I have one 1841 router with 2 internet providers (ADSL routers connected to the 1841 FE interfaces).
One of those is primary and the other serves as backup connection. The default route is 192.168.1.1 and the secondary is 192.168.2.1.
I want to route all traffic from specific local hosts to the secondary ISP, while maintaining all the rest through the primary ISP. I used a route-map based IP policy.
My problem is that policy seems to work OK for all traffic except POP3 and some IM applications.
Any clue about where may be the problem? My configuration follows:
ip address 192.168.1.2 255.255.255.0
ip nat outside
zone-member security out-zone
ip address 192.168.2.2 255.255.255.0
ip nat outside
zone-member security out-zone
ip address 192.168.0.1 255.255.255.0
ip nat inside
zone-member security in-zone
ip policy route-map ALPI
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 123
ip route 0.0.0.0 0.0.0.0 192.168.2.1 250
access-list 109 permit ip host 192.168.0.66 any
route-map ALPI permit 10
match ip address 109
set ip next-hop 192.168.2.1
Thanks in advance for your help,
Your policy based routing selects traffic from a specific host (192.168.0.66) and redirects it. From your description I would have assumed that you were looking for certain traffic types rather than looking at a specific host. If some POP3 is not being policy routed it is because that POP3 traffic was not sourced from 192.168.0.66.
Thanks for your indications. I tried policy routing all POP3 traffic (from all hosts) through the secondary ISP, but it still does not work.
Also, I found that some mail accounts are able to connect and some others (different providers) do not. I will check the clients' configuration, just in case.
Anyway, any other advice will be welcome.
Perhaps you can post the changed configs. If you do that and especially if you can provide any more detail about what is not working as expected then we might be able to identify the problem.
I would suggest you take a look at 'sh ip nat trans' output during a POP3 connection attempt; as long as you have an entry to the correct outside IP address (as per your NAT config vs. the secondary outgoing interface), you have proved your policy routing and NAT. Having proved this, your next move is to check your firewall config, ensuring correct rules for POP3 from both outside interface IP addresses (primary & secondary).
Have a look at http://www.cisco.com/warp/public/556/5.html for order of packet operations to create troubleshooting steps based on packet operation, the zone based FW policy is the old CBAC as mentioned on the page.
Without seeing a more complete config, it's hard to predict where the issue may be. But based on the above config, with the access-list being focused on a POP3 client (as per the other post), I would suggest there is no configuration error in the output you have shown.
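As an added check for the 'sh ip nat trans' step suggested above (example code written for this page, not from the thread or from Cisco): it parses a constructed sample of 'show ip nat translations' output and flags sessions from the policy-routed host that were NATed behind the primary outside address instead of the secondary one, which is exactly the condition that would show PBR not taking effect. The sample addresses, the host set and the expected outside IP are assumptions matching the topology described in the thread.

```python
"""Check 'show ip nat translations' output for policy-routed hosts whose
POP3 sessions were NATed behind the wrong outside interface."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample output (not from the thread). 192.168.2.2 is the secondary
# outside interface, 192.168.1.2 the primary; 203.0.113.x stand in for mail servers.
SAMPLE_NAT_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.168.2.2:1034   192.168.0.66:1034  203.0.113.10:110   203.0.113.10:110
tcp 192.168.1.2:1035   192.168.0.66:1035  203.0.113.20:110   203.0.113.20:110
tcp 192.168.2.2:1036   192.168.0.66:1036  203.0.113.30:80    203.0.113.30:80
tcp 192.168.1.2:1037   192.168.0.20:1037  203.0.113.10:110   203.0.113.10:110
"""

# Exactly five whitespace-separated columns; the header row has more and never matches.
NAT_LINE = re.compile(r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def split_sock(sock: str):
    """'192.168.2.2:1034' -> ('192.168.2.2', 1034); '---' or bare IPs get port 0."""
    ip, _, port = sock.rpartition(":")
    return (ip, int(port)) if ip and port.isdigit() else (sock, 0)


def parse_nat_translations(text: str) -> List[Dict]:
    """Parse the translation table into one dict per entry."""
    entries = []
    for line in text.splitlines():
        m = NAT_LINE.match(line)
        if m:
            proto, ig, il, ol, og = m.groups()
            entries.append({"proto": proto, "inside_global": ig, "inside_local": il,
                            "outside_local": ol, "outside_global": og})
    return entries


def find_misrouted(entries: List[Dict], policy_hosts: Set[str],
                   expected_outside_ip: str, dst_port: Optional[int] = None):
    """Translations from policy-routed hosts (optionally only to dst_port) whose
    inside-global address is not the expected outside interface: those flows
    left via the other ISP, so policy routing did not take effect for them."""
    bad = []
    for e in entries:
        src_ip, _ = split_sock(e["inside_local"])
        _, dport = split_sock(e["outside_global"])
        if src_ip in policy_hosts and (dst_port is None or dport == dst_port):
            if split_sock(e["inside_global"])[0] != expected_outside_ip:
                bad.append(e)
    return bad
```

Run it against the live output of 'show ip nat translations' captured during a POP3 attempt; an empty result means NAT and PBR agree and the firewall policy is the next place to look.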
Sorry about my lack of answer, but I've been ill for a couple of weeks.
Now, again at work. I have checked NAT translations and they look correct: they translate the host IP and port 110 to the secondary outgoing interface IP address.
I think the firewall config is also correct. Both outside interfaces are in the same zone and have the same FW policies. When going through the primary interface, all works OK.
I made another test: disabled policy routing, disconnected the primary ISP line (FE0/0) and checked. When all traffic goes through the secondary ISP interface (FE0/1), POP3 works OK. It is only when policy routing is enabled that the host is unable to make POP3 connections.
Also, 'debug ip policy' output shows what looks like duplicated policy routing for POP3 packets, one to an interface and the other to an IP address:
s=192.168.0.65 (Vlan1), d=22.214.171.124 (FastEthernet0/1), len 52, policy routed
s=192.168.0.65 (Vlan1), d=126.96.36.199, g=192.168.2.1, len 52, FIB policy routed
What is this 'FIB policy' about? Any other suggestion?
Thanks in advance,
The FIB is the CEF table which IOS uses to look up the next hop for a packet. What you have shown with the debug you pasted is correct. It does actually show the same interface (g0/1 and 192.168.2.1 are the same).
Question about your ISP service. You say your ISP has provided two routers which are connected to the router we are focused on here... Are the ADSL primary and secondary ccts and routers provided by the same ISP, and is it a primary and backup service you have purchased? What I am getting at is... your ISP may be routing all traffic back to your site via the primary unless the primary fails... maybe worthwhile checking with them to find out.
Sorry, maybe I didn't make it clear in my first post. I have 2 different ISPs. I have two ADSL routers connected to my Cisco 1841, but they belong to independent providers.
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(9)T1,
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 30-Aug-06 15:13 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
TR13 uptime is 2 weeks, 1 hour, 50 minutes
System returned to ROM by power-on
System image file is "flash:c1841-advipservicesk9-mz.124-9.T1.bin"
Cisco 1841 (revision 6.0) with 235520K/26624K bytes of memory.
Processor board ID FCZ110973AS
6 FastEthernet interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102