route help couldn't access Internet

srikanth ath
Level 4

Hi all experts,

I couldn't access the internet with the route specified. I know the problem is with the route or NAT. Please guide me in the config where I'm wrong.

i have 2911 router

yourname#sh version

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M5, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2011 by Cisco Systems, Inc.

Compiled Wed 23-Feb-11 15:41 by prod_rel_team

# sh run

interface GigabitEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$

no ip address

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface GigabitEthernet0/0.1 

encapsulation dot1Q 25

ip address 10.10.45.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface GigabitEthernet0/1               ---------ISP 1

ip address 182.74.152.42 255.255.255.248

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface GigabitEthernet0/2                       ---------ISP 2

ip address 99.99.99.99 255.255.255.0

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

ip forward-protocol nd

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 10 interface GigabitEthernet0/0 overload

ip route profile

ip route 0.0.0.0 0.0.0.0 182.74.152.41

ip route 0.0.0.0 0.0.0.0 99.99.99.100   250

I could ping from LAN IPs to the ISP1 and ISP2 gateway IPs, but when I ping any site, for example gmail.com, packets are not moving out to the ISP1 or ISP2 interfaces.

Traceroute from PC:

C:\Users\hema>tracert 72.66.55.133

Tracing route to 72.66.55.133 over a maximum of 30 hops

  1    13 ms    <1 ms    <1 ms  10.10.45.1

  2  10.10.45.1  reports: Destination host unreachable.

Trace complete.

Attached is the route format the 2911 prompts, which I can't understand exactly.

Thanks & regards

srikanth

10 Replies

cadet alain
VIP Alumni

Hi,

Do this:

no ip nat inside source list 10 interface GigabitEthernet0/0 overload

ip nat inside source list 10 interface GigabitEthernet0/1 overload

With your config, if the WAN ISP 1 interface goes down you won't be able to communicate through ISP2 as you won't be natting.

You should do this config instead if you want failover:

ip sla 1

icmp-echo 8.8.8.8 source-interface G0/1

timeout 1000

threshold 2

frequency 3

ip sla schedule 1 life forever start-time now

track 1 ip sla 1 reachability

ip route 0.0.0.0 0.0.0.0 182.74.152.41 track 1

ip route 0.0.0.0 0.0.0.0 99.99.99.100   25

route-map ISP1

match ip address 10

match interface g0/1

route-map ISP2

match ip address 10

match interface g0/2

ip nat inside source route-map ISP1 interface GigabitEthernet0/1

ip nat inside source route-map ISP2 interface GigabitEthernet0/2

Regards.

Alain

Don't forget to rate helpful posts.
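
The two problems this answer identifies, as an added example that is not part of the original reply: a Python check that reads the relevant lines of the posted configuration and reports a NAT rule pointing at a non-outside interface, plus any default route whose egress interface has no NAT rule. The function name `audit_nat` and the trimmed config sample are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample: the NAT- and routing-relevant lines of the config posted in the question.
POSTED_CONFIG = """\
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/0.1
 ip address 10.10.45.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 182.74.152.42 255.255.255.248
 ip nat outside
interface GigabitEthernet0/2
 ip address 99.99.99.99 255.255.255.0
 ip nat outside
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 182.74.152.41
ip route 0.0.0.0 0.0.0.0 99.99.99.100 250
"""

def audit_nat(config):
    """Return findings about NAT rules that cannot translate outbound traffic."""
    roles, nets, nat_ifaces, hops, current = {}, {}, [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)                      # entering an interface block
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            nets[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif m := re.match(r"ip nat (inside|outside)$", line):
            roles[current] = m.group(1)               # NAT role of this interface
        elif m := re.match(r"ip nat inside source \S+ \S+ interface (\S+)", line):
            nat_ifaces.append(m.group(1))             # interface whose address is used for PAT
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\d+\.\d+\.\d+\.\d+)", line):
            hops.append(ipaddress.ip_address(m.group(1)))
    findings = []
    for iface in nat_ifaces:
        if roles.get(iface) != "outside":
            findings.append(f"NAT rule translates to {iface}, which is not 'ip nat outside'")
    for hop in hops:
        # The egress interface is the one whose connected subnet contains the next hop.
        egress = next((i for i, n in nets.items() if hop in n), None)
        if egress and egress not in nat_ifaces:
            findings.append(f"default route via {hop} leaves on {egress}, which has no NAT rule")
    return findings

if __name__ == "__main__":
    for finding in audit_nat(POSTED_CONFIG):
        print(finding)
```

Run against the posted config it reports the G0/0 rule and both default routes; with the rule moved to GigabitEthernet0/1 only the ISP2 route remains flagged, which is the failover gap the reply describes.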

Hi alain

I couldn't configure the SLA here. It's prompting some other commands which I'm not aware of.

yourname(config)#ip sla ?

  key-chain  Use MD5 authentication for IP SLAs Control Messages

  responder  Enable IP SLAs Responder

yourname(config)#ip sla res

yourname(config)#ip sla responder

yourname(config)#ip sj

yourname(config)#ip sl

yourname(config)#ip sla ?

  key-chain  Use MD5 authentication for IP SLAs Control Messages

  responder  Enable IP SLAs Responder

yourname(config)#ip sla

% Incomplete command.

yourname(config)#ip sla key

yourname(config)#ip sla key-chain ?

  WORD  Name of key-chain

yourname(config)#ip sla  key

yourname(config)#ip sla  key-chain ?

  WORD  Name of key-chain

yourname(config)#ip sla  key-chain lucky ?

 

yourname(config)#ip sla sche

yourname(config)#ip sla schedule ?

% Unrecognized command

yourname(config)#ip sla schedule

thanks & regards

srikanth

Hi,

I found out that you need the Security or Data License to use this feature, so if you've got IP Base it won't work.

Just forget about the tracking for now until you update your IOS then.

Regards.

Alain

Don't forget to rate helpful posts.

Hi alain

This is working now; I can access the internet.

The router we are using is for VoIP traffic; it is specifically dedicated to VoIP traffic.

How could I allow the following IPs to communicate on ports 5060 & 5082 and block all other incoming/outgoing traffic?

source/destination:

77.240.XX.0/255.255.255.0

77.240.XX.0/255.255.255.0 

destination/source: 10.10.45.0/24

port : 5060,5082

this is simply : 10.10.45.0/0<-----------to communicate with only---------------------->77.240.XX.0/24

Thanks & regards

srikanth

Hi,

so you want 77.240.x.x ip address to communicate with 10.10.45.0/24  subnet on port 5060 and 5082 ?

and for the 2 ISPs ?

Regards.

Alain.

Don't forget to rate helpful posts.

No, for the time being we need it only for ISP1.

Yes, exactly:

77.240.x.x IP address to communicate with 10.10.45.0/24 subnet on ports 5060 and 5082

and all the rest should be denied.

To this router we are connecting only IP phones, so we don't need access for the clients to go and browse the internet.

I mean only two-way communication between 77.240.x.x and 10.10.45.0/24 on ports 5060 and 5082; all the rest denied.

Example: a client should not access IP 72.156.17.33 (Facebook IP); it should be blocked at the inside interface or outside interface.

For ISP2 I gave a default route with a bit higher metric cost than ISP1.

This is not needed though. If you can share the config, that would be helpful to go ahead in the near future.

Hi,

If you want to do a static NAT for a subnet you must have public IP addresses assigned by the ISP; otherwise you can only do a static PAT for each host, natting inside address and service to outside interface address and service.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi alain/all,

We need the services to run as mentioned above.

We have public IPs that should NAT to the inside subnet (10.10.45.0/24), and we have an Asterisk server, server IP 10.10.45.151, which should have a public IP to access the outside world for only the few IPs provided above on port 5060 etc.; all the rest should be denied.

The public IPs we have are 182.72.xx.xxx/30 (only two). One should NAT to the whole subnet and one to a single server, or how does this have to be done?

1. ISP:

outside

LAN IPs:

182.74.152.42

255.255.255.248

gateway: 187.74.152.42

WAN IP's: 182.72.XX.XXX  and 182.72.XX.XXY

2. Inside :

subnet: 10.10.14.0/24 ---- to be natted to single public IP 182.72.XX.XXY (here we use only VoIP phones)

Asterisk server: 10.10.45.151 ---- to be natted to public IP 182.72.XX.XXX with services running, e.g. udp 5060,5085, to allow access to 77.XX.XX.0/255.255.255.0 and restrict all other IPs on the internet from accessing the Asterisk server.

So what's the better way?

I'm really poor at understanding how this has to be done, so I want to clear things up.

How to proceed with this?

thanks & regards

srikanth

Hi all

can anyone help me out on this.. any suggestions are appreciated.

thanks

srikanth
