01-12-2010 02:31 PM - edited 03-11-2019 09:56 AM
Hi All,
I have two routers running HSRP on the inside (LAN) interfaces, tracking the outside (ISP) interfaces. Both routers handle both connections (two ISPs).
So, basically the configuration is as follows (for the primary router; the secondary router is the same):
######################################################################
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW http
ip inspect name FW https
ip inspect name FW dns
ip inspect name FW esmtp
ip inspect name FW pop3
ip inspect name FW imap
ip inspect name FW bootpc
ip inspect name FW bootps
ip inspect name FW ms-sql
ip inspect name FW ftp
ip inspect name FW ipsec-msft
ip inspect name FW isakmp
!
interface GigabitEthernet0/1
 description PRIMARY_ISP
 ip address 201.195.231.154 255.255.255.240
 ip nat outside
 ip inspect FW in
 ip inspect FW out
 ip access-group METRO_IN in
!
interface GigabitEthernet0/0
 description SECONDARY_ISP
 ip address 201.195.91.54 255.255.255.240
 ip nat outside
 ip inspect FW in
 ip inspect FW out
 ip access-group ACL_GSHDSL_IN in
!
interface FastEthernet0/0/0
 ip address 192.168.100.6 255.255.255.0
 ip nat inside
 ip inspect FW in
 ip inspect FW out
 standby 1 ip 192.168.100.5
 standby 1 priority 115
 standby 1 preempt
 standby 1 track GigabitEthernet0/1 5
 standby 1 track GigabitEthernet0/0 5
!
ip nat inside source static 192.168.2.175 201.195.91.50
ip nat inside source static 192.168.2.177 201.195.91.51
ip nat inside source static 192.168.2.178 201.195.91.52
ip nat inside source static 192.168.2.179 201.195.91.53
ip nat inside source static 192.168.2.75 201.195.231.150
ip nat inside source static 192.168.2.77 201.195.231.151
ip nat inside source static 192.168.2.78 201.195.231.152
ip nat inside source static 192.168.2.79 201.195.231.153
ip nat inside source route-map METRO interface GigabitEthernet0/1 overload
ip nat inside source route-map SHDSL interface GigabitEthernet0/0 overload
!
route-map METRO permit 10
 match ip address ACL_METRO
 match interface GigabitEthernet0/1
!
route-map SHDSL permit 10
 match ip address ACL_SHDSL
 match interface GigabitEthernet0/0
!
ip access-list extended ACL_METRO
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
!
ip access-list extended ACL_SHDSL
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
!
ip sla 1
 icmp-echo 201.195.231.145
 threshold 2000
 frequency 5
ip sla schedule 1 life forever start-time now
!
ip sla 3
 icmp-echo 201.195.91.49
 threshold 2000
 frequency 5
ip sla schedule 3 life forever start-time now
!
track 100 ip sla 1 reachability
track 300 ip sla 3 reachability
!
ip route 0.0.0.0 0.0.0.0 201.195.231.145 10 track 100
ip route 0.0.0.0 0.0.0.0 201.195.91.49 20 track 300
######################################################################
So, the connection to the Internet is fine (no problems).
Everybody gets out to the Internet using the primary METRO ISP.
The problem is with clients from the Internet accessing our internal servers.
For example, when clients try to reach the servers, they either get a very slow response or no response at all.
If I remove the access-lists from the ISP interfaces and the inspection rules, everything works fine.
If I add the access-lists again, it works fine.
When I add the inspection rules is when the problem starts.
My question is: since the clients connect from the outside via either ISP, could the inspection sessions on the router be causing these problems?
Any suggestions are appreciated!!!
Federico.
01-12-2010 04:32 PM
I am not sure why you would have inspection applied IN and OUT on all interfaces.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW ftp
Usually it is applied either IN on the inside interface or OUT on the outside interface. Is there a way you can try removing inspection on the inside interface F0/0/0 and see if that helps?
You can also reduce the inspections and leave it at the minimum above.
-KS
01-12-2010 08:50 PM
I'm not sure why the inspection works only if I apply it both inbound and outbound on the same interface.
Actually, I don't intend to inspect the incoming traffic from the Internet, only the outbound traffic, but if I only apply the inspection in one direction, it won't work (not sure if it's a bug or something).
That's a good point that I need to figure out. Besides that, do you think that having the inspection for the two ISP connections could be causing the problem for the incoming traffic?
Thank you.
Federico.
01-13-2010 11:20 AM
Hey!
I think I've found the problem (not 100% sure yet).
Traffic to the Internet is working fine through the HSRP active router (either the primary or the secondary).
But incoming traffic from the Internet to the servers was the problem.
So, I started to see a lot of duplicate IP address messages on both routers (there are no duplicate addresses).
What is happening is that traffic coming from the Internet could enter either router to reach the servers. For instance, I have the following static NAT on both routers:
Router(config)# ip nat inside source static 192.168.2.175 201.195.91.50
So, when clients from the Internet try to reach that server, they can reach it via both routers. I'm not running BGP with my ISPs or controlling how the traffic enters the network (it's based solely on DNS). Since both routers have the same static NAT (even though only one is the active HSRP router), traffic could enter via both routers.
And there's my problem. As soon as I removed the static NAT statements from the secondary router, everything works perfectly on the primary one.
My question then is: how do I get two routers receiving two ISPs (with one as the active HSRP router) while controlling how the incoming traffic is handled? Or perhaps not controlling the incoming traffic? But how do I make this work?
Thank you!
Federico.
01-13-2010 12:24 PM
Would something called SNAT work?
Stateful NAT?
Best Regards,
Federico.
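The fragment below is an added example, not configuration posted by Federico or KS. It shows how the primary router from the thread could be rearranged so that (a) the CBAC rule is applied once, outbound on the ISP interfaces, as KS suggests, instead of in both directions on every interface, and (b) the static NAT statements are tied to the HSRP group, so that only the HSRP-active router installs the mappings and answers ARP for the public addresses that both routers were advertising. The HSRP group name LAN-HSRP and the server service (`eq www`) are assumptions chosen for illustration; the addresses are the ones from the thread.

```ios
! Added example, not the original poster's configuration.
! Assumed values: HSRP group name LAN-HSRP, server service TCP/80 (eq www).
!
! Inspection: a short CBAC rule, applied once per flow.
! It is applied OUT on the ISP interfaces, so outbound LAN sessions open
! temporary return holes in the inbound ACL. The inside interface carries
! no "ip inspect", so no flow is inspected twice.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW ftp
!
! Inbound ACLs on the ISP interfaces: only the published server addresses
! are reachable from the Internet. CBAC inspects transit traffic only, so
! the echo replies to the router's own IP SLA probes are not opened
! dynamically and must be permitted explicitly, or track 100/300 goes
! down and the default routes are withdrawn.
ip access-list extended METRO_IN
 permit tcp any host 201.195.231.150 eq www
 permit tcp any host 201.195.231.151 eq www
 permit icmp host 201.195.231.145 host 201.195.231.154 echo-reply
 deny ip any any log
!
ip access-list extended ACL_GSHDSL_IN
 permit tcp any host 201.195.91.50 eq www
 permit tcp any host 201.195.91.51 eq www
 permit icmp host 201.195.91.49 host 201.195.91.54 echo-reply
 deny ip any any log
!
interface GigabitEthernet0/1
 description PRIMARY_ISP
 ip address 201.195.231.154 255.255.255.240
 ip nat outside
 ip access-group METRO_IN in
 ip inspect FW out
!
interface GigabitEthernet0/0
 description SECONDARY_ISP
 ip address 201.195.91.54 255.255.255.240
 ip nat outside
 ip access-group ACL_GSHDSL_IN in
 ip inspect FW out
!
! HSRP on the LAN side, with a group name that NAT can reference.
! Tracking the SLA objects (not just the interface line protocol) also
! fails HSRP over when the ISP gateway stops answering, not only when
! the link itself goes down.
interface FastEthernet0/0/0
 ip address 192.168.100.6 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.100.5
 standby 1 priority 115
 standby 1 preempt
 standby 1 name LAN-HSRP
 standby 1 track 100 decrement 5
 standby 1 track 300 decrement 5
!
! Static NAT bound to the HSRP group. With "redundancy LAN-HSRP" only the
! HSRP-active router installs the translation and answers ARP for the
! global address; the standby router stays silent until it takes over.
! Both routers can therefore carry identical statements without fighting
! over 201.195.91.50, 201.195.231.150, etc.
ip nat inside source static 192.168.2.175 201.195.91.50 redundancy LAN-HSRP
ip nat inside source static 192.168.2.177 201.195.91.51 redundancy LAN-HSRP
ip nat inside source static 192.168.2.75 201.195.231.150 redundancy LAN-HSRP
ip nat inside source static 192.168.2.77 201.195.231.151 redundancy LAN-HSRP
!
! PAT for outbound LAN traffic is unchanged: it uses each router's own
! interface address, so return traffic already comes back to the router
! that created the translation. Only the shared static mappings were
! ambiguous.
ip nat inside source route-map METRO interface GigabitEthernet0/1 overload
ip nat inside source route-map SHDSL interface GigabitEthernet0/0 overload
```

The `redundancy` keyword on a static translation is the IOS "NAT static mapping support with HSRP" feature; it makes the mapping follow the HSRP state, but it does not replicate translation tables between the routers, which is what Stateful NAT (SNAT) adds on top. Whether the image in use accepts `redundancy` on static NAT, and honours the state of a group configured on the LAN interface, should be verified after a forced failover with `show ip nat translations` and `show standby brief` on both routers: only the active router should list the static entries.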