New Member

Problem with NAT rules for Webmail Service in Router 2921

 

A/ Description:

In our system environment, we have 03 FTTH internet lines

(internet load balancing in one Router 2921;

this router has an integrated EHWVIC-4ESG card inside)

G0/0 PPPoE: line 1

G0/1 PPPoE: line 2

G0/2 PPPoE: line 3

EHWVIC-4ESG connected to the inside network

 

B/ Main purpose we want to do

Now we want to define in this router as below:

step 1 - define the NAT rule for the webmail service and IPSEC VPN; it must run only on line 01.

step 2 - define all 03 internet lines to run the internet service.

 

C/ Current Situation which we face now:

After we configured it, step 1 above (in section B) didn't run properly:

 

From outside, we access this webmail service (http://webmail@abc.com); after the server authorizes and replies to this session, we have 02 scenarios:

 

1/ Sometimes the reply to the user's session goes out on the right public IP we want, on line 1, so the user can access the webmail server => OK

 

2/ Sometimes the reply to the user's session goes out on the other 02 lines, so the user cannot access the webmail server => not OK

 

note: please see more details in the attached configuration file below

 

We hope to receive your feedback ASAP.

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Hello,

ok, that is a bit weird. Check if the IP addresses in WAN-ACL match the source IP from which you expect the packets.

Is there maybe another NAT operation in the path between the ISR 2921 and the server, so that the source IP addresses from the server are modified? I can't see any NAT rule for 10.222.222.45 in your last attachment, for example. I assume one of your internal routers (10.222.226.33) performs the NAT for the webmail service. If 10.222.226.33 does a NAT operation to 10.222.222.45, you have to use the IP address 10.222.226.33 in the WAN-ACL.

With which service did you try to verify the route-map?

 

Best Regards

Lukasz

4 REPLIES
New Member

Hello,

the router does equal-cost load balancing using the three default gateways. To ensure the return traffic goes over the correct WAN line, I suggest creating a route-map and attaching it to the vlan1 interface.

 

ip access-list extended WAN-ACL
permit tcp host 10.222.222.y eq 80 any
permit tcp host 10.222.222.y eq 443 any
permit udp host 10.222.222.y eq 500 any
permit udp host 10.222.222.y eq 4500 any

 

route-map WAN-RMAP permit 10
match ip address WAN-ACL
set ip next-hop <line 1 next-hop address>
route-map WAN-RMAP permit 20

 

interface vlan1
ip policy route-map WAN-RMAP

 

The last line of the route-map should be an empty permit statement to ensure all other traffic, which doesn't match an ACL used by the route-map, is handled by the default routing table.

 

kind regards

 

Lukasz
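To make the check in the accepted answer concrete (does the return packet's source address and port actually hit an entry of WAN-ACL, or does it fall through to the ECMP default routes?), here is a small simulator added for this thread; it is not Cisco code or anything from the posters. It parses the `show access-lists` lines from the thread and evaluates constructed sample return packets, including one whose source was rewritten by an inner NAT, which is the case the accepted answer suspects.

```python
import ipaddress
from dataclasses import dataclass

# Service names IOS prints in "show access-lists" for well-known ports.
PORT_NAMES = {"www": 80, "isakmp": 500, "non500-isakmp": 4500}

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP as seen by the 2921 on vlan1
    sport: int   # source port (the service port on the return leg)
    dst: str

def parse_ace(line: str):
    """Parse 'permit <proto> host <ip> eq <port> any' into (proto, host, port)."""
    f = line.split()
    if f[0] != "permit" or f[2] != "host" or f[4] != "eq" or f[6] != "any":
        raise ValueError(f"unsupported ACE: {line}")
    port = PORT_NAMES.get(f[5]) or int(f[5])
    return (f[1], ipaddress.ip_address(f[3]), port)

def parse_acl(text: str):
    return [parse_ace(l.strip()) for l in text.strip().splitlines()]

def pbr_next_hop(acl, pkt: Packet, pbr_interface: str = "Dialer2") -> str:
    """Mimic the route-map: a matching ACE policy-routes the packet out the
    set interface; anything else falls through to the default routing table,
    where the router load-balances across the three dialers."""
    src = ipaddress.ip_address(pkt.src)
    for proto, host, port in acl:
        if proto == pkt.proto and host == src and port == pkt.sport:
            return pbr_interface
    return "default-route"

# Entries copied from the WAN-ACL shown in the thread.
WAN_ACL = parse_acl("""
permit tcp host 10.222.222.45 eq www any
permit tcp host 10.222.222.45 eq 443 any
permit udp host 10.222.222.33 eq isakmp any
permit udp host 10.222.222.33 eq non500-isakmp any
""")

# Constructed sample packets: the webmail server answering an outside client
# (203.0.113.10 is a documentation address used here as a placeholder).
WEBMAIL_REPLY = Packet("tcp", "10.222.222.45", 443, "203.0.113.10")
# The same reply after an inner router rewrote the source to 10.222.226.33:
# no ACE matches, so the route-map counter stays at 0 and ECMP decides the line.
NATTED_REPLY = Packet("tcp", "10.222.226.33", 443, "203.0.113.10")
```

Running `pbr_next_hop(WAN_ACL, NATTED_REPLY)` reproduces the "0 packets" symptom from the `show route-map` output: the fix is to list the address the 2921 really sees as the source.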

New Member

Hi Lukasz,

 

Thanks for your response!

I configured it as you suggested, but the issue still remains. The return traffic doesn't go over the correct WAN line.

Please see my config in the attachment.

I am posting the report:

CMC_UC_INTERNET_GATEWAY#show access-lists
Extended IP access list 100
    10 permit ip any any (246325 matches)
Extended IP access list WAN-ACL
    10 permit tcp host 10.222.222.45 eq www any
    20 permit tcp host 10.222.222.45 eq 443 any
    30 permit udp host 10.222.222.33 eq isakmp any
    40 permit udp host 10.222.222.33 eq non500-isakmp any
    50 permit tcp host 10.222.222.33 eq 4500 any
    60 permit udp host 10.222.226.33 eq 10000 any
    70 permit tcp host 10.222.226.33 eq 10000 any

 

 

CMC_UC_INTERNET_GATEWAY#show rou
CMC_UC_INTERNET_GATEWAY#show route-map
route-map VNPT-01, permit, sequence 10
  Match clauses:
    ip address (access-lists): 100
    interface Dialer0
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map CTI-03, permit, sequence 10
  Match clauses:
    ip address (access-lists): 100
    interface Dialer2
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map CTI-02, permit, sequence 10
  Match clauses:
    ip address (access-lists): 100
    interface Dialer1
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map WAN-RMAP, permit, sequence 10
  Match clauses:
    ip address (access-lists): WAN-ACL
  Set clauses:
    interface Dialer2
  Policy routing matches: 0 packets, 0 bytes
CMC_UC_INTERNET_GATEWAY#

The route-map WAN-ACL doesn't count any packets; it just matches the access-list. Please check again ...

 

Thanks & Best Regards,

New Member

Dear Lukasz,

   Your first answer was right. The reason is that ASDM was using port 443 while my webmail was also using the same port, so there was a conflict.

 

   Now I have changed the ASDM port on the ASA to another port and the return traffic goes over the correct WAN line.

 

Thank you.

Best Regards.
