05-24-2007 02:47 AM - edited 03-11-2019 03:19 AM
Hello,
I'm using a 2811 with one HWIC-2 DSL module as a router-firewall. I want a failover configuration,
with Fa0/0 as the primary WAN interface, Dialer0 as backup and one HWIC-4ESW (assigned to vlan1) as the LAN
interface. Fa0/0 has a fixed public IP, Dialer0 has a negotiated IP, and Vlan1 has 10.1.0.1/24.
I'm using SDM 2.4 to configure the firewall, so the firewall created by SDM uses a zone-based design,
which is the reason I can't find much information about my problem. In this configuration
I have an in-zone (trusted) and an out-zone (untrusted), with several ACLs set by SDM.
My problem is with NAT order, or so I think. Here is a log of what happened when I started a ping to
www.google.es from one host in the LAN segment (10.1.0.232).
000089: *May 24 10:00:21.031 UTC: IP: tableid=0, s=10.1.0.232 (Vlan1), d=66.28.0.45 (Dialer0), routed via FIB
000090: *May 24 10:00:21.031 UTC: IP: s=83.63.171.52 (Vlan1), d=66.28.0.45 (Dialer0), len 59, dropped by inspect
000091: *May 24 10:00:22.027 UTC: IP: tableid=0, s=10.1.0.232 (Vlan1), d=80.58.32.97 (Dialer0), routed via FIB
000092: *May 24 10:00:22.027 UTC: IP: s=83.63.171.52 (Vlan1), d=80.58.32.97 (Dialer0), len 59, dropped by inspect
000093: *May 24 10:00:22.255 UTC: IP: tableid=0, s=83.43.71.128 (Dialer0), d=83.63.171.52 (Dialer0), routed via RIB
000094: *May 24 10:00:22.255 UTC: IP: s=83.43.71.128 (Dialer0), d=83.63.171.52 (Dialer0), len 48, rcvd 3
000095: *May 24 10:00:22.259 UTC: IP: tableid=0, s=83.63.171.52 (local), d=83.43.71.128 (Dialer0), routed via FIB
000096: *May 24 10:00:22.259 UTC: IP: s=83.63.171.52 (local), d=83.43.71.128 (Dialer0), len 40, sending
000097: *May 24 10:00:23.027 UTC: IP: tableid=0, s=10.1.0.232 (Vlan1), d=66.28.0.45 (Dialer0), routed via FIB
000098: *May 24 10:00:23.027 UTC: IP: s=83.63.171.52 (Vlan1), d=66.28.0.45 (Dialer0), len 59, dropped by inspect
000099: *May 24 10:00:23.575 UTC: IP: tableid=0, s=83.43.71.128 (Dialer0), d=83.63.171.52 (Dialer0), routed via RIB
000100: *May 24 10:00:23.575 UTC: IP: s=83.43.71.128 (Dialer0), d=83.63.171.52 (Dialer0), len 48, rcvd 3
000101: *May 24 10:00:23.579 UTC: IP: tableid=0, s=83.63.171.52 (local), d=83.43.71.128 (Dialer0), routed via FIB
000102: *May 24 10:00:23.579 UTC: IP: s=83.63.171.52 (local), d=83.43.71.128 (Dialer0), len 40, sending
000103: *May 24 10:00:25.031 UTC: IP: tableid=0, s=10.1.0.232 (Vlan1), d=66.28.0.45 (Dialer0), routed via FIB
000104: *May 24 10:00:25.031 UTC: IP: s=83.63.171.52 (Vlan1), d=66.28.0.45 (Dialer0), len 59, dropped by inspect
I'm confused about NAT order; it seems that the outbound packets have a different source address than the
destination address of the inbound ones, but I'm not sure about this.
The NAT table seems to be OK:
udp 83.63.171.52:1024 10.1.0.92:1025 80.58.0.33:53 80.58.0.33:53
udp 83.63.171.52:1025 10.1.0.232:1025 66.28.0.45:53 66.28.0.45:53
udp 83.63.171.52:1025 10.1.0.232:1025 80.58.32.97:53 80.58.32.97:53
The result is no ping, no http, etc from LAN.
What am I doing wrong?
Thanks in advance,
Ignacio Siles.
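As an added example (not part of this thread), here is a small Python script that parses debug ip packet detail output of the shape quoted above, pairs each "routed via" line with the result line that shares its timestamp, and reports packets that were dropped after their source address had already been rewritten, plus whether the destination ever answered. The sample log is constructed from the lines in the post.

```python
import re

# Constructed sample in the shape of the "debug ip packet detail" lines quoted in the post above.
SAMPLE_LOG = """\
000089: *May 24 10:00:21.031 UTC: IP: tableid=0, s=10.1.0.232 (Vlan1), d=66.28.0.45 (Dialer0), routed via FIB
000090: *May 24 10:00:21.031 UTC: IP: s=83.63.171.52 (Vlan1), d=66.28.0.45 (Dialer0), len 59, dropped by inspect
000093: *May 24 10:00:22.255 UTC: IP: tableid=0, s=83.43.71.128 (Dialer0), d=83.63.171.52 (Dialer0), routed via RIB
000094: *May 24 10:00:22.255 UTC: IP: s=83.43.71.128 (Dialer0), d=83.63.171.52 (Dialer0), len 48, rcvd 3
000097: *May 24 10:00:23.027 UTC: IP: tableid=0, s=10.1.0.232 (Vlan1), d=66.28.0.45 (Dialer0), routed via FIB
000098: *May 24 10:00:23.027 UTC: IP: s=83.63.171.52 (Vlan1), d=66.28.0.45 (Dialer0), len 59, dropped by inspect
"""

# One debug line: sequence, timestamp, optional tableid, src/dst with interface, optional len, verdict.
LINE_RE = re.compile(
    r"^(?P<seq>\d+): \*(?P<ts>\w+ +\d+ [\d:.]+) \w+: IP: (?:tableid=\d+, )?"
    r"s=(?P<src>[\d.]+) \((?P<sif>[^)]+)\), d=(?P<dst>[\d.]+) \((?P<dif>[^)]+)\)"
    r"(?:, len \d+)?, (?P<verdict>.+)$"
)

def parse(log):
    """Return one dict per line that matches the debug format; other lines are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def pair_packets(events):
    """Each packet is logged twice: a 'routed via' line, then a result line with the same timestamp."""
    pairs, i = [], 0
    while i + 1 < len(events):
        first, second = events[i], events[i + 1]
        if first["verdict"].startswith("routed via") and first["ts"] == second["ts"]:
            pairs.append((first, second))
            i += 2
        else:
            i += 1
    return pairs

def analyze(log):
    """List dropped packets, noting whether NAT ran before the drop and whether the peer ever replied."""
    pairs = pair_packets(parse(log))
    all_sources = {first["src"] for first, _ in pairs}   # every address seen sending a packet
    drops = []
    for routed, result in pairs:
        if not result["verdict"].startswith("dropped"):
            continue
        drops.append({
            "orig_src": routed["src"],                     # address the routing lookup saw
            "seen_src": result["src"],                     # address the dropping feature saw
            "dst": routed["dst"],
            "nat_before_drop": routed["src"] != result["src"],
            "reply_seen": routed["dst"] in all_sources,    # did the destination ever answer?
        })
    return drops
```

Running analyze(SAMPLE_LOG) on the sample reports two drops whose source had already been translated from 10.1.0.232 to 83.63.171.52 and no reply from 66.28.0.45, which is the pattern the poster is describing.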
05-24-2007 03:12 AM
One more thing...
The DSL line is working properly; a ping to www.google.es from inside the router works.
But if I try to ping 66.102.9.147 (www.google.es), or I paste the URL in the browser (on host 10.1.0.232), debug ip packet detail shows nothing!
Where are all of these packets? They are displayed properly in the NAT tables, but I can't see what happened to them...