No Dataflow After Changing Default Route on Cisco Router with 2x Internet Connections

Posted on 2009-04-08
Last Modified: 2012-05-06
The Internet T1 connection on Fa0/1 is being replaced by a new 2xT1 connection on Fa0/3/2 (VLAN3).  We have been migrating to this new service very slowly because numerous remote hosts utilize the public addresses of the old T1 (111.111.111.0/27).  Notice how each connection has both a dynamic NAT and static entries for various internal hosts.  We use a route map based on ACL 115 to specify what outgoing traffic shall egress via the new connection.

NOTE:  Just to complicate things...  We send 80 and 443 out via Fa0/3/1 (VLAN2), which is a business partner with a DS3 connection.  This is done with ACL 110 and it's just so users have a really fast web experience.

PROBLEM:  Pretty much all that remains is to change the last few static NAT entries and swap the default route so I can FINALLY retire the old circuit.  OK, but when I change the default route from 111.111.111.1 to 222.222.222.1 no data flows through the NAT!  Why?

FYI, I've simplified the config as much as possible.  Please let me know if you need any additional lines.

!--------  Begin Router Config  --------

interface FastEthernet0/0
 description Detroit LAN$ETH-LAN$$FW_INSIDE$
 ip address 172.16.2.254 255.255.255.0
 ip access-group 102 in
 ip inspect SDM_LOW in
 ip nat inside
 ip virtual-reassembly
 ip policy route-map INTERNET_ACCESS
 duplex auto
 speed 100
!
interface FastEthernet0/1
 description OLD T1 CONNECTION
 ip address 111.111.111.2 255.255.255.224
 ip access-group 103 in
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/3/0
 description DET-RTR4 100Mb Physical Interface
 duplex full
 speed 100
!
interface FastEthernet0/3/1
 description B2B 100Mb Physical Interface
 switchport access vlan 2
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/3/2
 description NEW T1 CONNECTION Physical Interface
 switchport access vlan 3
 duplex full
 speed 100
!
interface FastEthernet0/3/3
 description DET-ASA 100Mb Physical Interface
 switchport access vlan 4
 duplex full
 speed 100
!
interface Vlan1
 description DET-RTR4 Logical Interface
 ip address 172.16.0.38 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip policy route-map INTERNET_ACCESS
!
interface Vlan2
 description B2B Logical Interface
 ip address 172.16.15.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 description NEW T1 CONNECTION Logical Interface
 bandwidth 3088
 ip address 222.222.222.2 255.255.255.224
 ip access-group 103 in
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
!
interface Vlan4
 description DET-ASA Logical Interface
 ip address 172.16.0.30 255.255.255.248
 ip nat inside
 ip virtual-reassembly
!
router eigrp 100
 redistribute rip
 network 172.16.0.0
 network 192.168.0.0
 auto-summary
!
!
ip local pool SDM_POOL_1 192.168.0.1 192.168.45.254
ip classless
ip route 0.0.0.0 0.0.0.0 111.111.111.1
ip route 10.0.0.0 255.0.0.0 172.16.15.1
ip route 159.140.0.0 255.255.0.0 172.16.15.1
!
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat pool DET-POOL 111.111.111.10 111.111.111.10 netmask 255.255.255.224
ip nat pool XO-POOL 222.222.222.10 222.222.222.12 netmask 255.255.255.224
ip nat inside source route-map SDM_RMAP_2 pool DET-POOL overload
ip nat inside source route-map XO-MAP pool XO-POOL overload
ip nat inside source static tcp 172.16.2.3 27 111.111.111.6 25 route-map SDM_RMAP_2 extendable
ip nat inside source static tcp 172.16.2.3 80 111.111.111.6 80 route-map SDM_RMAP_2 extendable
ip nat inside source static tcp 172.16.2.2 389 111.111.111.6 389 route-map SDM_RMAP_2 extendable
ip nat inside source static tcp 172.16.2.3 443 111.111.111.6 443 route-map SDM_RMAP_2 extendable
ip nat inside source static tcp 172.16.2.3 8080 222.222.222.6 80 extendable
ip nat inside source static tcp 172.16.2.3 444 222.222.222.6 443 extendable
ip nat inside source static tcp 172.16.2.4 80 222.222.222.7 80 route-map XO-MAP extendable
ip nat inside source static tcp 172.16.2.3 2525 222.222.222.8 26 extendable
ip nat inside source static tcp 172.16.2.3 144 222.222.222.8 143 extendable
ip nat inside source static tcp 172.16.2.5 80 222.222.222.16 80 route-map XO-MAP extendable
ip nat inside source static tcp 172.16.2.5 1755 222.222.222.16 1755 route-map XO-MAP extendable
ip nat inside source static udp 172.16.2.5 1755 222.222.222.16 1755 route-map XO-MAP extendable
!
access-list 100 remark SDM_ACL Category=18
access-list 100 deny   ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 172.16.0.0 0.0.255.255 any
access-list 102 remark Exchange Server HTTPS Access
access-list 102 remark SDM_ACL Category=17
access-list 102 permit udp host 172.16.2.1 eq domain any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 permit esp any host 111.111.111.2
access-list 103 permit ip 111.111.111.0 0.0.0.255 any
access-list 103 permit udp any host 111.111.111.2 eq isakmp
access-list 103 permit udp any host 111.111.111.2 eq non500-isakmp
access-list 103 permit tcp any host 111.111.111.6 eq www
access-list 103 permit tcp any host 222.222.222.6 eq www
access-list 103 permit tcp any host 111.111.111.6 eq 443
access-list 103 permit tcp any host 222.222.222.6 eq 443
access-list 103 permit tcp host 198.173.202.94 host 111.111.111.6 eq 389
access-list 103 permit tcp 38.101.82.192 0.0.0.15 host 111.111.111.6 eq 389
access-list 103 permit tcp 38.101.81.32 0.0.0.7 host 111.111.111.6 eq 389
access-list 103 permit icmp any any
access-list 103 permit tcp host 198.173.202.94 host 111.111.111.6 eq smtp
access-list 103 permit tcp host 198.173.202.94 host 222.222.222.8 eq smtp
access-list 103 permit tcp 38.101.82.208 0.0.0.15 host 111.111.111.6 eq smtp
access-list 103 permit tcp 38.101.82.208 0.0.0.15 host 222.222.222.8 eq smtp
access-list 103 permit tcp any host 222.222.222.8 eq 143
access-list 103 permit tcp any host 222.222.222.7 eq www
access-list 103 permit tcp any host 222.222.222.8 eq 26
access-list 103 permit tcp host 69.16.213.75 host 111.111.111.3 eq smtp
access-list 103 permit tcp host 208.101.38.162 host 111.111.111.6 eq 389
access-list 103 permit tcp host 208.101.6.190 host 111.111.111.6 eq 389
access-list 103 permit tcp host 75.146.123.118 host 111.111.111.6 eq 389
access-list 103 permit udp any host 222.222.222.16 eq 1755
access-list 103 permit tcp any host 222.222.222.16 eq 1755
access-list 103 permit tcp any host 222.222.222.16 eq www
access-list 103 permit esp any host 222.222.222.2
access-list 103 permit udp any host 222.222.222.2 eq isakmp
access-list 103 permit udp any host 222.222.222.2 eq non500-isakmp
access-list 103 permit ip 222.222.222.0 0.0.0.31 any
access-list 103 permit tcp any host 222.222.222.18 eq 3389
access-list 110 remark -- TRAFFIC TO LEAVE VIA B2B FAST ETHERNET --
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
access-list 115 remark -- TRAFFIC TO LEAVE VIA NEW T1 CONNECTION --
access-list 115 permit tcp host 172.16.2.3 eq 8080 any
access-list 115 permit tcp host 172.16.2.3 eq 444 any
access-list 115 permit tcp host 172.16.2.5 eq www any
access-list 115 permit tcp host 172.16.2.5 eq 1755 any
access-list 115 permit udp host 172.16.2.5 eq 1755 any
access-list 115 permit tcp host 172.16.2.4 eq www any
access-list 115 permit tcp host 172.16.2.3 eq 2525 any
access-list 115 permit tcp host 172.16.2.3 eq 144 any
access-list 150 remark SDM_ACL Category=20
access-list 150 permit ip 172.16.0.0 0.0.255.255 any
access-list 150 permit ip 10.0.0.0 0.255.255.255 any
access-list 150 permit ip 159.140.0.0 0.0.255.255 any
!
route-map INTERNET_ACCESS permit 10
 match ip address 110
 set ip next-hop 172.16.15.1
!
route-map INTERNET_ACCESS permit 20
 match ip address 115
 set ip next-hop 222.222.222.1
!
route-map SDM_RMAP_2 permit 1
 match ip address 100
!
route-map XO-MAP permit 10
 match ip address 100
!
!
banner login
-----------------------------------------------------------------------

                  This is DET-RTR1.  Do not break it.

-----------------------------------------------------------------------
Question by: David Blair
Expert Comment by: JFrederick29
Add this so the traffic is properly NAT'd to the correct pool based on which ISP is used.

conf t
route-map SDM_RMAP_2 permit 1
match interface FastEthernet0/1
!
route-map XO-MAP permit 10
match interface Vlan3
Author Comment by: David Blair
Good advice!  I've never done it that way.  QUESTION...  Does this mean I can lose ACL 115?

With these changes I tried again to change the default route.  A trace reveals traffic is still stopping at 222.222.222.1 which is the ISP-supplied gateway router for the new 2xT1 connection.
Expert Comment by: JFrederick29
When the default route is cutover to the new connection, you can remove sequence 20 of the INTERNET_ACCESS route-map and acl 115.  

It doesn't work because the traffic is being NAT'd to the other providers address space.
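To make the two points above concrete (select the pool with `match interface`, and why the cutover failed without it), here is a small Python model of how this router chooses an egress interface and a NAT pool for one packet. It is an added illustration for this thread, not code from the thread or from Cisco: it models IOS behaviour in a simplified way (policy routing first, then the default route; NAT statements walked in config order with the first full match winning; static translations ignored), trims ACL 115 to four of its entries, and uses constructed sample packets with documentation addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "ip"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


# One access-list entry: (action, proto, src_net, src_port, dst_net, dst_port); None = wildcard
Ace = Tuple[str, str, str, Optional[int], str, Optional[int]]
ANY = "0.0.0.0/0"


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    _, proto, src, sport, dst, dport = ace
    return (proto in ("ip", pkt.proto)
            and ip_address(pkt.src) in ip_network(src)
            and ip_address(pkt.dst) in ip_network(dst)
            and sport in (None, pkt.sport)
            and dport in (None, pkt.dport))


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0] == "permit"
    return False


# ACL 100 (NAT): everything from 172.16/16 except traffic to the VPN pool 192.168/16
ACL_100: List[Ace] = [
    ("deny",   "ip", "172.16.0.0/16", None, "192.168.0.0/16", None),
    ("permit", "ip", "172.16.0.0/16", None, ANY, None),
]
# ACL 110 (PBR): web traffic is steered to the B2B link
ACL_110: List[Ace] = [
    ("permit", "tcp", ANY, None, ANY, 80),
    ("permit", "tcp", ANY, None, ANY, 443),
]
# ACL 115 (PBR), trimmed to four of the thread's entries: replies from the servers
# published on 222.222.222.x are steered to the new T1
ACL_115: List[Ace] = [
    ("permit", "tcp", "172.16.2.3/32", 8080, ANY, None),
    ("permit", "tcp", "172.16.2.3/32", 444, ANY, None),
    ("permit", "tcp", "172.16.2.5/32", 80, ANY, None),
    ("permit", "tcp", "172.16.2.4/32", 80, ANY, None),
]
NEXT_HOP_IF = {"172.16.15.1": "Vlan2", "111.111.111.1": "FastEthernet0/1", "222.222.222.1": "Vlan3"}
OUTSIDE_IFS = {"FastEthernet0/1", "Vlan3"}   # the two interfaces configured 'ip nat outside'


def egress_interface(pkt: Packet, default_next_hop: str) -> str:
    """route-map INTERNET_ACCESS: seq 10 (ACL 110) -> B2B, seq 20 (ACL 115) -> new T1,
    no match -> normal routing, i.e. the default route."""
    if acl_permits(ACL_110, pkt):
        return NEXT_HOP_IF["172.16.15.1"]
    if acl_permits(ACL_115, pkt):
        return NEXT_HOP_IF["222.222.222.1"]
    return NEXT_HOP_IF[default_next_hop]


@dataclass
class NatRouteMap:
    name: str
    pool: str
    acl: List[Ace]
    interface: Optional[str] = None   # 'match interface' clause; absent in the posted config


def select_nat_pool(maps: List[NatRouteMap], pkt: Packet, egress: str) -> Optional[str]:
    """Walk the 'ip nat inside source route-map ... pool ...' statements in config order;
    the first route-map whose clauses all match wins (simplified IOS, statics ignored)."""
    if egress not in OUTSIDE_IFS:
        return None                   # inside-to-inside traffic is not translated
    for rm in maps:
        if acl_permits(rm.acl, pkt) and rm.interface in (None, egress):
            return rm.pool
    return None


# As posted: both route-maps match only ACL 100, so SDM_RMAP_2 wins on either outside interface
ORIGINAL = [NatRouteMap("SDM_RMAP_2", "DET-POOL", ACL_100),
            NatRouteMap("XO-MAP", "XO-POOL", ACL_100)]
# With the suggested 'match interface' clauses the pool follows the egress interface
FIXED = [NatRouteMap("SDM_RMAP_2", "DET-POOL", ACL_100, "FastEthernet0/1"),
         NatRouteMap("XO-MAP", "XO-POOL", ACL_100, "Vlan3")]


def translate(maps: List[NatRouteMap], pkt: Packet, default_next_hop: str):
    """Return (egress interface, NAT pool or None) for one packet."""
    egress = egress_interface(pkt, default_next_hop)
    return egress, select_nat_pool(maps, pkt, egress)


if __name__ == "__main__":
    dns = Packet("udp", "172.16.2.10", 53000, "198.51.100.1", 53)   # constructed sample flow
    for label, maps in (("as posted", ORIGINAL), ("with match interface", FIXED)):
        for gw in ("111.111.111.1", "222.222.222.1"):
            print(f"{label:22} default via {gw:15} -> {translate(maps, dns, gw)}")
```

Running it shows the failure mode: with the posted route-maps, a plain LAN flow that follows a default route pointing at 222.222.222.1 leaves Vlan3 but is still translated to DET-POOL (111.111.111.10), an address the new provider has no reason to accept or route back. Adding `match interface` ties the pool to the interface the packet actually exits, so the same flow gets XO-POOL on Vlan3 and DET-POOL on FastEthernet0/1, and the default route can be moved without touching the NAT statements.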
Author Comment by: David Blair
I was under the assumption that sequence 20 could coexist with a change in the default gateway - it would just be like belt and suspenders so to speak since both settings point traffic towards 222.222.222.1.  Is this not the case?
Accepted Solution by: JFrederick29 (earned 500 total points)
Yes, I was just referring to cleanup when all is said and done.
Author Comment by: David Blair
Got it.  Still no luck though as traffic is stopping at 222.222.222.1.  Do you have any other suggestions?
Author Comment by: David Blair
FOUND IT!  The implicit deny all at the end of ACL 115 was the problem!