Thanks for replying.

I have since created a 2nd set of route-maps for the nat overload statements; no change.

So to understand you, I should change it to this?

route-map ISP_MAP permit 11

match ip address NAT_ACL

match interface GigabitEthernet0/3/0.554

!

route-map ISP2_MAP permit 10

match ip address ATT_NAT

match interface GigabitEthernet0/3/0.1528

Thanks for taking a look and any insight you have

Also, quick question: If I try to ping a not-working host from the router and specify the 2nd ISP (either IP or interface name) I'm not able to ping certain hosts, although others work. The route-maps should not affect this, correct? I'm wondering if I'm dealing with an ISP issue here.

EDIT: I was mistaken, I have now applied the above and things remain the same. Will leave it the way you recommend.

EDIT2: Added ip inspect firewall entries to above. INPUT_ACL shouldn't matter, only allowing some ports for servers external access. Updated config in first post.

I am glad that you took my advice about separate route maps for PBR and for address translation. But apparently my explanation about how to do it was not clear. Assuming that the config in the original post has been updated and is current then I will ask you to change it.

You are still using ISP_MAP and ISP2_MAP for PBR. For this purpose each route map should have a single match clause which matches addresses for a particular subnet and a single set statement which sets the next hop to be the appropriate ISP. What you have done is to remove the set next hop and inserted a second match on interface. To fix this remove the match interface from these two route maps and re-apply the set ip next-hop.

You created new route maps for address translation ICN_MAP and ATT_MAP, which is a good start. Both route maps use the same access list ( LOCAL-LAN )to match addresses. But each of these route maps should have its own unique access list that matches only the traffic for that interface. And it should have a second match statement that matches its appropriate interface. But you have configured them with set statements that set the interfaces.  To fix these route maps change the match address so that each route map has its own unique access list that matches its subnet and change the set address clause to match clauses that match the interface.

HTH

Rick

The below unfortunately breaks internet access for LAN clients, which is restored if I set ICN_MAP and ATT_MAP back to using set instead of match.

route-map ISP_MAP permit 11

match ip address NAT_ACL

set ip next-hop 1.1.1.205

!

route-map ISP2_MAP permit 10

match ip address ATT_NAT

set ip next-hop 2.2.2.53

!

route-map ATT_MAP permit 10

match ip address LOCAL-LAN-ATT

match interface GigabitEthernet0/3/0.1528

!

route-map ICN_MAP permit 10

match ip address LOCAL-LAN-ICN

match interface GigabitEthernet0/3/0.554

!

ip access-list extended LOCAL-LAN-ATT

permit ip 10.0.0.0 0.255.255.255 any

!

ip access-list extended LOCAL-LAN-ICN

permit ip 172.20.0.0 0.0.255.255 any

I am surprised that doing what I suggested breaks internet access. I wonder if the issue in in your LOCAL_LAN_ATT which matches any source address in network 10. I see that you have at least two interfaces with subnet in network 10. Do you mean for both of them to be included here for address translation?

Are you saying that hosts in the 172.20.0.0 subnet were also impacted by this?

Thinking about that question made me go back to the original post to see what was in NAT_ACL and I found this

ip access-list extended NAT_ACL

permit ip 172.0.0.0 0.0.0.255 any

deny ip any any

which will match 172.0.0 but the configured address of the interface is 172.20.1

So maybe that explains part of the issue for that subnet.

HTH

Rick

Interestingly, the 172.20.0.0 network works fine. (The one ACL is for a point to point connection not shown here that goes to this router for NAT. 172.16.0.0 for example). It's only that 2.2.2.53 connection having the issues.

10.78.17.0 255.255.255.0 is our VLAN2 LAN we want the new connection being used on (Which is having the problem where not all hosts are reachable)

10.100.0.0 255.255.0.0 is for that point to point where the 172.16.0.0 resides (Didn't include the static routes in this config for this since I'm only concerned with the local VLAN2/ATT connection at the moment)

I appreciate your help, thank you!

Thanks for the update. Given what I thought I was seeing I am surprised that 172.20.0 network works fine but if it is then I must have misunderstood something. Would it be possible to post an updated version of what is in the config and a description of what currently is working and not working?

As a side note - the things we are talking about here I would expect to have the effect that a subnet works or does not work. I am not convinced that these will explain the symptoms that some hosts are affected. But until we get these things resolved I am not sure how to get to the individual issues.

HTH

Rick

Hey Richard

I found part of the problem.

route-map ISP2_MAP permit 10

match ip address ATT_NAT

set ip next-hop 2.2.2.53

The above was pointing at the wrong default gateway. Now that I have it set to the correct default gateway for that network, internet access does not work in the original config or the above suggestions you made.

I'm going to re-post the config with less stripped out in the hopes something will pop out.

Thanks!

interface GigabitEthernet0/2/0
 description LAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 negotiation auto
!
interface GigabitEthernet0/2/0.1
 description Native Vlan for ProCurve Management
 encapsulation dot1Q 1 native
 ip address 172.20.1.100 255.255.0.0
 ip access-group OUTPUT_ACL in
 ip nat inside
 ip virtual-reassembly
 ip policy route-map ISP_MAP
 no cdp enable
!
interface GigabitEthernet0/2/0.2
 encapsulation dot1Q 2
 ip address 10.78.17.1 255.255.255.0
 ip access-group OUTPUT_ACL in
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip policy route-map ISP2_MAP
!
interface GigabitEthernet0/2/0.666
 encapsulation dot1Q 666
 ip address 172.66.0.1 255.255.0.0
 ip access-group GUEST_ACL out
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface GigabitEthernet0/2/0.847
 encapsulation dot1Q 847
 ip address 172.30.1.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface GigabitEthernet0/3/0
 description Fibre to ATT
 no ip address
 negotiation auto
!
interface GigabitEthernet0/3/0.554
 description ICN Internet
 encapsulation dot1Q 554
 ip address 1.1.1.206 255.255.255.252
 ip access-group INPUT_ACL in
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 no cdp enable
!
interface GigabitEthernet0/3/0.555
 description OPT-E-MAN
 encapsulation dot1Q 555
 ip address 10.100.20.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map barracuda-redirect
 no cdp enable
!
interface GigabitEthernet0/3/0.1528
 description AT&T Internet
 encapsulation dot1Q 1528
 ip address 2.2.35.54 255.255.255.252
 ip access-group INPUT_ACL in
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 no cdp enable
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.205
ip route 0.0.0.0 0.0.0.0 2.2.34.53
ip route 172.16.0.0 255.255.0.0 10.100.16.1
ip nat inside source route-map ATT_MAP interface GigabitEthernet0/3/0.1528 overload
ip nat inside source route-map ICN_MAP interface GigabitEthernet0/3/0.554 overload


ip access-list extended ATT_NAT
 permit ip 10.78.17.0 0.0.0.255 any
 deny   ip any any
 ip access-list extended LOCAL-LAN
 permit ip 172.20.0.0 0.0.255.255 any
 permit ip 10.78.17.0 0.0.0.255 any
ip access-list extended LOCAL-LAN-ATT
 permit ip 10.0.0.0 0.255.255.255 any
ip access-list extended LOCAL-LAN-ICN
 permit ip 172.20.0.0 0.0.255.255 any
ip access-list extended NAT_ACL
 permit ip 172.20.0.0 0.0.255.255 any
 permit ip 172.19.0.0 0.0.255.255 any
 permit ip 172.18.0.0 0.0.255.255 any
 permit ip 172.17.0.0 0.0.255.255 any
 permit ip 172.16.0.0 0.0.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 172.26.0.0 0.0.255.255 any
 permit ip 172.27.0.0 0.0.255.255 any
 permit ip 172.28.0.0 0.0.255.255 any
 permit ip 172.29.0.0 0.0.255.255 any
 permit ip 172.30.0.0 0.0.255.255 any
 permit ip 192.0.0.0 0.255.255.255 any
 permit ip 10.100.0.0 0.0.255.255 any
 deny   ip any any
ip access-list extended OPT_ACL
 permit ip any 172.30.0.0 0.0.255.255
 permit ip any 172.16.0.0 0.0.255.255
 permit ip any 172.26.0.0 0.0.255.255
 permit ip any 172.17.0.0 0.0.255.255
 permit ip any 172.27.0.0 0.0.255.255
 permit ip any 172.18.0.0 0.0.255.255
 permit ip any 172.28.0.0 0.0.255.255
 permit ip any 172.19.0.0 0.0.255.255
 permit ip any 172.29.0.0 0.0.255.255
 deny   ip any any
ip access-list extended OUTPUT_ACL
 permit tcp host 172.20.4.1 any eq smtp
 permit tcp host 172.20.6.3 any eq smtp
 permit tcp host 172.20.3.11 any eq smtp
 permit tcp host 172.170.1.1 any eq smtp
 deny   tcp any any eq smtp log
 permit ip any any
ip access-list extended VLAN2_ACL
 permit ip any 10.78.17.0 0.0.0.255
ip access-list extended filter_acl
 deny   ip host 172.20.6.5 any
 deny   ip host 10.78.17.254 any
 permit tcp 172.0.0.0 0.255.255.255 any eq www
 permit tcp 172.0.0.0 0.255.255.255 any eq 443
 permit tcp 10.0.0.0 0.0.0.255 any eq 443
ip access-list extended filter_acl_in
 permit udp any eq domain 172.20.0.0 0.0.255.255
 permit tcp any eq 443 172.20.0.0 0.0.255.255
ip access-list extended filter_acl_out
 permit tcp 172.20.0.0 0.0.255.255 any eq www
 permit tcp 172.20.0.0 0.0.255.255 any eq 443
!
access-list 10 permit any
!
route-map barracuda_in permit 10
 match ip address filter_acl_in
 set ip next-hop 10.78.17.254
!
route-map ATT_MAP permit 10
 match ip address LOCAL-LAN-ATT
 set interface GigabitEthernet0/3/0.1528
!
route-map barracuda-redirect permit 10
 match ip address traffic filter_acl
 set ip next-hop 10.78.17.254
!
route-map ICN_MAP permit 10
 match ip address LOCAL-LAN-ICN
 set interface GigabitEthernet0/3/0.554
!
route-map ISP_MAP permit 8
 match ip address VLAN2_ACL
 match interface GigabitEthernet0/2/0.2
!
route-map ISP_MAP permit 9
 match ip address OPT_ACL
 match interface GigabitEthernet0/3/0.555
!
route-map ISP_MAP permit 10
 match ip address filter_acl
 set ip next-hop 10.78.17.254
!
route-map ISP_MAP permit 11
 match ip address NAT_ACL
 set ip next-hop 1.1.1.205
!
route-map ISP2_MAP permit 10
 match ip address ATT_NAT
 set ip next-hop 2.2.34.53
!

Hi,

1)

ip route 0.0.0.0 0.0.0.0 2.2.34.53
interface GigabitEthernet0/3/0.1528
 description AT&T Internet
 encapsulation dot1Q 1528
 ip address 2.2.35.54 255.255.255.252

your second default route is pointing towards a recursive next-hop, is this a typo ? I even wonder if it is installed in the RIB.

2)

ip nat inside source route-map ATT_MAP interface GigabitEthernet0/3/0.1528 overload
ip nat inside source route-map ICN_MAP interface GigabitEthernet0/3/0.554 overload
route-map ATT_MAP permit 10
 match ip address LOCAL-LAN-ATT
 set interface GigabitEthernet0/3/0.1528 >>> this should be a match clause not a set
route-map ICN_MAP permit 10
 match ip address LOCAL-LAN-ICN
 set interface GigabitEthernet0/3/0.554  >>>>> same as above

3)

interface GigabitEthernet0/2/0.2
 encapsulation dot1Q 2
 ip address 10.78.17.1 255.255.255.0
 ip access-group OUTPUT_ACL in
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip policy route-map ISP2_MAP
route-map ISP2_MAP permit 10
 match ip address ATT_NAT
 set ip next-hop 2.2.34.53  >>> typo? recursive next-hop

Can you solve these points and post latest modified config as well as results.

Regards

Alain

Don't forget to rate helpful posts.

I agree with the points that Alain makes. In addition I question these

route-map ISP_MAP permit 8

match ip address VLAN2_ACL

match interface GigabitEthernet0/2/0.2

!

route-map ISP_MAP permit 9

match ip address OPT_ACL

match interface GigabitEthernet0/3/0.555

ISP_MAP is used for PBR and as such I would expect a match clause and a set clause. Having 2 match clauses is the logic used for address translation and is not effective in Policy Based Routing.

I am also somewhat confused about what you are doing in ISP_MAP. The route map is assigned to do PBR in only one interface. But the route map has 4 clauses and every clause uses a different access list (one of which has permits for 13 subnets) to select traffic.

I will offer one other suggestion. I like the names that you use for route maps because they are descriptive of what the route map is going to do. ISP_MAP and ISP2_MAP are for PBR while ATT_MAP and ICN_MAP are for address translation. I wish that the access lists had similar relationship between name and function. When ISP_MAP uses NAT_ACL and when ISP2_MAP uses ATT_NAT access list I tend to get confused.

HTH

Rick