Solved

policy-based routing with cisco 1811

Posted on 2008-10-19
Last Modified: 2011-10-19
Hi
I'm working on a cisco 1811/k8 with 2x fe ports and 8 built-in ports.
The diagram will explain more than my words.
fe0 has public IP 64.62xxxx. Our DNS points domain.com to this IP.
vlan1 has 2 load-balanced web servers and is being NAT'd to fe0.

fe1 has public IP 65.49xxxx. Our DNS points sub1.domain.com to this IP.
vlan2 has 1 web server, 1 ftp server and is being NAT'd to fe1.

I'd like to set up PBR so that HTTP requests to http://www.domain.com and http://sub1.domain.com can be processed by the appropriate web servers.

I came up with an IOS version for this task, but have not tested it yet since the router is uplinked.
(simply change ip route statement)

Can you please show me how to achieve this task correctly?
thanks so much!
!!!2 NAMESERVERS PROVIDED BY ISP
ip name-server 65.19.175.2
ip name-server 216.218.196.2
!!
ip route 192.168.0.0 0.0.0.0 64.62.240.65 !!default gateway for 64.62.xxx network
ip route 192.168.1.0 0.0.0.0 65.49.22.193 !!default gateway for 65.49.xxx network
 
 
!!THIS RULE WILL ALLOW OUTBOUND CONNECTIONS FROM MY INTERNAL NET
ip inspect name firewall http
ip inspect name firewall https
.........
!
 
interface FastEthernet0
 ip address 64.62.240.66 255.255.255.240
 ip access-group inbound0 in
 ip nat outside1
 ip inspect firewall out
 ip virtual-reassembly
 shutdown
 speed auto
 full-duplex
!
interface FastEthernet1
 ip address 65.49.22.194 255.255.255.224
 ip access-group inbound1 in
 ip nat outside2
 ip inspect firewall out
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside1
 ip virtual-reassembly
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside2
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
!
!
no ip http server
no ip http secure-server
 
ip nat pool LocalNet1 64.62.240.66 64.62.240.66 prefix-length 24
ip nat pool LocalNet2 65.49.22.194 65.49.22.194 prefix-length 24
 
ip nat inside source list 1 pool LocalNet1 overload
ip nat inside source list 2 pool LocalNet2 overload
 
ip nat inside1 source static tcp 192.168.0.80 80 interface FastEthernet0 80
....MORE NAT RULES HERE
 
ip nat inside source static tcp 192.168.1.2 80 interface FastEthernet1 80
ip nat inside source static tcp 192.168.1.2 21 interface FastEthernet1 21
 
!
ip access-list extended inbound0
 permit tcp any host 64.62.240.66 eq www
 permit tcp any host 64.62.240.66 eq ftp
 permit tcp any host 64.62.240.66 eq ftp-data
 permit tcp any host 64.62.240.66 eq 443
 permit tcp any host 64.62.240.66 eq smtp
 permit tcp any host 64.62.240.66 eq 3389
 permit tcp any host 64.62.240.66 eq 3390
 permit tcp any host 64.62.240.66 eq 3391
 permit tcp any host 64.62.240.66 eq 3392
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   ip 172.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 7.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   tcp any host 64.62.250.66 log
 deny   udp any host 64.62.250.66 log
!
!
!
ip access-list extended inbound1
 permit tcp any host 65.49.22.194 eq www
 permit tcp any host 65.49.22.194 eq ftp
 permit tcp any host 65.49.22.194 eq ftp-data
 permit tcp any host 65.49.22.194 eq 3389
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   ip 172.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 7.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   tcp any host 65.49.22.194
 deny   udp any host 65.49.22.194
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
!

[Attachment: net1.jpg, the network diagram referred to above]
Question by:valleytech
 
LVL 10

Accepted Solution

by:
kyleb84 earned 2000 total points
ID: 22754958
valleytech,

PBR isn't required in your case, since you have 2 different domains, pointing to 2 different IPs, going to 2 different FastEthernet interfaces.

The attached code makes both FastEthernet (0 and 1) perform NAT for each respective Vlan (1 and 2), while retaining DNS->IP->WWW server bindings.

! Removed name servers, it's best to just leave your Cisco to perform routing,
! not provide DNS forwarding as well. Plus DNS resolution will be quicker.
!
! [REMOVED]
! This tells the router that to get to the 192.168.0.0 network, forward packets to your default ISP gateway
! But really, to get to the 192.168.0.0 network, it needs to go to Vlan1, same thing applies to the next line.
!ip route 192.168.0.0 0.0.0.0 64.62.240.65 !!default gateway for 64.62.xxx network
!ip route 192.168.1.0 0.0.0.0 65.49.22.193 !!default gateway for 65.49.xxx network
!
![WWW Security should be implemented on the Web server]
!ip inspect name firewall http
!ip inspect name firewall https
!
!
interface FastEthernet0
 ip address 64.62.240.66 255.255.255.240
 ! "outside" is a keyword, not a NAT table name.
 ip nat outside
 ! Removed SPI, not required.
 ! ip inspect firewall out
 ip virtual-reassembly
 ! don't forget the "no shutdown"
 no shutdown
 speed 100
 full-duplex
!
interface FastEthernet1
 ip address 65.49.22.194 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ! "inside" is a keyword, not a NAT table name.
 ip nat inside
 ip virtual-reassembly
 no shutdown
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 ! "inside" is a keyword, not a NAT table name.
 ip nat inside
 ip virtual-reassembly
 no shutdown
!
interface Async1
 no ip address
 encapsulation slip
!
!
!
no ip http server
no ip http secure-server
!
!
! Putting both gateways in here with the same metric will load
! balance between the two.
! 
ip route 0.0.0.0 0.0.0.0 64.62.240.65 30
ip route 0.0.0.0 0.0.0.0 65.49.22.193 30
!
ip nat inside source list 110 interface FastEthernet0 overload
ip nat inside source list 111 interface FastEthernet1 overload
!
! Forward HTTP + HTTPS to 192.168.0.80
ip nat inside source static tcp 192.168.0.80 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.0.80 443 interface FastEthernet0 443
!
! Forward HTTP,HTTPS,FTP to 192.168.1.2
ip nat inside source static tcp 192.168.1.2 80 interface FastEthernet1 80
ip nat inside source static tcp 192.168.1.2 443 interface FastEthernet1 443
ip nat inside source static tcp 192.168.1.2 21 interface FastEthernet1 21
!
! Got rid of access policy maps, not required.
!
! 100-199 are extended ACLs, so a protocol keyword (ip) is required
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
!


Author Comment

by:valleytech
ID: 22754994
Thanks!!
I have a couple of questions though.

1. When you put the gateway as "ip route 0.0.0.0 0.0.0.0 xxxxxxx", will it confuse the router? i.e. will a packet know which route to follow?

2. NAT doesn't provide any means of protection, right? That's why I added the ACLs.

thanks again for any info!
 
LVL 10

Expert Comment

by:kyleb84
ID: 22755063
1.
When a PC from either Vlan1 or Vlan2 wants to access the internet, the Cisco router can tell which Vlan needs to go out which FastEthernet because of the "ip nat source list" command.

2.
NAT is a defence in itself, and Cisco are very much established in networking so their NAT engine will be secure. NAT basically only allows your local computers to access internet resources... Internet "hackers" cannot initiate an attack on your

In any case, your ACLs that I removed didn't do much, because you were blocking address ranges that do not exist on the internet - only in private LANs that would never be found on the WAN side of your router.

""
 deny   ip 192.168.0.0 0.0.255.255 any log <-- Private LAN range, not required.
 deny   ip 0.0.0.0 0.255.255.255 any log <-- Bad syntax
 deny   ip host 255.255.255.255 any log <-- this would kill broadcasts, not particularly necessary.
 deny   ip 172.0.0.0 0.255.255.255 any log <-- Private LAN, actually blocks some real world IPs as well.
 deny   ip 224.0.0.0 15.255.255.255 any log <-- Multicast, not required
 deny   ip 240.0.0.0 7.255.255.255 any log <--  As above
 deny   ip 10.0.0.0 0.255.255.255 any log <-- Private LAN
 deny   ip 172.16.0.0 0.15.255.255 any log <-- Private LAN
""

As long as your web servers are up to date, with AV etc... and your port forwarding isn't out of control you don't have much to worry about.
 
LVL 10

Expert Comment

by:kyleb84
ID: 22755093
NOTE:
I mentioned that it would load balance, this isn't correct as both the WAN interfaces are NAT OUTSIDE interfaces (Routes are governed by that command "ip nat source list").

 

Author Comment

by:valleytech
ID: 22769505
Sorry for the late replies! Grad school is killing me lolzz..

So, overall, I can just keep my old configuration plus the edits that you suggested, right?
The "deny" commands I used are to prevent IP spoofing. What do you think?

thanks!!

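The inbound ACLs in the question were meant as anti-spoofing filters, and the thread notes that the 172.0.0.0 0.255.255.255 entry also catches public address space. What follows is an added example, not configuration posted by valleytech or kyleb84: an ingress filter for FastEthernet0 that drops source addresses which cannot legitimately arrive from the Internet (our own public block, the inside VLANs, the exact RFC 1918 ranges, loopback, link-local, 224/3 as a source, and the two broadcast/unspecified hosts), permits only the published services on the fe0 address, and pairs that with classic IOS inspection so replies to sessions opened from the inside are still admitted. Addresses and ports are the ones posted in the question; the names INGRESS-FE0 and FW are assumptions.

```cisco
! Added example, not from the thread. Names INGRESS-FE0 and FW are assumed.
! Applied "in" on the outside interface, so it is evaluated before the
! outside-to-inside NAT translation: destinations are the public addresses.
ip access-list extended INGRESS-FE0
 remark --- sources that must never arrive from the Internet ---
 remark our own /28 (64.62.240.64-79) as a source from outside is spoofed
 deny   ip 64.62.240.64 0.0.0.15 any log
 remark inside VLANs and the rest of RFC 1918 (172.16/12 only, not 172/8)
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 remark loopback, link-local, multicast+reserved (224/3), broadcast, unspecified
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 31.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   ip host 0.0.0.0 any log
 remark --- published services, on the fe0 address only ---
 permit tcp any host 64.62.240.66 eq www
 permit tcp any host 64.62.240.66 eq 443
 remark explicit logged deny so the drops show up in "show logging"
 deny   ip any any log
!
! Classic IOS inspection (CBAC): outbound sessions from the inside get their
! return packets admitted through INGRESS-FE0 without a blanket permit.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
interface FastEthernet0
 ip access-group INGRESS-FE0 in
 ip inspect FW out
```

The FastEthernet1 copy is the same list with 65.49.22.194 as the permitted host and 65.49.22.192 0.0.0.31 (the /27 from the question) as the own-prefix deny. Hit counters in "show ip access-lists INGRESS-FE0" show which deny lines actually fire, and "show ip inspect sessions" shows the openings the inspect rule has created. Logging every spoofed packet is useful for detection but costs CPU on a router facing an open Internet link, so pair the "log" keywords with "logging rate-limit".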
 

Author Comment

by:valleytech
ID: 22780635
I was able to try out the new setup today.
Vlan1 seems to be working okay.
But vlan2 doesn't work so well. I cannot ping vlan2 interface from the router itself.
So I switched to using vlan1 instead, but with 2 "ip route" statements the router seems to be confused. Thus, the connection is really slow, unless I remove one of the "ip route" statements.

Can you help??
thanks!!
interface FastEthernet0
 ip address 209.172.108.20 255.255.255.224
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface FastEthernet1
 ip address 209.172.108.194 255.255.255.248
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
!!209.172.108.1 is gateway for network of 209.172.108.1/30
ip route 0.0.0.0 0.0.0.0 209.172.108.1 
!!193 is gateway for network of 209.172.108.194/30
ip route 0.0.0.0 0.0.0.0 209.172.108.193

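The last comment shows Vlan1 working with one default route and slowing down with two. With two equal-cost defaults the router shares outbound flows between the links by destination, so a flow that NAT has already tied to one ISP address can be sent out the other ISP's link, where it is typically dropped as spoofed and has to be retransmitted. What follows is an added example, not configuration from the thread: with two NAT outside interfaces the egress link has to be chosen per source network, which is the policy-based routing the question originally asked about, combined with NAT route-maps keyed on the egress interface. Addresses are those from the question (64.62.240.x on FastEthernet0, 65.49.22.x on FastEthernet1); ACL numbers 110/111/120/121 and the route-map names NAT-FE0, NAT-FE1 and PBR-VLAN are assumptions.

```cisco
! Added example, not from the thread. Route-map names and ACL numbers are assumed.
!
! 1. One active default route; the second is a floating backup (higher
!    administrative distance) that only enters the table if the first is
!    withdrawn. Two defaults with the same distance would split flows by
!    destination regardless of which ISP address NAT gave the flow.
ip route 0.0.0.0 0.0.0.0 64.62.240.65
ip route 0.0.0.0 0.0.0.0 65.49.22.193 10
!
! 2. Outbound PAT keyed on the egress interface as well as the source list:
!    a Vlan1 flow is translated to the fe0 address only when it leaves fe0.
!    (Replaces the "ip nat inside source list ... overload" lines.)
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
route-map NAT-FE0 permit 10
 match ip address 110
 match interface FastEthernet0
route-map NAT-FE1 permit 10
 match ip address 111
 match interface FastEthernet1
ip nat inside source route-map NAT-FE0 interface FastEthernet0 overload
ip nat inside source route-map NAT-FE1 interface FastEthernet1 overload
!
! 3. Policy routing on the inside VLANs: Internet-bound packets from Vlan1
!    leave via ISP1, from Vlan2 via ISP2, so replies from the published
!    servers go back out the link the request came in on. Traffic between
!    the two VLANs is excluded (deny entries) and keeps using the routing table.
access-list 120 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
access-list 121 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 121 permit ip 192.168.1.0 0.0.0.255 any
route-map PBR-VLAN permit 10
 match ip address 120
 set ip next-hop 64.62.240.65
route-map PBR-VLAN permit 20
 match ip address 121
 set ip next-hop 65.49.22.193
interface Vlan1
 ip policy route-map PBR-VLAN
interface Vlan2
 ip policy route-map PBR-VLAN
!
! 4. Published services, as in the accepted solution.
ip nat inside source static tcp 192.168.0.80 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.0.80 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.1.2 80 interface FastEthernet1 80
ip nat inside source static tcp 192.168.1.2 443 interface FastEthernet1 443
ip nat inside source static tcp 192.168.1.2 21 interface FastEthernet1 21
```

"show route-map PBR-VLAN" shows per-sequence match counters, and "show ip nat translations" should show Vlan1 hosts behind 64.62.240.66 only and Vlan2 hosts behind 65.49.22.194 only. "set ip next-hop" is skipped when the interface towards that next hop is down, so an fe0 outage falls back to the routing table and the floating route; tracking reachability beyond link state needs "set ip next-hop verify-availability" with an IP SLA probe, which is not shown here.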
