Solved

Cisco 1841 Load Balancing

Posted on 2010-01-04
Last Modified: 2013-12-24
Hi,

Hope an expert can help,

I have a Cisco 1841 with 2 * WIC-ADSL cards. Each card is connected to a separate DSL, each with its own IP. This was fine for browsing, but now I need to allow incoming FTP, SMTP etc. As we have 2 public addresses, the only way I can see of doing this is to set incoming traffic via route maps in some way, so FTP goes out of one interface (1.1.1.1) and SMTP goes out of another (2.2.2.2) etc., but both will be used for internet access.

I have enclosed the config we have at present for load sharing.

Can anyone help me with the configuration required to achieve the following?

500 points up for grabs here.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$v.04$TRrIrEXgd/3THoC6nPcgE/
!
no aaa new-model
clock timezone GMT 0
clock summer-time brit_summer recurring last Sun Mar 1:00 last Sun Oct 1:00
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.100
ip dhcp excluded-address 10.0.0.150 10.0.0.254
!
ip dhcp pool building-services
   network 10.0.0.0 255.255.255.0
   dns-server 81.17.66.13 81.17.72.70
   default-router 10.0.0.1
!
!
ip cef
ip name-server xxxxxxxxxxx
ip name-server xxxxxxxxxxx
ip inspect name building cuseeme timeout 3600
ip inspect name building ftp timeout 3600
ip inspect name building rcmd timeout 3600
ip inspect name building realaudio timeout 3600
ip inspect name building smtp timeout 3600
ip inspect name building tftp timeout 30
ip inspect name building udp timeout 30
ip inspect name building tcp timeout 3600
ip inspect name building h323 timeout 3600
ip inspect name building icmp timeout 3600
no ipv6 cef
ntp server 158.43.128.33 prefer source Dialer0
ntp server 158.43.128.66 source Dialer1
!
multilink bundle-name authenticated
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/1/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface Dialer0
 ip address 1.1.1.1 255.255.255.248
 ip nat outside
 ip inspect building out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxx
 ppp chap password xxxxxxxxxxxxxx
!
interface Dialer1
 ip address xxxxxxxxxx 255.255.255.254
 ip nat outside
 ip inspect building out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxx
 ppp chap password xxxxxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 200
ip route 0.0.0.0 0.0.0.0 Dialer1 200
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map isp1 interface Dialer0 overload
ip nat inside source route-map isp2 interface Dialer1 overload
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
route-map isp2 permit 10
 match ip address 100
 match interface Dialer1
!
route-map isp1 permit 10
 match ip address 100
 match interface Dialer0
!
!
!
control-plane
!
!
!
line con 0
 password xxxxxxxxxxxx
 login
line aux 0
line vty 0 4
 password xxxxxxxxxxxx
 login
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
end

Question by:webleyaxsor
7 Comments
 
LVL 16

Expert Comment

by:SteveJ
ID: 26171155
Let me make sure I understand:
* You have 2 different ISPs?
* You want to force FTP out one I/F and SMTP out the other I/F?
* By "incoming" do you mean sourced from your private network headed OUT toward the internet?

Good luck,
SteveJ

LVL 16

Expert Comment

by:memo_tnt
ID: 26171181
Hi

try create two ACLs
1st to allow every thing except SMTP

2nd to allow every thing except FTP

as

access-list 100 deny tcp any any eq smtp
access-list 100 permit ip any any

access-list 101 deny tcp any any eq ftp
access-list 101 permit ip any any

route-map isp2 permit 10
 match ip address 100
 match interface Dialer1
!
route-map isp1 permit 10
 match ip address 101
 match interface Dialer0


LVL 16

Accepted Solution

by:
SteveJ earned 1000 total points
ID: 26171291
memo tnt's option won't work. How is the user supposed to set the next hop for his outbound traffic? Use policy based routing . . . don't just deny traffic, send it where it needs to go.

access-list 100 permit tcp any any eq smtp
access-list 101 permit tcp any any eq ftp

route-map smtp-isp
match ip address 100
set interface dialer0

route-map ftp-isp
match ip address 101
set interface dialer1

interface dialer0
ip policy route-map smtp-isp

interface dialer1
ip policy route-map ftp-isp


Good luck,
SteveJ
 
LVL 16

Expert Comment

by:SteveJ
ID: 26171301
Ooops. Sorry memo tnt. Your solution works. I just like policy based routing better
LVL 22

Assisted Solution

by:Jody Lemoine
Jody Lemoine earned 1000 total points
ID: 26171521
Inbound traffic isn't going to be a problem as the interface it's coming in on will be dictated by the destination IP address.  What needs to be policy routed is the reply traffic returning from the internal servers.  That needs to be sent out to the Internet via the same interface the original traffic came in on.  In the case of SMTP, that's pretty easy:

ip access-list extended SMTP-Policy
 permit tcp any eq smtp any

route-map ISP-Policy permit 10
 match IP address SMTP-Policy
 set interface Dialer0

interface FastEthernet0/0
 ip policy route-map ISP-Policy

ip nat inside source static tcp x.x.x.x 25 interface Dialer0 25

Replace x.x.x.x with the internal IP address of your SMTP server.

For FTP, it's a little bit tougher because you have to address more than just the control channel on 21/tcp.  The data channel, which could be on almost any port is the bulk of the traffic and the hardest to address.  The easiest thing to do is assign a dedicated internal IP address to your FTP server and policy route all traffic from that address out the associated interface.

ip access-list extended FTP-Policy
 permit tcp host y.y.y.y any

route-map ISP-Policy permit 20
 match IP address FTP-Policy
 set interface Dialer1

interface FastEthernet0/0
 ip policy route-map ISP-Policy

ip nat inside source static tcp y.y.y.y 21 interface Dialer1 21

Replace y.y.y.y with the internal IP address of your FTP server.
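To show how the ISP-Policy route-map above classifies the servers' reply traffic entering FastEthernet0/0, here is an added Python model of the ACL and route-map matching (not from the thread, and not Cisco code). The addresses 10.0.0.25 and 10.0.0.21 are constructed stand-ins for x.x.x.x and y.y.y.y; a second, port-only FTP ACL is included to show why it misses the data channel.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for x.x.x.x (SMTP server) and y.y.y.y (FTP server),
# placed inside the 10.0.0.0/24 LAN from the posted config.
SMTP_SERVER = "10.0.0.25"
FTP_SERVER = "10.0.0.21"

# Access control entries: (src_net, src_port, dst_net, dst_port); None means "any".
ACLS = {
    # permit tcp any eq smtp any
    "SMTP-Policy": [("0.0.0.0/0", 25, "0.0.0.0/0", None)],
    # permit tcp host y.y.y.y any  (matches control AND data channel)
    "FTP-Policy": [(FTP_SERVER + "/32", None, "0.0.0.0/0", None)],
    # permit tcp any eq ftp any  (hypothetical port-only variant, control channel only)
    "FTP-ControlOnly": [("0.0.0.0/0", 21, "0.0.0.0/0", None)],
}

# route-map ISP-Policy as posted: lowest sequence number that matches wins.
ROUTE_MAP = [(10, "SMTP-Policy", "Dialer0"), (20, "FTP-Policy", "Dialer1")]
# Same route-map but with the port-only FTP ACL, for comparison.
PORT_ONLY_MAP = [(10, "SMTP-Policy", "Dialer0"), (20, "FTP-ControlOnly", "Dialer1")]


def ace_matches(ace, src, sport, dst, dport):
    src_net, src_port, dst_net, dst_port = ace
    return (ip_address(src) in ip_network(src_net)
            and (src_port is None or src_port == sport)
            and ip_address(dst) in ip_network(dst_net)
            and (dst_port is None or dst_port == dport))


def acl_permits(name, src, sport, dst, dport):
    return any(ace_matches(a, src, sport, dst, dport) for a in ACLS[name])


def policy_route(src, sport, dst, dport, route_map=ROUTE_MAP):
    """Return the egress chosen for a reply packet arriving on FastEthernet0/0."""
    for _seq, acl, egress in route_map:
        if acl_permits(acl, src, sport, dst, dport):
            return egress
    return "routing-table"  # no match: falls through to the two default routes


if __name__ == "__main__":
    client = "203.0.113.5"  # constructed remote client
    for pkt in [(SMTP_SERVER, 25, client, 40000),    # SMTP reply
                (FTP_SERVER, 21, client, 40001),     # FTP control reply
                (FTP_SERVER, 50000, client, 40002),  # passive FTP data reply
                ("10.0.0.50", 40003, client, 80)]:   # ordinary browsing
        print(pkt, "->", policy_route(*pkt), "/ port-only:",
              policy_route(*pkt, route_map=PORT_ONLY_MAP))
```

With the host-based FTP-Policy the passive data reply from port 50000 still goes out Dialer1, whereas the port-only variant hands it to the routing table, where either default route may be chosen.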

Author Comment

by:webleyaxsor
ID: 26171637
Thanks for all your answers. To answer SteveJ's original question: *incoming* is when a remote user makes an FTP transfer to the public address of the router. So, to clarify, a remote user initiates an FTP connection to IP address 1.1.1.1 and the interface attached to 1.1.1.1 responds. This will be the same for SMTP traffic, but the incoming address will be 2.2.2.2 and all responses back out will need to be via that address. I hope that helps.

Author Closing Comment

by:webleyaxsor
ID: 31672367
Thanks to all of you, got the best from 2 solutions,