12-20-2011 12:53 AM - edited 03-07-2019 03:59 AM
Hi all experts,
I couldn't access the internet with the route specified. I know the problem is with the route or NAT. Please guide me in the config where I'm wrong.
i have 2911 router
yourname#sh version
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M5, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Wed 23-Feb-11 15:41 by prod_rel_team
# sh run
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
no ip address
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 25
ip address 10.10.45.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1 ---------ISP 1
ip address 182.74.152.42 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/2 ---------ISP 2
ip address 99.99.99.99 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip route profile
ip route 0.0.0.0 0.0.0.0 182.74.152.41
ip route 0.0.0.0 0.0.0.0 99.99.99.100 250
I could ping from LAN IPs to the ISP1 and ISP2 gateway IPs, but when I ping any site, for example gmail.com, packets are not moving out to the ISP1 or ISP2 interfaces.
Traceroute from PC:
C:\Users\hema>tracert 72.66.55.133
Tracing route to 72.66.55.133 over a maximum of 30 hops
1 13 ms <1 ms <1 ms 10.10.45.1
2 10.10.45.1 reports: Destination host unreachable.
Trace complete.
Attached Route format 2911 prompts, where I can't understand exactly.
Thanks & regards
srikanth
12-20-2011 01:29 AM
Hi,
Do this:
no ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source list 10 interface GigabitEthernet0/1 overload
With your config, if the WAN ISP 1 interface goes down you won't be able to communicate through ISP2 as you won't be natting.
You should do this config instead if you want failover:
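ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
! Primary default route, withdrawn when track 1 goes down
ip route 0.0.0.0 0.0.0.0 182.74.152.41 track 1
! Floating backup default route via ISP 2
ip route 0.0.0.0 0.0.0.0 99.99.99.100 25
route-map ISP1 permit 10
 match ip address 10
 match interface GigabitEthernet0/1
route-map ISP2 permit 10
 match ip address 10
 match interface GigabitEthernet0/2
! overload (PAT) so the whole LAN can share each interface address
ip nat inside source route-map ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/2 overload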
Regards.
Alain
12-20-2011 01:52 AM
Hi alain
I couldn't configure the SLA here. It's prompting some other commands that I'm not aware of.
yourname(config)#ip sla ?
key-chain Use MD5 authentication for IP SLAs Control Messages
responder Enable IP SLAs Responder
yourname(config)#ip sla res
yourname(config)#ip sla responder
yourname(config)#ip sj
yourname(config)#ip sl
yourname(config)#ip sla ?
key-chain Use MD5 authentication for IP SLAs Control Messages
responder Enable IP SLAs Responder
yourname(config)#ip sla
% Incomplete command.
yourname(config)#ip sla key
yourname(config)#ip sla key-chain ?
WORD Name of key-chain
yourname(config)#ip sla key
yourname(config)#ip sla key-chain ?
WORD Name of key-chain
yourname(config)#ip sla key-chain lucky ?
yourname(config)#ip sla sche
yourname(config)#ip sla schedule ?
% Unrecognized command
yourname(config)#ip sla schedule
thanks & regards
srikanth
12-20-2011 02:55 AM
Hi,
I found out that you need the Security or Data License to use this feature so if you've got IP Base it won't work.
Just forget about the tracking for now until you update your IOS then.
Regards.
Alain
12-20-2011 03:33 AM
Hi alain
This is working now, I can access the internet.
The router we are using is for VoIP traffic; it is specifically dedicated to VoIP traffic.
How can I allow the following IPs to communicate on ports 5060 & 5082 and block all the rest of the incoming/outgoing traffic?
source/destination:
77.240.XX.0/255.255.255.0
77.240.XX.0/255.255.255.0
destination/source: 10.10.45.0/24
port : 5060,5082
this is simply : 10.10.45.0/0<-----------to communicate with only---------------------->77.240.XX.0/24
Thanks & regards
srikanth
12-20-2011 03:43 AM
Hi,
so you want 77.240.x.x ip address to communicate with 10.10.45.0/24 subnet on port 5060 and 5082 ?
and for the 2 ISPs ?
Regards.
Alain.
12-20-2011 03:46 AM
No, for the time being we need it only for ISP1.
Yes exactly :
77.240.x.x ip address to communicate with 10.10.45.0/24 subnet on port 5060 and 5082
and rest all should be denied.
To this router we are connecting only IP phones, so we don't need access for the clients to go and browse the internet.
I mean only two-way communication between 77.240.x.x and 10.10.45.0/24 at ports 5060 and 5082; all the rest denied.
Example: a client should not access IP 72.156.17.33 (Facebook IP); it should be blocked at the inside interface or outside interface.
For ISP2 I gave a default route with a bit higher metric cost than ISP1.
This is not needed though. If you can share the config, that would be helpful to go ahead in the near future.
12-20-2011 04:29 AM
Yes exactly :
77.240.x.x ip address to communicate with 10.10.45.0/24 subnet on port 5060 and 5082
and rest all should be denied.
12-20-2011 05:10 AM
Hi,
if you want to do a static NAT for a subnet you must have public IP addresses assigned by ISP otherwise you can only do a static PAT for each host natting inside address and service to outside interface address and service.
Regards.
Alain.
12-20-2011 09:15 PM
Hi Alain/all,
We need the services to run as mentioned above.
We have public IPs that should NAT to the inside subnet (10.10.45.0/24), and we have an Asterisk server, which should have a public IP (server IP 10.10.45.151), to access the outside world for only the few IPs provided above on port 5060 etc.; all the rest should be denied.
Public IPs we have: 182.72.xx.xxx/30 (only two). One should NAT to the whole subnet and one to a single server, or how does this have to be done?
1. ISP:
outside
LAN IPs:
182.74.152.42
255.255.255.248
gateway: 187.74.152.42
WAN IP's: 182.72.XX.XXX and 182.72.XX.XXY
2. Inside :
subnet: 10.10.14.0/24 -----------------------to be natted to the single public 182.72.XX.XXY (here we use only VoIP phones)
Asterisk server: 10.10.45.151 --------------------to be natted to public IP 182.72.XX.XXX with service running, e.g. udp 5060,5085, to allow access to
77.XX.XX.0/255.255.255.0 and restrict access from all other IPs on the internet to the Asterisk server.
So what's the better way?
I'm really poor at understanding how this has to be done, so I want to clear things up.
How do I proceed with this?
thanks & regards
srikanth
12-21-2011 02:49 AM
Hi all
Can anyone help me out on this? Any suggestions are appreciated.
thanks
srikanth
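Added example, not part of any post in this thread and not the posters' own configuration: one way to combine the static PAT Alain describes with stateless ACLs so that only 77.240.XX.0/24 can exchange traffic with 10.10.45.0/24 on ports 5060 and 5082. Assumptions: the ports are UDP, NAT overload is on GigabitEthernet0/1 as in the first reply, the ACL names ISP1-IN and LAN-IN are made up here, and 77.240.XX.0 is the thread's masked value that must be replaced with the real prefix.

```cisco
! Added example. 77.240.XX.0 is the masked prefix from the thread (placeholder).
! Assumption: SIP signalling on UDP 5060 and 5082.
!
! Static PAT: publish only the two service ports of the Asterisk server
! on the ISP1 interface address.
ip nat inside source static udp 10.10.45.151 5060 interface GigabitEthernet0/1 5060
ip nat inside source static udp 10.10.45.151 5082 interface GigabitEthernet0/1 5082
!
! Inbound on ISP1. The ACL is evaluated before NAT, so the destination
! is the public interface address, not 10.10.45.x.
ip access-list extended ISP1-IN
 ! requests from the provider to the published ports
 permit udp 77.240.XX.0 0.0.0.255 host 182.74.152.42 eq 5060
 permit udp 77.240.XX.0 0.0.0.255 host 182.74.152.42 eq 5082
 ! replies from the provider to calls placed from the LAN
 permit udp 77.240.XX.0 0.0.0.255 eq 5060 host 182.74.152.42
 permit udp 77.240.XX.0 0.0.0.255 eq 5082 host 182.74.152.42
 deny ip any any log
!
! Inbound from the LAN. Also evaluated before NAT, so sources are private.
ip access-list extended LAN-IN
 ! phones and server calling the provider
 permit udp 10.10.45.0 0.0.0.255 77.240.XX.0 0.0.0.255 eq 5060
 permit udp 10.10.45.0 0.0.0.255 77.240.XX.0 0.0.0.255 eq 5082
 ! server answering requests that arrived on the published ports
 permit udp host 10.10.45.151 eq 5060 77.240.XX.0 0.0.0.255
 permit udp host 10.10.45.151 eq 5082 77.240.XX.0 0.0.0.255
 ! everything else (web browsing etc.) is dropped and logged
 deny ip any any log
!
interface GigabitEthernet0/1
 ip access-group ISP1-IN in
!
interface GigabitEthernet0/0.1
 ip access-group LAN-IN in
```

The thread never mentions the RTP media ports, so this permits signalling only. The final deny in LAN-IN also drops phone traffic addressed to the router itself (DHCP, management), so add those permits above it if the router provides them.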