jeremymjackson
asked on
Policy Based Routing Cisco 2800
Hello all, I have a very simple setup. On the edge of my network I have a 2800 with a DSL and a T1. I want the DSL to be for web traffic only and the T1 for email, VPN and web servers. This was working fine until a few days ago, when I was notified that some email was being returned because of a black-listed IP. I did the research and the email is going out the DSL, not the T1. I have posted my config. Any help would be awesome! Thank you in advance.
bridge irb
!
!
!
!
interface GigabitEthernet0/1
description CONNECTION_TO THE LAN
ip address 10.X.X.X 255.255.255.252
ip access-group 104 in
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip policy route-map INTERNET
duplex auto
speed auto
!
interface Serial0/0/0
description VERIZON_T1_CIRCUIT_ID_87.Y BGA.276889 .NE
bandwidth 1544
no ip address
encapsulation frame-relay
fair-queue
frame-relay lmi-type ansi
!
interface Serial0/0/0.100 point-to-point
description VERIZON_T1_SUBIF
ip address 64.222.100.X 255.255.255.252
ip access-group 102 out
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
snmp trap link-status
frame-relay class shaping
frame-relay interface-dlci 100 IETF
!
interface ATM0/1/0
description VERIZON_ADSL
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
bridge-group 1
pvc 0/35
encapsulation aal5snap
interface BVI1
description VERIZON_ADSL_BVI_INTERFACE
mac-address 001f.ca0a.2020
ip address 64.222.2.0 255.255.255.0
ip access-group 100 out
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache policy
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 BVI1
!
ip flow-export version 5
ip flow-export destination 172.16.3.3 2055
!
ip http server
ip http access-class 4
ip http secure-server
ip nat inside source list 1 interface BVI1 overload
ip nat inside source static 10.1.1.9 64.222.71.20
!
!
map-class frame-relay shaping
logging trap debugging
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 100 remark policy map for internet traffic
access-list 100 remark SDM_ACL Category=16
access-list 100 permit tcp any any eq www
access-list 100 deny ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 172.16.0.0 0.0.255.255 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit ip 208.153.78.0 0.0.0.255 any
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 172.0.0.0 0.255.255.255 any
access-list 102 remark sends all not www traffic out T1 interface
access-list 102 remark SDM_ACL Category=17
access-list 102 deny tcp any any eq www
access-list 102 permit ip any any
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq telnet
access-list 104 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.10 eq telnet
access-list 104 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq 22
access-list 104 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.10 eq 22
access-list 104 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq www
access-list 104 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.10 eq www
access-list 104 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq 443
access-list 104 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.10 eq 443
access-list 104 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq cmd
access-list 104 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.10 eq cmd
access-list 104 permit udp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq snmp
access-list 104 deny tcp any host 10.1.1.10 eq telnet
access-list 104 deny tcp any host 10.1.1.10 eq 22
access-list 104 deny tcp any host 10.1.1.10 eq www
access-list 104 deny tcp any host 10.1.1.10 eq 443
access-list 104 deny tcp any host 10.1.1.10 eq cmd
access-list 104 deny udp any host 10.1.1.10 eq snmp
access-list 104 permit ip any any
snmp-server community MD911 RW
!
!
route-map INTERNET permit 10
match ip address 100
set ip next-hop 64.222.2.1
!
route-map INTERNET permit 20
match ip address 102
set ip next-hop 64.222.100.X
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
line aux 0
line vty 0 4
access-class 101 in
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
!
end
ASKER CERTIFIED SOLUTION
ASKER
ok I removed the acls from the interfaces. I have the route-map applied to the lan interface of the router. I did not think that you need to apply it to the router outside interfaces. But I did put the policy-map on the other 2 outside interfaces and it brought the outside access down. I quickly removed it and services were restored.
SOLUTION
ASKER
JFrederick29, this is what I thought, so I tried this yesterday, and when I try to remove the NAT statement it tells me that dynamic mappings are in use and that it can't be done. I read on Cisco's site how to attempt to clear them, but the solutions did not work.
Bah, you're right, it does go only on the inside interface; my blind self only saw the global config policy and missed that it is already there on the inside. JFrederick is right. Now that I look at your NAT, follow his instructions and you should be good.
You need to do a "clear ip nat translation *" first before you can remove the NAT.
Oh, and remove the ip nat inside to disable NAT before someone uses the Internet.
ASKER
Right, the problem is I have an office of 60 people and the Internet is constantly in use. If I were to take it offline and shut down both interfaces, that should do it, I hope. I am going to try it at lunch.
Do the NAT and also the "set ip default next-hop" change in your INTERNET route-map.
ASKER
OK, I'll try that in 45 min and give an update.
ASKER
Thank you very much! It worked like a charm!
Secondly, the ip policy route-map command needs to be on the interfaces.
Here is an excerpt of Cisco's command reference guide:
ip policy route-map
To identify a route map to use for policy routing on an interface, use the ip policy route-map command in interface configuration mode.
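Putting the thread's advice together (fix the NAT so it follows the egress interface, change the INTERNET route-map to "set ip default next-hop", and keep "ip policy route-map" on the inside LAN interface only), the following is an added example configuration. It is not the accepted solution from this thread, which is not shown on this page, and not a Cisco reference configuration. It assumes the DSL gateway is 64.222.2.1 as in the posted route-map; the T1 provider gateway is written as the placeholder T1_PROVIDER_GW, and the NAT route-map names NAT_DSL and NAT_T1 are made up. One thing to verify in the posted config: route-map sequence 20 sets the next hop to 64.222.100.X, which is written with the same redacted value as the router's own Serial0/0/0.100 address; the next hop has to be the provider's address on the far end of that /30, not the local one. With plain "set ip next-hop", a "permit ip any any" match in sequence 20 would also send non-web traffic for internal networks to the T1, which is why "set ip default next-hop" (used only when the routing table has no route other than the default) is the safer form here.

```cisco
! Added example, not the thread's accepted answer. T1_PROVIDER_GW is a placeholder
! for the provider's address on the Serial0/0/0.100 /30; NAT_DSL and NAT_T1 are
! made-up route-map names. Everything else reuses names from the posted config.
!
! 1. Policy routing belongs on the inside (LAN) interface only.
interface GigabitEthernet0/1
 ip policy route-map INTERNET
!
! 2. Web traffic (ACL 100) goes to the DSL gateway; everything else (ACL 102)
!    goes to the T1. "default next-hop" leaves traffic with a specific route in
!    the routing table (internal subnets) on its normal path.
route-map INTERNET permit 10
 match ip address 100
 set ip default next-hop 64.222.2.1
!
route-map INTERNET permit 20
 match ip address 102
 set ip default next-hop T1_PROVIDER_GW
!
! 3. NAT keyed on the egress interface, so a flow leaving the T1 is translated
!    to the T1 address, not to BVI1 as with the single "list 1 interface BVI1"
!    statement in the posted config. ACL 1 is the existing inside-source list.
route-map NAT_DSL permit 10
 match ip address 1
 match interface BVI1
!
route-map NAT_T1 permit 10
 match ip address 1
 match interface Serial0/0/0.100
!
ip nat inside source route-map NAT_DSL interface BVI1 overload
ip nat inside source route-map NAT_T1 interface Serial0/0/0.100 overload
```

As noted earlier in the thread, IOS will not remove the old "ip nat inside source list 1 interface BVI1 overload" line while dynamic mappings exist, so run "clear ip nat translation *" first and expect a short interruption for active sessions. To confirm the change, "show route-map INTERNET" shows per-sequence policy match counters, and "show ip nat translations" shows which outside address each flow was translated to; mail flows should now show the Serial0/0/0.100 address. Unrelated to the routing problem, the dump also exposes an SNMP read-write community string and allows telnet on the vty lines; rotating that community string and restricting management to SSH would be the first hardening step after the routing is fixed.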