1331 Views, 0 Helpful, 14 Replies

Setup 2 ISPs 1st Static IP and 2nd DHCP

qasimkhans (Level 1)

Hi all. I have 2 ISPs: the 1st ISP provides a static IP and the 2nd ISP provides a dynamic IP. I want to set up the router so that all HTTP, HTTPS, SMTP, POP traffic goes through the 2nd ISP and the remaining traffic goes through the 1st ISP. If the 2nd ISP goes down, then HTTP, HTTPS, SMTP, POP should go through the 1st ISP.

 

Thanks,

2 Accepted Solutions


14 Replies

Hi,

This can be achieved using the following combination, with IP SLA commands.

Differing Next Hops

The following example illustrates how to route traffic for different destination ports to different places (next hops). Packets arriving for destination ports HTTP, HTTPS, POP, SMTP are sent to the next hop at 3.3.3.3; packets arriving for other destination ports are sent to the next hop at 3.3.3.5.


!
interface fastethernet 3/1
 ip policy route-map Texas
!
route-map Texas permit 10
 match ip address test
 set ip next-hop 3.3.3.3
 ! if you use IP SLA:
 set ip next-hop verify-availability 3.3.3.3 10 track 123
 set ip next-hop verify-availability 3.3.3.5 20 track 124

(See the URL below for the IP SLA configuration.)

http://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/48003-pbrtracking.html

!
route-map Texas permit 20
 match ip address test2
 set ip next-hop 3.3.3.5
 ! if you use IP SLA:
 set ip next-hop verify-availability 3.3.3.5 10 track 124
 set ip next-hop verify-availability 3.3.3.3 20 track 123
!
ip access-list extended test
 permit tcp any any eq www
 permit tcp any any eq https
 permit tcp any any eq 25
 permit tcp any any eq 995
 deny tcp any any
!
ip access-list extended test2
 deny tcp any any eq www
 deny tcp any any eq https
 deny tcp any any eq 25
 deny tcp any any eq 995
 permit tcp any any


HTH

Sandy.

Hi,

Please see the following config. If I allow 80 on the 1st ISP (Fa 0/0/0) then browsing works, but it does not work on the 2nd ISP (Fa 0/0/1).

 

track 10 ip sla 1 reachability
 delay down 1 up 1
!
track 20 ip sla 2 reachability
 delay down 1 up 1
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.3
 description Voice-Vlan
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.4
 description Servers-&-Switches-Vlan
 encapsulation dot1Q 4
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.5
 description NCS-Vlan
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PBR
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface FastEthernet0/0/0
 description "Nexlinx Fiber Link 2Mbps"
 ip address 116.58.63.34 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source route-map Nexlinx-nat interface FastEthernet0/0/0 overload
ip nat inside source route-map PTCL-nat interface FastEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 116.58.63.33 track 10
!
ip access-list extended acl_Nexlinx
 deny   tcp any any eq www
 deny   tcp any any eq 443
 deny   tcp any any eq smtp
 deny   tcp any any eq 995
 permit tcp any any
ip access-list extended acl_PTCL
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq smtp
 permit tcp any any eq 995
 deny   tcp any any
!
ip sla 1
 icmp-echo 116.58.63.33 source-interface FastEthernet0/0/0
 threshold 500
 timeout 500
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.168.1.1 source-interface FastEthernet0/0/1
 threshold 500
 timeout 500
 frequency 3
!
!
!
!
route-map Nexlinx-nat permit 10
 match ip address acl_Nexlinx
 match interface FastEthernet0/0/0
route-map PBR permit 10
 match ip address acl_PTCL
 set ip next-hop verify-availability 192.168.1.1 10 track 10
 set ip next-hop verify-availability 116.58.63.33 20 track 20
!
route-map PBR permit 20
 match ip address acl_Nexlinx
 set ip next-hop verify-availability 116.58.63.33 10 track 20
 set ip next-hop verify-availability 192.168.1.1 20 track 10
 set ip next-hop 116.58.63.33
!
route-map PTCL-nat permit 20
 match ip address acl_PTCL
 match interface FastEthernet0/0/1

Hi,

Write a separate ACL for NAT allowing everything:

access-list 7 permit 192.168.3.0 0.0.0.255
access-list 7 permit 192.168.4.0 0.0.0.255
access-list 7 permit 192.168.5.0 0.0.0.255

ip nat inside source list 7 interface FastEthernet0/0/0 overload
ip nat inside source list 7 interface FastEthernet0/0/1 overload

Similarly, perform testing by bringing down your primary link.

Kindly let me know once you are done.

 

HTH

sandy

Hi Sandy,

WOW, it's working now. But I could not understand how the separate ACL affected this problem. Can you please give me a teeny-weeny bit of info on this? :)

Hi,

Look into the post below for more understanding.

https://supportforums.cisco.com/discussion/11555036/difference-between-acl-distribution-list-and-route-map

In short, about route-maps and ACLs:

  • A route-map can perform matching operations based on very diverse attributes. An ACL performs matching based only on IP addresses, L4 protocols and ports and some additional variables typical for packet headers and contents. In fact, when a route-map needs to perform these kinds of matches, it simply calls an ACL to do this job. However, it can also perform matching on different criteria (AS paths, metrics, route types, outgoing interfaces, ...) that are not matchable by an ACL.
  • A route-map can perform a set operation on the packets or prefixes it matched, modifying their route (packets) or their attributes (prefixes). An ACL can only permit or deny them but it can't modify anything about them.

 

HTH

Sandy

Please make sure to rate all helpful posts.
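To make the two accepted answers concrete (Sandy's PBR route-map with tracked next hops, and the "allow everything" NAT ACL), the following Python simulation is an added example written for this page; it is not from the thread and not Cisco IOS code. It models the poster's running config as posted: `track 10` follows `ip sla 1` (ICMP echo to 116.58.63.33 out Fa0/0/0) and `track 20` follows `ip sla 2` (ICMP echo to 192.168.1.1 out Fa0/0/1), `route-map PBR` is taken verbatim, and the two NAT variants are the original `acl_Nexlinx`/`acl_PTCL` route-maps versus Sandy's `access-list 7`. Standard ACL 7 matches the three inside source subnets, so for the constructed flows (all from inside hosts) it is modelled as "permit any protocol". The flows, gateway states and the `Flow`, `acl_permits`, `pbr_next_hop` and `forward` names are all constructed for the example. It shows why a UDP flow such as DNS is translated on neither outside interface under the original NAT ACLs (both only list TCP entries, so the implicit deny catches UDP) but is translated under ACL 7. It also exposes something visible in the posted config: `route-map PBR` attaches `track 10` to 192.168.1.1 and `track 20` to 116.58.63.33, the opposite of what the two SLA probes actually monitor, so when the PTCL gateway is down the HTTP sequence still selects it; `ROUTE_MAP_PBR_CORRECTED` is a hypothetical version with the track numbers swapped.

```python
"""Constructed simulation of PBR next-hop selection with tracked next hops
and of NAT route-map matching, modelled on the config posted in this thread.
Added example; not the poster's or Cisco's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp", "udp" or "icmp"
    dst_port: int = 0   # 0 = no L4 port (e.g. icmp)


def acl_permits(acl, flow):
    """Evaluate an ACL: entries are (action, protocol, dst port or None = any).
    "ip" matches every protocol. First matching entry decides; no match is
    the implicit deny at the end of every IOS ACL."""
    for action, proto, port in acl:
        if proto != "ip" and proto != flow.proto:
            continue
        if port is not None and port != flow.dst_port:
            continue
        return action == "permit"
    return False


# Extended ACLs from the posted config (www = 80, smtp = 25).
ACL_PTCL = [("permit", "tcp", 80), ("permit", "tcp", 443),
            ("permit", "tcp", 25), ("permit", "tcp", 995), ("deny", "tcp", None)]
ACL_NEXLINX = [("deny", "tcp", 80), ("deny", "tcp", 443),
               ("deny", "tcp", 25), ("deny", "tcp", 995), ("permit", "tcp", None)]
# Sandy's fix: standard ACL 7 permits the three inside subnets, i.e. every
# inside source regardless of protocol. Modelled here as "permit ip any".
ACL_7 = [("permit", "ip", None)]

NEXLINX_GW, PTCL_GW = "116.58.63.33", "192.168.1.1"
EGRESS = {NEXLINX_GW: "Fa0/0/0", PTCL_GW: "Fa0/0/1"}
# Which gateway each track object really monitors (from the ip sla targets).
TRACK_TARGET = {10: NEXLINX_GW, 20: PTCL_GW}

# route-map PBR as posted: sequences of (match ACL, [(next hop, track), ...]).
ROUTE_MAP_PBR = [
    (ACL_PTCL,    [(PTCL_GW, 10), (NEXLINX_GW, 20)]),
    (ACL_NEXLINX, [(NEXLINX_GW, 20), (PTCL_GW, 10)]),
]
# Hypothetical correction: track 20 on the PTCL hop, track 10 on the Nexlinx hop.
ROUTE_MAP_PBR_CORRECTED = [
    (ACL_PTCL,    [(PTCL_GW, 20), (NEXLINX_GW, 10)]),
    (ACL_NEXLINX, [(NEXLINX_GW, 10), (PTCL_GW, 20)]),
]


def pbr_next_hop(flow, gateway_up, route_map=ROUTE_MAP_PBR):
    """First permit sequence whose ACL matches wins; within it, the lowest
    sequence next hop whose track object is up is used. No matching sequence,
    or no reachable next hop, falls through to the default route (Nexlinx)."""
    for acl, hops in route_map:
        if not acl_permits(acl, flow):
            continue
        for hop, track in hops:
            if gateway_up[TRACK_TARGET[track]]:
                return hop
        break
    return NEXLINX_GW  # ip route 0.0.0.0 0.0.0.0 116.58.63.33


# NAT statements as (ACL, outside interface). A packet is translated only if
# some statement's ACL permits it AND the packet leaves through that interface.
NAT_ORIGINAL = [(ACL_NEXLINX, "Fa0/0/0"), (ACL_PTCL, "Fa0/0/1")]
NAT_FIXED = [(ACL_7, "Fa0/0/0"), (ACL_7, "Fa0/0/1")]


def translated(flow, egress, nat_rules):
    return any(acl_permits(acl, flow) and iface == egress for acl, iface in nat_rules)


def forward(flow, gateway_up, nat_rules, route_map=ROUTE_MAP_PBR):
    """Return (next hop, egress interface, whether the flow is NAT-translated)."""
    hop = pbr_next_hop(flow, gateway_up, route_map)
    egress = EGRESS[hop]
    return hop, egress, translated(flow, egress, nat_rules)


if __name__ == "__main__":
    both_up = {NEXLINX_GW: True, PTCL_GW: True}
    ptcl_down = {NEXLINX_GW: True, PTCL_GW: False}
    # Constructed sample flows from an inside host.
    flows = {"http": Flow("tcp", 80), "ssh": Flow("tcp", 22), "dns": Flow("udp", 53)}
    for name, flow in flows.items():
        print(f"{name:5} original NAT: {forward(flow, both_up, NAT_ORIGINAL)}"
              f"  ACL 7 NAT: {forward(flow, both_up, NAT_FIXED)}")
    print("http, PTCL gateway down, posted route-map:",
          pbr_next_hop(Flow("tcp", 80), ptcl_down))
    print("http, PTCL gateway down, corrected tracks:",
          pbr_next_hop(Flow("tcp", 80), ptcl_down, ROUTE_MAP_PBR_CORRECTED))
```

Running it shows HTTP and SSH translated under both NAT variants, DNS over UDP translated only under ACL 7, and the HTTP sequence still choosing 192.168.1.1 while that gateway is down unless the track numbers are swapped.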

Thanks Sandy for your kind support.

I cannot access (telnet) the router through the public IP. Is the ACL blocking it? I don't see it.

Hi,

Share your line vty output.

 

HTH

Sandy

line vty 0 4
 no login
 transport input telnet
 transport output none

Hi,

I don't see a password in your line vty configuration. Have you enabled aaa new-model, along with a username and password? If not, configure a password on your line vty.

Meanwhile, check whether you have configured any ACL on the interface which you are trying to access.

 

HTH

Sandy

No, I did not enable aaa new-model on it. I don't have any extra ACL except those shown above in my config.

Hi,

To which IP address are you trying to telnet? LAN IP / WAN IP?

It looks like NAT is not allowing you to log in to the router.

Try to telnet to the LAN IP address and let me know if it works.

 

HTH

Sandy

 

I can telnet through the LAN, but I cannot telnet to the WAN IP.

Thanks, it is working now. Can you please tell me how I can block all torrent software and some websites like Facebook, YouTube, etc. on the Cisco router?
