Solved

Cisco routing issue

Posted on 2014-01-10
Last Modified: 2014-01-21
I have recently acquired a secondary ISP for my Cisco 2811. I have been able to successfully set up the interface and apply a route-map to direct certain traffic across the new line.
The problem I am facing is that, I believe, not all traffic destined for this new line is using it, and I am not sure why.
sh ip nat is showing all traffic from this particular IP is using the new line, but when I attempt to connect to a site like whatmyip.com from a machine that is supposed to be using the new ISP, I am still seeing the main ISP line IP.

See below for an example of my configuration

ip route 0.0.0.0 0.0.0.0 (Current ISP) name CURRENT_GATEWAY
ip route 0.0.0.0 0.0.0.0 (New ISP) 100 name NEW_GATEWAY

route-map NEW_ISP permit 10
match ip address NEW_ISP_ACL
set ip next-hop (new ISP IP)

ip access-list extended NEW_ISP_ACL
10 permit tcp host 192.168.5.20 eq 20 any
20 permit tcp host 192.168.5.20 eq 21 any
30 permit tcp host 192.168.5.20 eq 80 any
40 permit tcp host 192.168.5.20 eq 443 any
50 permit tcp host 192.168.5.20 any eq 80
70 permit tcp host 192.168.5.20 any eq 443
80 permit ip host 192.168.5.36 any

interface Vlan11
ip policy route-map NEW_ISP

If you need more of my configuration to help me with this, please let me know.
Question by:progjm
28 Comments
 
LVL 11

Expert Comment

by:Miftaul
ID: 39770891
Your configuration says you are instructing two machines, 192.168.5.20 and 192.168.5.36, to use the new_isp link.

Did you do whatismyip.com on these two workstations?

Could you please do a traceroute on either of the two workstations and see which path the traffic is flowing?
 
LVL 1

Author Comment

by:progjm
ID: 39770943
Getting the same outcome on both the workstations listed in the ACL for whatsmyip (the main ISP IP). When I do a traceroute, it looks like it is using the correct line (new ISP for the 192.168.5.36 line and the main ISP for the 192.168.5.20 line), and the sh ip nat translations shows the same. I know I am missing something small here, just not sure what.
 
LVL 11

Expert Comment

by:Miftaul
ID: 39770968
(new ISP for the 192.168.5.36 line and the main ISP for the 192.168.5.20 line)
If .36 is sending correctly and .20 is not, then it could be the ACL itself.

Can we make small changes to the ACL and see?
ip access-list extended NEW_ISP_ACL
10 permit ip host 192.168.5.20 any
20 permit ip host 192.168.5.36 any

 
LVL 1

Author Comment

by:progjm
ID: 39770975
Good point, let me do some testing and see. You think maybe too much in a single ACL? Maybe split them up and create a route-map for each (with the same name but 10, 20 etc.).

.20 is working as expected; not telling it to allow any UDP.
 
LVL 11

Expert Comment

by:Miftaul
ID: 39770997
I was wondering about the lines below:
10 permit tcp host 192.168.5.20 eq 20 any
20 permit tcp host 192.168.5.20 eq 21 any
30 permit tcp host 192.168.5.20 eq 80 any
40 permit tcp host 192.168.5.20 eq 443 any

We are not hosting any service, and hosts use other source ports when requesting a page on the internet.

If the new ACL works, we can concentrate on it to make changes to selectively allow the required traffic.
 
LVL 1

Author Comment

by:progjm
ID: 39771052
Let's start with making the same changes to the current ACL; it just seems strange that the NAT translations are showing correctly.
 
LVL 11

Expert Comment

by:Miftaul
ID: 39771137
The initial ACL was:
ip access-list extended NEW_ISP_ACL
10 permit tcp host 192.168.5.20 eq 20 any
20 permit tcp host 192.168.5.20 eq 21 any
30 permit tcp host 192.168.5.20 eq 80 any
40 permit tcp host 192.168.5.20 eq 443 any
50 permit tcp host 192.168.5.20 any eq 80
70 permit tcp host 192.168.5.20 any eq 443
80 permit ip host 192.168.5.36 any

The following doesn't make sense, because source ports are not 20, 21, 80, 443 on the host. We can remove them:
10 permit tcp host 192.168.5.20 eq 20 any
20 permit tcp host 192.168.5.20 eq 21 any
30 permit tcp host 192.168.5.20 eq 80 any
40 permit tcp host 192.168.5.20 eq 443 any

We can leave "permit tcp host 192.168.5.20 any", but if you only want to allow 80 and 443, then we can do:
10 permit tcp host 192.168.5.20 any eq 80
20 permit tcp host 192.168.5.20 any eq 443

Else "80 permit ip host 192.168.5.36 any" is just fine.
All traffic from the trusted LAN to the untrusted WAN is passing via ISP1 anyway. We are just using PBR to route traffic from .20 and .36 to ISP2.
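A small model of the first-match ACL evaluation discussed above, added here as an example (not code from the thread, and a simplification of IOS behaviour): it parses the OP's original PBR ACL and the simplified one and evaluates constructed sample flows, showing that the source-port entries only match server-initiated connections such as active-mode FTP data, while UDP from .20 matches nothing in the original ACL and therefore takes the normal default route.

```python
from ipaddress import ip_address

def parse_ace(line):
    """Parse one ACE of the restricted shape used in this thread:
    <seq> permit <proto> host <src> [eq <sport>] any [eq <dport>]"""
    t = line.split()
    seq, action, proto, src = int(t[0]), t[1], t[2], ip_address(t[4])
    assert t[3] == "host", "only 'host <ip>' sources are modelled"
    i, sport, dport = 5, None, None
    if t[i] == "eq":                          # source-port qualifier (eq 20, eq 21, ...)
        sport, i = int(t[i + 1]), i + 2
    assert t[i] == "any", "only 'any' destinations are modelled"
    if i + 1 < len(t) and t[i + 1] == "eq":  # destination-port qualifier (any eq 80)
        dport = int(t[i + 2])
    return seq, action, proto, src, sport, dport

def ace_matches(ace, flow):
    """flow = (proto, src_ip, src_port, dst_port); protocol 'ip' matches anything."""
    seq, action, proto, src, sport, dport = ace
    f_proto, f_src, f_sport, f_dport = flow
    return ((proto == "ip" or proto == f_proto) and src == ip_address(f_src)
            and sport in (None, f_sport) and dport in (None, f_dport))

def pbr_decision(acl, flow):
    """First-match evaluation with the implicit deny at the end: returns the sequence
    number of the permitting ACE (flow is policy-routed) or None (normal routing)."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace[0] if ace[1] == "permit" else None
    return None

# The OP's original PBR ACL and the simplified one proposed in the thread.
ORIGINAL_ACL = [parse_ace(l) for l in (
    "10 permit tcp host 192.168.5.20 eq 20 any",
    "20 permit tcp host 192.168.5.20 eq 21 any",
    "30 permit tcp host 192.168.5.20 eq 80 any",
    "40 permit tcp host 192.168.5.20 eq 443 any",
    "50 permit tcp host 192.168.5.20 any eq 80",
    "70 permit tcp host 192.168.5.20 any eq 443",
    "80 permit ip host 192.168.5.36 any")]
SIMPLIFIED_ACL = [parse_ace(l) for l in (
    "10 permit ip host 192.168.5.20 any", "20 permit ip host 192.168.5.36 any")]

# Constructed flows: clients use ephemeral source ports, so only entries 50/70 can match traffic *initiated* by .20.
SAMPLE_FLOWS = {
    "https from .20": ("tcp", "192.168.5.20", 51234, 443),
    "dns from .20": ("udp", "192.168.5.20", 51235, 53),       # no match: stays on ISP1
    "ftp-data from .20": ("tcp", "192.168.5.20", 20, 51236),  # active-mode data, server side
    "ntp from .36": ("udp", "192.168.5.36", 51237, 123),
}
```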
 
LVL 26

Expert Comment

by:Soulja
ID: 39771205
Miftaul is correct. The ACL is incorrect. Could you also post more of your config so we can make sure everything else is correct?
 
LVL 1

Author Comment

by:progjm
ID: 39771286
I am hosting an FTP server on the .20, so I thought I was telling it to only allow those ports to connect.
 
LVL 1

Author Comment

by:progjm
ID: 39771311
ip nat inside source static tcp 192.168.5.20 20 (NEW ISP IP) 20 route-map NEWISP extendable
ip nat inside source static tcp 192.168.5.20 21 (NEW ISP IP) 21 route-map NEWISP extendable
ip nat inside source static tcp 192.168.5.20 80 (NEW ISP IP) 80 route-map NEWISP extendable
ip nat inside source static tcp 192.168.5.20 443 (NEW ISP IP) 443 route-map NEWISP extendable

ip nat inside source route-map ISP1_NAT interface FastEthernet0/0 overload
ip nat inside source route-map ISP2_NAT interface FastEthernet0/1 overload

route-map NEWISP permit 10
 match interface FastEthernet0/0

route-map ISP2_NAT permit 10
 match ip address NAT_ADDRESSES
 match interface FastEthernet0/1
!
route-map ISP1_NAT permit 10
 match ip address NAT_ADDRESSES
 match interface FastEthernet0/0
 
LVL 11

Expert Comment

by:Miftaul
ID: 39771332
So you have ports 20 and 21 forwarded on the router. You want 20 and 21 on your ISP2 WAN interface forwarded to 192.168.5.20 ports 20 & 21.
Could you please share the port forwarding config, hiding your public IP?
 
LVL 1

Author Comment

by:progjm
ID: 39771391
Do you need more than what I just sent?
 
LVL 11

Expert Comment

by:Miftaul
ID: 39771415
As per your config, it seems ISP1 is connected on Fe0/0 and ISP2 is on Fe0/1. Are you port forwarding FTP on ISP1? I thought it was ISP2 where the inbound ports are forwarded from the WAN.

To me, the NAT ACL is already taking care of the inbound traffic for ports 20 & 21. Return traffic on 20 and 21 should also follow the same path due to the NAT binding.

On the PBR ACL, we don't need to specify source ports. If we want to be a little more specific, we can allow only 80 and 443.
 
LVL 1

Author Comment

by:progjm
ID: 39771448
Yes, that is correct. I have taken this config over from another engineer, so I apologize about some of the naming. Yes, ISP1 is on f0/0, which is the NEW ISP.

Yes, I have those ACL entries in to coincide with the NAT bindings. I have added the external 443 and 80 for testing on the .20. The .20 machine is working as it needs to (sorry for the confusion).

The problem I have is with the .36 machine. I want all traffic coming from that machine to go out the NEW ISP, which, when watching the NAT translation, seems to be the case. I did attempt to upload a file from this machine to another "ext" machine and for some reason it started using the main ISP line (was watching bandwidth). That's when I tried the whatsmyip and found it was showing the main ISP IP. The other kicker to this is that when I did a Google search for whatsmyip, Google showed me the correct "new ISP" IP, but whatsmyip did not.

 
LVL 11

Expert Comment

by:Miftaul
ID: 39771518
Do you have a NAT configuration for the ISP2 link? How are the 192.168.5.36 requests translated when requests are going out via ISP2?

Please advise.
 
LVL 1

Author Comment

by:progjm
ID: 39771523
Other than the one-to-one I have set up for the FTP, I don't have one. Do I need to burn another outside IP for this on the NEW ISP?
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 100 total points
ID: 39771548
Can you enable debug for PBR and NAT, make some communication attempts as before, and post the output?
 
LVL 11

Expert Comment

by:Miftaul
ID: 39771553
No, I am saying there has to be NAT for the NewISP. Otherwise traffic intended to pass via that link will be blocked by the ISP due to the private IP block.

Please do a NAT configuration for the NEW ISP link.
 
LVL 1

Author Comment

by:progjm
ID: 39771587
Didn't I do this here?
ip nat inside source route-map ISP1_NAT interface FastEthernet0/0 overload
 
LVL 26

Expert Comment

by:Soulja
ID: 39771596
Yes,

What are the contents of your NAT_ADDRESSES ACL?
 
LVL 11

Expert Comment

by:Miftaul
ID: 39771614
Yes, please give the NAT_ADDRESSES ACL.
 
LVL 1

Author Comment

by:progjm
ID: 39771629
ip access-list standard NAT_ADDRESSES
 permit 192.168.0.0 0.0.255.255
 permit 10.0.0.0 0.255.255.255
 
LVL 26

Expert Comment

by:Soulja
ID: 39771715
Let's see your debug ip policy when you try these tests.
 
LVL 11

Accepted Solution

by:
Miftaul earned 400 total points
ID: 39771736
It seems OK. Can you please check that on Fa0/1 "ip nat outside" is stated? Also, for the purpose of troubleshooting, can we change
 "ip nat inside source route-map ISP2_NAT interface FastEthernet0/1 overload"
to
 "ip nat inside source list NAT_ADDRESSES interface FastEthernet0/1 overload"

Just removing the route map.
 
LVL 1

Author Comment

by:progjm
ID: 39771763
Will do.
 
LVL 1

Author Comment

by:progjm
ID: 39771835
Debug commands are bringing the network to a crawl, so I will have to do them after hours.
 
LVL 1

Author Comment

by:progjm
ID: 39796750
Looks to have been one of my route maps causing the issue; after applying the following, all is good.

ip nat inside source route-map NEW_LINE interface FastEthernet0/0 overload
ip nat inside source route-map MAIN_LINE interface FastEthernet0/1 overload

ip access-list standard MAIN_LINE_ACL
deny ip host 192.168.5.36
permit 192.168.0.0 0.0.255.255
permit 10.0.0.0 0.255.255.255

ip access-list standard NEW_LINE_ACL
permit 192.168.0.0 0.0.255.255
permit 10.0.0.0 0.255.255.255

route-map NEW_LINE permit 10
match ip address NEW_LINE_ACL
match interface FastEthernet0/1

route-map MAIN_LINE permit 10
match ip address MAIN_LINE_ACL
match interface FastEthernet0/0

Thank you for your help.
 
LVL 1

Author Closing Comment

by:progjm
ID: 39796751
Thank you again for your assistance.
