I've got a problem with routing between 2 interfaces or only I think so.
I've got a 1812 router with 2 WAN's FE connectors. I would like to use both of them and I've done it, but the problem is, when I try to connect from the one network to another which is connected to the same router. One connection is used for one network which is behind NAT, the second one is some kind of DMZ. Public network where the server is.
When I ping the server from NAT-ed (?) network I don`t have any reply. When I tracert it, I see the packet goes out through correct interface, then through operators routers and come back to my router and then... die. On server I saw in iptraf that the packet comes on, but when server reply on it, the reply is lost. Server's network uses static path (default), LAN network uses route-map. The config is shown in attachment. I don`t know where can be a problem. Even I don`t need to have any internet connection active because router should route paths and should know that host I need to ping is on his interface so the replies should work even without internet connections.
READ THE CONFIG HERE PLEASE :).
And after that, LAN has got an internet access, NAT is working, but when I try to get to the server, I can`t :(. If I do it from any other host (not connected to that router) everything is ok.
Where is the problem ?
Very much thanks for help.
Really nobody knows ? :).
Or maybe it is so easy that You don`t want to help me ? :P.
I still doesn`t solve my problem. I figured out one thing, that I exactly don`t have Vlan1. It exists but is not configured. As I know vlan1 is a basics to communicate between other interfaces or devices and it is reserved for them by default.
What do you think about it ?
Thank You for any advice.
I have looked at the config that you posted. We can not tell at this point whether it is an issue about not having VLAN 1 configured. The ports that are configured as access ports are assigned to VLANs other than VLAN 1. But there are several ports not configured, so they do belong to VLAN 1. Is anything connected on those ports? If so then not having VLAN 1 configured may be a problem. If there is not anything connected to those ports then it does not matter whether VLAN 1 is configured or not.
It is difficult to determine whether your problem is a routing problem or is an address translation problem and I do not believe that we have enough information yet to figure out which. If you would tell us where the source is (what address and what interface) and where the server destination is (what address and through which interface) we could come closer to figuring this out.
I see that you have several public IP addresses (it is unclear but I assume that the address you learn on dialer 0 is public, there is a public address on FAstEthernet1, and on VLAN 666). I would expect address translation on each of the public address interfaces. But the only interface translating addresses is the dialer interface. And the static default route is pointing out FastEthernet1. If the source is in VLAN2 with a 192.168.0 address and it is going out FastEthernet1 and not being translated that would seem like a problem to me.
Thank You for Your reply.
Answering on the first section of your post I need to tell you, that there is nothing else connected to unconfigured ports. There is only used port number 2 and 9. There is also configured port number 3 and 8 but there is nothing connected. Second is used as a LAN connector, and ninth (? - 9th) is used as a public server connection. I suppose that to VLAN1 is used for all unused LAN ports (what exactly sh vlan-switch shows) but now when I don`t have any conception to solve my problem I try to look for a problem everywhere ;).
I thought that everything the configuration file will show. But if it is not so clear I will try to explain everything some.
As I wrote upon, the LAN is connected to 2nd port to the swich, what is exactly VLAN2 with IP address 192.168.0.1 and netmask /24. LAN comes through the interface DIALER0 using route-map and in all of that LAN is behind nat.
Server is connected to port number 9 and has public IP so it is seen directly in the internet. Server comes through fastethernet1 (default gateway), and gets address x.x.x.177. Default gateway for it is IP address of VLAN666 so x.x.x.178. The network x.x.x.176/40 is routed on x.x.x.30 by my ISP. That connection is not behind nat, it is a direct connection.
Everything works fine. Route map do its work, and nat also work fine. LAN got access to the internet, server works and everything is all right... but... when I try to get access from LAN to server I got timeouts. Why ? I don`t exactly know why :(.
As I saw on IPTRAF on my server(Linux Traffic Packets Tool), the tcp packets reach a server but don`t come back. When I ping the server from a LAN, server got a ICMP message, reply on it, but the packets don`t come back to LAN.
And that is a problem. Any connection from LAN to server don`t reach it. From any other external network I can ping server or get on it, but from my LAN I can`t.
When I come back to the old router which only is used for a DSL connection, everything is OK. When I got 2 ISP plugged into my router, it happens something strange what I tried to describe upon.
I hope now my situation and problem is clear.
Thanks for your help.
There are still some things about your configuration that I do not understand. But if you say that the LAN works ok and has access to the Internet then I will accept that this part work, even if I do not understand it.
I still think that the symptoms that clients from your LAN can not access the server sound like an address translation problem. You say that you can see traffic from the clients get to the server. Can you confirm that the traffic from the clients has addresses in 192.168.0.x? And can you post the output of route print from the server?
Thank you for a next try :).
Tell me what is unclear in my configuration for you and I will try to get you any information you need.
I don`t be so sure if that is a NAT problem.
You see... I didn`t check if the address was from the private pool 192.168.0.x because it was before I added to my ACL that line:
deny ip 192.168.0.0 0.0.0.255 x.x.x.176 0.0.0.15. But what if it was ?
I didn`t have it before so I thought that was a problem and modified my ACL.
NAT works good with that line in ACL and without it.
But without that line above when I ran IPTRAF I saw then IP address assigned to the interface Dialer0, so NAT works fine, but result was the same. Inside LAN I got timeouts to the server :(.
Tomorow I will do for you that test and check if now the source address is from LAN pool and if it reaches the server.
What kind of route print you want to see ? From the server to ... what ? Or you meant from LAN to server ?
If you meant from LAN to server I can tell you that when I run tracert to the server I got timeouts on first hop (I don`t remember what was the address of the first hop :(). When I run tracert to the server's gateway I got only one line of output like x.x.x.178 <1ms.
And to x.x.x.30 was exactly the same result as above (damn on my lastest post I wrote upon instead of above :)) - sorry).
Now I have an idea. Tell me if am I right.
If I got configured route-map which exactly tells how the LAN should behave when goes out and comes in when the ACL's tells that:
1. Route from LAN to the network x.x.x.167/28 must be denied.
2. Route from LAN to 0.0.0.0 must come through dialer0.
So... what happens with the packet ?
If route is accepted the packet will go through Dialer0, if not... what happens with it ? Should go throuh default path which is configured to FE1 ? It can not do it because it is behind NAT and FE1 is not nat outside interface.
And what now ? :D. Now I need to tell him that if the packet doesn`t match with ACL or is denied by ACL it should go through alternative path... but which one ?
I can not use something like that:
ip route 192.168.0.0 255.255.255.0 vlan2
because router knew it that subnet is connected to vlan2. So what kind of IP route should I use ?
I also can not use something like that:
ip route 192.168.0.0 255.255.255.0 192.168.0.1
because router will show me an error about the destination (next-hop) address (router address).
I should create the second route-map with ACL with set that if packet comes from LAN to server should go f.e. by interface VLAN666. But where should I assign that route map ? What interface to ?
Hard for me to understand that all mechanisms. And the worst is that I can not understand why my configuration doesn`t work :(.
Your config is not working because your PBR is misconfigured. The match statement in the route-map is "match policy-list" rather than "match ip address". Change this and lets see if it works.
See the following link for configuring PBR
My guess is that because the Policy-list ROUTE_MAP_LAN does not exist (policy-list is different from access-list), all packets are matched and sent to the dialer interface. This should explain why you see the packets going into the network, before it is now forwarded back to the router.
After being forwarded back to the router, because there is no route-map on the dialer interface, it is forwarded correctly to the server. However, I guess that the source address would have been translated. As the router would recieve the packet on a non nat interface, it can not be translated back, hence the timeout.
Please keep us posted as this is an interesting case.
Thank for your reply. But I got bad news. I did what you wrote and... still doesn`t work.
I don`t have any idea. I tried to do some things from the link you posted and nothing changed. I think that this is more simpliest (more simple ?) problem. Now I will try to turn off NAT, route-maps, access-lists and see if then I will see what I want. If not it will mean that there is a problem with ip address masks or something, am I right ? Maybe we will try to solve my problem from the bad way ?
After turning off NAT and others, nothing was changed. Am I right if I think that all devices connected to one router should see themselfs each other ? Or not ?
Sorry if I have a stupid ideas but I`m realy hopeless and I don`t know what to do now ;/.
you will need (Local Policy) in order to tell the router perform PBR Locally.
this would be accomplished by configuring:
(ip local policy route-map LAN_DSL) global config mode.
Pls try this and feedback,
When I've done it, I could only ping x.x.x.178 (gateway for the server). I've had PPPoE disconnected then, but it should not affect on PBR, because routing should be done localy.
I tried to do it on router simulator, and simulated situation on boson worked with configuration similar to mine.