progjm
asked on
Cisco routing issue
I have recently acquired a secondary ISP for my Cisco 2811. I have been able to successfully set up the interface and apply a route-map to direct certain traffic across the new line.
The problem I am facing is that not all traffic destined for this new line is using it, I believe, and I am not sure why.
sh ip nat is showing all traffic from this particular IP is using the new line, but when I attempt to connect to a site like whatmyip.com from a machine that is supposed to be using the new ISP, I am still seeing the main ISP line IP.
See below for an example of my configuration
ip route 0.0.0.0 0.0.0.0 (Current ISP) name CURRENT_GATEWAY
ip route 0.0.0.0 0.0.0.0 (New ISP) 100 name NEW_GATEWAY
route-map NEW_ISP permit 10
match ip address NEW_ISP_ACL
set ip next-hop (new ISP IP)
ip access-list extended NEW_ISP_ACL
10 permit tcp host 192.168.5.20 eq 20 any
20 permit tcp host 192.168.5.20 eq 21 any
30 permit tcp host 192.168.5.20 eq 80 any
40 permit tcp host 192.168.5.20 eq 443 any
50 permit tcp host 192.168.5.20 any eq 80
70 permit tcp host 192.168.5.20 any eq 443
80 permit ip host 192.168.5.36 any
interface Vlan11
ip policy route-map NEW_ISP
If you need more of my configuration to help me with this, please let me know
ASKER
Getting the same outcome on both the workstations listed in the ACL for whatsmyip (the main ISP IP). When I do a traceroute it looks like it is using the correct line (new ISP for the 192.168.5.36 line and the main ISP for the 192.168.5.20 line), and sh ip nat translations shows the same. I know I am missing something small here, just not sure what.
(new ISP for the 192.168.5.36 line and the main ISP for the 192.168.5.20 line)
If .36 is sending correctly and .20 is not, then it could be the ACL itself
can we do little changes on the ACL and see
ip access-list extended NEW_ISP_ACL
10 permit ip host 192.168.5.20 any
20 permit ip host 192.168.5.36 any
ASKER
Good point, let me do some testing and see. Do you think maybe there is too much in a single ACL? Maybe split them up and create a route-map for each (with the same name but 10, 20, etc.).
.20 is working as expected, not telling it to allow any udp
I was wondering with below
10 permit tcp host 192.168.5.20 eq 20 any
20 permit tcp host 192.168.5.20 eq 21 any
30 permit tcp host 192.168.5.20 eq 80 any
40 permit tcp host 192.168.5.20 eq 443 any
We are not hosting any service, and hosts use other source ports when requesting a page on the internet. If the new ACL works, we can concentrate on it to make changes to selectively allow the required traffic.
ASKER
Let's start with making the same changes to the current ACL; it just seems strange that the NAT translations are showing correctly.
The initial ACL was:
ip access-list extended NEW_ISP_ACL
10 permit tcp host 192.168.5.20 eq 20 any
20 permit tcp host 192.168.5.20 eq 21 any
30 permit tcp host 192.168.5.20 eq 80 any
40 permit tcp host 192.168.5.20 eq 443 any
50 permit tcp host 192.168.5.20 any eq 80
70 permit tcp host 192.168.5.20 any eq 443
80 permit ip host 192.168.5.36 any
The following doesn't make sense, because the source ports are not 20, 21, 80, 443 on the host. We can remove them:
10 permit tcp host 192.168.5.20 eq 20 any
20 permit tcp host 192.168.5.20 eq 21 any
30 permit tcp host 192.168.5.20 eq 80 any
40 permit tcp host 192.168.5.20 eq 443 any
We can leave "permit tcp host 192.168.5.20 any", but if you only want to allow 80 and 443, then we can do
10 permit tcp host 192.168.5.20 any eq 80
20 permit tcp host 192.168.5.20 any eq 443
Else "80 permit ip host 192.168.5.36 any" is just fine. All traffic from the trusted LAN to the untrusted WAN is passing via ISP1 anyway. We are just using PBR to route traffic from .20 and .36 to ISP2.
Mifthaul is correct. The acl is incorrect. Could you also post more of your config so we can make sure everything else is correct?
ASKER
I am hosting an FTP server on the .20, so I thought I was telling it to only allow those ports to connect.
ASKER
ip nat inside source static tcp 192.168.5.20 20 (NEW ISP IP) 20 route-map NEWISP extendable
ip nat inside source static tcp 192.168.5.20 21 (NEW ISP IP) 21 route-map NEWISP extendable
ip nat inside source static tcp 192.168.5.20 80 (NEW ISP IP) 80 route-map NEWISP extendable
ip nat inside source static tcp 192.168.5.20 443 (NEW ISP IP) 443 route-map NEWISP extendable
ip nat inside source route-map ISP1_NAT interface FastEthernet0/0 overload
ip nat inside source route-map ISP2_NAT interface FastEthernet0/1 overload
route-map NEWISP permit 10
match interface FastEthernet0/0
route-map ISP2_NAT permit 10
match ip address NAT_ADDRESSES
match interface FastEthernet0/1
!
route-map ISP1_NAT permit 10
match ip address NAT_ADDRESSES
match interface FastEthernet0/0
So you have ports 20 and 21 forwarded on the router. You want 20 and 21 on your ISP2 WAN interface forwarded to 192.168.5.20 ports 20 & 21.
Could you please share the port forwarding config hiding your public ip.
ASKER
Do you need more than what I just sent?
As per your config, it seems ISP1 is connected on Fe0/0 and ISP2 is on Fe0/1. Are you port forwarding FTP on ISP1? I thought it was ISP2 where the inbound ports are forwarded from the WAN.
To me, the NAT ACL is already taking care of the inbound traffic for ports 20 & 21. Return traffic on 20 and 21 should also follow the same path due to the NAT binding.
On the PBR ACL, we don't need to specify source ports. If we want to be a little more specific, we can allow only 80 and 443.
ASKER
Yes, that is correct. I have taken this config over from another engineer, so I apologize about some of the naming. Yes, ISP1 is on f0/0, which is the NEW ISP.
Yes, I have those ACL entries in to coincide with the NAT bindings. I have added the external 443 and 80 for testing on the .20. The .20 machine is working as it needs to (sorry for the confusion).
The problem I have is with the .36 machine. I want all traffic coming from that machine to go out the NEW ISP, which, when watching the NAT translations, it seems to be. I did attempt to upload a file from this machine to another 'ext' machine and for some reason it started using the main ISP line (I was watching bandwidth). That's when I tried whatsmyip and found it was showing the main ISP IP. The other kicker to this is that when I did a Google search for whatsmyip, Google showed me the correct "new ISP" IP, but whatsmyip did not.
Do you have a NAT configuration for the ISP2 link? How are the 192.168.5.36 requests translated when they go out via ISP2?
Please advise.
ASKER
Other than the one-to-one I have set up for the FTP, I don't have one. Do I need to burn another outside IP for this on the NEW ISP?
SOLUTION
No, I am saying there has to be NAT for the new ISP. Otherwise traffic intended to pass via that link will be blocked by the ISP due to the private IP block.
Please do a NAT configuration for the NEW ISP link.
ASKER
Didn't I do this here?
ip nat inside source route-map ISP1_NAT interface FastEthernet0/0 overload
Yes,
What are the contents of your NAT_ADDRESSES ACL?
Yes, please give the NAT_address ACL
ASKER
ip access-list standard NAT_ADDRESSES
permit 192.168.0.0 0.0.255.255
permit 10.0.0.0 0.255.255.255
Let's see your debug ip policy output when you try these tests.
ASKER CERTIFIED SOLUTION
ASKER
Will do
ASKER
Debug commands are bringing the network to a crawl; I will have to do them after hours.
ASKER
It looks to have been one of my route-maps causing the issue. After applying the following, all is good:
ip nat inside source route-map NEW_LINE interface FastEthernet0/0 overload
ip nat inside source route-map MAIN_LINE interface FastEthernet0/1 overload
ip access-list standard MAIN_LINE_ACL
deny ip host 192.168.5.36
permit 192.168.0.0 0.0.255.255
permit 10.0.0.0 0.255.255.255
ip access-list standard NEW_LINE_ACL
permit 192.168.0.0 0.0.255.255
permit 10.0.0.0 0.255.255.255
route-map NEW_LINE permit 10
match ip address NEW_LINE_ACL
match interface FastEthernet0/1
route-map MAIN_LINE permit 10
match ip address MAIN_LINE_ACL
match interface FastEthernet0/0
Thank you for your help
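To make the ACL semantics this thread turns on concrete (which "eq" is a source port and which is a destination port, what an ordinary client request or a UDP packet matches, and what the final "deny ip host 192.168.5.36" in MAIN_LINE_ACL changes), here is an added Python model of Cisco first-match ACL evaluation run over the ACLs posted in the thread. It is not the router's code and was not posted by anyone in the thread; the test flows and their addresses (203.0.113.x, 198.51.100.x) are constructed, and it models only ACL matching (first match wins, implicit deny at the end), not the IOS forwarding or NAT order of operations.

```python
"""Model of Cisco IOS ACL matching (first match wins, implicit deny at the end)
applied to the ACLs from this thread. Added illustration, not router code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)  # base 0 with an all-ones wildcard matches every address


@dataclass
class Ace:
    seq: Optional[int]
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp" or "udp"
    src: Tuple[int, int]      # (address, wildcard) as integers
    sport: Optional[int]      # only set when "eq N" follows the source
    dst: Tuple[int, int]
    dport: Optional[int]      # only set when "eq N" follows the destination


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _take_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (_ip(tokens.pop(0)), 0)
    wildcard = tokens.pop(0) if tokens else "0.0.0.0"  # standard ACL may omit the wildcard
    return (_ip(t), _ip(wildcard))


def _take_port(tokens: List[str]) -> Optional[int]:
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_ace(line: str, standard: bool = False) -> Ace:
    """Parse one ACL entry in the syntax used in the thread (optional sequence number)."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    action = tokens.pop(0)
    if standard:
        if tokens[0] == "ip":  # tolerate the "deny ip host X" spelling used in the thread
            tokens.pop(0)
        return Ace(seq, action, "ip", _take_addr(tokens), None, ANY, None)
    proto = tokens.pop(0)
    src = _take_addr(tokens)
    sport = _take_port(tokens)  # "eq N" right after the source is a SOURCE port
    dst = _take_addr(tokens)
    dport = _take_port(tokens)  # "eq N" after the destination is a DESTINATION port
    return Ace(seq, action, proto, src, sport, dst, dport)


def _addr_match(spec: Tuple[int, int], ip: str) -> bool:
    base, wildcard = spec  # wildcard bits set to 1 are "don't care"
    return (_ip(ip) | wildcard) == (base | wildcard)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return _addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)


def first_match(acl: List[Ace], pkt: Packet) -> Optional[Ace]:
    return next((a for a in acl if ace_matches(a, pkt)), None)


def first_match_seq(acl: List[Ace], pkt: Packet) -> Optional[int]:
    a = first_match(acl, pkt)
    return a.seq if a else None


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    a = first_match(acl, pkt)
    return a is not None and a.action == "permit"  # no match means implicit deny


# The PBR ACL as originally posted, and the two NAT ACLs from the final config.
NEW_ISP_ACL = [parse_ace(l) for l in """
10 permit tcp host 192.168.5.20 eq 20 any
20 permit tcp host 192.168.5.20 eq 21 any
30 permit tcp host 192.168.5.20 eq 80 any
40 permit tcp host 192.168.5.20 eq 443 any
50 permit tcp host 192.168.5.20 any eq 80
70 permit tcp host 192.168.5.20 any eq 443
80 permit ip host 192.168.5.36 any""".strip().splitlines()]
MAIN_LINE_ACL = [parse_ace(l, standard=True) for l in (
    "deny ip host 192.168.5.36", "permit 192.168.0.0 0.0.255.255", "permit 10.0.0.0 0.255.255.255")]
NEW_LINE_ACL = [parse_ace(l, standard=True) for l in (
    "permit 192.168.0.0 0.0.255.255", "permit 10.0.0.0 0.255.255.255")]

# Constructed sample flows (documentation address ranges, not real hosts).
FLOWS = {
    "http_request_from_20": Packet("tcp", "192.168.5.20", 51000, "203.0.113.10", 80),
    "ftp_reply_from_20":    Packet("tcp", "192.168.5.20", 21, "198.51.100.7", 40000),
    "dns_from_20":          Packet("udp", "192.168.5.20", 53000, "203.0.113.53", 53),
    "http_8080_from_20":    Packet("tcp", "192.168.5.20", 51001, "203.0.113.10", 8080),
    "anything_from_36":     Packet("udp", "192.168.5.36", 40000, "203.0.113.10", 5000),
}


def pbr_path(pkt: Packet) -> str:
    """A NEW_ISP_ACL permit triggers 'set ip next-hop'; anything else uses the routing table."""
    return "new ISP (set ip next-hop)" if acl_permits(NEW_ISP_ACL, pkt) else "routing table (main ISP default)"


def nat_acls_permitting(pkt: Packet) -> List[str]:
    """Which of the final NAT route-map ACLs would still permit this source."""
    return [n for n, acl in (("MAIN_LINE_ACL", MAIN_LINE_ACL), ("NEW_LINE_ACL", NEW_LINE_ACL))
            if acl_permits(acl, pkt)]


if __name__ == "__main__":
    for name, pkt in FLOWS.items():
        print(f"{name:22} PBR seq={first_match_seq(NEW_ISP_ACL, pkt)!s:5} -> {pbr_path(pkt):32} "
              f"NAT: {nat_acls_permitting(pkt)}")
```

Running it shows the point the expert made: the first four entries only match packets whose source port is 20, 21, 80 or 443, i.e. replies from a server on .20, while a browser request from .20 is matched by entry 50 (destination port 80) and a UDP flow from .20 matches nothing at all and falls through to the default route. For .36, the final MAIN_LINE_ACL's leading deny removes it from the main line's NAT while NEW_LINE_ACL still permits it.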
ASKER
Thank you again for your assistance
Did you do whatismyip.com on these two workstations?
Could you please do a traceroute on either of the two workstations and see which path the traffic is flowing?