Cisco Support Community

New Member

Routing between redundant Internet links

I have a situation where I am trying to route traffic through one Internet link (C2600 router connected to Broadwing Communications) to a Web Server on a DMZ located on a redundant Internet link (C1600 router connected to Cable and Wireless - C+W). The C2600 router is running an ACL, NAT, and CBAC.

If I set my default GW internally to point at the C2600 I can access the Internet to retrieve Web pages, but I cannot access my own Web server located in the DMZ on the C1600. From my local network, I can't even ping anything associated with the C+W network (the C+W name server or my Web server). If I telnet to my C2600 I can ping anywhere internally or externally.

This doesn't make sense to me since my internal client uses the C2600 as its default gateway and the C2600 has a default route pointing at the service provider's GW router. I can see the traffic hitting the C2600 router (CBAC creates temporary ACL entries and the ACL hit counters increment) when I try to browse to or ping my own Web server, but I get no response. Ping and trace appear to function properly from the C2600 router to the C+W network and the DMZ Web server.

If I set my default GW to point at the C1600 - where the DMZ is located - I can get to the Web server in the DMZ since it is locally attached to that router.

I'm not sure if the problem has something to do with the redundant Internet connections, CBAC, NAT, or my ACL; I'm baffled. Any assistance would be greatly appreciated.

Dan

6 REPLIES
Silver

Re: Routing between redundant Internet links

Dan,

Could it be that your C2600 does not have a route for your DMZ network? Either on your hosts you could set a route to your DMZ network that points to your 1600 (messy), or possibly you could let your 2600 and 1600 exchange routing information, including your DMZ network, so that traffic destined to your 2600 would still get over to your 1600-attached DMZ network.

Hope this helps,

Don

New Member

Re: Routing between redundant Internet links

Don,

Thank you for your input. I had considered putting a static route in the C2600 pointing at the DMZ router. But my gut tells me that the routing should work as is: the 2600 forwards traffic for the DMZ - or any destination - from the internal network out to the Internet, which then finds its way to the destination address. The internal hosts can go through the 2600 to anywhere on the Internet except to their own External Web server. And externally, I can access the Web server (from a dialup or cable network connection). Also, when I'm logged into the 2600 router I can ping and trace any route.

I'm wondering if it has something to do with NAT, CBAC, or the ACL. Below is an excerpt from the running config. Any input would be appreciated . . .

ip inspect name myfw tcp
ip inspect name myfw udp
ip audit notify log
ip audit po max-events 100
!
interface Ethernet0/0
 ip address 192.168.0.12 255.255.255.0
 ip nat inside
 ip inspect myfw in
 full-duplex
!
interface Serial0/0
 ip address 67.96.254.134 255.255.255.252
 ip access-group 101 in
 no ip unreachables
 ip nat outside
 ip inspect myfw in
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 timeslots 1-24
 frame-relay interface-dlci 50
 frame-relay lmi-type ansi
!
interface Ethernet0/1
 ip address 67.96.93.150 255.255.255.192
 shutdown
 full-duplex
 no cdp enable
!
router rip
 version 2
 redistribute connected
 network 67.0.0.0
 network 192.168.0.0
 no auto-summary
!
ip nat inside source list 1 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 67.96.254.133
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 101 permit tcp any eq domain any
access-list 101 permit udp any eq domain any
access-list 101 permit icmp any any echo-reply
!

Silver

Re: Routing between redundant Internet links

Can you ensure that the 2600 has a route (learned through RIP) for the DMZ pointing back out E0/0 to the 1600 (I assume)? If you do have a route, then I would recommend "debug ip nat" while you're trying to access this network, and see if you get a failed translation.

Here is a link on NAT that I hope helps you out as well:

http://www.cisco.com/warp/customer/556/index.shtml

Also, if you see the translation problem, you might change the access-list that does your NATing so that it does not NAT traffic going to the DMZ network. This should only be done if you see that NAT is your issue.

Hope this helps,

Don

New Member

Re: Routing between redundant Internet links

Thanks again, Don. One of the first things I did when I approached this problem was to look for a route to the DMZ router on the C2600. The C2600 doesn't appear to know about the DMZ, but I had assumed that it would route the DMZ traffic out to the Internet through its default router and back to the DMZ. The 2600 is running RIP, but I can't be sure about the C1600 (DMZ router).

I had considered placing a static route on the 2600 to point at the DMZ, but I wasn't fond of this approach. I suppose I can either do that, or gain access to the 1600 router and turn on RIP so it will exchange routing info with the 2600. Then I can create an ACL to avoid NAT when accessing the DMZ from the internal network.

Thanks again for your assistance,

Dan
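The static-route-plus-NAT-exemption approach that Don suggested and Dan plans to try, written out as an added IOS fragment for the C2600 (not from the thread). The DMZ network 203.0.113.0/24 and the C1600's LAN-side address 192.168.0.1 are placeholders, since neither appears on the page.

```cisco
! Added example, not from the thread. Placeholders: DMZ network 203.0.113.0/24
! and the C1600's LAN-side address 192.168.0.1 (neither is given on the page).
!
! 1. Give the C2600 a route for the DMZ that points at the C1600 across the
!    shared 192.168.0.0/24 segment instead of out Serial0/0 to the Internet.
ip route 203.0.113.0 255.255.255.0 192.168.0.1
!
! 2. Replace the standard ACL that selects NAT candidates with an extended one
!    that excludes internal-to-DMZ traffic, so those packets keep their
!    192.168.x.x source and never depend on a hairpin through the outside link.
!    Active translations must be cleared before the old mapping can be removed.
clear ip nat translation *
no ip nat inside source list 1 interface Serial0/0 overload
ip access-list extended NAT-INSIDE
 deny   ip 192.168.0.0 0.0.0.255 203.0.113.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255
 deny   ip 192.168.100.0 0.0.0.255 203.0.113.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.100.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface Serial0/0 overload
!
! 3. Verify: the DMZ prefix should appear as a static entry, and a test
!    connection to the web server should no longer create a translation.
! show ip route 203.0.113.0
! show ip nat translations
! debug ip nat
```

The C1600 also needs return routes for 192.168.1.0/24 and 192.168.100.0/24 via 192.168.0.12 (or RIP between the two routers); otherwise replies to the now-untranslated internal addresses would follow its default route out to C+W.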

New Member

Re: Routing between redundant Internet links

Hi Dan, it would be advisable to put in an exclusion on your browser if you are going via a proxy server...

Lincoln

New Member

Re: Routing between redundant Internet links

Thank you for your response, Lincoln. We are not using a proxy server in this case. I plan to modify the routing between these routers either statically or dynamically.

Dan
