New Member

PBR help! VPN + Internet on ADSL; static NAT on serial.

Hi,

We have a router with an ADSL modem connection. VPN and browsing work fine with the current setup. Now we are adding a serial (Internet Leased Line) connection, mainly so that one server can be accessible from the Internet.

What Policy-Based Routing approach can I apply here? I haven't been successful so far.

VPN and Internet should continue using ADSL.

One server should use the Internet Leased Line (Serial0/0/0).

Below are snippets of the config.

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key xxxxxxxx address x.x.26.91
crypto isakmp key xxxxxxx address x.x.124.74
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer x.x.124.74
 set transform-set ESP-3DES-MD5
 match address 100
crypto map SDM_CMAP_1 20 ipsec-isakmp
 set peer x.x.26.91
 set transform-set ESP-3DES-MD5
 match address 101
!
interface FastEthernet0/0
 description $INSIDE$
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description $OUTSIDE$
 ip address 20.20.20.2 255.255.255.0
 ip nat outside
 crypto map SDM_CMAP_1
!
interface Serial0/0/0
 ip address x.x.57.206 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 20.20.20.1
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static 10.0.0.6 x.x.182.193
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 90.0.0.0 0.0.0.255
access-list 105 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 105 deny ip 10.0.0.0 0.0.0.255 90.0.0.0 0.0.0.255
access-list 105 permit ip 10.0.0.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 10
 match ip address 105

Silver

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

Policy-based routing is applied to incoming packets. All packets received on an interface with policy-based routing enabled are considered for policy-based routing.

You can apply PBR based on your user traffic and Internet requirements.

http://cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml

New Member

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

Hi,

Thanks for your reply. I already have this document. It's just that I can't figure out how it can be applied in our particular scenario. It looks like the next reply by EdisonOrtiz is the solution to my problem.

Grateful for sharing your knowledge and for your time.

Regards, Archie

Hall of Fame Super Bronze (accepted solution)

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

interface FastEthernet0/0
 ip policy route-map SERVER
!
interface Serial0/0/0
 ip nat outside
!
route-map SERVER
 match ip address 110
 set ip next-hop x.x.57.207
!
access-list 105 deny ip host server_ip_address any
access-list 110 deny ip host server_ip_address 10.0.1.0 0.0.0.255
access-list 110 deny ip host server_ip_address 90.0.0.0 0.0.0.255
access-list 110 permit ip host server_ip_address any
!
ip nat inside source list 110 interface s0/0/0 overload
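The ACL 110 / route-map SERVER logic from the reply above, modelled in Python as an added example (this is not part of the thread and not Cisco's code). It shows the point that tends to trip people up with PBR: a deny entry in the route-map's ACL does not drop the flow, it only excludes the flow from policy routing, so the server's traffic to the VPN subnets falls through to the normal routing table (the ADSL default route, where the crypto map lives) while everything else from the server is sent to the serial next hop. Assumptions: server_ip_address is taken as 10.0.0.6 from the original post, the documentation-range address 203.0.113.205 stands in for the serial next hop, and the destination addresses in the sample flows are constructed.

```python
"""Simulate IOS wildcard-mask ACL matching and a PBR route-map decision.

Added example, not code from the thread. Models only the pieces needed to
see which next hop a packet from the server takes.
"""
import ipaddress
from dataclasses import dataclass

DEFAULT_NEXT_HOP = "20.20.20.1"     # ip route 0.0.0.0 0.0.0.0 20.20.20.1 (ADSL side, crypto map applied)
SERIAL_NEXT_HOP = "203.0.113.205"   # placeholder for the serial peer (x.x.57.205 in the thread)
SERVER = "10.0.0.6"                 # server_ip_address in the reply above

ANY = ("0.0.0.0", "255.255.255.255")   # IOS "any" == 0.0.0.0 with an all-ones wildcard


def host(addr):
    """IOS "host X" == X with a 0.0.0.0 wildcard (exact match)."""
    return (addr, "0.0.0.0")


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: tuple    # (base, wildcard)
    dst: tuple    # (base, wildcard)


def wildcard_match(addr, spec):
    """True if addr matches base/wildcard: wildcard bits set to 1 are ignored."""
    base, wildcard = spec
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = 0xFFFFFFFF ^ w
    return (a & keep) == (b & keep)


def evaluate_acl(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"


# access-list 110 as posted in the reply above
ACL_110 = [
    Ace("deny", host(SERVER), ("10.0.1.0", "0.0.0.255")),   # VPN site 1: not policy routed
    Ace("deny", host(SERVER), ("90.0.0.0", "0.0.0.255")),   # VPN site 2: not policy routed
    Ace("permit", host(SERVER), ANY),                       # everything else from the server
]

# route-map SERVER: one permit clause matching ACL 110 and setting the serial next hop
ROUTE_MAP_SERVER = [("permit", ACL_110, SERIAL_NEXT_HOP)]


def policy_route(src, dst, route_map=ROUTE_MAP_SERVER):
    """Return the next hop for a packet arriving on the PBR-enabled inside interface.

    A packet is policy routed only when a route-map permit clause's ACL returns
    "permit". A "deny" from the ACL (explicit or implicit) means the clause does
    not match, and a packet matching no clause is routed by the routing table.
    """
    for action, acl, next_hop in route_map:
        if evaluate_acl(acl, src, dst) == "permit":
            if action == "permit":
                return {"next_hop": next_hop, "policy_routed": True}
            break   # a route-map deny clause: matched traffic is routed normally
    return {"next_hop": DEFAULT_NEXT_HOP, "policy_routed": False}


def describe_flows():
    """Constructed sample flows; returns (src, dst, next_hop, policy_routed) rows."""
    flows = [
        (SERVER, "10.0.1.50"),        # server to VPN site 1
        (SERVER, "90.0.0.7"),         # server to VPN site 2
        (SERVER, "198.51.100.10"),    # server to the Internet (constructed address)
        ("10.0.0.99", "198.51.100.10"),  # another LAN host to the Internet
    ]
    rows = []
    for src, dst in flows:
        d = policy_route(src, dst)
        rows.append((src, dst, d["next_hop"], d["policy_routed"]))
    return rows


if __name__ == "__main__":
    for src, dst, nh, pbr in describe_flows():
        print(f"{src:>10} -> {dst:<15} next-hop {nh:<15} policy-routed={pbr}")
```

Running it shows the server's VPN-bound traffic and every other LAN host staying on the 20.20.20.1 default route, and only the server's Internet-bound traffic being redirected to the serial next hop. The same matching rules apply to the NAT ACLs in the thread: the "access-list 105 deny ip host server_ip_address any" line keeps the server out of the ADSL PAT, which is what allows a separate translation to apply on the serial side.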

New Member

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

Hi Edison,

Many thanks for sharing your knowledge and time.

And I really appreciate the fact that you provided the exact commands to resolve my issue.

Right now, I'm remotely connecting to the inside interface of the router through VPN. After injecting the PBR, I'm not sure if I would be able to directly connect to the serial interface.

Regards,

Archie

Hall of Fame Super Bronze

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

Those commands shouldn't affect your VPN; however, I don't recommend making those changes remotely unless you have another way of getting into the router (via modem, for instance).

New Member

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

Hi,

Unfortunately, your warning came late. I already tested the commands (remotely via VPN) on one server and it works. Thanks.

Do I have to add an "ip route..." command to make the Serial interface accessible remotely?

In other sites, the default gateway is the serial int. next hop and accessing serial is not a problem.

Any idea?

Thanks,

Archie

New Member

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

Hi,

I was wrong in my tests. It still doesn't work. I attached the config for you to see. Months back we hired the services of a Cisco Gold Partner and the engineer couldn't make it work.

Hope you'll stay with me.

Regards,

Archie

Hall of Fame Super Bronze

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

What portion does not work?

Is the device 10.0.0.6 able to get out to the Internet? How about via the tunnel?

Have you tried turning on debugging for the route-map?

New Member

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

Hi,

I ran portqry against the public IP address on port 1352 and SMTP and it says they are filtered instead of listening. I got the same result with the NotesConnect tool. The private IP (through the VPN) appears to be responding.

So you can't find anything wrong with the config?

The Domino Server is a VM on ESX but I don't think it makes a difference.

Thanks once again.

Regards, Archie

Hall of Fame Super Bronze

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

You can't do that unless you statically assign an IP to the internal device via NAT.

Currently, this device is using PAT out to the internet.

If you want to test the route-map works, you need to check the show ip nat trans and see if it's being translated properly.

You can also go to http://www.whatsmyip.org/ from the server and see if it's exiting via the serial 0/0/0 or the fastethernet0/1

New Member

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

Hi,

These lines should take care of the static NAT, shouldn't they?

ip nat inside source static tcp 10.0.0.6 25 x.x.182.193 25 extendable
ip nat inside source static tcp 10.0.0.6 1352 x.x.182.193 1352 extendable

All I need is to give a static NAT to a Domino Server in the private network such that it will be accessible from outside using x.x.182.193. Something similar to the ASA/PIX firewall command: static (inside,outside) x.x.182.193 10.0.0.6 netmask 255.255.255.255

I already have the PAT:

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload

So I think I no longer need the line for PAT:

ip nat inside source list 110 interface Serial0/0/0 overload

Thanks,

Archie

Hall of Fame Super Bronze

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

Correct, you can't have PAT and static NAT on same IP address translation.

New Member

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

Hi,

Static translation looks fine from show ip nat translation, but there's still no reply if I portqry x.x.182.193 from outside.

Pro Inside global      Inside local
--- 83.111.182.193     10.0.0.6

10.0.1.0/24 and 90.0.0.0/24 are subnets in other office where VPN is linked.

I don't know what's really wrong with the config below. What if I reverse it: make my default gateway x.x.57.205 and apply PBR to the existing setup?

******

interface Serial0/0/0
 ip address x.x.57.206 255.255.255.252
 ip access-group 107 in
!
ip route 0.0.0.0 0.0.0.0 20.20.20.1
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static 10.0.0.6 25 x.x.182.193
!
access-list 105 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 105 deny ip 10.0.0.0 0.0.0.255 90.0.0.0 0.0.0.255
access-list 105 permit ip 10.0.0.0 0.0.0.255 any
access-list 107 permit tcp any host x.x.182.193 eq 1352
access-list 107 permit tcp any host x.x.182.193 eq smtp
access-list 110 deny ip host 10.0.0.6 10.0.1.0 0.0.0.255
access-list 110 deny ip host 10.0.0.6 90.0.0.0 0.0.0.255
access-list 110 permit ip host 10.0.0.6 any
!
route-map SERVER permit 10
 match ip address 110
 set ip next-hop x.x.57.205
!
route-map SDM_RMAP_1 permit 10
 match ip address 105

Regards,

Archie

Hall of Fame Super Bronze

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

Does the ISP connected via S0/0/0 know to route traffic back to you if you source your connection from this address (83.111.182.193)?

Based on the output you've posted, the ISP has a different subnet on s0/0/0.

New Member

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

Hi,

83.111.182.192/29 is the host subnet and 213.42.57.206/30 is the WAN subnet. That's what the ISP (Etisalat in the United Arab Emirates) gave us. In our other two offices in the same region, which also have a serial connection, the WAN subnet is always different. It might be a good idea to statically assign one of the host IPs to a PC and test the connection. We tried it before and it worked, but we'll try it once again to erase any doubt.

Thanks for your continuous help.

Regards, Archie

Hall of Fame Super Bronze

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

Yes, I suggest testing the connection without the PBR and verify the ISP is routing your LAN subnet back to you.

New Member

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

Hi,

There is a reply on 82.111.182.193 when pinging. I tested it and the Network Operation Center of the ISP confirmed that they are also getting a reply. Could it be possible that ports 1352 and 25 just aren't working, or are blocked?

If we buy an ASA5505, can I connect an ADSL/router combo box to one of the switch ports and have a dynamic IPSec connection on the ASA5505? The serial connection would still be on the 1841. Static NAT for Domino will be in the firewall.

This is my plan, but I don't know if it will work. I can't afford to lose the VPN on the ADSL connection.

Thanks a lot.

Regards, Archie

Hall of Fame Super Bronze

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

>Could it be possible that the 1352 and 25 ports are not just working or blocked?

Did you test it without the route-map?

> If we buy an ASA5505, can I connect an ADSL/router combo box

> to one of the switch ports and have a dynamic IPSec connection on ASA5505?

Yes, it will work.

New Member

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

Hi,

It was tested with the route-map.

If you say that it will work then I think we'll just buy an ASA5505 and set it up the way I planned. It's just frustrating that I am not successful with PBR on the router alone.

Thanks for your continuous help.

Regards, Archie

New Member

Re: PBR help! VPN + Internet on ADSL; static NAT on serial.

I haven't turned on debugging for the route-map yet. I will do that once I'm back in the office.
