I mentioned the http server because if that is disabled then the SDM won't be accessible via http.

I will try that route-map suggestion, thank you.

The HTTP you see on the SDM is to enable web access to the router. It has got nothing to do with the access-list statements you configure.

As suugested use route-maps and force the http & https towards your prefered link and have a default route for the non prefered one

hth

Narayan

I have setup the route-map and the access-list as in your example, however it doesn't appear that any web traffic is being redirected to that interface, FE 0/1.

I also tried applying the route-map to the "inside" interface, FE 0/0, and that simply stopped all web traffic. I'm assuming the route-map need to be applied to the "inside" interface.

It will be much easier to provide effective answers if you will post the config that you have been using. Based on your description of the symptoms but without seeing what is actually configured, we are not likely to find the right answer.

HTH

Rick

why wouldnt you just point a static default route out of that interaface to be used for internet ?

Here is one eg.config which i used and it works fine

STM :- 10.10.10.1/30

DSL :- 20.20.20.1/30

LAN Pool from STM - 100.100.100.0/28

LAN Pool from DSL - 200.200.200.0/28

your router IP's

towards STM - 10.10.10.2/30

towards DSL - 20.20.20.2/30

route-map toDSL permit 1

match ip address 111

set ip next-hop 20.20.20.1

access-list 111 permit tcp any any eq www

ip route 0.0.0.0 0.0.0.0 10.10.10.1

ip route 200.200.200.0 255.255.255.240

interface ethernet 0/1

ip address 100.100.100.1 255.255.255.240

ip policy route-map toDSL

HTH

Narayan

I setup the route-map and access-list and applied it to FE 0/1 (DSL connection), however it still appears nothing is going through that interface. When I monitor it in the SDM, it shows 0% bandwidth usage.

Just to double check I unplugged the DSL to see if web traffic stopped, but it was still going, I assume through the T1 at S 0/2/0.

FE 0/0 goes to our fw, then to lan

FE 0/1 goes to DSL

S 0/2/0 goes to T1

Here is my config:

router#show run

Building configuration...

Current configuration : 4506 bytes

!

! Last configuration change at 10:29:45 MDT Fri Aug 4 2006 by admin

! NVRAM config last updated at 15:17:31 MDT Thu Aug 3 2006 by admin

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

boot-start-marker

boot system flash c2801-ipbasek9-mz.124-8.bin

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200 debugging

logging console critical

enable secret 5 $1$EWDt$pvWzeNhilneb/EUJosxlv0

!

no aaa new-model

!

resource policy

!

clock timezone MDT -7

clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00

no ip source-route

ip cef

!

!

ip tcp synwait-time 10

!

!

no ip bootp server

ip name-server 198.60.22.2

ip name-server 198.60.22.22

!

username admin privilege 15 secret 5 $1$TF47$aa8RLf18isZxIwjOKfdmZ.

!

!

!

interface FastEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$

ip address 199.104.124.210 255.255.255.240

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

duplex auto

speed auto

no mop enabled

!

interface FastEthernet0/1

description $FW_OUTSIDE$$ETH-LAN$

ip address 192.168.2.2 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

ip policy route-map toDSL

duplex auto

speed auto

no mop enabled

!

interface FastEthernet0/1/0

!

interface FastEthernet0/1/1

!

interface FastEthernet0/1/2

!

interface FastEthernet0/1/3

!

interface Serial0/2/0

ip address 204.228.133.46 255.255.255.252

!

interface Vlan1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip flow egress

ip route-cache flow

!

ip route 0.0.0.0 0.0.0.0 204.228.133.45

ip route 192.168.2.0 255.255.255.0 192.168.2.1

!

no ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

logging trap debugging

access-list 111 permit tcp any any eq www

no cdp run

route-map toDSL permit 1

match ip address 111

set ip next-hop 192.168.2.1

!

!

control-plane

!

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

login local

transport output telnet

line aux 0

login local

transport output telnet

line vty 0 4

exec-timeout 30 0

privilege level 15

login local

transport input ssh

transport output ssh

line vty 5 15

access-class 102 in

privilege level 15

login local

transport input ssh

!

scheduler allocate 20000 1000

ntp clock-period 17178101

ntp update-calendar

ntp server 198.60.22.240 source Serial0/2/0

end

Ron

Thanks for the additional detail. It is helpful.

For Policy Based Routing (which is what you are doing) the route map in the policy is applied to the interface where traffic enters the router. And you have applied it on the interrface where traffic exits the router. So move the:

ip policy route-map toDSL

from fastethernet0/1 to fastethernet0/0.

Try that and let us know what happens.

Also with the route map and Policy Based Routing if you do unplug the DSL it is not that the WWW traffic would be denied, it would simply route out the normal interface. So your attempt to test does not really proove anything.

HTH

Rick

Hi

The policy map has to be applied to the inside interface of the router and to check whether its working by seeing the hit counts in the access-list.

and If you want to deny ur WWW traffic when the DSL goes down you have to put another access-list which denies them and apply it on the interface connecting to T1

Narayan

I think the problem is with the DSL.

I applied the route-map to FE 0/0 (inside), yet I still see no traffic on FE 0/1 (dsl). I unplugged the T1 (S 0/2/0) and all web traffic stopped, so it appears all http is going out the serial interface, not the Fast Ethernet 0/1 connected to the DSL.

What is strange is that I can ping the ethernet side of the DSL at 192.168.0.1 from the cli of the router... If I connect a laptop to the same cable going into FE 0/1 (going to the DSL) I'm online no problem.

Yes, once I get this working I plan on creating a rule to disallow all web traffic via the T1. I just want it going out the DSL.

Oh, I also removed all routes, then created a default route going out FE 0/1 (DSL) and all traffic stopped.

I get link and activity lights on both the 2801 and on the DSL modem when the cable is connected. I can ping the ethernet side of the DSL from the 2801.

What am I missing?

I really don't want to call Qwest, as I'm sure they will just say the router is configured incorrectly.

Hello,

just a thought, but can you check the config of the device with IP address 192.168.2.1, the next hop for your WWW traffic ? Since this is a private space address, I am thinking that NAT must occur on that router, maybe the NAT only applies to private space addresses, and not to 199.104.124.210/28 addresses, which are used on your inside interface.

Regards,

GNT

Ron

I believe that the explanation of what happened when you unplugged the serial is in looking at your routing logic. Your config includes 2 static routes:

ip route 0.0.0.0 0.0.0.0 204.228.133.45

ip route 192.168.2.0 255.255.255.0 192.168.2.1

If you unplug the serial then the default route becomes unworkable and traffic has no way to get out (other than the policy based routing - which is not working).

I believe one thing to explore is whether the next hop from FastEthernet0/1 has a route back to the subnet of your FastEthernet0/1. You say that you can ping the next hop from the router and that if you plug a PC into that DSL it can function well. But both of those will be using 192.168.2.2 as the source address. I suggest that you test using an extended ping. In the extended ping specify the destination as the next hop address of 192.168.2.1 and specify the source address (in the extended commands) as the FastEthernet0/0 address. I suspect that this extended ping may fail. (as a detail your following post is talking about 192.168.0.x addresses but the config that you posted earlier has 192.168.2.x addresses. I hope this was just an oversight in the posting.)

It might also be useful to turn on debug for policy based routing, try a WWW connection from a PC on the FastEthernet0/0 and post the debug output.

HTH

Rick

To answer your questions:

The 2Wire DSL modem has no way to configure NAT. I spoke with their tech support who indicated it is always natted.

I tried the extended ping from S 0/2/0 and from FE 0/0, and it worked.

I enabled debugging for the policy route-map, however there was no output.

While I was speaking with the 2Wire tech, he indicated that I should be using transparent bridging so that the Cisco could connect through the modem via PPPoE. We set the modem to use transparent bridging, and tested it by creating and using a PPPoE connection on a laptop, and it worked fine.

At this point I feel I have a good understanding of policy based routing, and how to filter traffic towards specific interfaces. I really appreciate everyones input on this.

My quandry now is to confirm whether or not the PPPoE connection is working. I applied the changes to my config to enable the PPPoE connection, however when I apply the policy route-map, http traffic stops.

Here is what has been changed/added:

interface FastEthernet0/1

description $FW_OUTSIDE$$ETH-LAN$

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

no ip mroute-cache

duplex auto

speed auto

pppoe enable

pppoe-client dial-pool-number 1

no mop enabled

!

!

interface Dialer1

description Qwest DSL

ip address negotiated

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

ppp pap sent-username username password 7 password

!

ip route 0.0.0.0 0.0.0.0 204.228.133.45

!

logging trap debugging

access-list 100 permit tcp any any eq 443

access-list 111 permit tcp any any eq www

no cdp run

route-map toDSL permit 1

match ip address 111

set interface Dialer1