10-24-2007 08:15 AM - edited 03-05-2019 07:17 PM
Hi,
We have a router with an ADSL modem connection. VPN and browsing work fine with the current setup. Now we are adding a serial (Internet Leased Line) connection, mainly so that one server is accessible from the Internet.
What Policy-Based Routing approach can I apply here? I have not been successful so far.
VPN & Internet should continue using ADSL.
One server should be using Internet Leased Line (Serial0/0/0).
Below are snippets of the config.
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key xxxxxxxx address x.x.26.91
crypto isakmp key xxxxxxx address x.x.124.74
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 10 ipsec-isakmp
set peer x.x.124.74
set transform-set ESP-3DES-MD5
match address 100
crypto map SDM_CMAP_1 20 ipsec-isakmp
set peer x.x.26.91
set transform-set ESP-3DES-MD5
match address 101
interface FastEthernet0/0
description $INSIDE$
ip address 10.0.0.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
description $OUTSIDE$
ip address 20.20.20.2 255.255.255.0
ip nat outside
crypto map SDM_CMAP_1
!
interface Serial0/0/0
ip address x.x.57.206 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 20.20.20.1
!
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static 10.0.0.6 x.x.182.193
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 90.0.0.0 0.0.0.255
access-list 105 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 105 deny ip 10.0.0.0 0.0.0.255 90.0.0.0 0.0.0.255
access-list 105 permit ip 10.0.0.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 10
match ip address 105
10-30-2007 02:06 PM
interface FastEthernet0/0
ip policy route-map SERVER
interface Serial0/0/0
ip nat outside
route-map SERVER
match ip address 110
set ip next-hop x.x.57.207
access-list 105 deny ip host server_ip_address any
access-list 110 deny ip host server_ip_address 10.0.1.0 0.0.0.255
access-list 110 deny ip host server_ip_address 90.0.0.0 0.0.0.255
access-list 110 permit ip host server_ip_address any
ip nat inside source list 110 interface s0/0/0 overload
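To make the accepted answer's ordering visible, here is an added Python model (not code from the thread) that evaluates access-lists 110 and 105 in IOS first-match order and reports which next hop and NAT rule an inside flow gets. It assumes server_ip_address is 10.0.0.6, uses the thread's masked next hop x.x.57.207 as a label, and places the added ACL 105 deny before the permit, which in IOS requires re-entering the numbered ACL since new entries are appended at the end.

```python
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")

def net(addr, wildcard="0.0.0.0"):
    """Build a network from an IOS 'address wildcard' pair (host = wildcard 0.0.0.0)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

# ACL entries as (action, source, destination); assumed server_ip_address = 10.0.0.6.
ACL_110 = [  # PBR match list: keep VPN-bound server traffic off the leased line
    ("deny",   net("10.0.0.6"), net("10.0.1.0", "0.0.0.255")),
    ("deny",   net("10.0.0.6"), net("90.0.0.0", "0.0.0.255")),
    ("permit", net("10.0.0.6"), ANY),
]
ACL_105 = [  # ADSL NAT list; the server deny must precede the permit to take effect
    ("deny",   net("10.0.0.6"), ANY),
    ("deny",   net("10.0.0.0", "0.0.0.255"), net("10.0.1.0", "0.0.0.255")),
    ("deny",   net("10.0.0.0", "0.0.0.255"), net("90.0.0.0", "0.0.0.255")),
    ("permit", net("10.0.0.0", "0.0.0.255"), ANY),
]

def acl_lookup(acl, src, dst):
    """First matching action wins; an unmatched packet hits the implicit deny."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, s, d in acl:
        if src in s and dst in d:
            return action
    return "deny"

def forwarding_decision(src_ip, dst_ip):
    """Model a packet arriving on Fa0/0 (inside), where route-map SERVER is applied.

    PBR is consulted before the routing table: an ACL 110 permit applies
    'set ip next-hop' toward the leased line; anything else follows the
    static default route to the ADSL gateway, where ACL 105 decides NAT
    and the crypto map picks up the VPN subnets that 105 denies.
    """
    if acl_lookup(ACL_110, src_ip, dst_ip) == "permit":
        return {"next_hop": "x.x.57.207 (Serial0/0/0)", "nat": "PAT on Serial0/0/0"}
    next_hop = "20.20.20.1 (FastEthernet0/1)"
    if acl_lookup(ACL_105, src_ip, dst_ip) == "permit":
        return {"next_hop": next_hop, "nat": "PAT on FastEthernet0/1"}
    return {"next_hop": next_hop, "nat": "none (left for the crypto map)"}

if __name__ == "__main__":
    # Constructed sample flows: server and another inside host, Internet and VPN destinations.
    for src, dst in [("10.0.0.6", "8.8.8.8"), ("10.0.0.6", "10.0.1.10"),
                     ("10.0.0.20", "8.8.8.8"), ("10.0.0.20", "90.0.0.5")]:
        print(src, "->", dst, forwarding_decision(src, dst))
```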
10-30-2007 01:22 PM
Policy-based routing is applied to incoming packets. All packets received on an interface with policy-based routing enabled are considered for policy-based routing.
You can apply PBR based upon your user traffic and internet requirements.
http://cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml
10-30-2007 08:44 PM
Hi,
Thanks for your reply. I already have this document. It's just that I can't figure out how it can be applied in our particular scenario. It looks like the next reply by EdisonOrtiz is the solution to my problem.
Grateful for you sharing your knowledge and for your time.
Regards, Archie
10-30-2007 09:00 PM
Hi Edison,
Many thanks for sharing your knowledge and time.
And I really appreciate the fact that you provided the exact commands to resolve my issue.
Right now, I'm remotely connecting to the inside interface of the router through VPN. After injecting the PBR, I'm not sure if I would be able to directly connect to the serial interface.
Regards,
Archie
10-31-2007 06:27 AM
Those commands shouldn't affect your VPN, however I don't recommend making those changes from remote unless you have another way of getting into the router (via modem, for instance).
10-31-2007 08:04 AM
Hi,
Unfortunately, your warning came late. I already tested the commands (remotely via VPN) on one server and it works. Thanks.
Do I have to add an "ip route..." command to make the Serial interface accessible remotely?
In other sites, the default gateway is the serial int. next hop and accessing serial is not a problem.
Any idea?
Thanks,
Archie
10-31-2007 11:28 AM
10-31-2007 12:01 PM
What portion does not work?
Is the device 10.0.0.6 able to get out to the internet? How about via the tunnel?
Have you tried turning on debug for the route-map?
10-31-2007 02:41 PM
Hi,
I ran portqry on the public IP address for ports 1352 and SMTP and it says they're filtered instead of listening. I got the same result with the NotesConnect tool. The private IP (through the VPN) appears to be responding.
So you can't find anything wrong with the config?
The Domino Server is a VM on ESX but I don't think it makes a difference.
Thanks once again.
Regards, Archie
10-31-2007 04:01 PM
You can't do that unless you statically assign an IP to the internal device via NAT.
Currently, this device is using PAT out to the internet.
If you want to test the route-map works, you need to check the show ip nat trans and see if it's being translated properly.
You can also go to http://www.whatsmyip.org/ from the server and see if it's exiting via the serial 0/0/0 or the fastethernet0/1
11-01-2007 02:25 PM
Hi,
These lines should take care of the static NAT, shouldn't they?
ip nat inside source static tcp 10.0.0.6 25 x.x.182.193 25 extendable
ip nat inside source static tcp 10.0.0.6 1352 x.x.182.193 1352 extendable
All I need is to give a static NAT to a Domino Server in the private network such that it will be accessible from outside using x.x.182.193. Something similar to the ASA/PIX firewall command: static (inside,outside) x.x.182.193 10.0.0.6 netmask 255.255.255.255
I already have the PAT:
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
So I think I no longer need the line for PAT:
ip nat inside source list 110 interface Serial0/0/0 overload
Thanks,
Archie
11-02-2007 06:20 AM
Correct, you can't have PAT and static NAT on the same IP address translation.
11-06-2007 06:55 AM
Hi,
Static translation looks fine from show ip nat translation but there's still no reply if I portqry on x.x.182.193 from outside.
Pro  Inside global     Inside local
---  83.111.182.193    10.0.0.6
10.0.1.0/24 and 90.0.0.0/24 are subnets in other office where VPN is linked.
I don't know what's really wrong with the config below. What if I reverse it: make my default gateway x.x.57.205 and apply PBR to the existing setup?
******
interface Serial0/0/0
ip address x.x.57.206 255.255.255.252
ip access-group 107 in
ip route 0.0.0.0 0.0.0.0 20.20.20.1
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static 10.0.0.6 25 x.x.182.193
access-list 105 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 105 deny ip 10.0.0.0 0.0.0.255 90.0.0.0 0.0.0.255
access-list 105 permit ip 10.0.0.0 0.0.0.255 any
access-list 107 permit tcp any host x.x.182.193 eq 1352
access-list 107 permit tcp any host x.x.182.193 eq smtp
access-list 110 deny ip host 10.0.0.6 10.0.1.0 0.0.0.255
access-list 110 deny ip host 10.0.0.6 90.0.0.0 0.0.0.255
access-list 110 permit ip host 10.0.0.6 any
route-map SERVER permit 10
match ip address 110
set ip next-hop x.x.57.205
route-map SDM_RMAP_1 permit 10
match ip address 105
Regards,
Archie
11-06-2007 07:40 AM
Does the ISP connected via S0/0/0 know to send the route back to you if you source your connection with this address (83.111.182.193)?
Based on the output you've posted, the ISP has a different subnet on s0/0/0.