06-18-2003 08:39 AM - edited 03-02-2019 08:14 AM
We are having a routing issue on our office 2621. I have configured the router to NAT the local office subinterface F0/1.15 network out through a cable modem connection on E1/0. I have a number of servers sitting on a subinterface of the router, F0/1.14. The servers are going out through F0/0 over a point-to-point DSL link to our 3640, which has a T1 connection to the Internet. I have a couple of different route maps created, but they do not work like I expect them to.
interface FastEthernet0/0
description Connection to Cisco 3640 in ABN Closet
ip address 209.161.173.2 255.255.255.128
no ip redirects
no ip mroute-cache
speed 10
full-duplex
interface FastEthernet0/1.14
description DNS Roadkill, Roadrash, VLAN 14, Catalyst Port 4
encapsulation isl 14
ip address 10.1.114.1 255.255.255.0
ip access-group 114 out
no ip redirects
no ip mroute-cache
ip policy route-map abn_traffic
!
interface FastEthernet0/1.15
description , Narwhal local office subnet VLAN 15, Catalyst Port 5
encapsulation isl 15
ip address 10.1.115.1 255.255.255.0
ip access-group 115 out
no ip redirects
ip nat inside
no ip mroute-cache
ip policy route-map normal_traffic
interface Ethernet1/0
description GCI cable modem
ip address 24.237.24.215 255.255.248.0
ip nat outside
ip audit audit-1 in
no ip mroute-cache
ip policy route-map nonat
no cdp enable
crypto map FAIL2D
ip nat pool gci 24.237.24.214 24.237.24.214 netmask 255.255.248.0
ip nat inside source route-map nonat pool gci overload
access-list 100 deny ip 209.161.173.0 0.0.0.128 host 24.237.24.215
access-list 100 permit ip 10.1.115.0 0.0.0.255 any
access-list 100 deny ip 0.0.0.0 255.0.0.0 host 24.237.24.215
access-list 102 deny ip 10.1.115.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 deny ip 10.1.115.0 0.0.0.255 10.11.12.0 0.0.0.255
access-list 102 permit ip any any
access-list 114 permit udp any host 209.161.173.48 eq domain
access-list 114 permit udp any host 209.161.173.24 eq domain
access-list 114 permit udp any host 209.161.173.45 eq domain
access-list 114 permit udp any host 209.161.173.74 eq domain
access-list 114 permit tcp any host 209.161.173.46 eq pop3
access-list 114 permit tcp any host 209.161.173.46 eq smtp
access-list 114 permit tcp any host 209.161.173.46 eq www
access-list 114 permit tcp any host 209.161.173.50 eq smtp
access-list 114 permit tcp any host 209.161.173.123 eq smtp
access-list 114 permit tcp 209.161.173.0 0.0.0.255 host 209.161.173.48 eq smtp
access-list 114 permit tcp 10.0.0.0 0.255.255.255 host 209.161.173.48 eq smtp
access-list 114 deny tcp any host 209.161.173.48 eq smtp log
access-list 114 permit udp any eq domain any
access-list 114 permit tcp any any established
access-list 114 permit tcp any any eq domain log
access-list 114 deny ip any any log
access-list 115 permit tcp any any established
access-list 115 permit udp any eq domain any
access-list 115 permit icmp any any echo-reply
access-list 115 permit icmp any any echo
access-list 115 permit udp any any eq echo
access-list 115 permit udp any eq echo any
access-list 115 permit gre any any
access-list 115 permit esp any any
access-list 115 permit ip 10.10.10.0 0.0.0.255 host 10.1.115.20
access-list 115 permit ip 10.0.0.0 0.255.255.255 host 10.1.115.20
access-list 115 permit udp any host 10.1.115.105 eq syslog
access-list 115 permit icmp any any
route-map normal_traffic permit 10
match ip address 100
set ip next-hop 24.237.24.1
!
route-map abn_traffic permit 10
set ip next-hop 209.161.173.1
!
route-map nonat permit 10
match ip address 102
Lines 1 and 3 of access-list 100 were added to try to solve the problem.
The problem is that when an attempt is made to connect to a service on one of the ABN servers from a computer on the 10.1.115.0 network, it fails. A traceroute from a computer on the local network goes out through GCI.
C:\>tracert 209.161.173.46
Tracing route to roadkill.nettech-inc.com [209.161.173.46]
over a maximum of 30 hops:
1 <10 ms 10 ms <10 ms 10.1.115.1
2 40 ms 20 ms 10 ms 1-24-237-24.gci.net [24.237.24.1]
3 20 ms 20 ms 20 ms 1-140-165-209.gci.net [209.165.140.1]
4 60 ms 60 ms 50 ms 190-129-165-209.gci.net [209.165.129.190]
5 60 ms 70 ms 51 ms 221-129-165-209.gci.net [209.165.129.221]
6 50 ms 60 ms 50 ms bpr1-so-6-1-0.SeattleSwitchDesign.cw.net [208.173.49.5]
7 60 ms 70 ms 70 ms acr1-so-6-0-0.Seattle.cw.net [208.172.83.186]
8 80 ms 81 ms 80 ms dcr1-loopback.SantaClara.cw.net [208.172.146.99]
9 130 ms 190 ms * bpr1-so-0-0-0.SanJoseEquinix.cw.net [208.173.54.65]
10 381 ms 90 ms 80 ms 208.173.53.130
11 80 ms 80 ms 70 ms p1-0.border1.rap.sjc.transedge.com [216.217.3.10]
12 81 ms 90 ms 80 ms a6-0-128.border2.rap.pdx.transedge.com [216.171.28.189]
13 120 ms 110 ms 111 ms unassigned.transedge.com [216.171.145.2]
14 110 ms 120 ms 110 ms anch7576b.akfiberstar.net [209.161.175.89]
15 240 ms 341 ms 370 ms mdg.akfiberstar.net [209.161.175.218]
16 230 ms 311 ms 260 ms abn2.nettech-inc.com [209.161.173.2]
17 abn2.nettech-inc.com [209.161.173.2] reports: Destination net unreachable.
Trace complete.
A trace coming back to the source goes directly through the 2621 router with one hop. I can see there is a NAT translation open when I make the attempt on the 2621.
Pro Inside global Inside local Outside local Outside global
tcp 24.237.24.214:1122 10.1.115.105:1122 209.161.173.46:80 209.161.173.46:80
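As an added illustration (not the poster's configuration and not Cisco code), this Python model evaluates an extended ACL with Cisco wildcard-mask, first-match and implicit-deny semantics, then applies it the way a PBR route-map's `match ip address` / `set ip next-hop` does: only an ACL permit sets the next hop, anything else falls through to the routing table. It runs ACL 100 exactly as posted, and a constructed variant (an assumption, not from the thread) that denies office-to-ABN traffic before the catch-all permit; only protocol-`ip` entries are parsed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: set bits are 'don't care', clear bits must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr_spec(tok):
    # Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'
    if tok[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]

def parse_acl(lines):
    """Parse extended 'access-list N permit|deny ip SRC DST' entries (protocol ip only)."""
    entries = []
    for line in lines:
        tok = line.split()            # ['access-list', N, action, 'ip', src..., dst...]
        src, rest = _addr_spec(tok[4:])
        dst, _ = _addr_spec(rest)
        entries.append((tok[2], src, dst))
    return entries

def acl_action(entries, src, dst):
    """First-match evaluation, ending in the implicit deny every Cisco ACL has."""
    for action, (sb, sw), (db, dw) in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def pbr_next_hop(entries, next_hop, src, dst):
    """Only an ACL permit policy-routes the packet; deny/no match -> routing table (None)."""
    return next_hop if acl_action(entries, src, dst) == "permit" else None

# ACL 100 as posted, referenced by route-map normal_traffic on F0/1.15
ACL_100_POSTED = parse_acl([
    "access-list 100 deny ip 209.161.173.0 0.0.0.128 host 24.237.24.215",
    "access-list 100 permit ip 10.1.115.0 0.0.0.255 any",
    "access-list 100 deny ip 0.0.0.0 255.0.0.0 host 24.237.24.215",
])
# Constructed variant (not from the thread): deny office -> ABN /25 before the catch-all permit
ACL_100_VARIANT = parse_acl([
    "access-list 100 deny ip 10.1.115.0 0.0.0.255 209.161.173.0 0.0.0.127",
    "access-list 100 permit ip 10.1.115.0 0.0.0.255 any",
])
GCI_NEXT_HOP = "24.237.24.1"

if __name__ == "__main__":
    pkt = ("10.1.115.105", "209.161.173.46")   # the session shown in the NAT table
    print("posted ACL :", pbr_next_hop(ACL_100_POSTED, GCI_NEXT_HOP, *pkt))   # 24.237.24.1
    print("variant ACL:", pbr_next_hop(ACL_100_VARIANT, GCI_NEXT_HOP, *pkt))  # None
```

Note that a wildcard of 0.0.0.128 matches only the .0 and .128 hosts of the last octet, not the whole /25; 0.0.0.127 is the wildcard that covers 209.161.173.0-127.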
06-18-2003 09:45 AM
OK. On interface FastEthernet0/1.15 you have ip nat inside, which references
'ip nat inside source route-map nonat pool gci overload',
which references route-map 'nonat'. What is the purpose of this route-map?
Your config is extremely complicated. I would try to simplify it a little, get it working, then complicate it in steps so you can determine exactly what statement is making it fail.
06-18-2003 10:32 AM
The first thing you have to do is remove all the access-lists you have created. I don't have enough room to go into detail, but a couple of your ACLs are wrong. After you remove them, see if your route maps work and send me a printout of your results.
06-18-2003 01:59 PM
Here is my full configuration. There is an ipsec VPN endpoint on E1/0 and this is why there is a route-map nonat.
FAI-2621#sh conf
Using 9198 out of 29688 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname FAI-2621
!
logging buffered 4096 debugging
no logging console
enable secret 5 *****
!
!
!
memory-size iomem 10
ip subnet-zero
no ip finger
no ip domain-lookup
ip name-server 209.161.173.24
ip name-server 209.161.173.74
ip name-server 208.138.130.16
ip name-server 206.96.62.16
!
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name standard smtp
ip inspect name standard cuseeme
ip inspect name standard ftp
ip inspect name standard h323
ip inspect name standard http
ip inspect name standard rcmd
ip inspect name standard realaudio
ip inspect name standard sqlnet
ip inspect name standard streamworks
ip inspect name standard tcp
ip inspect name standard tftp
ip inspect name standard udp
ip inspect name standard vdolive
ip audit attack action drop
ip audit notify log
ip audit po max-events 100
ip audit name audit-1 info action alarm
ip audit name audit-1 attack action drop
ip accounting-threshold 1024
cns event-service server
!
!
!
!
!
!
!
crypto isakmp policy 12
hash md5
authentication pre-share
crypto isakmp key ********* address 24.237.168.235
!
!
crypto ipsec transform-set L2D esp-des esp-md5-hmac
!
crypto map FAIL2D 12 ipsec-isakmp
set peer 24.237.168.235
set transform-set L2D
match address 151
!
!
!
!
interface FastEthernet0/0
description Connection to Cisco 3640 in ABN Closet
ip address 209.161.173.2 255.255.255.128
no ip redirects
ip audit audit-1 in
no ip mroute-cache
speed 10
full-duplex
!
interface FastEthernet0/1
no ip address
no ip mroute-cache
speed 100
full-duplex
!
interface FastEthernet0/1.1
description Connection to Catalyst 1912, VLAN1, Catalyst Port A
encapsulation isl 1
ip address 10.1.101.1 255.255.255.0
no ip redirects
no ip mroute-cache
!
interface FastEthernet0/1.10
description Trunk 2, VLAN10, PortB
encapsulation isl 10
ip address 10.1.110.1 255.255.255.0
no ip redirects
no ip mroute-cache
!
interface FastEthernet0/1.11
description AK Bird Observitory, vlan11, port1
encapsulation isl 11
ip address 10.1.111.1 255.255.255.0
no ip redirects
no ip mroute-cache
!
interface FastEthernet0/1.12
description MDGI Network, VLAN 12, Catalyst Port 2
encapsulation isl 12
ip address 10.1.112.1 255.255.255.0
no ip redirects
no ip mroute-cache
!
interface FastEthernet0/1.13
description VLAN 13, Catalyst Port 3
encapsulation isl 13
ip address 10.1.113.1 255.255.255.0
no ip redirects
no ip mroute-cache
!
interface FastEthernet0/1.14
description DNS, VLAN 14, Catalyst Port 4
encapsulation isl 14
ip address 10.1.114.1 255.255.255.0
ip access-group 114 out
no ip redirects
no ip mroute-cache
ip policy route-map abn_traffic
!
interface FastEthernet0/1.15
description Roadkill, Roadrash, VLAN 15, Catalyst Port 5
encapsulation isl 15
ip address 10.1.115.1 255.255.255.0
ip access-group 115 out
no ip redirects
ip nat inside
no ip mroute-cache
ip policy route-map normal_traffic
!
interface FastEthernet0/1.16
description DCS, S. Shepard, VLAN 16 Port 6
encapsulation isl 16
ip address 10.1.116.1 255.255.255.0
no ip redirects
no ip mroute-cache
!
interface FastEthernet0/1.17
description Game Server, VLAN 17, Catalyst Port 7
encapsulation isl 17
ip address 10.1.117.1 255.255.255.0
no ip redirects
no ip mroute-cache
!
interface FastEthernet0/1.18
description Cohost Clay, VLAN 18 Catalyst Port 8
encapsulation isl 18
ip address 10.1.118.1 255.255.255.0
no ip redirects
no ip mroute-cache
!
interface FastEthernet0/1.19
description CRCTAG.COM, Oxford Mining, VLAN19
encapsulation isl 19
ip address 10.1.119.1 255.255.255.0
no ip redirects
no ip mroute-cache
!
interface FastEthernet0/1.20
description Cohost, VLAN 20, Catalyst Port 10
encapsulation isl 20
ip address 10.1.120.1 255.255.255.0
no ip redirects
no ip mroute-cache
!
interface FastEthernet0/1.21
description Cohost, VLAN 21, Catalyst Port 11
encapsulation isl 21
ip address 10.1.121.1 255.255.255.0
no ip redirects
no ip mroute-cache
!
interface FastEthernet0/1.22
description MxMailGuard.nettech-inc.com
encapsulation isl 22
ip address 10.1.122.1 255.255.255.0
no ip redirects
no ip mroute-cache
!
interface Ethernet1/0
description GCI cable modem
ip address 24.237.24.215 255.255.248.0
ip nat outside
ip audit audit-1 in
no ip mroute-cache
ip policy route-map nonat
no cdp enable
crypto map FAIL2D
!
ip nat pool gci 24.237.24.214 24.237.24.214 netmask 255.255.248.0
ip nat inside source route-map nonat pool gci overload
ip classless
ip route 0.0.0.0 0.0.0.0 209.161.173.1
ip route 10.1.20.252 255.255.255.255 FastEthernet0/0
ip route 10.10.10.0 255.255.255.0 Ethernet1/0
ip route 10.11.12.0 255.255.255.0 Ethernet1/0
ip route 209.161.173.24 255.255.255.255 FastEthernet0/1.14
ip route 209.161.173.45 255.255.255.255 FastEthernet0/1.14
ip route 209.161.173.46 255.255.255.255 FastEthernet0/1.14
ip route 209.161.173.47 255.255.255.255 FastEthernet0/1.13
ip route 209.161.173.48 255.255.255.255 FastEthernet0/1.14
ip route 209.161.173.49 255.255.255.255 FastEthernet0/1.13
ip route 209.161.173.50 255.255.255.255 FastEthernet0/1.14
ip route 209.161.173.57 255.255.255.255 FastEthernet0/1.16
ip route 209.161.173.58 255.255.255.255 FastEthernet0/1.17
ip route 209.161.173.59 255.255.255.255 FastEthernet0/1.16
ip route 209.161.173.60 255.255.255.255 FastEthernet0/1.11
ip route 209.161.173.61 255.255.255.255 FastEthernet0/1.11
ip route 209.161.173.62 255.255.255.255 FastEthernet0/1.15
ip route 209.161.173.67 255.255.255.255 FastEthernet0/1.16
ip route 209.161.173.74 255.255.255.255 FastEthernet0/1.14
ip route 209.161.173.89 255.255.255.255 FastEthernet0/1.18
ip route 209.161.173.90 255.255.255.255 FastEthernet0/1.18
ip route 209.161.173.93 255.255.255.255 FastEthernet0/1.22
ip route 209.161.173.98 255.255.255.255 FastEthernet0/1.17
ip route 209.161.173.123 255.255.255.255 FastEthernet0/0
no ip http server
!
logging 209.161.173.109
logging 10.1.115.105
access-list 1 permit 10.1.0.0 0.0.255.255
access-list 101 deny ip 10.1.115.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.1.115.0 0.0.0.255 any
access-list 102 deny ip 10.1.115.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 deny ip 10.1.115.0 0.0.0.255 10.11.12.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny ip 209.161.173.0 0.0.0.128 any
access-list 103 permit ip 10.1.115.0 0.0.0.255 any
access-list 111 deny ip 10.1.115.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 permit ip any any
access-list 112 deny ip 10.1.115.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 112 deny ip 10.1.115.0 0.0.0.255 10.11.12.0 0.0.0.255
access-list 112 permit ip 10.1.115.0 0.0.0.255 any
access-list 113 deny ip 10.1.115.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 113 deny ip 10.1.115.0 0.0.0.255 10.11.12.0 0.0.0.255
access-list 113 deny ip host 10.1.20.1 host 10.10.10.22
access-list 113 permit ip any any
access-list 114 permit udp any host 209.161.173.48 eq domain
access-list 114 permit udp any host 209.161.173.24 eq domain
access-list 114 permit udp any host 209.161.173.45 eq domain
access-list 114 permit udp any host 209.161.173.74 eq domain
access-list 114 permit tcp any host 209.161.173.46 eq pop3
access-list 114 permit tcp any host 209.161.173.46 eq smtp
access-list 114 permit tcp any host 209.161.173.46 eq www
access-list 114 permit tcp any host 209.161.173.50 eq smtp
access-list 114 permit tcp any host 209.161.173.123 eq smtp
access-list 114 permit tcp 209.161.173.0 0.0.0.255 host 209.161.173.48 eq smtp
access-list 114 permit tcp 10.0.0.0 0.255.255.255 host 209.161.173.48 eq smtp
access-list 114 deny tcp any host 209.161.173.48 eq smtp log
access-list 114 permit udp any eq domain any
access-list 114 permit tcp any any established
access-list 114 permit tcp any any eq domain log
access-list 114 deny ip any any log
access-list 115 permit tcp any any established
access-list 115 deny ip 209.161.173.0 0.0.0.255 any
access-list 115 permit udp any eq domain any
access-list 115 permit icmp any any echo-reply
access-list 115 permit icmp any any echo
access-list 115 permit udp any any eq echo
access-list 115 permit udp any eq echo any
access-list 115 permit gre any any
access-list 115 permit esp any any
access-list 115 permit ip 10.10.10.0 0.0.0.255 host 10.1.115.20
access-list 115 permit ip 10.0.0.0 0.255.255.255 host 10.1.115.20
access-list 115 permit udp any host 10.1.115.105 eq syslog
access-list 115 permit icmp any any
access-list 151 permit ip 10.1.115.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 151 permit ip 10.1.115.0 0.0.0.255 10.11.12.0 0.0.0.255
access-list 151 permit ip host 10.1.20.1 host 10.10.10.22
route-map normal_traffic permit 10
match ip address 103
set ip next-hop 24.237.24.1
!
route-map abn_traffic permit 10
set ip next-hop 209.161.173.1
!
route-map nonat permit 10
match ip address 102
!
!
snmp-server engineID local
snmp-server community RO
!
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password 7 *******
login
!
end
FAI-2621#