Solved

policy-based routing with cisco 1811

Posted on 2008-10-19
Last Modified: 2011-10-19
Hi
I'm working on a cisco 1811/k8 with 2x fe ports and 8 built-in ports.
The diagram will explain more than my words.
fe0 has public IP 64.62xxxx. Our DNS points domain.com to this IP.
vlan1 has 2 load-balanced web servers and is NAT'd to fe0.

fe1 has public IP 65.49xxxx. Our DNS points sub1.domain.com to this IP.
vlan2 has 1 web server and 1 ftp server and is NAT'd to fe1.

I'd like to set up PBR so that HTTP requests to http://www.domain.com and http://sub1.domain.com can be processed by the appropriate web servers.

I came up with an IOS version for this task, but have not tested it yet since the router is uplinked.
(simply change the ip route statements)

Can you please show me how to achieve this task correctly?
thanks so much!
!!!2 NAMESERVERS PROVIDED BY ISP
ip name-server 65.19.175.2
ip name-server 216.218.196.2
!!
ip route 192.168.0.0 0.0.0.0 64.62.240.65 !!default gateway for 64.62.xxx network
ip route 192.168.1.0 0.0.0.0 65.49.22.193 !!default gateway for 65.49.xxx network
!
!!THIS RULE WILL ALLOW OUTBOUND CONNECTIONS FROM MY INTERNAL NET
ip inspect name firewall http
ip inspect name firewall https
.........
!
interface FastEthernet0
 ip address 64.62.240.66 255.255.255.240
 ip access-group inbound0 in
 ip nat outside1
 ip inspect firewall out
 ip virtual-reassembly
 shutdown
 speed auto
 full-duplex
!
interface FastEthernet1
 ip address 65.49.22.194 255.255.255.224
 ip access-group inbound1 in
 ip nat outside2
 ip inspect firewall out
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside1
 ip virtual-reassembly
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside2
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
no ip http server
no ip http secure-server
!
ip nat pool LocalNet1 64.62.240.66 64.62.240.66 prefix-length 24
ip nat pool LocalNet2 65.49.22.194 65.49.22.194 prefix-length 24
!
ip nat inside source list 1 pool LocalNet1 overload
ip nat inside source list 2 pool LocalNet2 overload
!
ip nat inside1 source static tcp 192.168.0.80 80 interface FastEthernet0 80
....MORE NAT RULES HERE
!
ip nat inside source static tcp 192.168.1.2 80 interface FastEthernet1 80
ip nat inside source static tcp 192.168.1.2 21 interface FastEthernet1 21
!
ip access-list extended inbound0
 permit tcp any host 64.62.240.66 eq www
 permit tcp any host 64.62.240.66 eq ftp
 permit tcp any host 64.62.240.66 eq ftp-data
 permit tcp any host 64.62.240.66 eq 443
 permit tcp any host 64.62.240.66 eq smtp
 permit tcp any host 64.62.240.66 eq 3389
 permit tcp any host 64.62.240.66 eq 3390
 permit tcp any host 64.62.240.66 eq 3391
 permit tcp any host 64.62.240.66 eq 3392
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   ip 172.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 7.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   tcp any host 64.62.250.66 log
 deny   udp any host 64.62.250.66 log
!
ip access-list extended inbound1
 permit tcp any host 65.49.22.194 eq www
 permit tcp any host 65.49.22.194 eq ftp
 permit tcp any host 65.49.22.194 eq ftp-data
 permit tcp any host 65.49.22.194 eq 3389
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   ip 172.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 7.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   tcp any host 65.49.22.194
 deny   udp any host 65.49.22.194
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
!

[Attachment: net1.jpg]

Question by: valleytech

Accepted Solution by: kyleb84 (ID: 22754958, earned 500 total points)
valleytech,

PBR isn't required in your case, since you have 2 different domains, pointing to 2 different IPs, going to 2 different FastEthernet interfaces.

The attached code makes both FastEthernet (0 and 1) perform NAT for each respective Vlan (1 and 2), while retaining DNS->IP->WWW server bindings.


! Removed name servers, it's best to just leave your Cisco to perform routing
! not provide DNS forwarding as well. Plus DNS resolution will be quicker.
!
! [REMOVED]
! This tells the router that to get to the 192.168.0.0 network, forward packets to your default ISP gateway
! But really, to get to the 192.168.0.0 network, it needs to go to Vlan1, same thing applies to the next line.
!ip route 192.168.0.0 0.0.0.0 64.62.240.65 !!default gateway for 64.62.xxx network
!ip route 192.168.1.0 0.0.0.0 65.49.22.193 !!default gateway for 65.49.xxx network
!
![WWW Security should be implemented on the Web server]
!ip inspect name firewall http
!ip inspect name firewall https
!
interface FastEthernet0
 ip address 64.62.240.66 255.255.255.240
 ! "outside" is a keyword, not a NAT table name.
 ip nat outside
 ! Removed SPI, not required.
 ! ip inspect firewall out
 ip virtual-reassembly
 ! don't forget the "no shutdown"
 no shutdown
 speed 100
 full-duplex
!
interface FastEthernet1
 ip address 65.49.22.194 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ! "inside" is a keyword, not a NAT table name.
 ip nat inside
 ip virtual-reassembly
 no shutdown
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 ! "inside" is a keyword, not a NAT table name.
 ip nat inside
 ip virtual-reassembly
 no shutdown
!
interface Async1
 no ip address
 encapsulation slip
!
no ip http server
no ip http secure-server
!
! Putting both gateways in here with the same metric will load
! balance between the two.
!
ip route 0.0.0.0 0.0.0.0 64.62.240.65 30
ip route 0.0.0.0 0.0.0.0 65.49.22.193 30
!
ip nat inside source list 110 interface FastEthernet0 overload
ip nat inside source list 111 interface FastEthernet1 overload
!
! Forward HTTP + HTTPS to 192.168.0.80
ip nat inside source static tcp 192.168.0.80 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.0.80 443 interface FastEthernet0 443
!
! Forward HTTP,HTTPS,FTP to 192.168.1.2
ip nat inside source static tcp 192.168.1.2 80 interface FastEthernet1 80
ip nat inside source static tcp 192.168.1.2 443 interface FastEthernet1 443
ip nat inside source static tcp 192.168.1.2 21 interface FastEthernet1 21
!
! Got rid of access policy maps, not required.
!
! 110 and 111 are in the extended numbered-ACL range (100-199), so each
! entry needs a protocol keyword and a destination; "ip <net> <wildcard> any"
! matches the same inside subnets for the NAT source lists.
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
!

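The corrections kyleb84 makes by hand above (the `inside1`/`outside1` suffix, the `ip route <vlan net> 0.0.0.0 <gw>` lines, the interface left in `shutdown`) can be caught mechanically before a config is pushed to a router that is already uplinked. The checker below is an added example, not code from the thread or from Cisco; it uses only the Python standard library, and its `SAMPLE` is constructed from lines of the question's own config. It also flags a numbered ACL in the extended range written without a protocol keyword, which is the one syntax slip in the accepted answer as originally posted.

```python
"""Lint pass over IOS config lines for the mistakes discussed in this thread.

  nat-keyword  "ip nat inside1" / "ip nat outside1": inside/outside are
               keywords, the trailing digit makes the line invalid.
  route-mask   "ip route 192.168.0.0 0.0.0.0 <gw>": a network with host bits
               set under its mask is not a valid static route (a default
               route is 0.0.0.0 0.0.0.0, and a directly connected VLAN needs
               no static route at all).
  acl-syntax   a numbered ACL in the extended range (100-199, 2000-2699)
               written without a protocol keyword, e.g.
               "access-list 110 permit 192.168.0.0 0.0.0.255".
  shutdown     an interface left administratively down.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


NAT_RE = re.compile(r"^\s*ip nat (inside|outside)(\d+)\b")
ROUTE_RE = re.compile(r"^\s*ip route (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^\s*access-list (\d+) (permit|deny) (\S+)")
EXTENDED_RANGES = ((100, 199), (2000, 2699))
# Protocol keywords accepted in an extended entry (a raw protocol number also counts).
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre", "esp", "ahp", "eigrp",
             "ospf", "igmp", "pim", "ipinip", "nos", "pcp"}

# Constructed sample: lines taken from the question's config.
SAMPLE = """\
ip route 192.168.0.0 0.0.0.0 64.62.240.65 !!default gateway for 64.62.xxx network
ip route 192.168.1.0 0.0.0.0 65.49.22.193
!
interface FastEthernet0
 ip address 64.62.240.66 255.255.255.240
 ip nat outside1
 shutdown
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside1
!
ip nat inside1 source static tcp 192.168.0.80 80 interface FastEthernet0 80
ip nat inside source list 110 interface FastEthernet0 overload
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 110 permit 192.168.0.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 64.62.240.65 30
"""


def is_extended_acl(number: int) -> bool:
    return any(lo <= number <= hi for lo, hi in EXTENDED_RANGES)


def lint_config(text: str) -> List[Finding]:
    """Return one Finding per problem line, in file order."""
    findings: List[Finding] = []
    current_if: Optional[str] = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("!", 1)[0].rstrip()      # drop IOS "!" comments
        if not line.strip():
            continue
        if line.startswith("interface "):
            current_if = line.split(None, 1)[1]
            continue
        if not line.startswith(" "):              # back at global config
            current_if = None

        if current_if and line.strip() == "shutdown":
            findings.append(Finding(no, "shutdown",
                            f"{current_if} is shut down; add 'no shutdown'"))

        m = NAT_RE.match(line)
        if m:
            kw, suffix = m.groups()
            findings.append(Finding(no, "nat-keyword",
                            f"'ip nat {kw}{suffix}': '{kw}' is a keyword, drop '{suffix}'"))

        m = ROUTE_RE.match(line)
        if m:
            net, mask, nh = m.groups()
            try:
                ipaddress.ip_network(f"{net}/{mask}", strict=True)
            except ValueError:
                findings.append(Finding(no, "route-mask",
                                f"'ip route {net} {mask} {nh}': {net} has host bits set under mask {mask}"))

        m = ACL_RE.match(line)
        if m:
            number, third = int(m.group(1)), m.group(3)
            if is_extended_acl(number) and third not in PROTOCOLS and not third.isdigit():
                findings.append(Finding(no, "acl-syntax",
                                f"access-list {number} is extended; '{third}' is not a protocol "
                                f"(write e.g. 'permit ip <net> <wildcard> any')"))
    return findings


if __name__ == "__main__":
    for f in lint_config(SAMPLE):
        print(f"line {f.line_no:>2} [{f.rule}] {f.detail}")
```

Run against `SAMPLE` it reports seven findings: two bad static routes, three `inside1`/`outside1` lines, the shut interface and the extended ACL without a protocol. The last line (a real default route with distance 30) passes, as does `access-list 1`, which is a standard ACL and takes the bare address/wildcard form.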

Author Comment by: valleytech (ID: 22754994)
Thanks!!
I have a couple of questions though

1. when you put the gateway as "ip route 0.0.0.0 0.0.0.0 xxxxxxx", will it confuse the router? i.e. will a packet know which route to follow?

2. NAT doesn't provide any means of protection, right? that's why I added the ACL.

thanks again for any info!
Expert Comment by: kyleb84 (ID: 22755063)
1.
When a PC from either Vlan1 or Vlan2 wants to access the internet, the Cisco router can tell which Vlan needs to go out which FastEthernet because of the "ip nat source list" command.

2.
NAT is a defence in itself, and Cisco are very much established in networking so their NAT engine will be secure. NAT basically only allows your local computers to access internet resources... Internet "hackers" cannot initiate an attack on your

In any case, your ACLs that I removed didn't do much, because you were blocking address ranges that do not exist on the internet - only in private LANs that would never be found on the WAN side of your router.

""
 deny   ip 192.168.0.0 0.0.255.255 any log <-- Private LAN range, not required.
 deny   ip 0.0.0.0 0.255.255.255 any log <-- Bad syntax
 deny   ip host 255.255.255.255 any log <-- this would kill broadcasts, not particularly necessary.
 deny   ip 172.0.0.0 0.255.255.255 any log <-- Private LAN, actually blocks some real world IPs as well.
 deny   ip 224.0.0.0 15.255.255.255 any log <-- Multicast, not required
 deny   ip 240.0.0.0 7.255.255.255 any log <-- As above
 deny   ip 10.0.0.0 0.255.255.255 any log <-- Private LAN
 deny   ip 172.16.0.0 0.15.255.255 any log <-- Private LAN
""

As long as your web servers are up to date, with AV etc... and your port forwarding isn't out of control, you don't have much to worry about.
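To see exactly what each of those inbound deny entries matches, the script below (an added example, not code from the thread) turns every `deny ip <src> <wildcard> any` or `deny ip host <src> any` line into a prefix, compares it with the usual reserved ranges, and counts how many ordinary public addresses the entry blocks as a side effect. `ACL_TEXT` is copied from the question's inbound0 list; `RESERVED` is the RFC 1918 / RFC 1122 / multicast / former class E table and is my own, not anything kyleb84 or valleytech posted. The `extra_reserved` parameter is an assumed convenience for adding your own prefixes.

```python
"""What the inbound anti-spoofing deny entries from the question really cover."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RESERVED = {
    "0.0.0.0/8": "this network (RFC 1122)",
    "10.0.0.0/8": "private (RFC 1918)",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local",
    "172.16.0.0/12": "private (RFC 1918)",
    "192.168.0.0/16": "private (RFC 1918)",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved (former class E)",
    "255.255.255.255/32": "limited broadcast",
}

DENY_RE = re.compile(r"^\s*deny\s+ip\s+(?:host\s+(\S+)|(\S+)\s+(\S+))\s+any\b")

# Constructed sample: the deny entries of the question's inbound0 list.
ACL_TEXT = """\
ip access-list extended inbound0
 permit tcp any host 64.62.240.66 eq www
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   ip 172.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 7.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   tcp any host 64.62.250.66 log
"""


@dataclass
class AclReport:
    entry: str
    network: Optional[ipaddress.IPv4Network]   # None for a non-contiguous wildcard
    reserved_hits: List[str]
    public_addresses: int


def wildcard_to_network(addr: str, wildcard: str) -> Optional[ipaddress.IPv4Network]:
    """IOS address/wildcard -> prefix; None if the wildcard is not contiguous
    (legal in IOS, but then the entry is not a single CIDR block)."""
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        return None
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def classify(net: ipaddress.IPv4Network, reserved: Dict[str, str]) -> Tuple[List[str], int]:
    """Reserved blocks the prefix touches, and how many addresses are left over."""
    hits, leftover = [], [net]
    for cidr, label in reserved.items():
        r = ipaddress.ip_network(cidr)
        if not net.overlaps(r):
            continue
        hits.append(f"{cidr} {label}")
        remaining = []
        for piece in leftover:
            if piece.subnet_of(r):
                continue                                   # entirely reserved: drop it
            if r.subnet_of(piece):
                remaining.extend(piece.address_exclude(r))  # carve the reserved part out
            else:
                remaining.append(piece)
        leftover = remaining
    return hits, sum(p.num_addresses for p in leftover)


def analyze(acl_text: str, extra_reserved: Optional[Dict[str, str]] = None) -> List[AclReport]:
    """One AclReport per 'deny ip ... any' entry, in ACL order. extra_reserved adds
    prefixes of your own (e.g. the WAN subnet a spoofed packet might claim)."""
    reserved = {**RESERVED, **(extra_reserved or {})}
    reports = []
    for raw in acl_text.splitlines():
        line = raw.split("<--", 1)[0]            # tolerate the "<--" notes used in the thread
        m = DENY_RE.match(line)
        if not m:
            continue
        host, addr, wc = m.groups()
        net = ipaddress.ip_network(f"{host}/32") if host else wildcard_to_network(addr, wc)
        if net is None:
            reports.append(AclReport(line.strip(), None, ["non-contiguous wildcard"], 0))
            continue
        hits, public = classify(net, reserved)
        reports.append(AclReport(line.strip(), net, hits, public))
    return reports


if __name__ == "__main__":
    for rep in analyze(ACL_TEXT):
        print(f"{rep.entry:<48} -> {rep.network}  reserved: {rep.reserved_hits}  "
              f"public addresses also blocked: {rep.public_addresses}")
```

Two entries stand out in the output. `deny ip 172.0.0.0 0.255.255.255` is 172.0.0.0/8, of which only 172.16.0.0/12 is private; the other 15,728,640 addresses are ordinary public space, which is the collateral blocking kyleb84 mentions. `deny ip 240.0.0.0 7.255.255.255` is 240.0.0.0/5, not the whole former class E block. Everything else resolves to a purely reserved range and blocks no public address at all.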
 
Expert Comment by: kyleb84 (ID: 22755093)
NOTE:
I mentioned that it would load balance; this isn't correct, as both the WAN interfaces are NAT OUTSIDE interfaces (routes are governed by that command "ip nat source list").

Author Comment by: valleytech (ID: 22769505)
sorry for the late replies! grad school is killing me lolzz..

so, overall, I can just keep my old configuration plus the edits that you suggested, right?
The "deny" commands I used are to prevent IP spoofing. what do you think?

thanks!!
Author Comment by: valleytech (ID: 22780635)
I was able to try out the new setup today.
Vlan1 seems to be working okay.
But vlan2 doesn't work so well. I cannot ping the vlan2 interface from the router itself.
So I switched to using vlan1 instead, but with 2 "ip route" statements the router seems to be confused. Thus, the connection is really slow unless I remove one of the "ip route" statements.

Can you help??
thanks!!
interface FastEthernet0
 ip address 209.172.108.20 255.255.255.224
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface FastEthernet1
 ip address 209.172.108.194 255.255.255.248
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
!!209.172.108.1 is gateway for network of 209.172.108.1/30
ip route 0.0.0.0 0.0.0.0 209.172.108.1
!!193 is gateway for network of 209.172.108.194/30
ip route 0.0.0.0 0.0.0.0 209.172.108.193
