Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Multiple Default Gateways ~ Multiple zero-routes using PBR

I'm sure this config can be modified to use multiple fastE or GigE interfaces rather than Cell interfaces

the purpose of this was to have multiple servers to access the internet; out it's own 'cell' card depending on which VLAN they are on

Visio.png

VLAN210 goes to Cell0

VLAN211 goes to Cell1

VLAN212 goes to Cell2

VLAN213 goes to Cell3

there is no failover however, if one of the Cell cards fails, the servers on that VLAN will not have a secondary default route out

these servers are in their own DMZ behind the ASA and do not have access to the internal LAN based on ASA firewall rules

The LAN (inside) has full access to the DMZ

The ASA is reistributing into EIGRP the routes to the internal core:

     ip route 192.168.210.0 255.255.255.0 192.168.204.1

     ip route 192.168.211.0 255.255.255.0 192.168.204.1

     ip route 192.168.212.0 255.255.255.0 192.168.204.1

     ip route 192.168.213.0 255.255.255.0 192.168.204.1

Router config:


version 15.2
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service internal
no service dhcp
!
hostname ROUTER
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.152-4.XB10.bin
boot-end-marker
!
!
logging buffered 2097152
!
!
multilink bundle-name authenticated
!
!!!Multiple Cellular cards require their own CHAT script

chat-script ltescript1 "" "AT!CALL1" TIMEOUT 20 "OK"
chat-script ltescript0 "" "AT!CALL1" TIMEOUT 20 "OK"
chat-script ltescript2 "" "AT!CALL1" TIMEOUT 20 "OK"
chat-script ltescript3 "" "AT!CALL1" TIMEOUT 20 "OK"
!
!
license udi pid CISCO2901/K9 sn FTX173684AU
license boot module c2900 technology-package datak9
!
!
!
!
controller Cellular 0/0
!
controller Cellular 0/1
!
controller Cellular 0/2
!
controller Cellular 0/3
!
ip ssh version 2
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.204
description DMZ_SUBNET
encapsulation dot1Q 204
ip address 192.168.204.1 255.255.254.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip policy route-map clear-df
!
interface GigabitEthernet0/0.210
description VLAN210_Default_Gateway
encapsulation dot1Q 210
ip address 192.168.210.1 255.255.255.0
ip access-group Outbound_Traffic in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip policy route-map CELL0_MATCH_ROUTE
!
interface GigabitEthernet0/0.211
description VLAN211_Default_Gateway
encapsulation dot1Q 211
ip address 192.168.211.1 255.255.255.0
ip access-group Outbound_Traffic in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip policy route-map CELL1_MATCH_ROUTE
!
interface GigabitEthernet0/0.212
description VLAN212_Default_Gateway
encapsulation dot1Q 212
ip address 192.168.212.1 255.255.255.0
ip access-group Outbound_Traffic in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip policy route-map CELL2_MATCH_ROUTE
!
interface GigabitEthernet0/0.213
description VLAN213_Default_Gateway
encapsulation dot1Q 213
ip address 192.168.213.1 255.255.255.0
ip access-group Outbound_Traffic in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip policy route-map CELL3_MATCH_ROUTE
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface Cellular0/0/0
description VLAN210_Next_Hop_0.0.0.0_Route
ip address negotiated
ip access-group Inbound_Traffic in
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer string ltescript0
dialer watch-group 1
dialer-group 1
async mode interactive
!
interface Cellular0/1/0
description VLAN211_Next_Hop_0.0.0.0_Route
ip address negotiated
ip access-group Inbound_Traffic in
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer string ltescript1
dialer watch-group 2
dialer-group 2
async mode interactive
!
interface Cellular0/2/0
description VLAN212_Next_Hop_0.0.0.0_Route
ip address negotiated
ip access-group Inbound_Traffic in
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer string ltescript2
dialer watch-group 3
dialer-group 3
async mode interactive
!
interface Cellular0/3/0
description VLAN213_Next_Hop_0.0.0.0_Route
ip address negotiated
ip access-group Inbound_Traffic in
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer string ltescript3
dialer watch-group 4
dialer-group 4
async mode interactive
!
ip nat inside source route-map CELL0_PAT interface Cellular0/0/0 overload
ip nat inside source route-map CELL1_PAT interface Cellular0/1/0 overload
ip nat inside source route-map CELL2_PAT interface Cellular0/2/0 overload
ip nat inside source route-map CELL3_PAT interface Cellular0/3/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/3/0
ip route 10.0.0.0 255.254.0.0 192.168.205.1 name ASA_to_Internal
!
ip access-list extended Inbound_Traffic
permit tcp any eq 8081 any
permit tcp any eq 5222 any
permit tcp any eq 993 any
remark -- General Deny Statements --
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
remark Deny to the Router from the Outside
deny   tcp any any eq telnet
deny   tcp any any eq 22
deny   tcp any any eq ftp
deny   udp any any eq tftp
deny   tcp any any eq 443
deny   tcp any any eq www
deny   udp any any eq snmp
remark -- Deny special host IP addresses --
deny   ip host 0.0.0.0 any
deny   ip host 255.255.255.255 any
remark -- Only Allow web based traffic in --
permit tcp any eq www any
permit icmp any any
permit tcp any eq 443 any
deny   ip any any log

ip access-list extended Outbound_Traffic
permit ip any any

ip access-list extended VLAN210->10.dot
permit ip 192.168.210.0 0.0.0.255 10.0.0.0 0.255.255.255
permit icmp 192.168.210.0 0.0.0.255 10.0.0.0 0.255.255.255

ip access-list extended VLAN210->any
deny   ip 192.168.210.0 0.0.0.255 10.0.0.0 0.255.255.255
deny   icmp 192.168.210.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip any any
permit icmp any any

ip access-list extended VLAN211->10.dot
permit ip 192.168.211.0 0.0.0.255 10.0.0.0 0.255.255.255
permit icmp 192.168.211.0 0.0.0.255 10.0.0.0 0.255.255.255

ip access-list extended VLAN211->any
deny   ip 192.168.211.0 0.0.0.255 10.0.0.0 0.255.255.255
deny   icmp 192.168.211.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip any any
permit icmp any any

ip access-list extended VLAN212->10.dot
permit ip 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255
permit icmp 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255

ip access-list extended VLAN212->any
deny   ip 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255
deny   icmp 192.168.212.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip any any
permit icmp any any

ip access-list extended VLAN213->10.dot
permit ip 192.168.213.0 0.0.0.255 10.0.0.0 0.255.255.255
permit icmp 192.168.213.0 0.0.0.255 10.0.0.0 0.255.255.255

ip access-list extended VLAN213->any
deny   ip 192.168.213.0 0.0.0.255 10.0.0.0 0.255.255.255
deny   icmp 192.168.213.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip any any
permit icmp any any
!
logging origin-id hostname
logging source-interface GigabitEthernet0/0

access-list 100 permit ip 192.168.210.0 0.0.0.255 any
access-list 101 permit ip 192.168.211.0 0.0.0.255 any
access-list 102 permit ip 192.168.212.0 0.0.0.255 any
access-list 103 permit ip 192.168.213.0 0.0.0.255 any

dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 30
dialer watch-list 1 delay connect 1
dialer watch-list 2 ip 1.2.3.4 0.0.0.0
dialer watch-list 2 delay route-check initial 30
dialer watch-list 2 delay connect 1
dialer watch-list 3 ip 6.7.8.9 0.0.0.0
dialer watch-list 3 delay route-check initial 30
dialer watch-list 3 delay connect 1
dialer watch-list 4 ip 2.3.4.5 0.0.0.0
dialer watch-list 4 delay route-check initial 30
dialer watch-list 4 delay connect 1
!
route-map CELL0_PAT permit 10
match ip address 100
set interface Cellular0/0/0
!
route-map CELL1_PAT permit 10
match ip address 101
set interface Cellular0/1/0
!
route-map CELL2_PAT permit 10
match ip address 102
set interface Cellular0/2/0
!
route-map CELL3_PAT permit 10
match ip address 103
set interface Cellular0/3/0
!
route-map CELL0_MATCH_ROUTE permit 10
match ip address VLAN210->any
set ip df 0
set interface Cellular0/0/0
!
route-map CELL0_MATCH_ROUTE permit 20
match ip address VLAN210->10.dot
set ip next-hop 192.168.205.1
!
route-map CELL1_MATCH_ROUTE permit 10
match ip address VLAN211->any
set ip df 0
set interface Cellular0/1/0
!
route-map CELL1_MATCH_ROUTE permit 20
match ip address VLAN211->10.dot
set ip next-hop 192.168.205.1
!
route-map CELL2_MATCH_ROUTE permit 10
match ip address VLAN212->any
set ip df 0
set interface Cellular0/2/0
!
route-map CELL2_MATCH_ROUTE permit 20
match ip address VLAN212->10.dot
set ip next-hop 192.168.205.1
!
route-map CELL3_MATCH_ROUTE permit 10
match ip address VLAN213->any
set ip df 0
set interface Cellular0/3/0
!
route-map CELL3_MATCH_ROUTE permit 20
match ip address VLAN213->10.dot
set ip next-hop 192.168.205.1
!
route-map clear-df permit 10
set ip df 0
!
!
alias exec cellreboot1 test cellular 0/1/0 modem-power
alias exec cellreboot0 test cellular 0/0/0 modem-power
alias exec cellreboot2 test cellular 0/2/0 modem-power
alias exec cellreboot3 test cellular 0/3/0 modem-power
alias exec cell0 sh cell 0/0/0 all
alias exec cell1 sh cell 0/1/0 all
alias exec cell2 sh cell 0/2/0 all
alias exec cell3 sh cell 0/3/0 all
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1

line 0/0/0
script dialer ltescript0
modem InOut
no exec
rxspeed 100000000
txspeed 50000000
line 0/1/0
script dialer ltescript1
modem InOut
no exec
rxspeed 100000000
txspeed 50000000
line 0/2/0
script dialer ltescript2
modem InOut
no exec
rxspeed 100000000
txspeed 50000000
line 0/3/0
script dialer ltescript3
modem InOut
no exec
rxspeed 100000000
txspeed 50000000

line vty 0 15
session-timeout 600
exec-timeout 600 0
privilege level 15
password 0 cisco
logging synchronous
transport preferred ssh
transport input ssh

Version history
Revision #:
1 of 1
Last update:
‎12-16-2013 07:42 AM
Updated by:
 
Labels (1)
Comments
New Member

Please notes that where we are creating route-map to be used in NAT statement. There we will use match statement for interface also so that if both the conditions match only then traffic will be natted.

 

Set statement is not needed there. Set is needed only when route-map is used to policy route traffic

ip nat inside source route-map CELL3_PAT interface Cellular0/3/0 overload

Inconrrect:

!
route-map CELL3_PAT permit 10
match ip address 103
set interface Cellular0/3/0
!

Correct:

!
route-map CELL3_PAT permit 10
match ip address 103
match interface Cellular0/3/0
!