Solved

IP Route issue on LAN

Posted on 2011-09-27
Last Modified: 2012-08-13
I have a Cisco 881 router.  All traffic goes out ISP1.  I am trying to route 205.12.148.40 through our ISP2 circuit for our SIP calls.  The IP of ISP2 on the interface is 210.105.232.114, and the gateway is 210.105.232.113.  When I do a traceroute from the router itself, it goes out the ISP2 interface correctly.  However, if I do a traceroute over the LAN, it times out.  My phone company is telling me all the traffic to 205.12.148.40 is still coming from ISP1.  I have the following statement in the config, but it doesn't seem to work: ip route 205.12.148.40 255.255.255.255 210.105.232.113

Config is below:


!
! Last configuration change at 15:29:24 UTC Tue Sep 27 2011 by r00t
!
version 15.0
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname FW1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 12345
!
no aaa new-model
!
!
!
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-12345
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-12345
 revocation-check none
 rsakeypair TP-self-signed-12345
!
!
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name domain.com
ip name-server 10.1.9.101
ip name-server 10.1.9.102
ip inspect max-incomplete low 320
ip inspect max-incomplete high 400
ip inspect name FIREWALL ftp
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FTX12345
!
!
archive
 log config
  hidekeys
username root password 7 123456
!
!
!
track 16 ip sla 16 reachability
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 12345 address 75.98.62.99
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map mymap 10 ipsec-isakmp
 set peer 75.98.62.99
 set transform-set myset
 match address US_2_CA
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 2
 !
!
interface FastEthernet1
 switchport access vlan 4
 !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 description ISP2
 switchport access vlan 3
 !
!
interface FastEthernet4
 description ISP1
 ip address 175.14.108.252 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map mymap
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 shutdown
 !
!
interface Vlan2
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.16.1.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1418
 !
!
interface Vlan3
 description ISP2
 ip address 210.105.232.114 255.255.255.240
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 !
!
interface Vlan4
 no ip address
 ip nat inside
 ip virtual-reassembly
 !
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 10.0.0.0 255.0.0.0 10.16.1.2 track 16
ip route 0.0.0.0 0.0.0.0 175.14.108.254
ip route 10.0.0.0 255.0.0.0 175.14.108.254 200
ip route 192.168.101.0 255.255.255.0 10.16.1.2
ip route 205.12.148.40 255.255.255.255 210.105.232.113
ip route 207.51.40.57 255.255.255.255 10.16.1.2
ip route 207.51.40.58 255.255.255.255 10.16.1.2
!
ip access-list extended US_2_CA
 permit ip 10.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
!
ip sla 16
 icmp-echo 207.51.40.57
ip sla schedule 16 life forever start-time now
access-list 103 deny   ip 10.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 103 permit ip 10.16.0.0 0.0.255.255 any
access-list 104 permit ip host 204.11.148.40 any
access-list 105 permit tcp any any eq www
access-list 105 permit tcp any any eq 443
access-list 105 permit tcp any any eq echo
access-list 106 permit ip host 10.16.9.110 host 210.105.232.114
access-list 106 permit ip host 210.105.232.114 host 10.16.9.110
no cdp run

!
!
!
!
route-map SipTraffic permit 10
 description Sip Traffic Nat
 match ip address 106
 match interface Vlan3
!
route-map redirect permit 10
 match ip address 105
 set ip next-hop 175.14.108.254
!
route-map nonat permit 10
 match ip address 103
!
!
control-plane
 !
!
!
line con 0
 exec-timeout 0 0
 privilege level 7
 password 7 12345
 login local
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 1
 session-timeout 67
 exec-timeout 0 0
 privilege level 7
 password 7 12345
 login local
 transport preferred ssh
 transport input telnet ssh
 transport output all
line vty 2 4
 exec-timeout 120 0
 privilege level 7
 password 7 12345
 login local
 length 0
 transport preferred telnet
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
0
Question by:drivetech
8 Comments
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 36710874
I'm not that good reading Cisco config files.  Can you print a routing table for the router?  That's usually more universal and easier to read.
0
 
LVL 17

Expert Comment

by:rochey2009
ID: 36710952
Hi,

You'll need some additional NAT configuration, similar to a load balanced configuration, where the NAT route-maps match on outgoing interface.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080950834.shtml
0
 
LVL 26

Accepted Solution

by:
Soulja earned 350 total points
ID: 36710999
Try this route-map

ip access-list extended 107
permit ip any host 205.12.148.40

route-map ISP2-Traffic permit 10
 match ip address 107
 set ip next-hop 210.105.232.113
0
 
LVL 26

Expert Comment

by:Soulja
ID: 36711018
As for the ATT router, yes they move on their own time. Haha! I am surprised they signed off on that design.
0
 

Author Comment

by:drivetech
ID: 36711573
Soulja,

I added the route-map.  Do I need to add some type of ip nat inside source route-map ISP2-Traffic statement?  
0
 
LVL 17

Assisted Solution

by:rochey2009
rochey2009 earned 150 total points
ID: 36711872
yes,

route-map ISP2-Traffic permit 10
 match ip address 107
 match interface vlan3

ip nat inside source route-map ISP2-Traffic interface Vlan3 overload

0
 
LVL 26

Expert Comment

by:Soulja
ID: 36711955
Thanks Rochey.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 36711962
Sorry my ATT router comment was for a different post. Ha!
0
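
The NAT change discussed in this thread, consolidated as an added example (not posted by any participant). In the posted config the only NAT rule translates to the FastEthernet4 address with no egress-interface match, so LAN traffic that the /32 static route sends out Vlan3 still carries the ISP1 source address. Adding `match interface FastEthernet4` to the existing `nonat` route-map is an assumption here, following the match-on-outgoing-interface pattern rochey2009 describes; all names and addresses are taken from the thread.

```cisco
! Added example, not part of the original thread.
! Names (nonat, ISP2-Traffic), ACLs 103/107 and addresses come from the posts above.
!
! ACL from the accepted solution: traffic destined to the SIP host
ip access-list extended 107
 permit ip any host 205.12.148.40
!
! ISP1 NAT route-map: existing ACL 103 match, now also tied to the ISP1 egress
! interface (assumption: added so each NAT rule matches only its own interface)
route-map nonat permit 10
 match ip address 103
 match interface FastEthernet4
!
! ISP2 NAT route-map: SIP host traffic leaving via Vlan3
route-map ISP2-Traffic permit 10
 match ip address 107
 match interface Vlan3
!
! One overload rule per outside interface
ip nat inside source route-map nonat interface FastEthernet4 overload
ip nat inside source route-map ISP2-Traffic interface Vlan3 overload
!
! Already in the posted config: selects Vlan3 as the egress for the SIP host
ip route 205.12.148.40 255.255.255.255 210.105.232.113
!
! Checks from exec mode after a LAN host sends traffic to 205.12.148.40:
!   clear ip nat translation *        (drop stale entries built by the old rule)
!   show ip route 205.12.148.40       (next hop should be 210.105.232.113)
!   show ip nat translations          (inside global should be 210.105.232.114)
!   show route-map                    (match counters per route-map)
```

The inside global address in the translation table is what the far end sees as the source, so it is the value to compare against the provider's report.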
