08-19-2006 06:00 AM - edited 03-03-2019 01:42 PM
I would like to send FTP traffic over our T1 line and all other traffic over a DSL connection. Our DSL connection is on F0/1 and our T1 is on Vlan1. Nat shows that ftp traffic is translated to the IP on Vlan1 but from there it appears that it doesn't go out as FTP does not work. Web browsing works over F0/1. My config is attached.
show ip nat trans:
tcp x.x.x.70:49513 192.168.1.128:49513 x.x.x.6:80 x.x.x.6:80
tcp x.x.x.34:49752 192.168.1.128:49752 x.x.x.197:21 x.x.x.197:21
udp x.x.x.70:57767 192.168.1.128:57767 x.x.x.122:3544 x.x.x.122:3544
So it is translating, but it stops there. Is there something I need to change with routing?
08-19-2006 06:14 AM
I think your issue can be solved with the help of route maps, or, as it is also called, policy-based routing:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfpbr.htm
rate this post if it helps
regards
Devang
08-19-2006 06:14 AM
You need to configure PBR, routing won't do it alone.
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq ftp-data
route-map ftptraffic permit 10
match ip address 101
set ip next-hop [next hop T1 IP]
interface fa0/0
ip policy ftptraffic
Please rate helpful posts.
Thanks
08-19-2006 06:56 AM
I tried that and it still does not work. Is the static route (ip route 0.0.0.0 0.0.0.0 FastEthernet0/1) overriding this?
08-19-2006 07:14 AM
Can you post the new router config?
Can you also turn on debugging against ACL 101 and see if the traffic is matching the route-map?
#debug ip packet 101 detail
In addition, change your NAT routine to a standard NAT and let the PBR I posted do its job. You are performing 2 PBRs.
08-19-2006 07:53 AM
08-19-2006 08:18 AM
Based on the debug and config, this should work. My only suggestion is removing
set interface Vlan1
from the route-map command.
Post Edit:
I'm thinking the NAT is taking place before the PBR, let's do the following
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
08-19-2006 08:45 AM
I tried that and still a no go. Any other ideas?
08-19-2006 08:56 AM
Sorry to ask the obvious question, but is the T1 actually working? If you remove the PBR and change the default route to VLAN 1, can you connect to anything?
08-19-2006 08:44 AM
I found some discrepancies in the debug output
1)
IP: s=x.x.x.70 (FastEthernet0/0)
Isn't .70 sourcing from F0/1?
2)
d=x.x.x.197 (FastEthernet0/1)
Isn't that VLAN 1?
08-19-2006 09:43 AM
.70 is the IP on F0/1
.197 is the IP of the ftp site being accessed.
The T1 does work if I remove all PBR and have just one NAT statement to the T1 along with changing the static route (0.0.0.0 0.0.0.0) to the T1.
08-19-2006 09:49 AM
The debug you posted is not showing this correctly. It's showing .70 sourcing from Fa0/0 and .197 corresponding to Fa0/1.
000127: *Aug 19 16:44:14.487 UTC: IP: tableid=0, s=192.168.1.128 (FastEthernet0/0), d=x.x.x.197 (FastEthernet0/1), routed via FIB
000128: *Aug 19 16:44:14.491 UTC: IP: s=x.x.x.70 (FastEthernet0/0), d=x.x.x.197 (Vlan1), g=x.x.x.33, len 52, forward
000129: *Aug 19 16:44:14.491 UTC: TCP src=50179, dst=21, seq=209448447, ack=0, win=8192 SYN
000130: *Aug 19 16:44:17.399 UTC: IP: tableid=0, s=192.168.1.128 (local), d=x.x.x.197 (FastEthernet0/1), routed via FIB
000131: *Aug 19 16:44:17.399 UTC: IP: s=192.168.1.128 (local), d=x.x.x.197 (FastEthernet0/1), len 40, sending
000132: *Aug 19 16:44:17.399 UTC: TCP src=50177, dst=21, seq=582833431, ack=0, win=0 RST
000133: *Aug 19 16:44:17.483 UTC: IP: tableid=0, s=192.168.1.128 (FastEthernet0/0), d=x.x.x.197 (FastEthernet0/1), routed via FIB
000134: *Aug 19 16:44:17.483 UTC: IP: s=x.x.x.70 (FastEthernet0/0), d=x.x.x.197 (Vlan1), g=x.x.x.33, len 52, forward
000135: *Aug 19 16:44:17.483 UTC: TCP src=50179, dst=21, seq=209448447, ack=0, win=8192 SYN
000136: *Aug 19 16:44:23.483 UTC: IP: tableid=0, s=192.168.1.128 (FastEthernet0/0), d=x.x.x.197 (FastEthernet0/1), routed via FIB
000137: *Aug 19 16:44:23.483 UTC: IP: s=x.x.x.70 (FastEthernet0/0), d=x.x.x.197 (Vlan1), g=x.x.x.33, len 52, forward
000138: *Aug 19 16:44:23.483 UTC: TCP src=50179, dst=21, seq=209448447, ack=0, win=8192 SYN
000139: *Aug 19 16:44:44.487 UTC: IP: tableid=0, s=192.168.1.128 (local), d=x.x.x.197 (FastEthernet0/1), routed via FIB
000140: *Aug 19 16:44:44.487 UTC: IP: s=192.168.1.128 (local), d=x.x.x.197 (FastEthernet0/1), len 40, sending
000141: *Aug 19 16:44:44.487 UTC: TCP src=50179, dst=21, seq=209448448, ack=0, win=0 RST
As you can see, once you try to use port 21, it gets forwarded by the PBR; the rest gets routed via the FIB.
The packet is leaving the interface, now the question is the return packet.
08-19-2006 10:00 AM
Ah !
What about that ip access-group 151 ?
I don't see you allowing any FTP traffic back in
access-list 151 remark Inbound F0/1
access-list 151 remark SDM_ACL Category=17
access-list 151 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 151 permit ip 192.168.250.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 151 permit udp any host x.x.x.70 eq non500-isakmp
access-list 151 permit udp any host x.x.x.70 eq isakmp
access-list 151 permit esp any host x.x.x.70
access-list 151 permit ahp any host x.x.x.70
access-list 151 deny ip 192.168.1.0 0.0.0.255 any
access-list 151 permit udp any eq domain host 66.93.3.70
access-list 151 permit icmp any host x.x.x.70 echo-reply
access-list 151 permit icmp any host x.x.x.70 time-exceeded
access-list 151 deny ip 10.0.0.0 0.255.255.255 any
access-list 151 deny ip 172.16.0.0 0.15.255.255 any
access-list 151 deny ip 192.168.0.0 0.0.255.255 any
access-list 151 deny ip 127.0.0.0 0.255.255.255 any
access-list 151 deny ip host 255.255.255.255 any
access-list 151 deny ip host 0.0.0.0 any
access-list 151 permit icmp any host x.x.x.70 unreachable
access-list 151 deny ip any any log
08-19-2006 10:08 AM
It isn't showing up in the log as being stopped by ACL 151.
If you email me, I can just send you my exact config (minus passwords) with the debug information so you can see everything without me editing all the IPs and pieces of the config. My email is listed in the posting header.
08-19-2006 10:15 AM
Before going into the email exchange, please remove the ip access-group 151, for troubleshooting purposes and reinstate the PBR I posted.
Let me know if it works. If it does, I can look over the ACL better.
You only have a log on the last deny. I believe it's denying the packet before hitting the last entry. Remember, ACLs are read sequentially, and yours has denies in the middle. Not an easy flow, there.