1stopit

asked on

"Load Balance" / Dual ADSL Configuration on Cisco 1841 using same ISP.

Folks,

I have noticed several EE posts on this topic (and others outside EE) but I cannot seem to find a definitive answer on the topic of running a "load balanced / split load" setup using two separate ADSL feeds from the same ISP (or different ISPs for that matter).

I have followed the suggestions of enabling "ip cef" on the box, creating and testing both ADSL links (both work fine as a standalone ADSL setup) and then trying to set up two default routes to the separate line interfaces as many have discussed - but this is where I get stuck.

Once I enable this dual 0.0.0.0 entry using the same weighting, nothing flows.  I suspect this is down to the NAT'ing which I cannot seem to get to work with both the lines - only one at a time and with one default route.  I've read elsewhere about possibly using route-maps which I'm not 100% conversant with to be honest, or using OER (I think that's correct?) to correct this setup - some suggesting to use the Cisco for the dual part and NAT'ing on another backend box.

Can anyone supply a copy of a working config in this scenario or point me in the direction of other info to look at, as I would prefer to try and keep it all on the same box if at all possible - greedy I know!  :o)

Thanks

ASKER CERTIFIED SOLUTION
harbor235
This solution is only available to members.
1stopit

ASKER

Ok... think I get the idea.

I assume if my internal LAN address of my cisco is say 192.168.100.254, then this would be inserted instead of the 10.1.3.3 address in your example?

Also - if I wanted to do inbound ports to servers behind the Cisco such as webmail or other web based servers, then I would just add the appropriate "ip nat" commands - or would this not work with this setup... or will I get weird results using this?

Yes, substitute your LAN IP range for the 10.1.3.3.

As far as inbound ports to servers, yes, use the IP NAT command, however be careful here.
I would use a separate IP for outside global address instead of the interface IP used for the overload.

harbor235 ;}
You would also need to change the ip nat inside command from the loopback to the correct interface.

harbor235 ;}

ASKER

Thanks, but can you elaborate a little more on the last comment re: the loopback to correct interface?

For example, if I had a server on 192.168.100.1 doing SMTP email and I wanted to route inbound mails from an external interface to this, what would I need to include in terms of ip nat command?
I have a how to from the ground up that you can read here
www.inacom-sby.net/shawn
The loopback is not needed just an Inside NAT interface. I walk through how to do dual NAT and the "load balancing" with OER. It is pretty easy to follow and I can help you adjust your current config if you post it here. Please remove any reference to your public IP addresses though.
The NAT can easily run on the same router so don't run out and buy any new hardware yet
In my config, which I know works, and has been tested in my lab, I specify the internal network as the router's loopback interface. In your scenario you will have another interface on the router which is the source of the traffic you want to NAT. The interface must have the "ip nat inside" command like I have on the router's loopback interface.

harbor235 ;}
@harbor; I was not saying that it would not work, just that he did not have to use a loopback.
wingatesl, gotcha, and I agree with you.

thanx

harbor235 ;}

ASKER

OK... just so I get things straight in my head (I don't want to be a simple copy-paster!) I'd like to ask a few questions re: the config you have suggested wingatesl....

Part 2:

Why do we need to assign dual IP's to our servers in this config - is this to help the Cisco do routing between the WAN side and the servers depending on the WAN link used, or to prevent packets being processed in the wrong order if they are split up across the two WAN's during transmission etc?

There is an IP address of 192.168.32.0 listed in the section for "ip forward-protocol nd" section - where does this tie-in/link to/relate to, as none of the other interfaces have a similar subnet configured.  Is this some sort of loopback or other "middleman" in the config for routing purposes - or just a typo?

In the route-map director section - why is one set to permit 9 and the other permit 10?  Again should these not be both set to the same or a typo/other?





Also in the


Overall:

If this box was to be used for VPN termination - what issues or other concerns would there be to take care of/ be aware of?


The  dual IPs on the servers are to keep the NAT on the router sane.
The port forward to a specific IP address means the server will respond with that address. When it makes it to the router, the director route map sets the next-hop to the correct ISP gateway based upon this ip address. (exactly what you were thinking)
The permit 9 and permit 10 are just to hold two different match statements. The order is not important.
 The 192.168.32.0 network was my internal LAN and the route was put there to allow me to telnet to the router only.
The box can terminate VPNs but this can get really messy if they are not static peers

ASKER

Excellent!  I'll give this a whirl tomorrow in the office and see how I get on.
Two questions though before I go...  is there a typo in this part of the config?

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.254 track 1
ip route 0.0.0.0 0.0.0.0 2.2.2.254 10  <---- does this line need a track inserted as line above?
ip route 192.168.32.0 255.255.255.0 192.168.99.254


Also, do I just add the part 3 code to the end of the existing part 2 code, or is there any special order I need to follow?

There is no typo in that line; I am only tracking the primary ISP. The ip forward-protocol nd is not needed, nor is the ip route 192.168.32.0 255.255.255.0 192.168.99.254.
Do them in order and test the failover by unplugging one ISP before you move to step 3 and all should be good.

ASKER

Guys,

I've looked into the changes suggested, but I think I may need some further assistance in implementing (either) of your solutions.  One of the problems I have is that the WAN cards are ADSL units which are picking up an IP address from our ISP (I do have the static IP address, but our ISP says the subnet should be 255.255.255.255 which the Cisco doesn't like in SDM).  The IP's picked up are the actual static IP's assigned to our accounts but set by the ISP on connection using a dynamic setting - if this makes sense, so some of the routing and next hop statements may be different I suspect from the examples you have both shown.

The other issue is the actual requirement - I think I need to clarify exactly what I'm trying to achieve... ideally I would like the WAN's setup to split the outbound load across both WAN links but only to accept inbound SMTP and SSL ports on the first WAN port, so I assume I would only need to have a single IP address on our internal servers, as we are not trying to do a load split inbound as both WAN's are provided by the same ISP/Exchange so if one line went down, the other would too.  I purely need the outbound load "balanced".


Do you follow?


The current config of our box is as follows (as generated using SDM)...


!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gatekeeper
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 ---- secret bit withheld -----
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name onestopit.com
ip name-server 10.10.10.230
!
!
crypto pki trustpoint TP-self-signed-3659007435
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3659007435
 revocation-check none
 rsakeypair TP-self-signed-3659007435
!
!
crypto pki certificate chain TP-self-signed-3659007435
 certificate self-signed 01
------ certificate details withheld ------
  quit
username admin privilege 15 secret 5 ----- withheld------
!
!
!
!
!
!
interface FastEthernet0/0
 description LAN$FW_INSIDE$$ES_LAN$$ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 10.10.10.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 description WAN1
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
 description WAN2
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ---- withheld ----
 ppp chap password 7 --- withheld ----
 ppp pap sent-username ----- withheld -----
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ---- withheld ----
 ppp chap password 7 --- withheld ----
 ppp pap sent-username ----- withheld -----
!
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 2 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
!
!
!
!
!
control-plane
!
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end

ASKER

I should also add that the current config has both WAN links up and running, but only set to use a single one at present.

ASKER

...and no NAT is shown as being configured at present.  Although I have tested this config with both Dialer interfaces in turn with no problems with a single NAT statement for one or the other in turn.


ASKER

OK folks, got my 1841 doing load balance/split load outbound and working well.  Now need to sort out inbound NAT routing for servers behind the firewall for SMTP and SSL webmail etc.

In my current setup, I can only get one WAN connection at a time to NAT correctly from external IP to internal server IP - while the other external IP connection attempt times out.  If I drop/re-establish the non-working WAN NAT connection, then it jumps over to that one and stops working on the other side.  Do you follow?  (ie: using an outside server, I can telnet back in on port 25 say and get a server response on WAN1 external IP, but doing same on WAN2 external IP is a no go.)

I've followed advice to use two separate internal IPs on my server box to route the different sides to so it keeps everything clean... and managed to get this working fine on a test setup, but in a live setup it fails to connect on both sides even though the existing working NAT statements have simply been altered to reflect live IPs and ports.

Attached is a copy of the current config... is something amiss or is there a better way to do what I'm trying to do?




Building configuration...

Current configuration : 12153 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 <secret>
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name onestopit.com
ip name-server 10.10.10.230
ip ssh time-out 60
ip ssh authentication-retries 2
ip ips sdf location flash://128MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
!
!
crypto pki trustpoint TP-self-signed-3659007435
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3659007435
 revocation-check none
 rsakeypair TP-self-signed-3659007435
!
!
crypto pki certificate chain TP-self-signed-3659007435
 certificate self-signed 01
  quit
username admin privilege 15 secret 5 <secret>
!
!
track 101 rtr 1 reachability
!
track 102 rtr 2 reachability
!
class-map match-any SDM-Transactional-2
 match protocol citrix
 match protocol finger
 match protocol notes
 match protocol novadigm
 match protocol pcanywhere
 match protocol secure-telnet
 match protocol sqlnet
 match protocol sqlserver
 match protocol ssh
 match protocol telnet
 match protocol xwindows
class-map match-any SDM-Transactional-1
 match protocol citrix
 match protocol finger
 match protocol notes
 match protocol novadigm
 match protocol pcanywhere
 match protocol secure-telnet
 match protocol sqlnet
 match protocol sqlserver
 match protocol ssh
 match protocol telnet
 match protocol xwindows
class-map match-any SDM-Routing-2
 match protocol bgp
 match protocol egp
 match protocol eigrp
 match protocol ospf
 match protocol rip
 match protocol rsvp
class-map match-any SDM-Scavenger-2
 match protocol napster
 match protocol fasttrack
 match protocol gnutella
class-map match-any SDM-Signaling-1
 match protocol h323
 match protocol rtcp
 match protocol sip
class-map match-any SDM-Signaling-2
 match protocol h323
 match protocol rtcp
 match protocol sip
class-map match-any SDM-Scavenger-1
 match protocol napster
 match protocol fasttrack
 match protocol gnutella
class-map match-any SDM-Routing-1
 match protocol bgp
 match protocol egp
 match protocol eigrp
 match protocol ospf
 match protocol rip
 match protocol rsvp
class-map match-any SDM-Voice-1
 match protocol rtp audio
class-map match-any SDM-Voice-2
 match protocol rtp audio
class-map match-any SDM-Streaming-Video-2
 match protocol cuseeme
 match protocol netshow
 match protocol rtsp
 match protocol streamwork
 match protocol vdolive
class-map match-any SDM-Streaming-Video-1
 match protocol cuseeme
 match protocol netshow
 match protocol rtsp
 match protocol streamwork
 match protocol vdolive
class-map match-any SDM-Management-1
 match protocol dhcp
 match protocol dns
 match protocol imap
 match protocol kerberos
 match protocol ldap
 match protocol secure-imap
 match protocol secure-ldap
 match protocol snmp
 match protocol socks
 match protocol syslog
class-map match-any SDM-Management-2
 match protocol dhcp
 match protocol dns
 match protocol imap
 match protocol kerberos
 match protocol ldap
 match protocol secure-imap
 match protocol secure-ldap
 match protocol snmp
 match protocol socks
 match protocol syslog
class-map match-any SDM-Interactive-Video-2
 match protocol rtp video
class-map match-any SDM-Interactive-Video-1
 match protocol rtp video
class-map match-any SDM-BulkData-2
 match protocol exchange
 match protocol ftp
 match protocol irc
 match protocol nntp
 match protocol pop3
 match protocol printer
 match protocol secure-ftp
 match protocol secure-irc
 match protocol secure-nntp
 match protocol secure-pop3
 match protocol smtp
 match protocol tftp
class-map match-any SDM-BulkData-1
 match protocol exchange
 match protocol ftp
 match protocol irc
 match protocol nntp
 match protocol pop3
 match protocol printer
 match protocol secure-ftp
 match protocol secure-irc
 match protocol secure-nntp
 match protocol secure-pop3
 match protocol smtp
 match protocol tftp
!
!
policy-map SDM-QoS-Policy-2
 class SDM-Voice-2
  set dscp ef
  priority percent 33
 class SDM-Signaling-2
  set dscp cs3
  bandwidth percent 5
 class SDM-Routing-2
  set dscp cs6
  bandwidth percent 5
 class SDM-Management-2
  set dscp cs2
  bandwidth percent 5
 class SDM-Transactional-2
  set dscp af21
  bandwidth percent 5
 class class-default
  fair-queue
  random-detect
policy-map SDM-QoS-Policy-1
 class SDM-Voice-1
  set dscp ef
  priority percent 33
 class SDM-Signaling-1
  set dscp cs3
  bandwidth percent 5
 class SDM-Routing-1
  set dscp cs6
  bandwidth percent 5
 class SDM-Management-1
  set dscp cs2
  bandwidth percent 5
 class SDM-Transactional-1
  set dscp af21
  bandwidth percent 5
 class class-default
  fair-queue
  random-detect
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description INTERNAL_LAN$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ETH-LAN$$FW_INSIDE$
 ip address 10.10.10.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 description PLUSNET1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
 description PLUSNET2
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 81.1.1.217 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname username1@dsl.net
 ppp chap password 7 111A0C17111B050B557A7B
 ppp pap sent-username username1@dsl.net password 7 <password>
 service-policy output SDM-QoS-Policy-1
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address 81.2.2.81 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 2
 dialer-group 2
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname username2@dsl.net
 ppp chap password 7 111A0C17111B050B557A7B
 ppp pap sent-username username2@dsl.net password 7 <password>
 service-policy output SDM-QoS-Policy-2
!
ip route 0.0.0.0 0.0.0.0 Dialer0 track 101
ip route 0.0.0.0 0.0.0.0 Dialer1 track 102
!
!
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http secure-port 8079
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map PLUSNET1 interface Dialer0 overload
ip nat inside source route-map PLUSNET2 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.230 25 81.1.1.81 25 extendable
ip nat inside source static tcp 10.10.10.230 443 81.1.1.81 443 extendable
ip nat inside source static tcp 10.10.10.230 444 81.1.1.81 444 extendable
ip nat inside source static tcp 10.10.10.230 4125 81.1.1.81 4125 extendable
ip nat inside source static tcp 10.10.10.231 25 81.2.2.217 25 extendable
ip nat inside source static tcp 10.10.10.231 443 81.2.2.217 443 extendable
ip nat inside source static tcp 10.10.10.231 444 81.2.2.217 444 extendable
ip nat inside source static tcp 10.10.10.231 4125 81.2.2.217 4125 extendable
!
ip sla 1
 icmp-echo 81.1.1.217
 threshold 3
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 81.2.2.81
 threshold 3
 frequency 5
ip sla schedule 2 life forever start-time now
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 10.10.10.0 0.0.0.255
access-list 3 deny   any
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 20 permit 10.10.10.0 0.0.0.255
access-list 101 remark VTY Access-class list
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 deny   ip any any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
!
!
route-map PLUSNET1 permit 10
 match ip address 10
 match interface Dialer0
!
route-map PLUSNET2 permit 10
 match ip address 20
 match interface Dialer1
!
!
!
!
control-plane
!
!
banner login ^CCCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 101 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 access-class 101 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
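
Added example (not part of the thread and not any poster's code): a small Python audit for a dual-WAN running-config like the one posted above. It cross-checks static NAT global addresses against the subnets of the `ip nat outside` interfaces and IP SLA probe targets against the router's own addresses, and flags type 7 passwords, the cleartext HTTP server and Telnet on the vty lines. The rule names and the `audit` and `sections` functions are illustrative, and the sample is a condensed excerpt of the posted config with the secret replaced by a placeholder.

```python
import ipaddress
import re

# Constructed sample: condensed excerpt of the posted config, secret withheld.
SAMPLE_CONFIG = """\
interface Dialer0
 ip address 81.1.1.217 255.255.255.248
 ip nat outside
 ppp chap password 7 <withheld>
interface Dialer1
 ip address 81.2.2.81 255.255.255.248
 ip nat outside
ip http server
ip nat inside source static tcp 10.10.10.230 25 81.1.1.81 25 extendable
ip nat inside source static tcp 10.10.10.231 25 81.2.2.217 25 extendable
ip sla 1
 icmp-echo 81.1.1.217
ip sla 2
 icmp-echo 81.2.2.81
line vty 0 4
 transport input telnet ssh
"""
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
STATIC_NAT = re.compile(rf"ip nat inside source static (?:tcp|udp) \S+ \d+ {IPV4} \d+")


def sections(config):
    """Split an IOS config into (top-level line, [indented sub-commands])."""
    result = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue  # blank lines and '!' separators carry no settings
        if line[0] == " " and result:
            result[-1][1].append(line.strip())
        else:
            result.append((line.strip(), []))
    return result


def audit(config):
    """Return (rule, config line) findings; secret values are never echoed."""
    secs = sections(config)
    local, outside = set(), []  # all interface addresses, NAT-outside subnets
    for header, body in secs:
        for cmd in (body if header.startswith("interface ") else []):
            m = re.match(rf"ip address {IPV4} {IPV4}", cmd)  # skips 'negotiated'
            if m:
                iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
                local.add(iface.ip)
                if "ip nat outside" in body:
                    outside.append(iface.network)
    findings = []
    for header, body in secs:
        if any(re.search(r"\bpassword 7 \S", x) for x in [header, *body]):
            findings.append(("type7-password", header))  # reversible encoding
        if header == "ip http server":
            findings.append(("cleartext-http-mgmt", header))
        telnet = [c for c in body if re.match(r"transport input\b.*\btelnet\b", c)]
        if header.startswith("line vty") and telnet:
            findings.append(("telnet-on-vty", header))
        m = STATIC_NAT.match(header)
        glob = ipaddress.ip_address(m.group(1)) if m else None
        if glob is not None and outside and not any(glob in n for n in outside):
            findings.append(("nat-global-off-subnet", header))
        if re.match(r"ip sla \d+$", header):
            for cmd in body:
                m = re.match(rf"icmp-echo {IPV4}", cmd)
                if m and ipaddress.ip_address(m.group(1)) in local:
                    findings.append(("sla-probes-own-address", f"{header}: {cmd}"))
    return findings

if __name__ == "__main__":
    for rule, where in audit(SAMPLE_CONFIG):
        print(f"{rule:24}{where}")
```

A static global address that sits outside every NAT-outside subnet only works if the ISP routes it to the router, and an SLA probe aimed at one of the router's own addresses cannot detect a failure further upstream. Type 7 strings are reversible, so they are best withheld from a posted config.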