George Fakis (Greece) asked:
Cisco 2811: how to route-map different TCP protocols

Hello to all, I am a new junior network admin in a small retail business.

I have a problem with port forwarding.

In my office there is a Cisco 2811 with IOS c2800nm-advsecurityk9-mz.124-4.T8.
ACL 111 denies TCP traffic from various remote programs such as PcAnywhere, NetOp, Remote Desktop and so on, and it is used for web surfing, mail and FTP.

The other ACL, 112, permits only these remote programs. These programs have well-known ports.
So far all good. Many of the programs above go out through the Dialer100 DSL we have for the customer helpdesk.

I have 2 ADSL lines (Alcatel 20190 chips); the WWW traffic goes through Dialer0 and the Remote Desktop connections pass through Dialer100 via route-map statements.

My problem is with the new VPN dialers installed on the terminals.
I have the Check Point VPN client for connections to one customer and the Cisco VPN client v5 for the other. The users can connect to the customers' sites. First we dial through the VPN, then open PcAnywhere, and from there we can remote-connect to the customer's VPN domain sites.

The problem is that I can't route-map the VPN clients' traffic through the 2nd DSL, Dialer100.
Whatever statement I put in, the traffic goes through Dialer0.

I have found through NAT and Wireshark that some ports are dynamic, but on the customer VPN server they are standard.
The standard ports I have found so far are:
443 (HTTPS), 137 (NetBIOS name), 4500 (IPsec)

If I apply a statement access-list 111 deny tcp any any eq 443,137,4500 est
and
access-list 112 permit tcp any any 443,137,4500 est, nothing happens.

Again the VPN traffic goes through Dialer0. Also, if I set up a deny for any domain name, it is not working. I tried today to deny traffic from and to facebook.com, youtube.com but nothing happens. I have tried to change the route-map statements with no luck.

Thanks in advance
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
logging buffered 64000 debugging
enable secret 5 xxxx
enable password xxxx
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
!
!
!
!
!
! 
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map http-ftp-mail
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ES_LAN$
 no ip address
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 carrier-delay 1
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt 
!
interface ATM0/0/0.1 point-to-point
 description ****WAN_SUBINF*****
 no snmp trap link-status
 pvc 8/35 
  pppoe-client dial-pool-number 1
 !
!
interface ATM0/1/0
 no ip address
 carrier-delay 1
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt 
!
interface ATM0/1/0.1 point-to-point
 description ****WAN_SUBINF*****
 no snmp trap link-status
 pvc 8/35 
  pppoe-client dial-pool-number 100
 !
!
interface Dialer0
 description *****DIALER_FOR_WAN_ADSLxxxx*****
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer idle-timeout 0
 dialer hold-queue 100
 dialer persistent
 no cdp enable
 ppp authentication chap pap callin
 ppp pap sent-username xxxxxx
 ppp ipcp dns request
!
interface Dialer100
 description *****DIALER_FOR_WAN_ADSL_xxxx*****
 ip address negotiated
 ip mtu 1452
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 100
 dialer idle-timeout 0
 dialer hold-queue 100
 dialer persistent
 no cdp enable
 ppp authentication chap pap callin
 ppp pap sent-username xxxxxx
 ppp ipcp dns request
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer100
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip http server
no ip http secure-server
ip nat pool smpool x.x.x.x x.x.x.x  netmask 255.255.255.240
ip nat inside source route-map all1 interface Dialer0 overload
ip nat inside source route-map all2 interface Dialer100 overload
ip nat inside source static 192.168.1.2 x.x.x.x
ip nat inside source static 192.168.1.4 x.x.x.x
ip nat inside source static 192.168.1.5 x.x.x.x
!
access-list 111 deny   tcp 192.168.1.0 0.0.0.255 any range 6512 6519
access-list 111 deny   tcp 192.168.1.0 0.0.0.255 any eq 6581
access-list 111 deny   tcp 192.168.1.0 0.0.0.255 any eq 6501
access-list 111 deny   tcp 192.168.1.0 0.0.0.255 any eq 5631
access-list 111 deny   tcp 192.168.1.0 0.0.0.255 any eq 5632
access-list 111 deny   tcp 192.168.1.0 0.0.0.255 any eq 6502
access-list 111 deny   udp 192.168.1.0 0.0.0.255 any eq 5632
access-list 111 deny   tcp 192.168.1.0 0.0.0.255 any eq 5800
access-list 111 deny   tcp 192.168.1.0 0.0.0.255 any eq 5900
access-list 111 deny   tcp 192.168.1.0 0.0.0.255 any eq 3389
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any range 6512 6519
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 6581
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 6501
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 5631
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 5632
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 6502
access-list 112 permit udp 192.168.1.0 0.0.0.255 any eq 5632
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 5800
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 5900
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 3389
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit
route-map all1 permit 10
 match ip address 111
 match interface Dialer0
 set interface Dialer0
!
route-map all2 permit 10
 match ip address 112
 match interface Dialer100
 set interface Dialer100
!
route-map http-ftp-mail permit 10
 match ip address 111
 match interface Dialer0
 set interface Dialer0
!
route-map http-ftp-mail permit 20
 match ip address 112
 match interface Dialer100
 set interface Dialer100
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 password 7 xxxxx
 login
 history size 256
!
scheduler allocate 20000 1000
!
end


rfc1180 (United States of America):

> The problem is that i can't route map the VPN clients traffic through the 2nd DSL dialer100.
> Whatever statement i put the traffic goes through the dialer0.

I believe you are going to have better luck with Policy Based Routing.

http://pierky.wordpress.com/2009/03/28/dual-wan-connection-on-cisco-with-policy-based-routing-pbr/

Billy
If you use the following NAT command instead of the route-map, does it give the desired result?

ip nat inside source list 112 interface dialer 0
Oops, that would be

ip nat inside source list 111 interface dialer 0
George Fakis (asker):

Hello,

Mag03, I will try this tomorrow morning and I will inform you.
The http-ftp-mail policy is assigned to the fa0/0.
Don't you think that the route-maps all1 & all2 are just garbage in the config?
If a show route-map command is applied you can see that packets are routed by the http-ftp-mail route-map.

I think I tried this last Sunday and it never worked, but I will apply your idea.
Also I will read the link above that rfc1180 gave me.

Thanks for any help. I will come back with some news.

George
asavener:
I think you might want to take out the "match interface" commands from your policy-based routing.  I don't think it will match the interface before you set the interface.
George Fakis (asker):

Hello,
I changed the IP NAT to:

ip nat inside source list 111 interface dialer 0 overload
ip nat inside source list 112 interface dialer 100 overload

Also I deleted the route-maps all1 and all2. They were not active. I saw with sh route-map commands that packets were forwarded through the http-ftp-mail route-map only. So I deleted them,

but when I put a statement in the access list to deny HTTPS and allow it in 112 I have the same problem:
the VPN clients' traffic passes through Dialer0.

Any help please?


ip nat pool smpool x.x.x.x x.x.x.x netmask 255.255.255.240
ip nat inside source list 111 interface Dialer0 overload
ip nat inside source list 112 interface Dialer100 overload
ip nat inside source static 192.168.1.2 x.x.x.x
ip nat inside source static 192.168.1.4 x.x.x.x
ip nat inside source static 192.168.1.5 x.x.x.x
!
access-list 111 deny   tcp 192.168.1.0 0.0.0.255 any range 6512 6519
access-list 111 deny   tcp 192.168.1.0 0.0.0.255 any eq 6581
access-list 111 deny   tcp 192.168.1.0 0.0.0.255 any eq 6501
access-list 111 deny   tcp 192.168.1.0 0.0.0.255 any eq 5631
access-list 111 deny   tcp 192.168.1.0 0.0.0.255 any eq 5632
access-list 111 deny   tcp 192.168.1.0 0.0.0.255 any eq 6502
access-list 111 deny   udp 192.168.1.0 0.0.0.255 any eq 5632
access-list 111 deny   tcp 192.168.1.0 0.0.0.255 any eq 5800
access-list 111 deny   tcp 192.168.1.0 0.0.0.255 any eq 5900
access-list 111 deny   tcp 192.168.1.0 0.0.0.255 any eq 3389
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any range 6512 6519
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 6581
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 6501
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 5631
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 5632
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 6502
access-list 112 permit udp 192.168.1.0 0.0.0.255 any eq 5632
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 5800
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 5900
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 3389
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit
no cdp run
route-map http-ftp-mail permit 10
 match ip address 111
 set interface Dialer0
!
route-map http-ftp-mail permit 20
 match ip address 112
 set interface Dialer100


I believe that the route-map / access lists do not recognize the headers coming from the WAN VPN as they are encapsulated and will not be un-encapsulated until they enter the router. Perhaps using a route-map with next hop values at the other end of the VPN would be more successful.
The route map will only affect traffic that enters the interface to which it is applied.  In this case, traffic that comes in the F0/0 interface from your local LAN.

If you have static IP addresses on your dialer interfaces, try setting the next-hop value instead of the interface value.
What kind of VPN do the terminals use?  PPTP?  IPSec?  Anyconnect?  Clientless SSL?
ASKER CERTIFIED SOLUTION by asavener (United States of America); the solution text is available to members only.
George Fakis (asker):

I have tried in the past to apply the VPN server IP like:

access-list 111 deny ip 192.168.1.0 0.0.0.255 host 195.xxx.xxx.xxx
access-list 112 permit ip 192.168.1.0 0.0.0.255 host 195.xxx.xxx.xxx


Also I have tried:

access-list 111 deny tcp 192.168.1.0 0.0.0.255 host 195.xxx.xxx.xxx eq 443
access-list 111 deny tcp 192.168.1.0 0.0.0.255 host 195.xxx.xxx.xxx eq 4500

access-list 112 permit tcp 192.168.1.0 0.0.0.255 host 195.xxx.xxx.xxx eq 443

I have 16 static IPs on Dialer0 and 1 static IP on Dialer100.

I am thinking of making a new route-map:

route-map remote-desktop permit 10
 match ip address 112
 set interface dialer 0


...and apply this on the Dialer100 interface?

Then I can delete route-map http-ftp-mail permit 20 and have something like this:

route-map http-ftp-mail permit 10
 match ip address 111
 set interface Dialer0
!
route-map remote-desktop permit 10
 match ip address 112
 set interface Dialer100

interface FastEthernet0/0
 ip policy route-map http-ftp-mail

!

interface Dialer100
 ip policy route-map http-ftp-mail



Do you think this should work, and then I can put extra lines for the VPN protocol in the access lists?
Sorry, something like this:

route-map http-ftp-mail permit 10
 match ip address 111
 set interface Dialer0
!
route-map remote-desktop permit 10
 match ip address 112
 set interface Dialer100

interface FastEthernet0/0
 ip policy route-map http-ftp-mail

!

interface Dialer100
 ip policy route-map remote-desktop


asavener:

Don't apply that to the dialer interface.  Inbound traffic only has one place to go, which is your internal network.

Did you try adding the lines that will match IPSec traffic that I described above?  Make sure you're specifying UDP 500 and UDP 4500; using TCP 500 and 4500 won't match the right traffic.
George Fakis (asker):

asavener, thanks a lot.
You gave me the solution.

Look:

Extended IP access list 111
    10 deny tcp 192.168.1.0 0.0.0.255 any range 6512 6519
    20 deny tcp 192.168.1.0 0.0.0.255 any eq 6581
    30 deny tcp 192.168.1.0 0.0.0.255 any eq 6501
    40 deny tcp 192.168.1.0 0.0.0.255 any eq 5631 (5105 matches)
    50 deny tcp 192.168.1.0 0.0.0.255 any eq 5632
    60 deny tcp 192.168.1.0 0.0.0.255 any eq 6502 (2737 matches)
    70 deny udp 192.168.1.0 0.0.0.255 any eq 5632 (12 matches)
    80 deny tcp 192.168.1.0 0.0.0.255 any eq 5800
    90 deny tcp 192.168.1.0 0.0.0.255 any eq 5900
    100 deny tcp 192.168.1.0 0.0.0.255 any eq 3360
    110 deny tcp 192.168.1.0 0.0.0.255 any eq 3389 (5997 matches)
    120 deny tcp 192.168.1.0 0.0.0.255 any eq 3390
    130 deny udp any any eq netbios-ns (1918 matches)
    140 deny udp any any eq netbios-dgm (1079 matches)
    150 deny tcp any any eq 443 (3634 matches)
    160 deny tcp any any eq 1723 (174 matches)
    170 deny udp any any eq isakmp (41 matches)
    180 deny udp any any eq non500-isakmp (40971 matches)
    190 deny esp any any (742 matches)
    200 deny gre any any (1140 matches)
    210 permit icmp 192.168.1.0 0.0.0.255 any echo (38 matches)
    220 permit ip 192.168.1.0 0.0.0.255 any (218173 matches)
Extended IP access list 112
    10 permit tcp 192.168.1.0 0.0.0.255 any range 6512 6519
    20 permit tcp 192.168.1.0 0.0.0.255 any eq 6581
    30 permit tcp 192.168.1.0 0.0.0.255 any eq 6501
    40 permit tcp 192.168.1.0 0.0.0.255 any eq 5631 (5105 matches)
    50 permit tcp 192.168.1.0 0.0.0.255 any eq 5632
    60 permit tcp 192.168.1.0 0.0.0.255 any eq 6502 (2737 matches)
    70 permit udp 192.168.1.0 0.0.0.255 any eq 5632 (12 matches)
    80 permit tcp 192.168.1.0 0.0.0.255 any eq 5800
    90 permit tcp 192.168.1.0 0.0.0.255 any eq 5900
    100 permit tcp 192.168.1.0 0.0.0.255 any eq 3360
    110 permit tcp 192.168.1.0 0.0.0.255 any eq 3389 (5999 matches)
    120 permit tcp 192.168.1.0 0.0.0.255 any eq 3390
    130 permit udp any any eq netbios-ns (1918 matches)
    140 permit udp any any eq netbios-dgm (1079 matches)
    150 permit tcp any any eq 443 (3634 matches)
    160 permit udp any any eq isakmp (41 matches)
    170 permit tcp any any eq 1723 (174 matches)
    180 permit udp any any eq non500-isakmp (40971 matches)
    190 permit esp any any (742 matches)
    200 permit gre any any (1140 matches)
    210 permit icmp 192.168.1.0 0.0.0.255 any echo (11 matches)



I have 2 VPN clients. One was OK after adding these lines for UDP 500, 4500, but the other client wanted GRE and ESP also.

Thanks a lot.
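Added example, not code from the thread or its responders: a small Python model of how IOS walks the two extended ACLs inside the http-ftp-mail route-map, written around the ACL syntax used above, to show why the asker's "tcp ... eq 4500" entries left the IPsec NAT-T traffic on Dialer0 while the UDP 4500 and ESP entries from the final listing steer it to Dialer100. It assumes only the address forms (any, host, address plus wildcard), the eq/range port forms and the port keywords that appear on the page, does not model the tcp established keyword, and all sample entries and packets are constructed.

```python
import ipaddress

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "netbios-ns": 137, "netbios-dgm": 138}

def _addr(t):  # one IOS address spec: any | host A | A wildcard (a wildcard is a hostmask to ipaddress)
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}"), t[2:]

def parse_acls(lines):  # 'access-list N action proto src dst [eq p | range a b]', grouped by N
    acls = {}
    for line in lines:
        t = line.split()
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        ports = None
        if rest and rest[0] == "eq":
            ports = (int(PORT_NAMES.get(rest[1], rest[1])),) * 2
        elif rest and rest[0] == "range":
            ports = (int(rest[1]), int(rest[2]))
        acls.setdefault(t[1], []).append((t[2], t[3], src, dst, ports))
    return acls

def acl_permits(entries, proto, src, dst, dport=0):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, ports in entries:  # first matching entry decides
        if p in ("ip", proto) and s in sn and d in dn and (
                not ports or ports[0] <= dport <= ports[1]):
            return action == "permit"
    return False  # ran off the end: the IOS implicit deny

def pbr_egress(route_map, acls, proto, src, dst, dport=0):
    for acl_num, iface in route_map:  # a sequence's 'match ip address N' is met when ACL N permits
        if acl_permits(acls[acl_num], proto, src, dst, dport):
            return iface  # the first met sequence wins its 'set interface'
    return "normal-routing"  # no sequence matched: the packet follows the routing table

ROUTE_MAP = [("111", "Dialer0"), ("112", "Dialer100")]  # http-ftp-mail permit 10 / permit 20
BEFORE = parse_acls([  # constructed: the asker's attempt, TCP 4500, but IPsec NAT-T is UDP 4500
    "access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 4500",
    "access-list 111 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 4500"])
AFTER = parse_acls([  # constructed from entries in the final working listing
    "access-list 111 deny udp any any eq non500-isakmp",
    "access-list 111 deny esp any any",
    "access-list 111 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 112 permit udp any any eq non500-isakmp",
    "access-list 112 permit esp any any"])
```

Feeding a LAN-sourced UDP 4500 packet through BEFORE returns Dialer0 (the TCP entry is skipped and "permit ip" catches it), while AFTER returns Dialer100 for both UDP 4500 and ESP and still sends plain web traffic out Dialer0.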