Cisco Support Community

New Member

Routing problems with the cisco 1841

Here at our office we're using a Cisco 1841 with both an SDSL connection and an ADSL connection. This is all working great actually, the ADSL connection provides our LAN the internet and the SDSL connection is completely separate and hosts our webserver with its own IP (so no LAN configured for that connection). Obviously, the ADSL connection has NAT enabled and the SDSL connection is completely NAT disabled. Our problem was like this: At our LAN we couldn't connect to our website (so basically we couldn't connect to the IP-range of the SDSL connection). Now we discovered where the problem lies. In the Cisco router there are 2 ACL rules defined: Rule #150 has 2 subrules which are

1) Permit, source=any, destination=IP range from SDSL connection.

2) Permit, source=IP range from SDSL connection, destination=any

Now, when we delete the second rule we can connect from our LAN to the SDSL IP's but the rest of the world can't connect to it anymore. When we have both these rules enabled, the rest of the world can connect to the SDSL IP's but we can't connect from our LAN. Also I should mention that when we look with tcpdump we see packages arriving at the SDSL IP's and the replies are there as well, but the route back to the LAN seems to be disabled. There is no firewall installed whatsoever btw. Please give us any information you can think of, because we are totally stunned by how this can happen.

7 REPLIES
New Member

Re: Routing problems with the cisco 1841

Could you please add the configuration of this router. A network diagram is also welcome.

From your description, I don't know where ACL 150 is applied.

Regards

Shaik ASSANA

New Member

Re: Routing problems with the cisco 1841

I have attached the running configuration of the router. I do not have a network diagram readily available, but I'll try my ASCII art on it:

SDSL ADSL

| |

| |

| |

----------

Cisco 1841

----------

| |Lan with NAT enabled

|

|Completely separated SDSL IP's

EDIT: the forum fubars my little drawing, but the diagram can be derived from my description I think.

New Member

Re: Routing problems with the cisco 1841

If I understand it correctly, access-list 150 is used in route-map sdsl to set the outgoing interface to the DSL port. But that ACL matches with 80.127.bla both as source and destination address, so it will also send return traffic (from the DSL interface) back into the DSL interface... Basically blackholing the traffic that way. Seems to me that this may be one of the reasons why it won't work.

If this is the case, if you turn on debugging on the interface you would see encapsulation errors and so on.

New Member

Re: Routing problems with the cisco 1841

Okay, that makes sense. Where can I configure that "route-map sdsl"? I have looked everywhere but I can't find it anywhere.

New Member

Re: Routing problems with the cisco 1841

I'm pretty sure now that the policy routing on FastEth 0/1 is the source of your problems. Best way to proceed would be to clearly redefine how you want the routing policy to be (which flows from where to where), and then decide where you will enforce it (applying policies to interfaces). In any event, you will need two policies instead of one, to route traffic to/from the LAN and to/from the Internet.

By the way: The route-map is all the way down in the config, and the ip policy map is applied on FastEth0/1

Hall of Fame Super Silver

Re: Routing problems with the cisco 1841

Maarten

I agree with Peter that your problem is that the Policy Based Routing that is configured is matching responses which should go back to your LAN and sending them out the dialer interface. I would suggest that you need to modify access-list 150 to deny traffic to your LAN before you permit other traffic. I would suggest that you paste this into your router:

no access-list 150
!
access-list 150 remark SDM_ACL Category=1
access-list 150 deny ip 192.168.0.0 0.0.0.255 80.127.207.192 0.0.0.15
access-list 150 deny ip 80.127.207.192 0.0.0.15 192.168.0.0 0.0.0.255
access-list 150 permit ip any 80.127.207.192 0.0.0.15
access-list 150 permit ip 80.127.207.192 0.0.0.15 any

Give this a try and let us know if it fixes your problem.

HTH

Rick
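
The first-match behaviour behind the fix above, as an added example that is not part of the original thread: a small Python model of how access-list 150 classifies a packet when it is used as the match clause of the policy route. It assumes the route-map has a single permit clause that matches ACL 150 and sends matching packets out the SDSL dialer; the host addresses 80.127.207.194, 192.168.0.10 and 203.0.113.5 are constructed samples.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def matches(addr, spec):
    """spec is 'any' or a (base, wildcard) pair in Cisco wildcard-mask notation."""
    if spec == "any":
        return True
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must equal base.
    return ((ip(addr) ^ ip(base)) & ~ip(wildcard) & 0xFFFFFFFF) == 0

def acl_action(acl, src, dst):
    """Return the action of the first entry that matches, top to bottom."""
    for action, src_spec, dst_spec in acl:
        if matches(src, src_spec) and matches(dst, dst_spec):
            return action
    return "deny"  # implicit deny at the end of every ACL

def route(acl, src, dst):
    """Assumed route-map: permit -> policy-routed out the dialer,
    deny -> packet is not matched and follows the normal routing table."""
    return "policy" if acl_action(acl, src, dst) == "permit" else "normal"

SDSL = ("80.127.207.192", "0.0.0.15")   # 80.127.207.192 - .207
LAN = ("192.168.0.0", "0.0.0.255")      # 192.168.0.0 - .255

# The two entries described in the original question.
ORIGINAL = [("permit", "any", SDSL), ("permit", SDSL, "any")]
# The replacement list from the accepted answer: LAN<->SDSL is excluded first.
FIXED = [("deny", LAN, SDSL), ("deny", SDSL, LAN)] + ORIGINAL

if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("80.127.207.194", "192.168.0.10", "web server reply to LAN host"),
        ("80.127.207.194", "203.0.113.5", "web server reply to Internet host"),
    ]
    for src, dst, label in flows:
        print(f"{label}: original={route(ORIGINAL, src, dst)}, "
              f"fixed={route(FIXED, src, dst)}")
```

With the original list the reply to the LAN host is classified "policy" and leaves via the dialer; with the reordered list it is classified "normal" while Internet-bound replies are still policy-routed.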

New Member

Re: Routing problems with the cisco 1841

All right, this works beautifully. Thank you so much for your solution, it really is awesome!
