Route-map problems

gguhin (Level 1)

We are having a routing issue on our office 2621. I have configured the router to nat the local office subinterface F0/1.15 network out through a Cable modem connection E1/0. I have the a number of servers sitting on a subinterface of the router f0/1.14. The servers are going out through F0/0 through a point to point DSL link and to our 3640 which has a T1 connection to the Internet. I have a couple of different route maps created, but they do not work like I expect them to.

interface FastEthernet0/0

description Connection to Cisco 3640 in ABN Closet

ip address 209.161.173.2 255.255.255.128

no ip redirects

no ip mroute-cache

speed 10

full-duplex

interface FastEthernet0/1.14

description DNS Roadkill, Roadrash, VLAN 14, Catalyst Port 4

encapsulation isl 14

ip address 10.1.114.1 255.255.255.0

ip access-group 114 out

no ip redirects

no ip mroute-cache

ip policy route-map abn_traffic

!

interface FastEthernet0/1.15

description , Narwhal local office subnet VLAN 15, Catalyst Port 5

encapsulation isl 15

ip address 10.1.115.1 255.255.255.0

ip access-group 115 out

no ip redirects

ip nat inside

no ip mroute-cache

ip policy route-map normal_traffic

interface Ethernet1/0

description GCI cable modem

ip address 24.237.24.215 255.255.248.0

ip nat outside

ip audit audit-1 in

no ip mroute-cache

ip policy route-map nonat

no cdp enable

crypto map FAIL2D

ip nat pool gci 24.237.24.214 24.237.24.214 netmask 255.255.248.0

ip nat inside source route-map nonat pool gci overload

access-list 100 deny ip 209.161.173.0 0.0.0.128 host 24.237.24.215

access-list 100 permit ip 10.1.115.0 0.0.0.255 any

access-list 100 deny ip 0.0.0.0 255.0.0.0 host 24.237.24.215

access-list 102 deny ip 10.1.115.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 102 deny ip 10.1.115.0 0.0.0.255 10.11.12.0 0.0.0.255

access-list 102 permit ip any any

access-list 114 permit udp any host 209.161.173.48 eq domain

access-list 114 permit udp any host 209.161.173.24 eq domain

access-list 114 permit udp any host 209.161.173.45 eq domain

access-list 114 permit udp any host 209.161.173.74 eq domain

access-list 114 permit tcp any host 209.161.173.46 eq pop3

access-list 114 permit tcp any host 209.161.173.46 eq smtp

access-list 114 permit tcp any host 209.161.173.46 eq www

access-list 114 permit tcp any host 209.161.173.50 eq smtp

access-list 114 permit tcp any host 209.161.173.123 eq smtp

access-list 114 permit tcp 209.161.173.0 0.0.0.255 host 209.161.173.48 eq smtp

access-list 114 permit tcp 10.0.0.0 0.255.255.255 host 209.161.173.48 eq smtp

access-list 114 deny tcp any host 209.161.173.48 eq smtp log

access-list 114 permit udp any eq domain any

access-list 114 permit tcp any any established

access-list 114 permit tcp any any eq domain log

access-list 114 deny ip any any log

access-list 115 permit tcp any any established

access-list 115 permit udp any eq domain any

access-list 115 permit icmp any any echo-reply

access-list 115 permit icmp any any echo

access-list 115 permit udp any any eq echo

access-list 115 permit udp any eq echo any

access-list 115 permit gre any any

access-list 115 permit esp any any

access-list 115 permit ip 10.10.10.0 0.0.0.255 host 10.1.115.20

access-list 115 permit ip 10.0.0.0 0.255.255.255 host 10.1.115.20

access-list 115 permit udp any host 10.1.115.105 eq syslog

access-list 115 permit icmp any any

route-map normal_traffic permit 10

match ip address 100

set ip next-hop 24.237.24.1

!

route-map abn_traffic permit 10

set ip next-hop 209.161.173.1

!

route-map nonat permit 10

match ip address 102

Lines 1 and 3 of access-list 100 were added to try and solve the problem.

The problem is that when a computer on the 10.1.115.0 network attempts to connect to a service on one of the ABN servers, it fails. A traceroute from a computer on the local network goes out through GCI.

C:\>tracert 209.161.173.46

Tracing route to roadkill.nettech-inc.com [209.161.173.46]

over a maximum of 30 hops:

1 <10 ms 10 ms <10 ms 10.1.115.1

2 40 ms 20 ms 10 ms 1-24-237-24.gci.net [24.237.24.1]

3 20 ms 20 ms 20 ms 1-140-165-209.gci.net [209.165.140.1]

4 60 ms 60 ms 50 ms 190-129-165-209.gci.net [209.165.129.190]

5 60 ms 70 ms 51 ms 221-129-165-209.gci.net [209.165.129.221]

6 50 ms 60 ms 50 ms bpr1-so-6-1-0.SeattleSwitchDesign.cw.net [208.173.49.5]

7 60 ms 70 ms 70 ms acr1-so-6-0-0.Seattle.cw.net [208.172.83.186]

8 80 ms 81 ms 80 ms dcr1-loopback.SantaClara.cw.net [208.172.146.99]

9 130 ms 190 ms * bpr1-so-0-0-0.SanJoseEquinix.cw.net [208.173.54.65]

10 381 ms 90 ms 80 ms 208.173.53.130

11 80 ms 80 ms 70 ms p1-0.border1.rap.sjc.transedge.com [216.217.3.10]

12 81 ms 90 ms 80 ms a6-0-128.border2.rap.pdx.transedge.com [216.171.28.189]

13 120 ms 110 ms 111 ms unassigned.transedge.com [216.171.145.2]

14 110 ms 120 ms 110 ms anch7576b.akfiberstar.net [209.161.175.89]

15 240 ms 341 ms 370 ms mdg.akfiberstar.net [209.161.175.218]

16 230 ms 311 ms 260 ms abn2.nettech-inc.com [209.161.173.2]

17 abn2.nettech-inc.com [209.161.173.2] reports: Destination net unreachable.

Trace complete.

A trace coming back to the source goes directly through the 2621 router with one hop. I can see there is a NAT translation open when I make the attempt on the 2621.

Pro Inside global Inside local Outside local Outside global

tcp 24.237.24.214:1122 10.1.115.105:1122 209.161.173.46:80 209.161.173.46:80
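As an added illustration (not from the thread), here is a small Python model of how "route-map normal_traffic permit 10 / match ip address 100 / set ip next-hop 24.237.24.1" evaluates ACL 100 for the failing connection from 10.1.115.105 to 209.161.173.46, alongside a hypothetical corrected ACL that exempts the ABN server block as a destination. Only the "ip" entries posted above are modelled; the corrected ACL and the 198.51.100.7 test address are assumptions, not something from the post.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _parse_addr(toks):
    # "any", "host X" or "X WILDCARD" -> ((base, wildcard), remaining tokens)
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines, the only form ACL 100 uses."""
    entries = []
    for line in lines:
        toks = line.split()              # toks[2] is permit/deny, toks[3] is the protocol "ip"
        src, rest = _parse_addr(toks[4:])
        entries.append((toks[2], src, _parse_addr(rest)[0]))
    return entries

def acl_result(entries, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def pbr_next_hop(acl_lines, src, dst, next_hop="24.237.24.1"):
    """'route-map normal_traffic permit 10 / match ip address <acl> / set ip next-hop':
    an ACL permit applies the set clause; a deny or no match falls through to the routing table."""
    return next_hop if acl_result(parse_acl(acl_lines), src, dst) == "permit" else None

# ACL 100 as posted. Its deny lines test the *source* against 209.161.173.x, but every packet
# policy-routed on F0/1.15 is sourced from 10.1.115.0/24, so only the permit line ever matches.
ORIGINAL_ACL_100 = [
    "access-list 100 deny ip 209.161.173.0 0.0.0.128 host 24.237.24.215",
    "access-list 100 permit ip 10.1.115.0 0.0.0.255 any",
    "access-list 100 deny ip 0.0.0.0 255.0.0.0 host 24.237.24.215",
]
# Hypothetical corrected ACL (not from the thread): exempt the ABN /25 as *destination*, so traffic
# to the servers keeps its per-host static routes instead of being handed to the cable modem.
CORRECTED_ACL_100 = [
    "access-list 100 deny ip 10.1.115.0 0.0.0.255 209.161.173.0 0.0.0.127",
    "access-list 100 permit ip 10.1.115.0 0.0.0.255 any",
]
```

Note that the wildcard 0.0.0.128 used in the posted deny line only matches last octets of 0 and 128; the wildcard that covers the whole 209.161.173.0/25 block is 0.0.0.127.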

3 Replies

deilert (Level 6)

OK. On interface FastEthernet0/1.15 you have ip nat inside, which references

'ip nat inside source route-map nonat pool gci overload'

which in turn references route-map 'nonat'. What is the purpose of this route-map?

Your config is extremely complicated. I would try to simplify it a little, get it working, then complicate it in steps so you can determine exactly which statement is making it fail.

kbodie (Level 1)

The first thing you have to do is remove all the access-lists you have created. I don't have enough room to go into detail, but a couple of your ACLs are wrong. After you remove them, see if your route maps work and send me a printout of your results.

Here is my full configuration. There is an IPsec VPN endpoint on E1/0, and this is why there is a route-map nonat.

FAI-2621#sh conf

Using 9198 out of 29688 bytes

!

version 12.1

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname FAI-2621

!

logging buffered 4096 debugging

no logging console

enable secret 5 *****

!

!

!

memory-size iomem 10

ip subnet-zero

no ip finger

no ip domain-lookup

ip name-server 209.161.173.24

ip name-server 209.161.173.74

ip name-server 208.138.130.16

ip name-server 206.96.62.16

!

ip inspect audit-trail

ip inspect udp idle-time 1800

ip inspect dns-timeout 7

ip inspect tcp idle-time 14400

ip inspect name standard smtp

ip inspect name standard cuseeme

ip inspect name standard ftp

ip inspect name standard h323

ip inspect name standard http

ip inspect name standard rcmd

ip inspect name standard realaudio

ip inspect name standard sqlnet

ip inspect name standard streamworks

ip inspect name standard tcp

ip inspect name standard tftp

ip inspect name standard udp

ip inspect name standard vdolive

ip audit attack action drop

ip audit notify log

ip audit po max-events 100

ip audit name audit-1 info action alarm

ip audit name audit-1 attack action drop

ip accounting-threshold 1024

cns event-service server

!

!

!

!

!

!

!

crypto isakmp policy 12

hash md5

authentication pre-share

crypto isakmp key ********* address 24.237.168.235

!

!

crypto ipsec transform-set L2D esp-des esp-md5-hmac

!

crypto map FAIL2D 12 ipsec-isakmp

set peer 24.237.168.235

set transform-set L2D

match address 151

!

!

!

!

interface FastEthernet0/0

description Connection to Cisco 3640 in ABN Closet

ip address 209.161.173.2 255.255.255.128

no ip redirects

ip audit audit-1 in

no ip mroute-cache

speed 10

full-duplex

!

interface FastEthernet0/1

no ip address

no ip mroute-cache

speed 100

full-duplex

!

interface FastEthernet0/1.1

description Connection to Catalyst 1912, VLAN1, Catalyst Port A

encapsulation isl 1

ip address 10.1.101.1 255.255.255.0

no ip redirects

no ip mroute-cache

!

interface FastEthernet0/1.10

description Trunk 2, VLAN10, PortB

encapsulation isl 10

ip address 10.1.110.1 255.255.255.0

no ip redirects

no ip mroute-cache

!

interface FastEthernet0/1.11

description AK Bird Observitory, vlan11, port1

encapsulation isl 11

ip address 10.1.111.1 255.255.255.0

no ip redirects

no ip mroute-cache

!

interface FastEthernet0/1.12

description MDGI Network, VLAN 12, Catalyst Port 2

encapsulation isl 12

ip address 10.1.112.1 255.255.255.0

no ip redirects

no ip mroute-cache

!

interface FastEthernet0/1.13

description VLAN 13, Catalyst Port 3

encapsulation isl 13

ip address 10.1.113.1 255.255.255.0

no ip redirects

no ip mroute-cache

!

interface FastEthernet0/1.14

description DNS, VLAN 14, Catalyst Port 4

encapsulation isl 14

ip address 10.1.114.1 255.255.255.0

ip access-group 114 out

no ip redirects

no ip mroute-cache

ip policy route-map abn_traffic

!

interface FastEthernet0/1.15

description Roadkill, Roadrash, VLAN 15, Catalyst Port 5

encapsulation isl 15

ip address 10.1.115.1 255.255.255.0

ip access-group 115 out

no ip redirects

ip nat inside

no ip mroute-cache

ip policy route-map normal_traffic

!

interface FastEthernet0/1.16

description DCS, S. Shepard, VLAN 16 Port 6

encapsulation isl 16

ip address 10.1.116.1 255.255.255.0

no ip redirects

no ip mroute-cache

!

interface FastEthernet0/1.17

description Game Server, VLAN 17, Catalyst Port 7

encapsulation isl 17

ip address 10.1.117.1 255.255.255.0

no ip redirects

no ip mroute-cache

!

interface FastEthernet0/1.18

description Cohost Clay, VLAN 18 Catalyst Port 8

encapsulation isl 18

ip address 10.1.118.1 255.255.255.0

no ip redirects

no ip mroute-cache

!

interface FastEthernet0/1.19

description CRCTAG.COM, Oxford Mining, VLAN19

encapsulation isl 19

ip address 10.1.119.1 255.255.255.0

no ip redirects

no ip mroute-cache

!

interface FastEthernet0/1.20

description Cohost, VLAN 20, Catalyst Port 10

encapsulation isl 20

ip address 10.1.120.1 255.255.255.0

no ip redirects

no ip mroute-cache

!

interface FastEthernet0/1.21

description Cohost, VLAN 21, Catalyst Port 11

encapsulation isl 21

ip address 10.1.121.1 255.255.255.0

no ip redirects

no ip mroute-cache

!

interface FastEthernet0/1.22

description MxMailGuard.nettech-inc.com

encapsulation isl 22

ip address 10.1.122.1 255.255.255.0

no ip redirects

no ip mroute-cache

!

interface Ethernet1/0

description GCI cable modem

ip address 24.237.24.215 255.255.248.0

ip nat outside

ip audit audit-1 in

no ip mroute-cache

ip policy route-map nonat

no cdp enable

crypto map FAIL2D

!

ip nat pool gci 24.237.24.214 24.237.24.214 netmask 255.255.248.0

ip nat inside source route-map nonat pool gci overload

ip classless

ip route 0.0.0.0 0.0.0.0 209.161.173.1

ip route 10.1.20.252 255.255.255.255 FastEthernet0/0

ip route 10.10.10.0 255.255.255.0 Ethernet1/0

ip route 10.11.12.0 255.255.255.0 Ethernet1/0

ip route 209.161.173.24 255.255.255.255 FastEthernet0/1.14

ip route 209.161.173.45 255.255.255.255 FastEthernet0/1.14

ip route 209.161.173.46 255.255.255.255 FastEthernet0/1.14

ip route 209.161.173.47 255.255.255.255 FastEthernet0/1.13

ip route 209.161.173.48 255.255.255.255 FastEthernet0/1.14

ip route 209.161.173.49 255.255.255.255 FastEthernet0/1.13

ip route 209.161.173.50 255.255.255.255 FastEthernet0/1.14

ip route 209.161.173.57 255.255.255.255 FastEthernet0/1.16

ip route 209.161.173.58 255.255.255.255 FastEthernet0/1.17

ip route 209.161.173.59 255.255.255.255 FastEthernet0/1.16

ip route 209.161.173.60 255.255.255.255 FastEthernet0/1.11

ip route 209.161.173.61 255.255.255.255 FastEthernet0/1.11

ip route 209.161.173.62 255.255.255.255 FastEthernet0/1.15

ip route 209.161.173.67 255.255.255.255 FastEthernet0/1.16

ip route 209.161.173.74 255.255.255.255 FastEthernet0/1.14

ip route 209.161.173.89 255.255.255.255 FastEthernet0/1.18

ip route 209.161.173.90 255.255.255.255 FastEthernet0/1.18

ip route 209.161.173.93 255.255.255.255 FastEthernet0/1.22

ip route 209.161.173.98 255.255.255.255 FastEthernet0/1.17

ip route 209.161.173.123 255.255.255.255 FastEthernet0/0

no ip http server

!

logging 209.161.173.109

logging 10.1.115.105

access-list 1 permit 10.1.0.0 0.0.255.255

access-list 101 deny ip 10.1.115.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 101 permit ip 10.1.115.0 0.0.0.255 any

access-list 102 deny ip 10.1.115.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 102 deny ip 10.1.115.0 0.0.0.255 10.11.12.0 0.0.0.255

access-list 102 permit ip any any

access-list 103 deny ip 209.161.173.0 0.0.0.128 any

access-list 103 permit ip 10.1.115.0 0.0.0.255 any

access-list 111 deny ip 10.1.115.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 111 permit ip any any

access-list 112 deny ip 10.1.115.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 112 deny ip 10.1.115.0 0.0.0.255 10.11.12.0 0.0.0.255

access-list 112 permit ip 10.1.115.0 0.0.0.255 any

access-list 113 deny ip 10.1.115.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 113 deny ip 10.1.115.0 0.0.0.255 10.11.12.0 0.0.0.255

access-list 113 deny ip host 10.1.20.1 host 10.10.10.22

access-list 113 permit ip any any

access-list 114 permit udp any host 209.161.173.48 eq domain

access-list 114 permit udp any host 209.161.173.24 eq domain

access-list 114 permit udp any host 209.161.173.45 eq domain

access-list 114 permit udp any host 209.161.173.74 eq domain

access-list 114 permit tcp any host 209.161.173.46 eq pop3

access-list 114 permit tcp any host 209.161.173.46 eq smtp

access-list 114 permit tcp any host 209.161.173.46 eq www

access-list 114 permit tcp any host 209.161.173.50 eq smtp

access-list 114 permit tcp any host 209.161.173.123 eq smtp

access-list 114 permit tcp 209.161.173.0 0.0.0.255 host 209.161.173.48 eq smtp

access-list 114 permit tcp 10.0.0.0 0.255.255.255 host 209.161.173.48 eq smtp

access-list 114 deny tcp any host 209.161.173.48 eq smtp log

access-list 114 permit udp any eq domain any

access-list 114 permit tcp any any established

access-list 114 permit tcp any any eq domain log

access-list 114 deny ip any any log

access-list 115 permit tcp any any established

access-list 115 deny ip 209.161.173.0 0.0.0.255 any

access-list 115 permit udp any eq domain any

access-list 115 permit icmp any any echo-reply

access-list 115 permit icmp any any echo

access-list 115 permit udp any any eq echo

access-list 115 permit udp any eq echo any

access-list 115 permit gre any any

access-list 115 permit esp any any

access-list 115 permit ip 10.10.10.0 0.0.0.255 host 10.1.115.20

access-list 115 permit ip 10.0.0.0 0.255.255.255 host 10.1.115.20

access-list 115 permit udp any host 10.1.115.105 eq syslog

access-list 115 permit icmp any any

access-list 151 permit ip 10.1.115.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 151 permit ip 10.1.115.0 0.0.0.255 10.11.12.0 0.0.0.255

access-list 151 permit ip host 10.1.20.1 host 10.10.10.22

route-map normal_traffic permit 10

match ip address 103

set ip next-hop 24.237.24.1

!

route-map abn_traffic permit 10

set ip next-hop 209.161.173.1

!

route-map nonat permit 10

match ip address 102

!

!

snmp-server engineID local

snmp-server community RO

!

!

!

line con 0

transport input none

line aux 0

line vty 0 4

password 7 *******

login

!

end

FAI-2621#