Solved

Cisco router - different gateways for different links

Posted on 2006-11-13
Last Modified: 2010-04-17
We have multiple Point-to-Point T-1's coming back to our HQ and connect to our Core Router.  The default gateway on the Core Router is our Internet T-1.

We have one remote site (Remote Site A) that has specific bandwidth requirements.  We purchased a DSL line and connected it (via a Cisco 800) to our Core Router.

Now, I need to configure the Core Router to route Internet traffic from Remote Site A out the DSL link, while continuing to route all other Internet traffic out the T-1.

I appreciate your assistance.
Question by:blotto99

Expert Comment

by:Don Johnston
ID: 17931678
You can use route maps...

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfpbr.htm

For example,

On the core router:
int s0/0 (interface from Remote site A)
 ip policy route-map REMOTE

access-list 1 permit any

route-map REMOTE permit 10
 match ip address 1
 set interface s1/0 (DSL interface)

Author Comment

by:blotto99
ID: 17939839
I'm getting close, but not there yet.  I need traffic from RemoteA to get to the internal network (F0/1) and go out through the DSL link (F0/0).  All other Internet traffic should be routed out S1/0:0.

Traffic from RemoteA is correctly being NAT'd to 99.109.244.122...BUT, the traffic is still going out through S1/0:0.  How do I force it out the DSL link?

The trace ip from a client at RemoteA looks like this:
192.168.39.x (RemoteA internal network)
172.16.39.1 (RemoteA router inside)
172.16.39.129 (S3/0:0 on Core router)
99.109.224.173 (remote end of Internet T-1)


Below is the relevant config:

interface FastEthernet0/0
 description Internet to Cisco 800 DSL
 ip address 99.109.244.122 255.255.255.252
 ip nat outside
 ip policy route-map DSL
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Interface to internal network
 ip address 99.109.248.105 255.255.255.248
 ip nat inside
 duplex full
 speed 100
!
interface Serial1/0:0
 description Link to Internet T-1
 ip address 99.109.224.174 255.255.255.252
 ip nat outside
 ip audit AUDIT.1 in
!
interface Serial3/0:0
 description T-1 to RemoteA
 ip address 172.16.39.129 255.255.255.128
 ip nat inside
 ip policy route-map REMOTE
!
ip nat inside source list 1 interface Serial1/0:0 overload
ip nat inside source list 2 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0:0
ip route 172.16.39.0 255.255.255.128 Serial3/0:0
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.17.0.0 0.0.255.255
access-list 2 permit 172.16.39.0 0.0.0.127
access-list 112 permit ip 172.16.39.0 0.0.0.128 99.109.248.104 0.0.0.6
access-list 113 permit ip 172.16.39.0 0.0.0.128 any
!
route-map REMOTE permit 10
 match ip address 112
 set ip next-hop 99.109.248.106
!
route-map REMOTE permit 20
 match ip address 113
 set ip default next-hop 99.109.244.121

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 17940240
Ahh... Okay. Here's one way to do it.

int s3/0:0
 ip policy route-map REMOTE

route-map REMOTE permit 10
 match ip address 120
 set interface f0/1

route-map REMOTE permit 20
 match ip address 121
 set interface f0/0

access-list 120 permit ip any 99.109.248.96 0.0.0.15
access-list 121 permit ip any any

Traffic from any address coming in the s3/0:0 interface that is going to the internal network will be forwarded out F0/1

Traffic from any address coming in the s3/0:0 interface going anywhere (else) will be forwarded out f0/0

What does the route-map DSL do?

Author Comment

by:blotto99
ID: 17949540
I think we're getting closer.  I made the suggested changes, but Internet traffic dies at S3/0:0.

I set up three ping tests on a machine in RemoteA.  I ping an Internet site, F0/0 on the Core Router and the inside interface on the Cisco 800.  All three run successfully.  I then apply the policy to S3/0:0 on the Core Router.  The Internet ping times out, but the other two keep running.

I know NAT is working because I verified through a website that the client in RemoteA shows the IP on F0/0.

Access-list 121 is working because when I "sh access-list 121" I see the traffic being counted.

I connected to the console on the Cisco 800 and made sure it had Internet connectivity.

Any ideas on how to narrow it down further?




Author Comment

by:blotto99
ID: 17949552
BTW, the "DSL" route-map is gone.  I was just trying different things in attempts to get it working.

Expert Comment

by:Don Johnston
ID: 17949653
You know, I didn't even think about the NAT side of this...

You don't need route maps. Your NAT config should do what you want without them.

Just get rid of all the route maps and let NAT do what it's supposed to.

Author Comment

by:blotto99
ID: 17956784
It is now working.  I actually need the route-maps because while the traffic was getting NAT'd with the F0/0 address, it was still routing out the T-1.

I was originally trying to use a /25 subnet mask to identify traffic in access-list 121.  I found that was not working, so when I made the change you suggested to "any any", it was being properly identified.

The next trick was under "route-map REMOTE permit 20".  As a test, I changed "set ip interface f0/0" back to "set ip next-hop 99.109.244.121" and it started working.

It is kind of odd that the "set interface" works fine under the first part of the route-map, but not the second.

Here is the final working config:

int s3/0:0
 ip policy route-map REMOTE

route-map REMOTE permit 10
 match ip address 120
 set interface f0/1

route-map REMOTE permit 20
 match ip address 121
 set ip next-hop 99.109.244.121

access-list 120 permit ip any 99.109.248.96 0.0.0.15
access-list 121 permit ip any any

THANK YOU!
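
Added example, not part of the thread or any poster's code: a small Python model of IOS wildcard-mask matching and first-match route-map evaluation, run over the ACLs and route-map clauses quoted in the thread. It shows that wildcard 0.0.0.128 covers two addresses rather than a /25, and which clause a packet arriving on S3/0:0 selects under the original and the final config. The sample host addresses and the 203.0.113.10 destination are constructed, and the model covers clause selection only, not NAT, interface state, or the routing-table check that "set ip default next-hop" involves.

```python
import ipaddress

def _n(ip):
    return int(ipaddress.IPv4Address(ip))

def wc_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    w = _n(wildcard)
    return (_n(addr) | w) == (_n(base) | w)

def wc_size(wildcard):
    """Number of addresses a base/wildcard pair covers."""
    return 2 ** bin(_n(wildcard)).count("1")

ANY = ("0.0.0.0", "255.255.255.255")

def acl_permits(entries, src, dst):
    # entries: (src_base, src_wc, dst_base, dst_wc); implicit deny if none match
    return any(wc_match(src, sb, sw) and wc_match(dst, db, dw)
               for sb, sw, db, dw in entries)

def policy_route(route_map, acls, src, dst):
    """First matching clause wins; None means fall back to the routing table."""
    for _seq, acl_id, action in sorted(route_map):
        if acl_permits(acls[acl_id], src, dst):
            return action
    return None

# ACLs and route-map clauses copied from the thread.
ACLS = {
    112: [("172.16.39.0", "0.0.0.128", "99.109.248.104", "0.0.0.6")],
    113: [("172.16.39.0", "0.0.0.128", *ANY)],
    120: [(*ANY, "99.109.248.96", "0.0.0.15")],
    121: [(*ANY, *ANY)],
}
ORIGINAL = [(10, 112, "set ip next-hop 99.109.248.106"),
            (20, 113, "set ip default next-hop 99.109.244.121")]
FINAL = [(10, 120, "set interface f0/1"),
         (20, 121, "set ip next-hop 99.109.244.121")]

# Constructed sample packets; host octets and the Internet destination are assumptions.
CLIENT, WAN_HOST, INTERNET = "192.168.39.10", "172.16.39.50", "203.0.113.10"

if __name__ == "__main__":
    for name, rm in (("original", ORIGINAL), ("final", FINAL)):
        for src in (CLIENT, WAN_HOST):
            print(name, src, "->", INTERNET, ":", policy_route(rm, ACLS, src, INTERNET))
```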