George Fakis
asked on
How to Cisco 2811 route-maps from different tcp protocols
Hello to all, I am a new junior network admin in a small retail business.
I have a problem with port forwarding.
In my office there is a Cisco 2811 with IOS c2800nm-advsecurityk9-mz.124-4.T8
ACL 111 denies TCP traffic from various remote programs such as PcAnywhere, NetOp, Remote Desktop and so on, and it is used for web surfing, mail and FTP.
The other ACL, 112, permits only these remote programs. These programs have well-known ports.
So far all good. Many of the programs above go out through the DIALER100 DSL we have for the customer helpdesk.
I have 2 ADSL lines (Alcatel 20190 chips); the traffic for WWW goes through Dialer0 and the Remote Desktop connections pass through Dialer100 by route-map statements.
My problem is with the new VPN dialers installed on the terminals.
I have the Checkpoint VPN for connections to one customer and the Cisco VPN client v5 for the other. The users can connect to the customers' sites. First we dial through the VPN, then open PcAnywhere, and from there we can remote-connect to the customer's VPN domain sites.
The problem is that I can't route-map the VPN clients' traffic through the 2nd DSL, Dialer100.
Whatever statement I put in, the traffic goes through Dialer0.
I have found through NAT and Wireshark that some ports are dynamic, but on the customer VPN server they are standard.
The standard ports I have found so far:
443 HTTPS, 137 NetBIOS name, IPsec 4500
If I apply the statement access-list 111 deny tcp any any eq 443,137,4500 est
and
access-list 112 permit tcp any any 443,137,4500 est nothing happens.
Again the VPN traffic goes through Dialer0. Also, if I set up a deny for any domain name, it does not work. I tried today to deny traffic from and to facebook.com and youtube.com, but nothing happens. I have tried to change the route-map statements with no luck.
Thanks in advance
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
logging buffered 64000 debugging
enable secret 5 xxxx
enable password xxxx
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map http-ftp-mail
duplex auto
speed auto
!
interface FastEthernet0/1
description $ES_LAN$
no ip address
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
carrier-delay 1
no atm ilmi-keepalive
dsl operating-mode itu-dmt
!
interface ATM0/0/0.1 point-to-point
description ****WAN_SUBINF*****
no snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface ATM0/1/0
no ip address
carrier-delay 1
no atm ilmi-keepalive
dsl operating-mode itu-dmt
!
interface ATM0/1/0.1 point-to-point
description ****WAN_SUBINF*****
no snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 100
!
!
interface Dialer0
description *****DIALER_FOR_WAN_ADSLxxxx*****
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer idle-timeout 0
dialer hold-queue 100
dialer persistent
no cdp enable
ppp authentication chap pap callin
ppp pap sent-username xxxxxx
ppp ipcp dns request
!
interface Dialer100
description *****DIALER_FOR_WAN_ADSL_xxxx*****
ip address negotiated
ip mtu 1452
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 100
dialer idle-timeout 0
dialer hold-queue 100
dialer persistent
no cdp enable
ppp authentication chap pap callin
ppp pap sent-username xxxxxx
ppp ipcp dns request
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer100
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip flow-top-talkers
top 10
sort-by bytes
!
ip http server
no ip http secure-server
ip nat pool smpool x.x.x.x x.x.x.x netmask 255.255.255.240
ip nat inside source route-map all1 interface Dialer0 overload
ip nat inside source route-map all2 interface Dialer100 overload
ip nat inside source static 192.168.1.2 x.x.x.x
ip nat inside source static 192.168.1.4 x.x.x.x
ip nat inside source static 192.168.1.5 x.x.x.x
!
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any range 6512 6519
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 6581
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 6501
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 5631
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 5632
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 6502
access-list 111 deny udp 192.168.1.0 0.0.0.255 any eq 5632
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 5800
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 5900
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 3389
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any range 6512 6519
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 6581
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 6501
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 5631
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 5632
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 6502
access-list 112 permit udp 192.168.1.0 0.0.0.255 any eq 5632
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 5800
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 5900
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 3389
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit
route-map all1 permit 10
match ip address 111
match interface Dialer0
set interface Dialer0
!
route-map all2 permit 10
match ip address 112
match interface Dialer100
set interface Dialer100
!
route-map http-ftp-mail permit 10
match ip address 111
match interface Dialer0
set interface Dialer0
!
route-map http-ftp-mail permit 20
match ip address 112
match interface Dialer100
set interface Dialer100
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
password 7 xxxxx
login
history size 256
!
scheduler allocate 20000 1000
!
end
If you use the following NAT command instead of the route-map, does it give the desired result?
ip nat inside source list 112 interface dialer 0
oops
that would be
ip nat inside source list 111 interface dialer 0
ASKER
Hello,
Mag03, I will try this tomorrow morning and I will inform you.
The http-ftp-mail policy is assigned to fa0/0.
Don't you think that the route-maps all1 & all2 are just garbage in the config?
If a show route-map command is applied you can see that packets are routed by the http-ftp-mail route-map.
I think I tried this last Sunday and it never worked, but I will apply your idea.
Also I will read the link above that rfc1180 gave me.
Thanks for any help. I will come back with some news.
George
I think you might want to take out the "match interface" commands from your policy-based routing. I don't think it will match the interface before you set the interface.
ASKER
Hello,
I changed the IP NAT to:
ip nat inside source list 111 interface dialer 0 overload
ip nat inside source list 112 interface dialer 100 overload
Also I deleted the route-maps all1 and all2. They were not active: I saw with the sh route-map command that packets were forwarded through the http-ftp-mail route-map only, so I deleted them,
but when I put a statement in the access list to deny HTTPS and allow it in 112 I have the same problem:
The VPN clients' traffic passes through dialer 0.
Any help please?
ASKER
ip nat pool smpool x.x.x.x x.x.x.x netmask 255.255.255.240
ip nat inside source list 111 interface Dialer0 overload
ip nat inside source list 112 interface Dialer100 overload
ip nat inside source static 192.168.1.2 x.x.x.x
ip nat inside source static 192.168.1.4 x.x.x.x
ip nat inside source static 192.168.1.5 x.x.x.x
!
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any range 6512 6519
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 6581
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 6501
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 5631
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 5632
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 6502
access-list 111 deny udp 192.168.1.0 0.0.0.255 any eq 5632
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 5800
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 5900
access-list 111 deny tcp 192.168.1.0 0.0.0.255 any eq 3389
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any range 6512 6519
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 6581
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 6501
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 5631
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 5632
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 6502
access-list 112 permit udp 192.168.1.0 0.0.0.255 any eq 5632
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 5800
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 5900
access-list 112 permit tcp 192.168.1.0 0.0.0.255 any eq 3389
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit
no cdp run
route-map http-ftp-mail permit 10
match ip address 111
set interface Dialer0
!
route-map http-ftp-mail permit 20
match ip address 112
set interface Dialer100
I believe that the route-map / access lists do not recognize the headers coming from the WAN VPN as they are encapsulated and will not be un-encapsulated until they enter the router. Perhaps using a route-map with next hop values at the other end of the VPN would be more successful.
The route map will only affect traffic that enters the interface to which it is applied. In this case, traffic that comes in the F0/0 interface from your local LAN.
If you have static IP addresses on your dialer interfaces, try setting the next-hop value instead of the interface value.
What kind of VPN do the terminals use? PPTP? IPSec? Anyconnect? Clientless SSL?
ASKER CERTIFIED SOLUTION
ASKER
I have tried in the past to apply the VPN server IP like:
access-list 111 deny ip 192.168.1.0 0.0.0.255 host 195.xxx.xxx.xxx
access-list 112 permit ip 192.168.1.0 0.0.0.255 host 195.xxx.xxx.xxx
Also I have tried:
access-list 111 deny tcp 192.168.1.0 0.0.0.255 host 195.xxx.xxx.xxx eq 443
access-list 111 deny tcp 192.168.1.0 0.0.0.255 host 195.xxx.xxx.xxx eq 4500
access-list 112 permit tcp 192.168.1.0 0.0.0.255 host 195.xxx.xxx.xxx eq 443
I have 16 static IPs on dialer 0 and 1 static on dialer 100.
I am thinking of making a new route-map:
route-map remote-desktop permit 10
match ip address 112
set interface dialer 0
...and apply this on the dialer 100 interface?
Then I can delete route-map http-ftp-mail permit 20 and have something like this:
route-map http-ftp-mail permit 10
match ip address 111
set interface Dialer0
!
route-map remote-desktop permit 10
match ip address 112
set interface Dialer100
interface FastEthernet0/0
ip policy route-map http-ftp-mail
!
interface Dialer100
ip policy route-map http-ftp-mail
Do you think this should work, and then I can put extra lines for the VPN protocol in the access lists?
ASKER
Sorry, something like this:
route-map http-ftp-mail permit 10
match ip address 111
set interface Dialer0
!
route-map remote-desktop permit 10
match ip address 112
set interface Dialer100
interface FastEthernet0/0
ip policy route-map http-ftp-mail
!
interface Dialer100
ip policy route-map remote-desktop
Don't apply that to the dialer interface. Inbound traffic only has one place to go, which is your internal network.
Did you try adding the lines that will match IPSec traffic that I described above? Make sure you're specifying UDP 500 and UDP 4500; using TCP 500 and 4500 won't match the right traffic.
ASKER
Asavener thanks a lot.
You gave me the solution.
Look :
Extended IP access list 111
10 deny tcp 192.168.1.0 0.0.0.255 any range 6512 6519
20 deny tcp 192.168.1.0 0.0.0.255 any eq 6581
30 deny tcp 192.168.1.0 0.0.0.255 any eq 6501
40 deny tcp 192.168.1.0 0.0.0.255 any eq 5631 (5105 matches)
50 deny tcp 192.168.1.0 0.0.0.255 any eq 5632
60 deny tcp 192.168.1.0 0.0.0.255 any eq 6502 (2737 matches)
70 deny udp 192.168.1.0 0.0.0.255 any eq 5632 (12 matches)
80 deny tcp 192.168.1.0 0.0.0.255 any eq 5800
90 deny tcp 192.168.1.0 0.0.0.255 any eq 5900
100 deny tcp 192.168.1.0 0.0.0.255 any eq 3360
110 deny tcp 192.168.1.0 0.0.0.255 any eq 3389 (5997 matches)
120 deny tcp 192.168.1.0 0.0.0.255 any eq 3390
130 deny udp any any eq netbios-ns (1918 matches)
140 deny udp any any eq netbios-dgm (1079 matches)
150 deny tcp any any eq 443 (3634 matches)
160 deny tcp any any eq 1723 (174 matches)
170 deny udp any any eq isakmp (41 matches)
180 deny udp any any eq non500-isakmp (40971 matches)
190 deny esp any any (742 matches)
200 deny gre any any (1140 matches)
210 permit icmp 192.168.1.0 0.0.0.255 any echo (38 matches)
220 permit ip 192.168.1.0 0.0.0.255 any (218173 matches)
Extended IP access list 112
10 permit tcp 192.168.1.0 0.0.0.255 any range 6512 6519
20 permit tcp 192.168.1.0 0.0.0.255 any eq 6581
30 permit tcp 192.168.1.0 0.0.0.255 any eq 6501
40 permit tcp 192.168.1.0 0.0.0.255 any eq 5631 (5105 matches)
50 permit tcp 192.168.1.0 0.0.0.255 any eq 5632
60 permit tcp 192.168.1.0 0.0.0.255 any eq 6502 (2737 matches)
70 permit udp 192.168.1.0 0.0.0.255 any eq 5632 (12 matches)
80 permit tcp 192.168.1.0 0.0.0.255 any eq 5800
90 permit tcp 192.168.1.0 0.0.0.255 any eq 5900
100 permit tcp 192.168.1.0 0.0.0.255 any eq 3360
110 permit tcp 192.168.1.0 0.0.0.255 any eq 3389 (5999 matches)
120 permit tcp 192.168.1.0 0.0.0.255 any eq 3390
130 permit udp any any eq netbios-ns (1918 matches)
140 permit udp any any eq netbios-dgm (1079 matches)
150 permit tcp any any eq 443 (3634 matches)
160 permit udp any any eq isakmp (41 matches)
170 permit tcp any any eq 1723 (174 matches)
180 permit udp any any eq non500-isakmp (40971 matches)
190 permit esp any any (742 matches)
200 permit gre any any (1140 matches)
210 permit icmp 192.168.1.0 0.0.0.255 any echo (11 matches)
I have 2 VPN clients. The one was OK after adding these lines for UDP 500 and 4500, but the other client wanted GRE and ESP as well.
Thanks a lot.
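To see why the asker's earlier `deny tcp ... eq 443` / `eq 4500` lines left the VPN on Dialer0 while the final listing above moves it to Dialer100, here is a small Python model of IOS extended-ACL matching and the `http-ftp-mail` route-map; it also reproduces the behaviour of the original running-config posted at the start of the thread. This is an added example, not code from the thread, from Cisco or from Experts Exchange. The LAN host 192.168.1.10, the customer gateway 203.0.113.5, the abridged ACL contents and the assumption that packets matched by no route-map sequence end up on Dialer0 (as the asker observed) are constructed for the illustration.

```python
# Added illustration for this thread (not code from the thread or from Cisco); it supports
# only the ACE syntax used on the page: permit/deny, ip/tcp/udp/icmp/esp/gre, 'any' /
# 'host A.B.C.D' / 'A.B.C.D wildcard', and an optional 'eq <port|name>' or 'range lo hi'.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "netbios-ns": 137, "netbios-dgm": 138}
PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "esp": 50, "gre": 47}
LAN = "192.168.1.0 0.0.0.255"  # inside subnet from the posted config

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int      # IP protocol number
    dport: int = 0  # 0 for protocols without ports

@dataclass(frozen=True)
class Ace:
    action: str                       # 'permit' or 'deny'
    proto: Optional[int]              # None means 'ip' (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[Tuple[int, int]]  # inclusive dport range, None = any port

def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D', or 'A.B.C.D wildcard' (wildcard = inverted mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens.pop(0))) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)

def parse_ace(line: str) -> Ace:
    """Parse one ACE; a leading sequence number and trailing '(N matches)' are tolerated."""
    tokens = line.split()
    if tokens[0].isdigit():
        tokens.pop(0)
    action, proto = tokens.pop(0), PROTO_NUMBERS[tokens.pop(0)]
    src, dst = _parse_addr(tokens), _parse_addr(tokens)
    ports = None
    if tokens and tokens[0] == "eq":
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        ports = (port, port)
    elif tokens and tokens[0] == "range":
        ports = (int(tokens[1]), int(tokens[2]))
    return Ace(action, proto, src, dst, ports)

def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching ACE decides; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto is not None and ace.proto != pkt.proto:
            continue
        if ipaddress.IPv4Address(pkt.src) not in ace.src or ipaddress.IPv4Address(pkt.dst) not in ace.dst:
            continue
        if ace.ports and not ace.ports[0] <= pkt.dport <= ace.ports[1]:
            continue
        return ace.action == "permit"
    return False

# route-map http-ftp-mail from the page: seq 10 = ACL 111 -> Dialer0, seq 20 = ACL 112 -> Dialer100
ROUTE_MAP = [(111, "Dialer0"), (112, "Dialer100")]

def pbr_egress(acls: Dict[int, List[Ace]], pkt: Packet, default: str = "Dialer0") -> str:
    """A sequence matches only when its ACL permits the packet (a deny falls through to
    the next sequence); unmatched packets take normal routing, assumed here to be Dialer0."""
    for acl_number, interface in ROUTE_MAP:
        if acl_permits(acls[acl_number], pkt):
            return interface
    return default

def build_acls(extra_deny: List[str]) -> Dict[int, List[Ace]]:
    """Mirror-image pair as on the page: 111 denies the (abridged) remote-desktop flows
    plus extra_deny, then permits the LAN; 112 permits exactly what 111 denies."""
    remote_desktop = [f"tcp {LAN} any range 6512 6519", f"tcp {LAN} any eq 5631",
                      f"tcp {LAN} any eq 3389"]
    acl111 = [parse_ace("deny " + e) for e in remote_desktop + extra_deny]
    acl111.append(parse_ace(f"permit ip {LAN} any"))
    acl112 = [parse_ace("permit " + e) for e in remote_desktop + extra_deny]
    return {111: acl111, 112: acl112}

ACLS_ORIGINAL = build_acls([])                                                # posted config
ACLS_TCP_ATTEMPT = build_acls(["tcp any any eq 443", "tcp any any eq 4500"])  # asker's attempt
ACLS_FINAL = build_acls(["tcp any any eq 443", "tcp any any eq 1723",         # final listing
                         "udp any any eq isakmp", "udp any any eq non500-isakmp",
                         "esp any any", "gre any any"])

# Constructed flows from a LAN host to a constructed customer VPN gateway (203.0.113.5).
FLOWS = {"https": Packet("192.168.1.10", "203.0.113.5", 6, 443),
         "rdp": Packet("192.168.1.10", "203.0.113.5", 6, 3389),
         "ike-nat-t": Packet("192.168.1.10", "203.0.113.5", 17, 4500),
         "esp": Packet("192.168.1.10", "203.0.113.5", 50),
         "gre": Packet("192.168.1.10", "203.0.113.5", 47)}

def egress_table(acls: Dict[int, List[Ace]]) -> Dict[str, str]:
    """Which dialer each sample flow leaves through under one ACL generation."""
    return {name: pbr_egress(acls, pkt) for name, pkt in FLOWS.items()}
```

Calling `egress_table` on the three ACL generations shows the UDP 4500, ESP and GRE flows moving to Dialer100 only once ACL 111 denies them by their real protocol, which is Asavener's point about UDP 500/4500: a `deny tcp ... eq 4500` never matches an IKE NAT-T datagram, so the packet reaches ACL 111's trailing `permit ip`, sequence 10 matches, and it leaves on Dialer0. The model also explains why the mirror-image ACL pair works at all: a route-map sequence is skipped when its ACL denies, so the denies in 111 are what hand a flow to sequence 20.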
Whatever statement i put the traffic goes through the dialer0.
I believe you are going to have better luck with Policy Based Routing
http://pierky.wordpress.com/2009/03/28/dual-wan-connection-on-cisco-with-policy-based-routing-pbr/
Billy