I need incoming connections to port 3389 to come in via ISP1, and incoming connections to port 5800 to come in via ISP2. I configured the following config, but it is not working; could you help me?
I also need another config: IP SLA for outbound traffic from inside to any destination (except ports 3389 and 5800). ISP1 is the primary link; when this link is down, ISP2 stays active for outbound traffic.
interface GigabitEthernet0/0
 ip address 184.108.40.206 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map internet
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 220.127.116.11 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 18.104.22.168 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip nat inside source list nat-isp1 interface GigabitEthernet0/1 overload
ip nat inside source list nat-isp2 interface GigabitEthernet0/2 overload
!
ip access-list extended nat-isp1
 permit ip any any
ip access-list extended nat-isp2
 permit ip any any
!
ip route 0.0.0.0 0.0.0.0 22.214.171.124
ip route 0.0.0.0 0.0.0.0 126.96.36.199
!
ip access-list extended pbr-isp1
 permit tcp any any eq 3389
ip access-list extended pbr-isp2
 permit tcp any any eq 5800
!
route-map internet permit 20
 match ip address pbr-isp1
 set ip next-hop 188.8.131.52
 set interface GigabitEthernet0/1
!
route-map internet permit 30
 match ip address pbr-isp2
 set ip next-hop 184.108.40.206
 set interface GigabitEthernet0/2
!
You do have to configure two route-maps for the NAT translation:

route-map ISP1 permit 10
 match interface GigabitEthernet0/1
 match ip address nat-isp1
!
route-map ISP2 permit 10
 match interface GigabitEthernet0/2
 match ip address nat-isp1
 ! you can reuse the same ACL if there is no need for different entries
!
ip nat inside source route-map ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/2 overload
The "set interface xy" statements in the 'internet' route-map are not necessary. However, you have to configure a permit 40 sequence (route-map internet permit 40) without any statements to ensure that all other traffic is handled by the normal routing table.
The pbr-isp1 and pbr-isp2 ACLs are wrong, too: the TCP ports 3389 and 5800 are in that case the source ports, not the destination ports. The ACLs should look like:

ip access-list extended pbr-isp1
 permit tcp any eq 3389 any
ip access-list extended pbr-isp2
 permit tcp any eq 5800 any
Interfaces:

!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 220.127.116.11 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map internet
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 18.104.22.168 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 22.214.171.124 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip access-list extended nat-ISP2
 permit ip 126.96.36.199 0.0.0.255 any
!
ip access-list extended acl-ISP2
 permit tcp any eq 5800 any
 deny ip any any
!
route-map internet permit 20
 match ip address acl-ISP2
 match interface GigabitEthernet0/1
 set ip next-hop 188.8.131.52
!
route-map ISP2 permit 10
 match ip address nat-ISP2
 match interface GigabitEthernet0/1
!
The configuration has changed a bit here. The default routes are not equal-cost any more: now you have a preferred route through ISP1, while ISP2 has a metric of 254 and only comes into play if the ISP1 SLA goes into the down state.
The IP SLA configuration doesn't make sense to me here. You want to track the state of ISP1 and the default route, but you are using gig0/2, which is connected to ISP2 (according to the IP addresses), as the source interface. I can't see a static route to 184.108.40.206 either. The SLA should never go into the up state because there is no route to the Google DNS.
You should change the source interface to gig0/0 for ip sla 1 and add a static route to the Google DNS (ip route 220.127.116.11 255.255.255.255 18.104.22.168).
With the routing table in your recent post you can configure the route-map a bit differently. Configure only TCP port 5800 to use ISP2 and let the routing table handle the rest:

route-map internet permit 10
 match ip address acl-ISP2
 set ip next-hop 22.214.171.124
!
route-map internet permit 20
!

The line "route-map internet permit 20" with no other statements is important to ensure all other traffic is handled by the normal routing table and goes to ISP1.
To clear the NAT table if ISP1 goes down you can try
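The following is an added, complete IOS configuration that pulls together the points made in both answers above (return traffic of inbound sessions matched on the source port, an empty final route-map sequence, NAT selected by egress interface via route-maps, the SLA probe sourced from and pinned to the ISP1 side, and a floating static default via ISP2). It is not the configuration of anyone in this thread. All addresses are RFC 5737 documentation prefixes chosen here as placeholders (inside LAN 192.0.2.0/24, ISP1 gateway 198.51.100.1, ISP2 gateway 203.0.113.1), the inside hosts 192.0.2.10 and 192.0.2.20 and the static port forwards are assumed, and the EEM applet at the end is one common way to flush translations on failover, not necessarily what the last answer intended.

```ios
! Inside LAN on Gi0/0; ISP1 on Gi0/1; ISP2 on Gi0/2 (placeholder addresses)
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
 ip policy route-map internet
!
interface GigabitEthernet0/1
 ip address 198.51.100.2 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/2
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! Reachability probe for ISP1: sourced from the ISP1 interface and pinned
! to the ISP1 gateway by a host route, so it cannot succeed via ISP2
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 15 up 30
ip route 8.8.8.8 255.255.255.255 198.51.100.1
!
! Primary default via ISP1 follows the track; floating static via ISP2 (AD 254)
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Return traffic of inbound sessions: the inside host replies FROM port
! 3389 / 5800, so the PBR ACL on the inside interface matches the SOURCE port
ip access-list extended pbr-isp1
 permit tcp any eq 3389 any
ip access-list extended pbr-isp2
 permit tcp any eq 5800 any
!
route-map internet permit 10
 match ip address pbr-isp1
 set ip next-hop 198.51.100.1
route-map internet permit 20
 match ip address pbr-isp2
 set ip next-hop 203.0.113.1
! Empty final sequence: everything else follows the routing table
route-map internet permit 30
!
! NAT chosen by egress interface so each ISP sees its own public address
ip access-list extended nat-inside
 permit ip 192.0.2.0 0.0.0.255 any
route-map ISP1 permit 10
 match ip address nat-inside
 match interface GigabitEthernet0/1
route-map ISP2 permit 10
 match ip address nat-inside
 match interface GigabitEthernet0/2
ip nat inside source route-map ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/2 overload
!
! Static port forwards for the two inbound services (assumed inside hosts)
ip nat inside source static tcp 192.0.2.10 3389 interface GigabitEthernet0/1 3389
ip nat inside source static tcp 192.0.2.20 5800 interface GigabitEthernet0/2 5800
!
! On failover, drop dynamic translations bound to ISP1 so existing outbound
! flows are re-translated on ISP2 (assumed EEM approach)
event manager applet isp1-down
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
```

Two checks worth running after applying something like this: `show track 1` should report "Reachability is Up" only while the probe succeeds through Gi0/1, and `show ip nat translations` should show outbound sessions using the Gi0/1 address while ISP1 is up and the Gi0/2 address after the track goes down. Pinning the probe target with a host route is what keeps the SLA honest; without it the probe would follow the default route and could still succeed via ISP2 once ISP1 fails, so the track would never fall back.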