Solved

No Outbound traffic on Broadband Interface on Cisco Router

Posted on 2008-10-30
868 Views
Last Modified: 2012-06-27
Good Evening,
I've set up a Cisco 2800 with a broadband connection to our local cable provider.
Interface information:
IP a.b.c.130
Mask: 255.255.255.48
Default gateway SHOULD be a.b.c.129

Connected Route for interface:
     a.b.c.0/29 is subnetted, 1 subnets
C       a.b.c.128 is directly connected, GigabitEthernet0/1 (gb0/1 = .129)

Traffic is able to enter the interface without issue; however, no outbound information is leaving the router for the internet. I've removed the firewall and ACL information. There are multiple connections on this router; the T1's are working fine, however when I try to fail the T1's and run on the cable connection only, obviously we run into issues.

When the T1's are failed, I can ping a.b.c.129 however a ping to 4.2.2.2 fails and an extended Trace shows * * * from the very first hop.

Any other information I can provide I will!  
Thanks,
Postie
0
Comment
Question by:Posthumous
14 Comments
 
LVL 5

Expert Comment

by:rexxus
ID: 22847527
Do you have a floating static default route to direct traffic out the broadband interface if the T1's fail?

Do you have any routes directing traffic out the gig0/1 interface?

Also, I'm assuming that the following info you provided is a typo, but can you check the interface subnet mask and make sure it's 255.255.255.248:

"Mask: 255.255.255.48"
0
 
LVL 1

Author Comment

by:Posthumous
ID: 22849435
Good Morning,
Yeah, .48 was a typo, apologies; it is .248.

There are currently 3 routes in the system:
0.0.0.0 0.0.0.0 T1#1 distance 1
0.0.0.0 0.0.0.0 T1#2 distance 1
0.0.0.0 0.0.0.0 Cable distance 10

However, if I take out the routes and leave only the gigabit link route, and admin down the two T1's, that's where I'm running into issues; I haven't even gotten to the point where the failovers are being troubleshot, per se.

Last night I did the following:
Removed all default static T1 routes leaving only the cable route
Removed all firewalls and access lists from the cable interface
Ping d.e.f.129 (default gateway of cable route): !!!!! - all good
Ping 4.2.2.2 (DNS internet): ..... - all bad

Messed around with a few other things trying to figure out why data won't go out the cable interface but will come in on it from other sites; eventually I just put the config back to the way it was and went to bed. The only thing I could think of was to wipe the whole router and rebuild it piece by piece, but I just didn't have the energy at that point to attempt it.



Current configuration : 15080 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco2800
!
boot-start-marker
boot-end-marker
!
card type t1 0 0
security authentication failure rate 3 log
logging buffered 51200 debugging
logging rate-limit all 100
enable secret 5 $1$9/VC$ol8RuDQ81TipSPuhvfM4y.
!
no aaa new-model
!
resource policy
!
clock timezone EST -5
clock summer-time EST recurring
no network-clock-participate wic 0
no ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
no ip bootp server
ip domain name companyconstruction.com
ip name-server 192.168.1.12
ip name-server 192.168.1.97
!
!
!
crypto pki trustpoint TP-self-signed-3994249393
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3994249393
 revocation-check none
 rsakeypair TP-self-signed-3994249393
!
!
crypto pki certificate chain TP-self-signed-3994249393
 certificate self-signed 01
  3082025A 308201C3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33393934 32343933 3933301E 170D3038 30383139 31363238
  30345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39393432
  34393339 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B567 3BE5466C 2BEC9FA4 BED51DA8 93DA86F5 CBEB0E4E ADAB44F5 847A8A55
  C9A5C75F E548599D 32ACAD47 A7B481A9 F8F2B3D6 C7712845 E98CD5A3 50D4C13C
  41C85A66 7EE0C7A1 382C6213 BFE8D6B6 5496EF2D 52D51909 B672C69C A5C6AE26
  1846A27C 6156799C D86FEC40 C52153FA DF1382EF D3015A5C CAFFA014 1932D3D9
  874D0203 010001A3 8181307F 300F0603 551D1301 01FF0405 30030101 FF302C06
  03551D11 04253023 82216369 73636F32 3830302E 65617374 65726E63 6F6E7374
  72756374 696F6E2E 636F6D30 1F060355 1D230418 30168014 073221CA E4B9876E
  BA7ED815 B6E3D4D0 AC6B935D 301D0603 551D0E04 16041407 3221CAE4 B9876EBA
  7ED815B6 E3D4D0AC 6B935D30 0D06092A 864886F7 0D010104 05000381 81004698
  2FE1009C AD7A8743 89FAB625 6DD76AC6 6DECD44A EA2A3B58 ADA3448E 9001FE59
  9C91FA12 AB483476 7EF1F957 B23BD00E 9994B8FB DA6B35DD 95E8DB7C EA2504C0
  9E25C3B9 93A44B73 33E413A6 DACA51E8 11AF8E34 AABE47C0 867F6F90 D5D13D8A
  72FE4DF8 5227AB5C DE415BB9 F6BCE180 17334FA2 7CFACD26 AA72FF7A F0B4
  quit
username admin privilege 15 secret 5 $1$uH5T$6GuYdAdYPzzkU5ML.TsmT/
!
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
!
!
!
interface Null0
 no ip unreachables
!
interface Loopback0
 ip address x.y.z.1 255.255.255.248
 ip access-group 199 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip load-sharing per-packet
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_INSIDE$
 ip address 192.168.1.50 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip load-sharing per-packet
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address d.e.f.130 255.255.255.248
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip load-sharing per-packet
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Serial0/0/0:0
 description T1 202$FW_OUTSIDE$
 bandwidth 1536000
 ip address a.b.c.202 255.255.255.252
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip load-sharing per-packet
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
!
interface Serial0/0/1:0
 description T1 222$FW_OUTSIDE$
 bandwidth 1536000
 ip address a.b.c.222 255.255.255.252
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip load-sharing per-packet
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
!
no ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0 permanent
ip route 0.0.0.0 0.0.0.0 Serial0/0/1:0 permanent
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 10 permanent name 
ip flow-top-talkers
 top 5
 sort-by bytes
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool pool x.y.z.1 38.99.187.6 netmask 255.255.255.248
ip nat pool pool2 d.e.f.130 d.e.f.130 netmask 255.255.255.248
ip nat inside source list 1 interface Loopback0 overload
ip nat inside source list 3 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.96 25 x.y.z.1 25 extendable no-alias
ip nat inside source static tcp 192.168.1.96 80 x.y.z.1 80 extendable no-alias
ip nat inside source static tcp 192.168.1.96 110 x.y.z.1 110 extendable no-alias
ip nat inside source static tcp 192.168.1.96 443 x.y.z.1 443 extendable no-alias
ip nat inside source static tcp 192.168.1.96 3389 x.y.z.1 3389 extendable no-alias
ip nat inside source static tcp 192.168.1.96 25 d.e.f.130 25 extendable no-alias
ip nat inside source static tcp 192.168.1.96 80 d.e.f.130 80 extendable no-alias
ip nat inside source static tcp 192.168.1.96 110 d.e.f.130 110 extendable no-alias
ip nat inside source static tcp 192.168.1.96 443 d.e.f.130 443 extendable no-alias
ip nat inside source static tcp 192.168.1.96 25 d.e.f.130 587 extendable no-alias
ip nat inside source static tcp 192.168.1.96 3389 d.e.f.130 3389 extendable no-alias
!
logging trap debugging
logging server-arp
logging 192.168.1.250
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip a.b.c.200 0.0.0.7 any
access-list 100 deny   ip d.e.f.128 0.0.0.7 any
access-list 100 deny   ip a.b.c.216 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 permit icmp any host d.e.f.130 echo
access-list 101 permit tcp any host d.e.f.130 eq 3389
access-list 101 permit tcp any host d.e.f.130 eq 443
access-list 101 permit tcp any host d.e.f.130 eq pop3
access-list 101 permit tcp any host d.e.f.130 eq www
access-list 101 permit tcp any host d.e.f.130 eq smtp
access-list 101 permit udp any eq domain host d.e.f.130
access-list 101 permit udp any eq ntp host d.e.f.130
access-list 101 permit tcp any eq www host d.e.f.130
access-list 101 permit tcp any eq 443 host d.e.f.130
access-list 101 permit tcp any eq 3389 host d.e.f.130
access-list 101 permit tcp any eq 1494 host d.e.f.130
access-list 101 permit icmp any host d.e.f.130 echo-reply
access-list 101 permit icmp any host d.e.f.130 time-exceeded
access-list 101 permit icmp any host d.e.f.130 unreachable
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit tcp any host x.y.z.1 eq 3389
access-list 102 permit tcp any host x.y.z.1 eq 443
access-list 102 permit tcp any host x.y.z.1 eq pop3
access-list 102 permit tcp any host x.y.z.1 eq www
access-list 102 permit tcp any host x.y.z.1 eq smtp
access-list 102 permit tcp any eq smtp host x.y.z.1
access-list 102 permit udp any eq domain host x.y.z.1
access-list 102 permit udp any eq ntp host x.y.z.1
access-list 102 permit tcp any eq www host x.y.z.1
access-list 102 permit tcp any eq 443 host x.y.z.1
access-list 102 permit tcp any eq 3389 host x.y.z.1
access-list 102 permit tcp any eq 1494 host x.y.z.1
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 permit udp any eq ntp host a.b.c.202
access-list 102 remark 2967 Symantec AV
access-list 102 permit tcp any host a.b.c.202 eq 2967
access-list 102 permit tcp any host a.b.c.202 eq smtp
access-list 102 permit tcp any eq smtp host a.b.c.202
access-list 102 permit tcp any eq 1494 host a.b.c.202
access-list 102 permit tcp any host a.b.c.202 eq 443
access-list 102 permit tcp any eq 443 host a.b.c.202
access-list 102 permit tcp any host a.b.c.202 eq www
access-list 102 permit tcp any eq www host a.b.c.202
access-list 102 permit udp any eq domain host a.b.c.202
access-list 102 permit icmp 66.28.3.0 0.0.0.255 host a.b.c.202 echo
access-list 102 permit icmp 66.250.0.0 0.0.254.255 host a.b.c.202 echo
access-list 102 permit icmp any host a.b.c.202 echo-reply
access-list 102 permit icmp any host a.b.c.202 time-exceeded
access-list 102 permit icmp any host a.b.c.202 unreachable
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp any host x.y.z.1 eq 3389
access-list 103 permit tcp any host x.y.z.1 eq 443
access-list 103 permit tcp any host x.y.z.1 eq pop3
access-list 103 permit tcp any host x.y.z.1 eq www
access-list 103 permit tcp any host x.y.z.1 eq smtp
access-list 103 permit tcp any eq smtp host x.y.z.1
access-list 103 permit udp any eq domain host x.y.z.1
access-list 103 permit udp any eq ntp host x.y.z.1
access-list 103 permit tcp any eq www host x.y.z.1
access-list 103 permit tcp any eq 443 host x.y.z.1
access-list 103 permit tcp any eq 3389 host x.y.z.1
access-list 103 permit tcp any eq 1494 host x.y.z.1
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 permit udp any eq ntp host a.b.c.222
access-list 103 permit tcp any eq 3389 host a.b.c.222
access-list 103 permit tcp any host a.b.c.222 eq 3389
access-list 103 permit tcp any eq smtp host a.b.c.222
access-list 103 permit tcp any eq 1494 host a.b.c.222
access-list 103 permit tcp any host a.b.c.222 eq 443
access-list 103 permit tcp any eq 443 host a.b.c.222
access-list 103 permit tcp any host a.b.c.222 eq www
access-list 103 permit tcp any eq www host a.b.c.222
access-list 103 permit udp any eq domain host a.b.c.222
access-list 103 permit icmp 66.28.3.0 0.0.0.255 host a.b.c.222 echo
access-list 103 permit icmp 66.250.0.0 0.0.254.255 host a.b.c.222 echo
access-list 103 permit icmp any host a.b.c.222 echo-reply
access-list 103 permit icmp any host a.b.c.222 time-exceeded
access-list 103 permit icmp any host a.b.c.222 unreachable
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 199 remark auto generated by SDM firewall configuration
access-list 199 remark SDM_ACL Category=1
access-list 199 permit tcp any host x.y.z.1 eq 3389
access-list 199 permit tcp any host x.y.z.1 eq 443
access-list 199 permit tcp any host x.y.z.1 eq pop3
access-list 199 permit tcp any host x.y.z.1 eq www
access-list 199 permit tcp any host x.y.z.1 eq smtp
access-list 199 permit udp any eq domain host x.y.z.1
access-list 199 permit udp any eq ntp host x.y.z.1
access-list 199 permit tcp any eq www host x.y.z.1
access-list 199 permit tcp any eq 443 host x.y.z.1
access-list 199 permit tcp any eq 3389 host x.y.z.1
access-list 199 permit tcp any eq 1494 host x.y.z.1
access-list 199 deny   ip 10.0.0.0 0.255.255.255 any
access-list 199 deny   ip 172.16.0.0 0.15.255.255 any
access-list 199 deny   ip 192.168.0.0 0.0.255.255 any
access-list 199 deny   ip 127.0.0.0 0.255.255.255 any
access-list 199 deny   ip host 255.255.255.255 any
access-list 199 deny   ip host 0.0.0.0 any
access-list 199 permit icmp 66.28.3.0 0.0.0.255 host a.b.c.222 echo
access-list 199 permit icmp 66.250.0.0 0.0.254.255 host a.b.c.222 echo
access-list 199 permit icmp any host a.b.c.222 echo-reply
access-list 199 permit icmp any host a.b.c.222 time-exceeded
access-list 199 permit icmp any host a.b.c.222 unreachable
access-list 199 deny   ip any any log
snmp-server community company RW
snmp-server community public RO
snmp-server location HO
snmp-server host 192.168.1.250 100153
no cdp run
!
!
control-plane
!
!
banner login ^CAccess Strictly Prohibited^C
banner motd ^C ^C
alias exec s show ip interface brief
!
line con 0
 logging synchronous
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 23 in
 exec-timeout 0 0
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


0
 
LVL 17

Expert Comment

by:mikecr
ID: 22851259
When you ping, are you pinging from the router or through the router? If you do an extended ping from the gigabit interface to the 4.2.2.2 address, do you get a reply?
0
 
LVL 1

Author Comment

by:Posthumous
ID: 22851328
Negative, with the T1's shut down and the routes removed, firewall disabled and ACLs removed.
Pinging from the router:
I could ping d.e.f.129 (default gateway of the cable connection)
I could NOT ping 4.2.2.2
I could NOT trace to 4.2.2.2
Extended pings/traces tied specifically to the GigabitEthernet0/1 interface also failed.

However, I can still (even now with everything up and working during the day) send RDP/telnet traffic from an offsite location to that d.e.f.130 address and get connected to the server behind it, and all the traffic going back to site uses the T1's to get where it needs to go. Is it possible for the traffic to be routed across the T1's to the d.e.f.130 interface? Doesn't seem likely to me, but perhaps I'm going crazy.

Rather confusing, honestly, why I can get traffic in and nothing out on that connection.
0
 
LVL 17

Expert Comment

by:mikecr
ID: 22851575
Can you ping the outside IP address of your GI0/1 interface from a remote computer? Just make sure that you only have one default route going out that interface when you do it. Keep in mind that if you put multiple default routes on a router, you can get asynchronous routing. This means that you will come in one interface but exit another. In other words, internally, if you go out the GI0/1 interface when you open a browser on your desktop, you'll come back the same way due to NAT. However, if you're a computer on the internet coming into the router from the outside, its return traffic may not go back out the same way it came in, such as coming in Gi0/1 and going back out s0/0/0.
0
 
LVL 17

Expert Comment

by:mikecr
ID: 22851736
Two things I just noticed in your configuration are the following:
ip load-sharing per-packet
First off, this only works if the destination router is the same over multiple links. This means if you have three different ISP circuits and you use per-packet load balancing, you're sending a packet out each one. Guess what, you aren't going anywhere, because the packets can't be assembled on the other side because 3 different ISPs have them.

Next is:
ip route-cache flow

If you're using ip route-cache flow to do NetFlow statistics, this means CEF is turned off. CEF is a requirement for the ip load-sharing command. This means load balancing is not working; the command will need to be removed from the interface.
0
 
LVL 1

Author Comment

by:Posthumous
ID: 22852106
Hi Mike,
Thanks for the Answers, will clear up what I can first.

When the gig0/1 interface is the only one active and all the other routes are down, I can ping the outside of the gig0/1 from one of the remote sites; however, I can't make a connection, as no return traffic seems to be able to get beyond the .130 port, or at most the .129. I had disabled all extraneous items at that time (firewalls, ACLs, and I actually deleted the static routes to the T1s).

CEF shouldn't be enabled on the gig0/1 interface; I will check the router now and verify that it is disabled, and disable ip route-cache flow on the two CEF interfaces (the T1's are same provider, same route, etc.).
0
 
LVL 1

Author Comment

by:Posthumous
ID: 22852181
I've updated the interfaces as you've recommended (I think):

Removed CEF from Gig0/1 and gig 0/0 (it seems the ip cef command enables it on all interfaces)
Removed route cache flow from both T1 interfaces.
interface Loopback0
 ip address x.y.z.1 255.255.255.248
 ip access-group 199 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip load-sharing per-packet
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_INSIDE$
 ip address 192.168.1.50 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address d.e.f.130 255.255.255.248
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Serial0/0/0:0
 description T1 202$FW_OUTSIDE$
 bandwidth 1536000
 ip address a.b.c.202 255.255.255.252
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip load-sharing per-packet
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
!
interface Serial0/0/1:0
 description T1 222$FW_OUTSIDE$
 bandwidth 1536000
 ip address a.b.c.222 255.255.255.252
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip load-sharing per-packet
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp


0
 
LVL 17

Accepted Solution

by:
mikecr earned 500 total points
ID: 22852300
Netflow and CEF are two different layer two forwarding services. To use CEF, you need to turn off Netflow. That means "no ip route-cache flow" needs to be run on each interface that has it enabled. To turn on CEF on the interface, use "ip route-cache cef". To turn it on globally, use "ip cef".
Change your ip load-sharing per-packet to ip load-sharing per-destination. This way each session will go out a different ISP instead of each packet.

Once you make these changes, shut down all interfaces again, remove all firewall and access lists configurations and then give me just the config for the GI0/1 interface to make sure it is correct and do a "show ip route" and paste it here.
0
 
LVL 1

Author Comment

by:Posthumous
ID: 22852454
Hi mike,
Won't be able to do that till after business hours as the T1's are currently active.
However as soon as I can get it done I will.

0
 
LVL 17

Expert Comment

by:mikecr
ID: 22852485
No problem, take your time.
0
 
LVL 1

Author Comment

by:Posthumous
ID: 22853317
Here's the interface settings with the changes (hopefully correct this time!).
After 5pm EST I'll bring down the T1's and go through the steps you have outlined and post results.
Haven't changed the packet balancing yet, just because I don't know how it will affect current utilization; will change that after 5pm.

Thanks

GigabitEthernet0/0 is up, line protocol is up
  Internet address is 192.168.1.50/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is 100
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are never sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain inside
  BGP Policy Mapping is disabled
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 208.97.67.130/29
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is 101
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are never sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
  Outgoing inspection rule is SDM_LOW
  Inbound inspection rule is SDM_LOW
Serial0/0/0:0 is up, line protocol is up
  Internet address is a.b.c.202/30
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  Peer address is a.b.c.201
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is 102
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are never sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
  Outgoing inspection rule is SDM_LOW
  Inbound inspection rule is SDM_LOW
Serial0/0/1:0 is up, line protocol is up
  Internet address is a.b.c.222/30
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  Peer address is a.b.c.221
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is 103
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are never sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
  Outgoing inspection rule is SDM_LOW
  Inbound inspection rule is SDM_LOW
NVI0 is up, line protocol is up
  Internet protocol processing disabled
Loopback0 is up, line protocol is up
  Internet address is x.y.z.1/29
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1514 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is 199
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are never sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
  Outgoing inspection rule is SDM_LOW
  Inbound inspection rule is SDM_LOW


0
 
LVL 1

Author Comment

by:Posthumous
ID: 22854842
Well, I had a big post all prepped for you; however, I managed to blow it up.
Suffice to say I got traffic going out on the cable connection!
Had to put a hard gateway into the 0.0.0.0 route to that interface, and traffic started passing properly.
Tracked a couple of other issues back to NAT at this point; it seems that if I enable both NAT pass-throughs on the cable and T1 interfaces, there are some issues going out to the internet for internal PCs.
Guessing here, but I think that the packets are getting all confused: some are getting NAT translated to the gig0 IP but being passed to the T1's, and vice versa, and it's obviously screwing with delivery outbound.
Seems that the T1's get all the priority for packets, which I guess is fine, except if the T1's go down and the NAT tags continue but traffic gets passed to the gigs? Not sure if that makes any sense.
Here's some more data, and I am awarding you the points for the question; if you don't continue to help, no problem, you got me this far!

Here's my current ip route:
Gateway of last resort is d.e.f.129 to network 0.0.0.0

     a.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C       a.b.c.221/32 is directly connected, Serial0/0/1:0
C       a.b.c.220/30 is directly connected, Serial0/0/1:0
C       a.b.c.201/32 is directly connected, Serial0/0/0:0
C       a.b.c.200/30 is directly connected, Serial0/0/0:0
C       x.y.z.0/29 is directly connected, Loopback0
     d.e.f.0/29 is subnetted, 1 subnets
C       d.e.f128 is directly connected, GigabitEthernet0/1
C    192.168.1.0/24 is directly connected, GigabitEthernet0/0
S*   0.0.0.0/0 [1/0] via d.e.f.129, GigabitEthernet0/1
               is directly connected, Serial0/0/0:0
               is directly connected, Serial0/0/1:0

IF I remove ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 208.97.67.129 permanent - everything's good
OR
IF I remove ip nat inside source list ECCL1 interface Loopback0 overload - everything's good

So I guess it's just a matter of getting that fixed and I'll probably be a free man!

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 208.97.67.129 permanent
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0 permanent
ip route 0.0.0.0 0.0.0.0 Serial0/0/1:0 permanent

ip nat inside source list ECCL1 interface Loopback0 overload
ip nat inside source list ECCL2 interface GigabitEthernet0/1 overload

ip access-list standard ECCL1
 remark Eccl - Cogent
 remark SDM_ACL Category=2
 permit 192.168.1.0 0.0.0.255
ip access-list standard ECCL2
 remark Eccl - Rogers
 remark SDM_ACL Category=2
 permit 192.168.1.0 0.0.0.255


0
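As an added illustration (not part of the thread or any poster's configuration), a small Python model of the route selection and next-hop resolution behind the fix above: with constructed documentation addresses standing in for the thread's d.e.f.x and a.b.c.x values, it shows why an interface-only default route works over a point-to-point T1 but, on the multi-access cable link, makes the router ARP for the final destination itself (which the .129 gateway only answers if it runs proxy ARP), why the ping to .129 still succeeds, and why naming .129 as the next hop makes the floating static usable. The Router/Interface/Route classes, build() and the 198.51.100.x / 203.0.113.x addresses are all hypothetical.

```python
"""Model of IOS-style route selection and next-hop resolution for the
setup in this thread: two default routes, one floating (AD 10) over the
cable link.  All addresses are constructed documentation values."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class Interface:
    name: str
    network: IPv4Network
    point_to_point: bool = False   # PPP serial: one neighbour, no ARP needed
    up: bool = True
    # Addresses the far end answers ARP for.  On a multi-access Ethernet
    # link that is normally only the gateway's own address; it would cover
    # remote destinations too only if the gateway ran proxy ARP.
    arp_answers: frozenset = frozenset()


@dataclass
class Route:
    prefix: IPv4Network
    interface: str
    next_hop: Optional[IPv4Address] = None
    distance: int = 1              # admin distance; >1 makes it a floating static


class Router:
    def __init__(self, interfaces: List[Interface], routes: List[Route]):
        self.ifaces = {i.name: i for i in interfaces}
        self.routes = routes

    def best_routes(self, dst: IPv4Address) -> List[Route]:
        """Longest prefix match, then lowest AD; routes over down interfaces
        are withdrawn, which is what lets the floating static take over."""
        cands = [r for r in self.routes
                 if dst in r.prefix and self.ifaces[r.interface].up]
        if not cands:
            return []
        longest = max(r.prefix.prefixlen for r in cands)
        cands = [r for r in cands if r.prefix.prefixlen == longest]
        best_ad = min(r.distance for r in cands)
        return [r for r in cands if r.distance == best_ad]

    def forward(self, dst_str: str) -> str:
        dst = ip_address(dst_str)
        # Directly connected destination (e.g. the cable gateway itself):
        # ARP for the destination on that interface.
        for i in self.ifaces.values():
            if i.up and dst in i.network:
                return self._arp(i, dst)
        routes = self.best_routes(dst)
        if not routes:
            return "no route"
        r = routes[0]                       # first of the equal-cost set
        i = self.ifaces[r.interface]
        if i.point_to_point:
            return f"sent via {i.name}"     # only one place it can go
        # Multi-access link: ARP for the configured next hop; with an
        # interface-only route the router must ARP for the destination itself.
        return self._arp(i, r.next_hop if r.next_hop is not None else dst)

    @staticmethod
    def _arp(i: Interface, who: IPv4Address) -> str:
        if who in i.arp_answers:
            return f"sent via {i.name}"
        return f"dropped on {i.name}: no ARP reply for {who}"


def build(cable_next_hop: Optional[str], t1_up: bool) -> Router:
    """Constructed stand-in for the thread's router: 198.51.100.128/29 plays
    d.e.f.128/29 (gateway .129, router .130); 203.0.113.200/30 plays a T1."""
    cable = Interface("GigabitEthernet0/1", ip_network("198.51.100.128/29"),
                      arp_answers=frozenset({ip_address("198.51.100.129")}))
    t1 = Interface("Serial0/0/0:0", ip_network("203.0.113.200/30"),
                   point_to_point=True, up=t1_up)
    routes = [
        Route(ip_network("0.0.0.0/0"), "Serial0/0/0:0", distance=1),
        Route(ip_network("0.0.0.0/0"), "GigabitEthernet0/1",
              next_hop=ip_address(cable_next_hop) if cable_next_hop else None,
              distance=10),
    ]
    return Router([cable, t1], routes)


if __name__ == "__main__":
    print("T1 up, interface-only cable route:  ", build(None, True).forward("4.2.2.2"))
    print("T1 down, ping the cable gateway:    ", build(None, False).forward("198.51.100.129"))
    print("T1 down, interface-only cable route:", build(None, False).forward("4.2.2.2"))
    print("T1 down, cable route with next hop: ",
          build("198.51.100.129", False).forward("4.2.2.2"))
```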
 
LVL 17

Expert Comment

by:mikecr
ID: 22858295
I think you're on the right track now and should be okay.
0
