning:Use P2P interface for routemap set interface clause

*****************

Interface fa0/0 has an IP of 2*.*.*.50 255.255.255.248, where 2*.*.*.49 is the gateway.

Edison Ortiz Fri, 08/07/2009 - 07:45

I forgot about that caveat, my apologies.

Try 'set ip next-hop 2*.*.*.49' instead of 'set interface'.

HTH,

__

Edison

Please remember to rate helpful posts

phlitservices Fri, 08/07/2009 - 16:51

Hello again Edison,

I've been banging away at this for a couple of hours now with no luck after applying the final change you suggested ('set ip next-hop 2*.*.*.49').

After adding the route-map and making the necessary config changes, all traffic, including SMTP, HTTPS, etc., still seems to be using only Dialer0 for internet access. I'm not giving up, just a bit lost at the moment :) I have attached my configs for your review. I have an ASA that sits directly behind the internet router, so I've attached some excerpts from that cfg as well.

Donavan

Correct Answer
yagnesh_tel Fri, 08/07/2009 - 20:31

Do you see hits on your ACL?

I think it's because of the ACLs you are using to identify traffic.

Normally a client connects to the server on its well-known ports (SMTP, HTTP, etc.), but the server talks back to the client on the port which the client used to initiate the traffic. Client processes don't use well-known or registered ports as source ports; instead, a client process uses a temporary port number.

So, assuming 10.10.1.203 is your SMTP server, the ACL should be something like this:

access-list 100 deny tcp host 10.10.1.203 eq smtp any

instead of

access-list 100 deny tcp host 10.10.1.203 eq smtp any eq smtp

Edison Ortiz Fri, 08/07/2009 - 20:44

Yagnesh brings up a good point, as you need to determine whether the source is a server or a client and whether it's communicating with another server or client.

A client source port will be 1024 and above, chosen at random. A server source port will be the well-known port, for instance 443, SMTP, etc.

Can you identify this port information for us? Once you do, you will get a match on the route-map and ACLs.

HTH,

__

Edison.
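The Python model below is an added example written for this page; it is not code from the thread or from Cisco. It implements first-match evaluation of IOS-style numbered extended ACLs (implicit deny at the end) and route-map sequences (a sequence matches only when its ACL permits the packet; an explicit or implicit deny falls through to the next sequence), then runs the ACLs as Edison first posted them and as corrected by Yagnesh against constructed traffic: a reply leaving the SMTP server, a reply leaving the HTTPS server, and an ordinary LAN client. The client address 203.0.113.7 and its ephemeral ports, the egress labels "Dialer0" and "fa0/0", and the `PORT_NAMES` table are assumptions for the example.

```python
"""Model of IOS extended-ACL and route-map (PBR) evaluation. Added example, not code from the thread."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}  # subset of IOS port keywords (assumption)
Packet = namedtuple("Packet", "proto src sport dst dport")
Ace = namedtuple("Ace", "action proto src sport dst dport")  # src/dst are ip_network, ports int or None

def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverted netmasks (contiguous masks assumed here).
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def _parse_port(tokens):
    """Consume an optional 'eq PORT' operator; None means any port."""
    if tokens and tokens[0] == "eq":
        return (PORT_NAMES[tokens[1]] if tokens[1] in PORT_NAMES else int(tokens[1])), tokens[2:]
    return None, tokens

def parse_acls(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines into {N: [Ace, ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        num, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
        src, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        acls.setdefault(num, []).append(Ace(action, proto, src, sport, dst, dport))
    return acls

def ace_matches(ace, pkt):
    """Every specified field must match: 'ip' matches any protocol, a None port matches any port."""
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))

def acl_permits(aces, pkt):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False

def pbr_egress(route_map, acls, pkt, normal_routing="routing table"):
    """route_map is [(acl_number, egress), ...] in sequence order.  A sequence matches only when its
    ACL permits the packet; an explicit or implicit deny means 'try the next sequence'."""
    for acl_num, egress in route_map:
        if acl_permits(acls[acl_num], pkt):
            return egress
    return normal_routing

# ACLs as first posted in the thread: they test the server port at BOTH ends of the flow.
ORIGINAL_ACLS = parse_acls("""
access-list 100 deny tcp host 10.10.1.203 eq 25 any eq 25
access-list 100 deny tcp host 10.10.1.217 eq 443 any eq 443
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
access-list 101 permit tcp host 10.10.1.203 eq 25 any eq 25
access-list 101 permit tcp host 10.10.1.217 eq 443 any eq 443
""")
# Corrected per yagnesh_tel: only the server's (source) port is fixed; the client's port is ephemeral.
FIXED_ACLS = parse_acls("""
access-list 100 deny tcp host 10.10.1.203 eq smtp any
access-list 100 deny tcp host 10.10.1.217 eq 443 any
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
access-list 101 permit tcp host 10.10.1.203 eq smtp any
access-list 101 permit tcp host 10.10.1.217 eq 443 any
""")
# route-map NETPRO: seq 10 (ACL 100) -> Dialer0, seq 20 (ACL 101) -> fa0/0 via its next-hop.
ROUTE_MAP = [("100", "Dialer0"), ("101", "fa0/0")]

# Constructed sample traffic; 203.0.113.7 (a documentation address) stands in for an internet client.
SMTP_REPLY = Packet("tcp", "10.10.1.203", 25, "203.0.113.7", 51514)
HTTPS_REPLY = Packet("tcp", "10.10.1.217", 443, "203.0.113.7", 40022)
LAN_CLIENT = Packet("tcp", "10.10.1.50", 49152, "203.0.113.7", 80)

def egress_for(acls, pkt):
    """WAN path route-map NETPRO chooses for the packet under the given ACL set."""
    return pbr_egress(ROUTE_MAP, acls, pkt)

if __name__ == "__main__":
    for label, acls in (("original", ORIGINAL_ACLS), ("fixed", FIXED_ACLS)):
        for name, pkt in (("SMTP reply", SMTP_REPLY), ("HTTPS reply", HTTPS_REPLY), ("LAN client", LAN_CLIENT)):
            print(f"{label:8} {name:11} -> {egress_for(acls, pkt)}")
```

With the original ACLs the server's reply carries the client's ephemeral port as its destination, so no entry in ACL 101 matches and none of the deny entries in ACL 100 match either; the packet falls to ACL 100's final permit, sequence 10 fires, and it leaves via Dialer0, which is exactly the symptom reported above. With the corrected ACLs the deny in ACL 100 removes the packet from sequence 10 and the permit in ACL 101 sends it to fa0/0, while a normal LAN client still goes out Dialer0. On the router the same check is `show access-lists` (per-entry match counters) and `show route-map NETPRO` (policy routing matches per sequence), which is what "Do you see hits on your ACL?" is asking.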

phlitservices Sat, 08/08/2009 - 11:54

Edison/Yagnesh,

It was definitely the ACL that was causing the problem. The issue has been resolved :)

Thank you both for your time and patience in resolving this issue.

Donavan

zeuscyril Sat, 03/24/2012 - 05:09

Hi Donavan,

Can you post your final working config?

I am also facing the same issue; my port forwarding is not working.

Additionally, I am trying one more thing: remote access VPN on the same fa0/0 interface.

Is it possible? I am adding a default route for the static IP with metric 100.

Thanks,

Cyril

zeuscyril Sat, 03/24/2012 - 10:45

Hi Edison,

I am trying the same commands which you mentioned in this discussion.

My internet is passing through Dialer0, and my PAT is also working with the static IP as the second ISP.

What I need is that once the dialer interface goes down, the second ISP has to take over internet access automatically. I am also trying remote access VPN on the static IP. Is it possible, or are there any changes we need to make?

Here is my config:

track 123 interface Dialer0 ip routing
 delay down 15 up 10
!
crypto ctcp port 10000
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local SDM_POOL_1
!
crypto isakmp client configuration group ADIRemote
 key %Cisco123%
 dns 192.168.1.2
 domain adintl.local
 pool SDM_POOL_1
 acl 102
 split-dns adintl.local
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group ADIRemote
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
crypto map VPN 1 ipsec-isakmp profile CiscoCP_Profile1
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-LAN$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip inspect WEBINSPECT in
 ip virtual-reassembly in
 ip policy route-map STATIC-NAT
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $ETH-WAN$
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/2
 description $ETH-WAN$
 ip address 213.x.x.130 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip local-proxy-arp
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 ip route-cache same-interface
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
 crypto map VPN
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname adidxb
 ppp chap password 7 03050D5A540B771847
 ppp pap sent-username adidxb password 7 15135D5D562E7D7021
!
ip local policy route-map STATIC-NAT
ip local pool SDM_POOL_1 80.0.0.10 80.0.0.150
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 110 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.2 25 interface GigabitEthernet0/2 25
ip nat inside source static tcp 192.168.1.2 443 interface GigabitEthernet0/2 443
ip nat inside source static tcp 192.168.1.2 1723 interface GigabitEthernet0/2 1723
ip nat inside source static tcp 192.168.1.2 987 interface GigabitEthernet0/2 987
ip nat inside source list 111 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 123
ip route 0.0.0.0 0.0.0.0 213.x.x.x 254
ip route 80.0.0.0 255.255.255.0 GigabitEthernet0/2
!
ip sla 1
 icmp-echo 4.2.2.2 source-interface Dialer0
 threshold 40
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 80.0.0.0 0.0.0.255
access-list 110 deny   tcp host 192.168.1.2 eq smtp any
access-list 110 deny   tcp host 192.168.1.2 eq 443 any
access-list 110 deny   tcp host 192.168.1.2 eq 987 any
access-list 110 deny   tcp host 192.168.1.2 eq 1723 any
access-list 110 deny   ip 192.168.1.0 0.0.0.255 80.0.0.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 deny   ip 192.168.1.0 0.0.0.255 80.0.0.0 0.0.0.255
access-list 111 permit tcp host 192.168.1.2 eq smtp any
access-list 111 permit tcp host 192.168.1.2 eq 443 any
access-list 111 permit tcp host 192.168.1.2 eq 987 any
access-list 111 permit tcp host 192.168.1.2 eq 1723 any
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map STATIC-NAT permit 10
 match ip address 110
 set interface Dialer0 Null0
!
route-map STATIC-NAT permit 20
 match ip address 111
 set ip next-hop 213.x.x.x
 set interface Null0
!
!
snmp-server ifindex persist
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane

This Discussion

Posted August 5, 2009 at 9:09 AM