06-11-2014 06:19 AM - edited 03-04-2019 11:08 PM
Hey... I've got a really weird situation that is driving me crazy. Please help.
2 subnets: Vlan1 - 192.168.100.0/24, Vlan2 - 192.168.0.0/24
2 ISPs: Verizon, Optimum
Email server host 192.168.100.7 is set through a route-map policy to go out through Verizon. It has always worked and still works.
When I ping internally to/from subnet 192.168.0.0, I can't hit this machine, or vice versa. Anything from subnet 192.168.100.0 pings/communicates/routes properly.
Attached are the config pieces for the route-map.
interface FastEthernet0
description Verizon T1
bandwidth 1544
ip address ISP1_IP
ip access-group 101 in
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet1
description Optimum
ip address ISP2_IP
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SITETOSITE
interface Vlan1
description Internal
ip address 192.168.100.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip policy route-map EMAILSERVER
!
interface Vlan2
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip route 0.0.0.0 0.0.0.0 ISP2_DEFAULT_GATEWAY
ip route 0.0.0.0 0.0.0.0 ISP1_DEFAULT_GATEWAY 254
ip nat inside source route-map OPTIMUM interface FastEthernet1 overload
ip nat inside source static tcp 192.168.100.7 23 interface FastEthernet0 23
ip nat inside source static tcp 192.168.100.7 110 interface FastEthernet0 110
ip nat inside source static tcp 192.168.100.7 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.100.7 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.100.7 1352 interface FastEthernet0 1352
ip nat inside source route-map EMAILSERVER interface FastEthernet0 overload
ip nat inside source route-map VERIZON interface FastEthernet0 overload
ip nat inside source static tcp 192.168.100.7 25 interface FastEthernet0 25
ip nat inside source static tcp 192.168.100.9 47 interface FastEthernet1 47
ip nat inside source static udp 192.168.100.9 47 interface FastEthernet1 47
ip nat inside source static tcp 192.168.100.9 1723 interface FastEthernet1 1723
!
ip access-list extended VERIZON-ACL
permit ip host 192.168.100.7 any
!
logging trap debugging
logging 192.168.0.31
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 192.168.110.0 0.0.0.255
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit gre any any
access-list 101 permit udp any any eq ntp
access-list 101 permit tcp any any eq 1723
access-list 101 permit udp any any eq 1723
access-list 101 permit tcp any any eq 1352
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 deny ip 192.168.100.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any eq domain any
access-list 101 permit udp host 64.115.0.9 eq domain any
access-list 101 permit udp host 64.115.0.10 eq domain any
access-list 101 permit udp host 67.206.254.2 eq domain any
access-list 101 permit udp host 207.172.3.8 eq domain any
access-list 101 permit udp host 167.206.112.138 eq domain any
access-list 101 permit udp host 167.206.7.4 eq domain any
access-list 101 permit udp host 208.67.222.222 eq domain any
access-list 101 permit udp host 208.67.220.220 eq domain any
access-list 101 permit udp host 8.8.8.8 eq domain any
access-list 101 permit udp host 8.8.4.4 eq domain any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 deny ip 192.168.100.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 102 remark VERIZON ROUTEMAP ACL
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 103 deny ip 192.168.100.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 103 deny ip host 192.168.100.7 any
access-list 103 permit ip 192.168.100.0 0.0.0.255 any
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 permit ip 10.0.0.0 0.0.0.255 any
route-map EMAILSERVER permit 9
match ip address VERIZON-ACL
match interface FastEthernet0
set ip next-hop ISP1_DEFAULT_GATEWAY
!
route-map VERIZON permit 1
match ip address 102
match interface FastEthernet0
!
route-map OPTIMUM permit 1
match ip address 103
match interface FastEthernet1
!
06-11-2014 06:41 AM
Can you share the output of show access-list 103 and show access-list 102?
06-11-2014 06:44 AM
Absolutely
#show access-list 102
Extended IP access list 102
10 deny ip 192.168.100.0 0.0.0.255 192.168.110.0 0.0.0.255
20 permit ip 192.168.100.0 0.0.0.255 any (1 match)
30 permit ip 192.168.0.0 0.0.0.255 any
40 permit ip 10.0.0.0 0.0.0.255 any
R1#show access-list 103
Extended IP access list 103
10 deny ip 192.168.100.0 0.0.0.255 192.168.110.0 0.0.0.255
20 deny ip host 192.168.100.7 any (2775 matches)
30 permit ip 192.168.100.0 0.0.0.255 any (44855 matches)
40 permit ip 192.168.0.0 0.0.0.255 any (3561 matches)
50 permit ip 10.0.0.0 0.0.0.255 any
06-16-2014 04:37 AM
Any update on this ? Thanks
06-18-2014 04:39 AM
Hi,
Sorry for late response...I was stuck somewhere else.
Can you make the following change? I believe you will then be able to access 192.168.100.7 from the 192.168.0.0/24 network.
ip access-list extended VERIZON-ACL
no 10 permit ip host 192.168.100.7 any
10 deny ip host 192.168.100.7 192.168.0.0 0.0.0.255
20 permit ip host 192.168.100.7 any
06-19-2014 12:29 AM
Hi,
Did you make the change? Please let me know the result. I simulated the same scenario and the ACL change solved the issue.
06-19-2014 04:46 AM
Hello Rahul,
I just applied this and it did indeed fix the problem. Thank you very much.
Can you please explain why this was needed to make this work?
Thanks!
06-19-2014 04:57 AM
Hi,
As per route-map "EMAILSERVER", traffic from 192.168.100.7 to any destination will be forwarded to "ISP1_DEFAULT_GATEWAY", and "ISP1_DEFAULT_GATEWAY" will send an ICMP destination unreachable message to 192.168.100.7. With the change in the ACL configuration for this route-map, traffic to the 192.168.0.0/24 network will no longer be forwarded to "ISP1_DEFAULT_GATEWAY"; it will be forwarded per the local routing table.
Can you please rate my answer if it solved your problem?
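The mechanism behind the fix, as an added worked example that is not part of the original thread: policy-based routing is evaluated before the routing table, so a route-map whose ACL is "permit host 192.168.100.7 any" overrides even the connected route for Vlan2 and hands intra-site packets (after NAT, since the EMAILSERVER NAT route-map matches the same traffic) to the Verizon gateway. A deny entry in a PBR ACL does not drop the packet; it makes the clause not match, so the packet falls through to normal forwarding. The simulation below models Cisco wildcard-mask ACL matching, route-map clause evaluation and longest-prefix/administrative-distance selection over the routes visible in the posted config. ISP1_DEFAULT_GATEWAY and ISP2_DEFAULT_GATEWAY are kept as the page's placeholders. A generalized ACL that also exempts 10.0.0.0/24 and 192.168.110.0/24 is included as an assumption: those prefixes appear only in the NAT ACLs on the page (192.168.110.0/24 is NAT-exempt, consistent with the site-to-site crypto map on FastEthernet1), so treating them as internal/VPN destinations is an inference, not something the thread states.

```python
"""Simulate IOS policy-based routing for the EMAILSERVER route-map.

Added example, not code from the original thread. Gateway names are the
placeholders used on the page. VERIZON_ACL_GENERAL is an assumption: it
exempts the other prefixes the posted NAT ACLs treat as internal.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "any" | "host A.B.C.D" | "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str


def wild_match(spec: str, addr: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_address(parts[1]) == ipaddress.ip_address(addr)
    base, wild = (int(ipaddress.ip_address(p)) for p in parts)
    return (int(ipaddress.ip_address(addr)) | wild) == (base | wild)


def acl_lookup(acl: Tuple[AclEntry, ...], src: str, dst: str) -> str:
    """First matching entry wins; no match is the implicit deny."""
    for e in acl:
        if wild_match(e.src, src) and wild_match(e.dst, dst):
            return e.action
    return "implicit-deny"


@dataclass(frozen=True)
class RouteMapClause:
    action: str                   # route-map permit/deny
    acl: Tuple[AclEntry, ...]     # match ip address <acl>
    next_hop: Optional[str] = None  # set ip next-hop


def policy_route(route_map, src: str, dst: str) -> Optional[str]:
    """PBR semantics: only an ACL *permit* matches a clause. An ACL deny or
    no match skips to the next clause. A matched route-map deny clause, or
    no matching clause at all, means normal routing (None)."""
    for clause in route_map:
        if acl_lookup(clause.acl, src, dst) == "permit":
            return clause.next_hop if clause.action == "permit" else None
    return None


# Routes from the posted config: two connected VLANs, default via ISP2,
# floating default via ISP1 (administrative distance 254).
ROUTES = [
    ("192.168.100.0/24", "connected Vlan1", 0),
    ("192.168.0.0/24", "connected Vlan2", 0),
    ("0.0.0.0/0", "ISP2_DEFAULT_GATEWAY", 1),
    ("0.0.0.0/0", "ISP1_DEFAULT_GATEWAY", 254),
]


def table_lookup(dst: str) -> str:
    """Longest prefix match; ties broken by lowest administrative distance."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, ad in ROUTES:
        net = ipaddress.ip_network(prefix)
        if d in net:
            key = (net.prefixlen, -ad)
            if best is None or key > best[0]:
                best = (key, nh)
    return best[1]


def forward(route_map, src: str, dst: str) -> Tuple[str, str]:
    """Return ('pbr', next_hop) if policy routed, else ('table', next_hop)."""
    nh = policy_route(route_map, src, dst)
    return ("pbr", nh) if nh else ("table", table_lookup(dst))


# VERIZON-ACL as posted originally, and as changed in the accepted answer.
VERIZON_ACL_BEFORE = (AclEntry("permit", "host 192.168.100.7", "any"),)
VERIZON_ACL_AFTER = (
    AclEntry("deny", "host 192.168.100.7", "192.168.0.0 0.0.0.255"),
    AclEntry("permit", "host 192.168.100.7", "any"),
)
# Assumed generalization: exempt every internal/VPN prefix, not just Vlan2.
VERIZON_ACL_GENERAL = (
    AclEntry("deny", "host 192.168.100.7", "192.168.0.0 0.0.0.255"),
    AclEntry("deny", "host 192.168.100.7", "10.0.0.0 0.0.0.255"),
    AclEntry("deny", "host 192.168.100.7", "192.168.110.0 0.0.0.255"),
    AclEntry("permit", "host 192.168.100.7", "any"),
)


def emailserver_route_map(acl):
    """route-map EMAILSERVER permit 9: match the ACL, set next-hop to ISP1."""
    return (RouteMapClause("permit", acl, "ISP1_DEFAULT_GATEWAY"),)


if __name__ == "__main__":
    for label, acl in (("before", VERIZON_ACL_BEFORE), ("after", VERIZON_ACL_AFTER),
                       ("general", VERIZON_ACL_GENERAL)):
        rm = emailserver_route_map(acl)
        for dst in ("192.168.0.31", "192.168.110.5", "8.8.8.8"):
            print(label, "192.168.100.7 ->", dst, forward(rm, "192.168.100.7", dst))
```

With the original ACL the mail server's packets to the syslog host 192.168.0.31 are handed to ISP1_DEFAULT_GATEWAY instead of the connected Vlan2 route, which is the symptom in the thread; with the deny entry they fall through to the routing table. The "general" variant shows why a practitioner would deny every internal destination: with only the Vlan2 exemption, 192.168.100.7 to 192.168.110.0/24 is still policy routed to ISP1 rather than following the default route out FastEthernet1 where the crypto map lives (again an inference from the NAT exemptions, not a statement from the thread). An equivalent IOS alternative, not used in the thread, is `set ip default next-hop`, which consults the routing table first and applies the policy next hop only when no explicit (non-default) route exists.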