PBR with ADSL and LL

Aug 14th, 2009

Hi ALL


I have an Internet router with an ADSL module and a serial module. I want only SMTP traffic to go through the leased line, and the rest (HTTP, FTP, HTTPS, etc.) to go out over ADSL.

Regards/Asfar

asfar.zaidi Fri, 08/14/2009 - 21:49

Hi

I am configuring my router like this:


!
interface FastEthernet0/0
 ip address 192.168.200.1 255.255.255.0
 ip policy route-map ADSL
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/1/0
 ip address xx.xx.xx.xx 255.255.255.252
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
!
interface ATM0/3/0
 no ip address
 ip virtual-reassembly
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/50
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer1
 ip address negotiated
 ip virtual-reassembly
 encapsulation ppp
 ip nat outside
 dialer pool 1
 dialer idle-timeout 2147483
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
!
ip nat inside source route-map ADSL interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
access-list 1 permit any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 8080
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
!
route-map ADSL permit 10
 match ip address 102
 set interface Dialer1




Please check whether I am doing anything wrong.


Regards/Asfar



Lucien Avramov Fri, 08/14/2009 - 22:10

This is a little different from what you initially said.

The configuration should work in terms of PBR. But any traffic that does not match ACL 102 will go over your leased line, and that will not be only SMTP.


If you want to send ONLY SMTP traffic over the serial line, match only that in an ACL and set the interface to serial, and send all the other traffic to the dialer (as the default route):


ip route 0.0.0.0 0.0.0.0 dialer 1
!
access-list 102 permit tcp any any eq smtp
!
route-map ADSL permit 10
 match ip address 102
 set interface s0/1/0
route-map ADSL permit 20
 set default interface dialer 1


If you log your ACL, you will see whether this works or not, and you can debug it if anything is missing.


asfar.zaidi Fri, 08/14/2009 - 22:15

Thanks, Iavramov, for your reply.


Sorry for the confusion; let me put my question this way.


I want to send HTTP, HTTPS and FTP traffic to ADSL and the rest to the LL. What will the configuration be now?


Can you please also check my NAT statements; are they right?


Thanks



Lucien Avramov Fri, 08/14/2009 - 22:17

You only need one NAT statement for interface overload, as you probably have one IP from your ISP.


With this NAT statement you should be able to go outside over your ADSL.





asfar.zaidi Fri, 08/14/2009 - 22:29

You mean to say my configuration for NAT should look like this:


interface FastEthernet0/0
 ip address 192.168.200.1 255.255.255.0
 ip policy route-map ADSL
 ip nat inside
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip virtual-reassembly
 encapsulation ppp
 ip nat outside
 dialer pool 1
 dialer idle-timeout 2147483
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
!
ip nat inside source route-map ADSL interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 8080
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
!
route-map ADSL permit 10
 match ip address 102
 set interface Dialer1


Lucien Avramov Fri, 08/14/2009 - 22:32

You can keep ip nat inside source interface Dialer1 overload. You already match the route-map on the f0/0 interface, so don't use a route-map with the NAT statement.


asfar.zaidi Fri, 08/14/2009 - 22:38

Can you please explain what the difference is in my scenario if I use either of the following:


access-list 1 permit any
ip nat inside source list 1 interface dialer1 overload

and

access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 8080
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq ftp-data
access-list 102 permit udp any any eq domain
access-list 102 permit tcp any any eq domain
!
route-map ADSL permit 10
 match ip address 102
 set interface Dialer1
!
ip nat inside source route-map ADSL interface Dialer1 overload


Regards/Asfar






Lucien Avramov Fri, 08/14/2009 - 22:55

1. It's an equivalent command; you add an access list, but you permit any, so it's useless.


2. You don't need to call this route-map in NAT, as you already do so on the f0/0 interface.


Read more about NAT to understand:


http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv_ps6441_TSD_Products_Configuration_Guide_Chapter.html


And more generally:

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_natrodmap_ps6441_TSD_Products_Configuration_Guide_Chapter.html


This should resolve your post.
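Putting the two pieces of advice in this thread together (PBR applied on Fa0/0 steers the web, FTP and DNS classes onto Dialer1; NAT is driven by a plain access list with no route-map in the NAT rule), here is a cleaned-up configuration for the requirement as asfar restated it: HTTP, HTTPS and FTP out over ADSL, everything else over the leased line. This is an added example, not a configuration posted in the thread. It assumes the interface names and the 192.168.200.0/24 LAN from the posts, keeps the leased-line address as the xx.xx.xx.xx placeholder, drops the unrelated interface options, and narrows both access lists to the LAN subnet instead of "any", which none of the posted configurations did.

```cisco
! Added example, not from the thread. Assumed: LAN 192.168.200.0/24 behind
! FastEthernet0/0, ADSL on Dialer1, leased line on Serial0/1/0.
!
interface FastEthernet0/0
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ip policy route-map ADSL
!
interface Serial0/1/0
 ip address xx.xx.xx.xx 255.255.255.252
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 ip nat outside
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
!
! Normal routing: anything the policy does not catch follows the default
! route over the leased line.
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
! NAT overload on the ADSL side. Plain ACL scoped to the inside subnet,
! so only LAN sources are ever translated; no route-map in the NAT rule,
! because the policy is already applied on Fa0/0.
access-list 1 permit 192.168.200.0 0.0.0.255
ip nat inside source list 1 interface Dialer1 overload
!
! Traffic classes to steer onto ADSL. Source limited to the LAN so the
! policy never acts on anything else arriving on Fa0/0.
access-list 102 permit tcp 192.168.200.0 0.0.0.255 any eq www
access-list 102 permit tcp 192.168.200.0 0.0.0.255 any eq 8080
access-list 102 permit tcp 192.168.200.0 0.0.0.255 any eq 443
access-list 102 permit tcp 192.168.200.0 0.0.0.255 any eq ftp
access-list 102 permit tcp 192.168.200.0 0.0.0.255 any eq domain
access-list 102 permit udp 192.168.200.0 0.0.0.255 any eq domain
!
route-map ADSL permit 10
 match ip address 102
 set interface Dialer1
! No second sequence needed: packets that do not match ACL 102 fall
! through to the routing table and take the Serial0/1/0 default route.
!
! Verification:
!   show route-map ADSL          (policy-matched packet counters)
!   show ip nat translations     (only Dialer1-bound flows should appear)
!   debug ip policy              (per-packet decision; rate-limit on a busy box)
```

Two things to check before relying on this. First, ip nat outside is only on Dialer1, so packets that take the default route over Serial0/1/0 leave with their 192.168.200.x source address unchanged; that is only correct if the leased-line provider routes that prefix, otherwise Serial0/1/0 needs its own ip nat outside and a matching translation rule. Second, ACL 102 matches on destination port, so a passive-mode FTP data connection to a random high port does not match, goes out the leased line with a different source address than the control channel on port 21, and will usually be refused by the server; if FTP matters, match the FTP servers by address instead of by port, or use active mode.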
