Dual WAN, NAT and webserver problems

Unanswered Question
Oct 28th, 2014

Hello,

I have a Cisco 891 router connected to the internet with 2 ISPs on different WAN ports.

I can ping each public IP from outside, but I have problems accessing my web server, which is connected directly to the router on one VLAN port.

I believe the problem is NAT-related: the server is accessed from one WAN interface, but the router replies on the best route, which might not be the same.

Here is my configuration:

version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RgtClujRouter
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 $1$fz.V$Ml1NnnIJUonPOzkr1Gl1C.
!
no aaa new-model
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool cluj_servers
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.11
 domain-name cluj_DHCP
!
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
key chain OER
 key 1
  key-string oerkey
!
!
!
!
!
!
license udi pid C891F-K9 sn FCZ1832C30J
!
!
!
!
!
!
!
track 10 ip sla 1 reachability
 delay down 2 up 2
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ******** address 49.97.**.**
crypto isakmp key ******** address 46.97.**.**
crypto isakmp key ******** address 46.97.**.**
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 20 3 periodic
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
 mode tunnel
!
!
!
!
crypto map BV_CJ_MAIN_MAP 20 ipsec-isakmp
 set peer 46.97.**.**
 set security-association lifetime seconds 86400
 set transform-set TRANS
 set pfs group2
 match address VPN_TRAFFIC
!
crypto map BV_CJ_MAP 10 ipsec-isakmp
 set peer 46.97.**.**
 set security-association lifetime seconds 86400
 set transform-set TRANS
 set pfs group2
 match address VPN_TRAFFIC
!
!
!
!
interface FastEthernet0
 description #Secondary link UPC.#
 ip address 85.186.7.210 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map BV_CJ_MAP
!
interface GigabitEthernet8
 description #Primary link RTC.#
 ip address 89.121.216.178 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map BV_CJ_MAIN_MAP
!
interface Vlan1
 description #Inside LAN segment.#
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source route-map rtc interface GigabitEthernet8 overload
ip nat inside source route-map upc2 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.1.11 80 85.186.7.210 80 extendable
ip nat inside source static tcp 192.168.1.11 443 85.186.7.210 443 extendable
ip nat inside source static udp 192.168.1.11 443 85.186.7.210 443 extendable
ip nat inside source static tcp 192.168.1.11 3389 85.186.7.210 3389 extendable
ip nat inside source static udp 192.168.1.11 3389 85.186.7.210 3389 extendable
ip nat inside source static tcp 192.168.1.11 80 89.121.216.178 80 extendable
ip nat inside source static tcp 192.168.1.11 443 89.121.216.178 443 extendable
ip nat inside source static udp 192.168.1.11 443 89.121.216.178 443 extendable
ip nat inside source static tcp 192.168.1.11 3389 89.121.216.178 3389 extendable
ip nat inside source static udp 192.168.1.11 3389 89.121.216.178 3389 extendable
ip route 0.0.0.0 0.0.0.0 89.121.216.177 track 10
ip route 0.0.0.0 0.0.0.0 85.186.7.209 10
!
ip access-list extended NAT_TRAFFIC
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 any
!
ip sla auto discovery
ip sla 1
 icmp-echo 89.121.216.177
 threshold 500
 timeout 2000
 frequency 2
ip sla schedule 1 life forever start-time now
!
route-map upc2 permit 12
 match ip address NAT_TRAFFIC
!
route-map rtc permit 10
 match ip address NAT_TRAFFIC
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
banner motd ^CThis router is owned and operated by Rail Soft SRL. Visit railsoft.ro for support.^C
!
line con 0
 password 138xab92
 login
 no modem enable
line aux 0
 password 138xab92
 login
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 password 138xab92
 login
 transport input all
!
scheduler allocate 20000 1000
!
end

What is wrong with my configuration?
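Added example (not part of the original post, and not Cisco code): a small Python model of the forwarding path the post describes, built from the addresses and routes in the posted config. It reproduces only the IOS order of operations that matters here: outside-to-inside packets are translated before the routing lookup, inside-to-outside packets are routed first and translated afterwards. The client address 203.0.113.5 is a made-up test value; ACLs, the crypto maps and PBR are ignored (the posted config applies none on Vlan1).

```python
"""Model of the asymmetric-return problem the post suspects.

Added example, not code from the post or from Cisco.  Addresses and
routes are taken from the posted config; 203.0.113.5 is a constructed
client address.  Outside-to-inside: NAT, then routing.  Inside-to-outside:
routing, then NAT.
"""
import ipaddress
from typing import Tuple

# (interface name, local address, next hop) for each link in the post
FA0 = ("FastEthernet0", "85.186.7.210", "85.186.7.209")        # secondary, UPC
GI8 = ("GigabitEthernet8", "89.121.216.178", "89.121.216.177")  # primary, RTC
VLAN1 = ("Vlan1", "192.168.1.1", None)
SERVER = "192.168.1.11"

# Static port forwards from the post: (public address, port) -> (inside host, port)
STATIC_NAT = {
    (FA0[1], 80): (SERVER, 80), (FA0[1], 443): (SERVER, 443),
    (GI8[1], 80): (SERVER, 80), (GI8[1], 443): (SERVER, 443),
}


def route_lookup(dst: str, track_up: bool) -> Tuple[str, str, str]:
    """Longest-prefix match over the routes the posted config installs.

    The tracked default (AD 1) is present while IP SLA 1 is up; when it is
    withdrawn the AD-10 floating default towards UPC takes over.
    """
    table = [
        (ipaddress.ip_network("85.186.7.208/29"), FA0),
        (ipaddress.ip_network("89.121.216.176/30"), GI8),
        (ipaddress.ip_network("192.168.1.0/24"), VLAN1),
        (ipaddress.ip_network("0.0.0.0/0"), GI8 if track_up else FA0),
    ]
    addr = ipaddress.ip_address(dst)
    matches = [(net, itf) for net, itf in table if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def ingress_interface(public_ip: str) -> Tuple[str, str, str]:
    """The WAN link that owns a public address is where the client's SYN arrives."""
    for itf in (FA0, GI8):
        if itf[1] == public_ip:
            return itf
    raise ValueError(f"{public_ip} is not a router address")


def trace_connection(client_ip: str, public_ip: str, port: int,
                     track_up: bool = True) -> Tuple[str, str, str]:
    """Return (ingress interface, reply egress interface, reply source address).

    Inbound: the static entry rewrites the destination before routing, and NAT
    records a session entry bound to the public address that was hit.
    Reply: the server's packet gets a plain destination lookup (no PBR on
    Vlan1), and only then does NAT rewrite the source from that session.
    """
    ingress = ingress_interface(public_ip)
    inside_host, inside_port = STATIC_NAT[(public_ip, port)]
    session = {"inside": (inside_host, inside_port),
               "global": (public_ip, port), "peer": client_ip}
    egress = route_lookup(session["peer"], track_up)   # routing before NAT
    reply_src = session["global"][0]                   # NAT after routing
    return ingress[0], egress[0], reply_src


def is_asymmetric(client_ip: str, public_ip: str, port: int,
                  track_up: bool = True) -> bool:
    """True when the reply leaves on a different link than the request used."""
    ingress, egress, _ = trace_connection(client_ip, public_ip, port, track_up)
    return ingress != egress


if __name__ == "__main__":
    for public in (FA0[1], GI8[1]):
        for up in (True, False):
            print(public, "track up" if up else "track down",
                  trace_connection("203.0.113.5", public, 443, up))
```

With the SLA up, a connection to 85.186.7.210:443 arrives on FastEthernet0 but its reply is routed out GigabitEthernet8 still carrying 85.186.7.210 as source; only the address that matches the currently installed default route gets a symmetric reply. Whether such a reply is delivered depends on whether the upstream applies anti-spoofing filtering, which the model does not try to predict.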

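Added example (not part of the original post): a heuristic audit script for the hardening issues this kind of posted running-config makes visible, which are independent of the NAT question. SAMPLE is a constructed excerpt that keeps the same structures as the posted config (line passwords replaced by a placeholder); the finding names and the RISKY_PORTS table are the script's own, and the checks are not a substitute for a full review.

```python
"""Heuristic security audit of a Cisco IOS running-config.

Added example, not from the original post.  SAMPLE is a constructed
excerpt mirroring the posted config's structures; passwords are placeholders.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = """\
no service password-encryption
enable secret 5 $1$ab$placeholderhashvalue
no aaa new-model
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.1.11 443 85.186.7.210 443 extendable
ip nat inside source static tcp 192.168.1.11 3389 85.186.7.210 3389 extendable
ip nat inside source static tcp 192.168.1.11 3389 89.121.216.178 3389 extendable
line con 0
 password example-pw
 login
line vty 0 4
 password example-pw
 login
 transport input all
"""

# Services that should not be published to the Internet through a port forward
RISKY_PORTS = {23: "Telnet", 445: "SMB", 1433: "MSSQL", 3306: "MySQL",
               3389: "RDP", 5900: "VNC"}

Finding = Tuple[str, str]  # (finding id, detail)


def parse_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return top-level commands and a map of section header -> sub-commands.

    IOS nests sub-commands under a header with a single leading space;
    lines starting with '!' are separators or comments.
    """
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections.setdefault(current, [])
    return top, sections


def audit(config: str) -> List[Finding]:
    """Run the checks and return every finding (one per offending line/section)."""
    top, sections = parse_config(config)
    findings: List[Finding] = []
    plaintext = "no service password-encryption" in top

    if "no aaa new-model" in top:
        findings.append(("NO_AAA", "aaa new-model disabled; line passwords only"))
    if "ip http server" in top:
        findings.append(("HTTP_MGMT", "cleartext HTTP management enabled"))
    for cmd in top:
        if cmd.startswith("enable secret 5 "):
            findings.append(("WEAK_ENABLE_HASH", "type 5 (MD5) enable secret"))
        m = re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", cmd)
        if m and int(m.group(5)) in RISKY_PORTS:
            findings.append(("EXPOSED_SERVICE",
                             f"{RISKY_PORTS[int(m.group(5))]} on {m.group(2)} "
                             f"published at {m.group(4)}:{m.group(5)}"))

    for header, subs in sections.items():
        if header.startswith("crypto isakmp policy"):
            for s in subs:
                g = re.match(r"group (\d+)$", s)
                if g and int(g.group(1)) <= 5:   # 1024-bit DH or smaller
                    findings.append(("WEAK_DH_GROUP", f"{header}: DH group {g.group(1)}"))
        if header.startswith("line "):
            if plaintext and any(s.startswith("password ") for s in subs):
                findings.append(("PLAINTEXT_LINE_PASSWORD", header))
        if header.startswith("line vty"):
            if any(s in ("transport input all", "transport input telnet") for s in subs):
                findings.append(("VTY_TELNET", f"{header}: telnet accepted"))
            if not any(s.startswith("access-class ") for s in subs):
                findings.append(("VTY_NO_ACCESS_CLASS", f"{header}: no source restriction"))
    return findings


def finding_ids(config: str) -> List[str]:
    """Distinct finding ids, sorted, for quick comparison between configs."""
    return sorted({fid for fid, _ in audit(config)})


if __name__ == "__main__":
    for fid, detail in audit(SAMPLE):
        print(f"{fid:25} {detail}")
```

Run against SAMPLE it reports the console and vty passwords stored in clear (no `service password-encryption`), telnet accepted on the vty lines with no `access-class`, AAA disabled, HTTP management enabled, an MD5 (type 5) enable secret, DH group 2 in the ISAKMP policy, and RDP published on both public addresses. Only the port-forward check needs judgement (some exposed ports are intentional); the rest are straightforward hardening items.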