PBR with ADSL and LL

Unanswered Question
Aug 14th, 2009

Hi ALL

I have an Internet router with an ADSL and a Serial module. I want only SMTP traffic to go through the leased line, and the rest (i.e. HTTP, FTP, HTTPS, etc.) should go out via ADSL.

Regards/Asfar

asfar.zaidi Fri, 08/14/2009 - 21:49

Hi

I am configuring my router like this:

!
interface FastEthernet0/0
 ip address 192.168.200.1 255.255.255.0
 ip policy route-map ADSL
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/1/0
 ip address xx.xx.xx.xx 255.255.255.252
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
!
interface ATM0/3/0
 no ip address
 ip virtual-reassembly
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/50
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Dialer1
 ip address negotiated
 ip virtual-reassembly
 encapsulation ppp
 ip nat outside
 dialer pool 1
 dialer idle-timeout 2147483
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
!
ip nat inside source route-map ADSL interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
!
access-list 1 permit any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 8080
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
!
route-map ADSL permit 10
 match ip address 102
 set interface Dialer1

Check if I am doing anything wrong.

Regards/Asfar

Lucien Avramov Fri, 08/14/2009 - 22:10

This is a little different from what you initially said.

The configuration should work in terms of PBR, but any traffic not matching ACL 102 will go over your leased line, and that will not be only SMTP.

If you want to send ONLY SMTP traffic over serial, match only that one in an ACL and set the interface to serial, and send all the others to the dialer (as the default route):

ip route 0.0.0.0 0.0.0.0 dialer 1

access-list 102 permit tcp any any eq smtp

route-map ADSL permit 10
 match ip address 102
 set interface s0/1/0
route-map ADSL permit 20
 set default interface dialer 1

If you log your ACL, you will see whether this works or not, and you can debug it if anything is missing.

asfar.zaidi Fri, 08/14/2009 - 22:15

Thanks lavramov for your reply.

Sorry for the confusion; let me put my question this way:

I want to send HTTP, HTTPS and FTP traffic to ADSL and the rest to the LL. What will the configuration be now?

Can you please check my NAT statements; are they right?

Thanks

Lucien Avramov Fri, 08/14/2009 - 22:17

You only need one NAT statement for interface overload, as you probably have one IP from your ISP.

With this NAT statement you should be able to go outside via your ADSL.

asfar.zaidi Fri, 08/14/2009 - 22:29

You mean to say my configuration for NAT looks like this:

interface FastEthernet0/0
 ip address 192.168.200.1 255.255.255.0
 ip policy route-map ADSL
 ip nat inside
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip virtual-reassembly
 encapsulation ppp
 ip nat outside
 dialer pool 1
 dialer idle-timeout 2147483
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
!
ip nat inside source route-map ADSL interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
!
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 8080
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
!
route-map ADSL permit 10
 match ip address 102
 set interface Dialer1

Lucien Avramov Fri, 08/14/2009 - 22:32

You can keep "ip nat inside source interface Dialer1 overload"; you already match the route-map on the f0/0 interface, so don't use a route-map with the NAT statement.

asfar.zaidi Fri, 08/14/2009 - 22:38

Can you please explain what the difference is in my scenario if I use either of the following:

access-list 1 permit any
ip nat inside source list 1 interface dialer1 overload

and

access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 8080
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq ftp-data
access-list 102 permit udp any any eq domain
access-list 102 permit tcp any any eq domain
route-map ADSL permit 10
 match ip address 102
 set interface Dialer1
ip nat inside source route-map ADSL interface Dialer1 overload

Regards/Asfar

Lucien Avramov Fri, 08/14/2009 - 22:55

1. It's an equivalent command; you add an access list but you permit any, so it's useless.

2. You don't need to call this route-map in NAT, as you already do on the f0/0 interface.

Read more about NAT to understand:

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv_ps6441_TSD_Products_Configuration_Guide_Chapter.html

and more generally:

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_natrodmap_ps6441_TSD_Products_Configuration_Guide_Chapter.html

This should resolve your post.
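Pulling the thread's advice together, here is a complete version of the final design: HTTP, HTTPS, proxy, FTP control and DNS are policy-routed to the ADSL dialer, everything else follows the static default route over the leased line, and the PBR route-map is no longer referenced from the NAT statement. This is an added example, not configuration from the original posts. The interface names, PVC and the 192.168.200.0/24 LAN are taken from the thread; the ACL and route-map names other than ADSL are made up here. It goes beyond the single-NAT-statement answer in one respect: none of the posted configs mark Serial0/1/0 as "ip nat outside", so packets that fall through to the leased line would leave with 192.168.200.x source addresses. The example assumes the leased-line provider does not route that range and therefore translates each egress separately, choosing the NAT statement by egress interface with "match interface". The PBR ACL is also scoped to the LAN source instead of "any", so only LAN-originated flows are policy-routed. The SMTP-only variant from the earlier reply is the same structure with the ACL matching "eq smtp", "set interface Serial0/1/0" and the default route pointed at Dialer1.

```cisco
! Added example: complete PBR plus per-egress NAT for the design discussed in the thread.
! Assumptions not taken from the original posts: Serial0/1/0 is ip nat outside and NAT is
! selected per egress interface; names other than ADSL (PBR-TO-ADSL, NAT-ADSL, NAT-LL) are invented.
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ! PBR acts on packets entering this interface
 ip policy route-map ADSL
!
interface Serial0/1/0
 description Leased line (default path)
 ip address xx.xx.xx.xx 255.255.255.252
 ip nat outside
!
interface ATM0/3/0
 no ip address
 dsl operating-mode auto
 pvc 0/50
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer1
 description ADSL
 ip address negotiated
 encapsulation ppp
 ip nat outside
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
!
! Anything not policy-routed uses the leased line.
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
! Flows to steer onto ADSL: web, proxy, FTP control, DNS.
! Source is limited to the LAN so only LAN-originated traffic is matched.
ip access-list extended PBR-TO-ADSL
 permit tcp 192.168.200.0 0.0.0.255 any eq www
 permit tcp 192.168.200.0 0.0.0.255 any eq 8080
 permit tcp 192.168.200.0 0.0.0.255 any eq 443
 permit tcp 192.168.200.0 0.0.0.255 any eq ftp
 permit tcp 192.168.200.0 0.0.0.255 any eq domain
 permit udp 192.168.200.0 0.0.0.255 any eq domain
!
route-map ADSL permit 10
 match ip address PBR-TO-ADSL
 set interface Dialer1
! No "permit 20" clause: unmatched packets fall back to the routing table (Serial0/1/0).
!
! NAT: one statement per egress, chosen by the interface the packet is leaving on.
access-list 1 permit 192.168.200.0 0.0.0.255
!
route-map NAT-ADSL permit 10
 match ip address 1
 match interface Dialer1
!
route-map NAT-LL permit 10
 match ip address 1
 match interface Serial0/1/0
!
ip nat inside source route-map NAT-ADSL interface Dialer1 overload
ip nat inside source route-map NAT-LL interface Serial0/1/0 overload
!
! Verification from enable mode:
!  show route-map ADSL        - the PBR-TO-ADSL match counter rises for policy-routed packets
!  show ip nat translations   - web/FTP/DNS flows translated to Dialer1's address,
!                               everything else to the serial address
!  debug ip policy            - per-packet PBR decisions (run briefly; noisy on a busy router)
```

The quickest check is to browse a website from the LAN, then confirm in "show route-map ADSL" that the match counter increased and in "show ip nat translations" that the flow is listed against Dialer1's address; an SMTP session should instead appear against the serial address. One caveat the thread's ACL does not cover: passive-mode FTP data connections use server-chosen ephemeral ports, so they do not match the "eq ftp" rule and will take the leased line while the control channel uses ADSL. Either accept the split path or add a port-range rule for the servers concerned.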
