Solved

policy-based routing with cisco 1811

Posted on 2008-10-19
925 Views
Last Modified: 2011-10-19
Hi
I'm working on a Cisco 1811/k8 with 2x FE ports and 8 built-in ports.
The diagram will explain more than my words.
fe0 has public IP 64.62xxxx. Our DNS points domain.com to this IP.
vlan1 has 2 load-balanced web servers and is NAT'd to fe0.

fe1 has public IP 65.49xxxx. Our DNS points sub1.domain.com to this IP.
vlan2 has 1 web server and 1 ftp server and is NAT'd to fe1.

I'd like to set up PBR so that HTTP requests to http://www.domain.com and http://sub1.domain.com can be processed by the appropriate web servers.

I came up with an IOS version for this task, but have not tested it yet since the router is uplinked.
(simply change the ip route statement)

Can you please show me how to achieve this task correctly?
Thanks so much!
!!!2 NAMESERVERS PROVIDED BY ISP
ip name-server 65.19.175.2
ip name-server 216.218.196.2
!!
ip route 192.168.0.0 0.0.0.0 64.62.240.65 !!default gateway for 64.62.xxx network
ip route 192.168.1.0 0.0.0.0 65.49.22.193 !!default gateway for 65.49.xxx network
 
 
!!THIS RULE WILL ALLOW OUTBOUND CONNECTIONS FROM MY INTERNAL NET
ip inspect name firewall http
ip inspect name firewall https
.........
!
 
interface FastEthernet0
 ip address 64.62.240.66 255.255.255.240
 ip access-group inbound0 in
 ip nat outside1
 ip inspect firewall out
 ip virtual-reassembly
 shutdown
 speed auto
 full-duplex
!
interface FastEthernet1
 ip address 65.49.22.194 255.255.255.224
 ip access-group inbound1 in
 ip nat outside2
 ip inspect firewall out
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside1
 ip virtual-reassembly
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside2
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
!
!
no ip http server
no ip http secure-server
 
ip nat pool LocalNet1 64.62.240.66 64.62.240.66 prefix-length 24
ip nat pool LocalNet2 65.49.22.194 65.49.22.194 prefix-length 24
 
ip nat inside source list 1 pool LocalNet1 overload
ip nat inside source list 2 pool LocalNet2 overload
 
ip nat inside1 source static tcp 192.168.0.80 80 interface FastEthernet0 80
....MORE NAT RULES HERE
 
ip nat inside source static tcp 192.168.1.2 80 interface FastEthernet1 80
ip nat inside source static tcp 192.168.1.2 21 interface FastEthernet1 21
 
!
ip access-list extended inbound0
 permit tcp any host 64.62.240.66 eq www
 permit tcp any host 64.62.240.66 eq ftp
 permit tcp any host 64.62.240.66 eq ftp-data
 permit tcp any host 64.62.240.66 eq 443
 permit tcp any host 64.62.240.66 eq smtp
 permit tcp any host 64.62.240.66 eq 3389
 permit tcp any host 64.62.240.66 eq 3390
 permit tcp any host 64.62.240.66 eq 3391
 permit tcp any host 64.62.240.66 eq 3392
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   ip 172.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 7.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   tcp any host 64.62.250.66 log
 deny   udp any host 64.62.250.66 log
!
!
!
ip access-list extended inbound1
 permit tcp any host 65.49.22.194 eq www
 permit tcp any host 65.49.22.194 eq ftp
 permit tcp any host 65.49.22.194 eq ftp-data
 permit tcp any host 65.49.22.194 eq 3389
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   ip 172.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 7.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   tcp any host 65.49.22.194
 deny   udp any host 65.49.22.194
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
!

[Attachment: net1.jpg]

Question by: valleytech
6 Comments
 
Accepted Solution by kyleb84 (LVL 10, earned 500 total points), ID: 22754958

valleytech,

PBR isn't required in your case, since you have 2 different domains, pointing to 2 different IPs, going to 2 different FastEthernet interfaces.

The attached code makes both FastEthernet (0 and 1) perform NAT for each respective Vlan (1 and 2), while retaining DNS->IP->WWW server bindings.

! Removed Name servers, its best to just leave your Cisco to perform routing
! not provide DNS forwarding as well. Plus DNS resolution will be quicker.
!
! [REMOVED]
! This tells the router that to get to the 192.168.0.0 network, forward packets to your default ISP gateway
! But really, to get to the 192.168.0.0 network, it needs to go to Vlan1, same thing applies to the next line.
!ip route 192.168.0.0 0.0.0.0 64.62.240.65 !!default gateway for 64.62.xxx network
!ip route 192.168.1.0 0.0.0.0 65.49.22.193 !!default gateway for 65.49.xxx network
!
![WWW Security should be implemented on the Web server]
!ip inspect name firewall http
!ip inspect name firewall https
!
!
interface FastEthernet0
 ip address 64.62.240.66 255.255.255.240
 ! "outside" is a keyword, not a NAT table name.
 ip nat outside
 ! Removed SPI, not required.
 ! ip inspect firewall out
 ip virtual-reassembly
 ! dont forget the "no shutdown"
 no shutdown
 speed 100
 full-duplex
!
interface FastEthernet1
 ip address 65.49.22.194 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ! "inside" is a keyword, not a NAT table name.
 ip nat inside
 ip virtual-reassembly
 no shutdown
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 ! "inside" is a keyword, not a NAT table name.
 ip nat inside
 ip virtual-reassembly
 no shutdown
!
interface Async1
 no ip address
 encapsulation slip
!
!
!
no ip http server
no ip http secure-server
!
!
! Putting both gateways in here with the same metric will load
! balance between the two.
! 
ip route 0.0.0.0 0.0.0.0 64.62.240.65 30
ip route 0.0.0.0 0.0.0.0 65.49.22.193 30
!
ip nat inside source list 110 interface FastEthernet0 overload
ip nat inside source list 111 interface FastEthernet1 overload
!
! Forward HTTP + HTTPS to 192.168.0.80
ip nat inside source static tcp 192.168.0.80 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.0.80 443 interface FastEthernet0 443
!
! Forward HTTP,HTTPS,FTP to 192.168.1.2
ip nat inside source static tcp 192.168.1.2 80 interface FastEthernet1 80
ip nat inside source static tcp 192.168.1.2 443 interface FastEthernet1 443
ip nat inside source static tcp 192.168.1.2 21 interface FastEthernet1 21
!
! Got rid of access policy maps, not required.
!
! 110/111 are extended ACL numbers, so they take the "ip <src> <dst>" form
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
!


Author Comment by valleytech, ID: 22754994
Thanks!!
I have a couple of questions though.

1. When you put the gateway as "ip route 0.0.0.0 0.0.0.0 xxxxxxx", will it confuse the router? i.e. will the packet know which route to follow?

2. NAT doesn't provide any means of protection, right? That's why I added the ACL.

Thanks again for any info!
Expert Comment by kyleb84 (LVL 10), ID: 22755063
1.
When a PC from either Vlan1 or Vlan2 wants to access the internet, the Cisco router can tell which Vlan needs to go out which FastEthernet because of the "ip nat source list" command.

2.
NAT is a defence in itself, and Cisco are very much established in networking so their NAT engine will be secure. NAT basically only allows your local computers to access internet resources... Internet "hackers" cannot initiate an attack on your

In any case, the ACLs that I removed didn't do much, because you were blocking address ranges that do not exist on the internet - only in private LANs that would never be found on the WAN side of your router.

 deny   ip 192.168.0.0 0.0.255.255 any log <-- Private LAN range, not required.
 deny   ip 0.0.0.0 0.255.255.255 any log <-- Bad syntax
 deny   ip host 255.255.255.255 any log <-- this would kill broadcasts, not particularly necessary.
 deny   ip 172.0.0.0 0.255.255.255 any log <-- Private LAN, actually blocks some real world IPs as well.
 deny   ip 224.0.0.0 15.255.255.255 any log <-- Multicast, not required
 deny   ip 240.0.0.0 7.255.255.255 any log <-- As above
 deny   ip 10.0.0.0 0.255.255.255 any log <-- Private LAN
 deny   ip 172.16.0.0 0.15.255.255 any log <-- Private LAN

As long as your web servers are up to date, with AV etc... and your port forwarding isn't out of control you don't have much to worry about.
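An inbound WAN filter written for the purpose the asker describes (limiting what reaches the public address, and dropping packets whose source address cannot legitimately arrive from the Internet), as an added example that is not part of this thread. Two details decide whether such a list does anything useful. First, IOS ACLs are first-match, so the anti-spoofing denies have to come before any "permit tcp any host ..." line; in the order used in the question (permits first), a packet with a forged private source address still reaches a published port. Second, a list that ends in an explicit deny also drops the return packets of sessions the inside hosts open, so it must be paired with CBAC inspection ("ip inspect") applied outbound on the same interface, which opens those return holes dynamically; removing the inspect rules while keeping the ACL breaks outbound browsing. The addresses are those of the original post (64.62.240.66 on FastEthernet0). The inspection name FW, the ACL name WAN0-IN and the admin source 203.0.113.10 (a documentation address) are assumptions made for the example.

```cisco
! Stateful inspection of inside-initiated sessions. CBAC admits the return
! packets of these sessions through WAN0-IN dynamically; without it the
! final "deny ip any any" below would block them.
! 'ftp' inspection also opens the data channel for active and passive FTP.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW ftp
!
ip access-list extended WAN0-IN
 remark === 1. anti-spoofing: sources that must never arrive from the Internet
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 15.255.255.255 any log
 deny   ip host 64.62.240.66 any log
 remark === 2. published services, to the WAN address only
 permit tcp any host 64.62.240.66 eq www
 permit tcp any host 64.62.240.66 eq 443
 permit tcp any host 64.62.240.66 eq ftp
 remark === 3. RDP forwards only from the assumed admin address (203.0.113.10)
 permit tcp host 203.0.113.10 host 64.62.240.66 range 3389 3392
 remark === 4. ICMP needed for path-MTU discovery and traceroute replies
 permit icmp any host 64.62.240.66 unreachable
 permit icmp any host 64.62.240.66 time-exceeded
 remark === 5. everything else, including anything aimed at inside prefixes
 deny   ip any any log
!
interface FastEthernet0
 ip address 64.62.240.66 255.255.255.240
 ip nat outside
 ip access-group WAN0-IN in
 ip inspect FW out
 no shutdown
!
! Checks:
! show ip access-lists WAN0-IN     per-line hit counts; the anti-spoofing
!                                  lines and the final deny should increment
! show ip inspect sessions         the inside-initiated sessions CBAC tracks
! show logging                     'log' records the denied source addresses
```

The list for FastEthernet1 is the same with 65.49.22.194 as the destination and only the ports actually published there. Note that the ACL is evaluated before NAT undoes the port forward, so the destination in every permit is the router's public address, not the inside server.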
 
Expert Comment by kyleb84 (LVL 10), ID: 22755093
NOTE:
I mentioned that it would load balance, this isn't correct as both the WAN interfaces are NAT OUTSIDE interfaces (Routes are governed by that command "ip nat source list").


Author Comment by valleytech, ID: 22769505
Sorry for the late reply! Grad school is killing me lolzz..

So, overall, I can just keep my old configuration plus the edits that you suggested, right?
The "deny" commands I used are to prevent IP spoofing. What do you think?

Thanks!!


Author Comment by valleytech, ID: 22780635
I was able to try out the new setup today.
Vlan1 seems to be working okay.
But vlan2 doesn't work so well. I cannot ping the vlan2 interface from the router itself.
So I switched to using vlan1 instead, but with 2 "ip route" statements the router seems to be confused. Thus, the connection is really slow, unless I remove one of the "ip route" statements.

Can you help??
Thanks!!
interface FastEthernet0
 ip address 209.172.108.20 255.255.255.224
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface FastEthernet1
 ip address 209.172.108.194 255.255.255.248
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
!!209.172.108.1 is gateway for network of 209.172.108.1/30
ip route 0.0.0.0 0.0.0.0 209.172.108.1 
!!193 is gateway for network of 209.172.108.194/30
ip route 0.0.0.0 0.0.0.0 209.172.108.193

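The symptom in the last post (slow connections with two default routes, gone as soon as one is removed) and the pair of equal-cost default routes in the accepted solution come from the same interaction. With two default routes of equal administrative distance the router shares flows across both uplinks, while "ip nat inside source list ... interface ... overload" translates to one fixed interface address, so a flow can leave through one ISP carrying the other ISP's source address, which the upstream will usually drop or answer over the wrong link. Replies from 192.168.1.2 to a connection that arrived on FastEthernet1 have the same problem: they follow whichever default route wins, not the link the request came in on. Policy-based routing on the Vlan interfaces, which is what the original question asked for, pins each VLAN to its own gateway so that egress interface and NAT address always agree. The following is an added example configuration, not from the thread, using the addresses of the last post; the ACL and route-map names and the choice of FastEthernet6 as a VLAN 2 switchport are assumptions.

```cisco
! --- PBR: pin each VLAN to its own ISP gateway -----------------------------
! The deny lines keep inter-VLAN traffic (192.168.0.x <-> 192.168.1.x) out of
! the policy so it is still routed normally between the two Vlan interfaces
! instead of being handed to the ISP.
ip access-list extended PBR-VLAN1
 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended PBR-VLAN2
 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map VLAN1-TO-ISP1 permit 10
 match ip address PBR-VLAN1
 set ip next-hop 209.172.108.1
!
route-map VLAN2-TO-ISP2 permit 10
 match ip address PBR-VLAN2
 set ip next-hop 209.172.108.193
!
! --- NAT: each VLAN translates to the address of the uplink it is pinned to
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 110 interface FastEthernet0 overload
ip nat inside source list 111 interface FastEthernet1 overload
ip nat inside source static tcp 192.168.0.80 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.1.2 80 interface FastEthernet1 80
ip nat inside source static tcp 192.168.1.2 21 interface FastEthernet1 21
!
! --- Vlan2 is only up/up when VLAN 2 exists in the VLAN database and at
! least one switchport assigned to it has link. If "show ip interface brief"
! shows Vlan2 down, that is the cause, not routing. VLAN 2 is created from
! exec mode on this platform ("vlan database", "vlan 2", "exit").
! FastEthernet6 as the VLAN 2 port is an assumption.
interface FastEthernet6
 switchport access vlan 2
 no shutdown
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip policy route-map VLAN1-TO-ISP1
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map VLAN2-TO-ISP2
!
interface FastEthernet0
 ip address 209.172.108.20 255.255.255.224
 ip nat outside
!
interface FastEthernet1
 ip address 209.172.108.194 255.255.255.248
 ip nat outside
!
! One default route for router-originated and unmatched traffic; the second
! is a floating backup (higher administrative distance), not an equal-cost
! pair, so nothing is load-shared across the two ISPs.
ip route 0.0.0.0 0.0.0.0 209.172.108.1
ip route 0.0.0.0 0.0.0.0 209.172.108.193 10
!
! --- Checks ----------------------------------------------------------------
! show ip policy               route-map bound to each Vlan interface
! show route-map               match counters grow as each VLAN sends traffic
! show ip nat translations     VLAN 2 hosts must appear as 209.172.108.194
! debug ip policy              per packet: "policy match" / "policy rejected"
```

"set ip next-hop" keeps sending packets at a gateway even after that ISP link dies. On IOS releases that support it, "set ip next-hop verify-availability <gateway> <seq> track <object>" tied to an IP SLA reachability probe makes the policy fall through to normal routing (and so to the floating default route) when the gateway stops answering.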

Question has a verified solution.