1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

PBR with PPTP is this possible ?

Discussion in 'Routing & Switching' started by lowfell, Feb 22, 2007.

  1. lowfell

    lowfell Bit Poster

    10
    0
    2
    I have an 1841 with
    one adsl interface pointing to the internet to isp1

    I have Fa0/1 pointing to isp2

    I have one lan interface fa0/0
    with ip address 10.1.1.254

    Presently I only have one Static nat for
    an inside address of 10.1.1.1 which nats to a public address & proxies for mail & PPTP (The 10.1.1.1 is an ISA SERVER). I want to configure PBR so that PPTP goes through isp1 & all other traffic through isp2
    I have used the following route-maps in an attempt to do this.
    ip nat inside source static 10.1.1.1 194.72.X.X route-map outside_nat1 (new nat for VPN)

    ip nat inside source static 10.1.1.1 217.36.X.X route-map outside_nat2
    (new nat for all other traffic)

    route-map outside_nat1 permit 10
    match ip address 101
    set default interface FastEthernet0/1

    access-list 101 permit tcp host 10.1.1.1 eq 1723 any
    access-list 101 permit gre host 10.1.1.1 any

    route-map outside_nat2 permit 10
    match ip address 102
    set default interface Dialer0
    access-list 102 deny tcp host 10.1.1.1 eq 1723 any
    access-list 102 deny gre host 10.1.1.1 any

    Interface FastEthernet0/0
    ip policy route-map vpn_only

    route-map vpn_only permit 10
    match ip address 110
    set default interface FastEthernet0/1
    access-list 110 permit tcp host 10.1.1.1 eq 1723 any
    access-list 110 permit gre host 10.1.1.1 any

    Using this configuration I can still collect mail from ISP1, but when I try to make the connection for the remote access PPTP vpn via isp2 I can see a nat translation for the address but no GRE connection info & the vpn won't work.

    for example, before employing PBR i see the following translations when connected to the vpn
    #show ip nat translations
    tcp 217.36.X.X:1723 10.1.1.1:1723 195.200.x.x:1485 195.200.x.x:1485
    gre 217.36.x.x:7576 10.1.1.1:7576 195.200.x.x:7576 195.200.X.x:7576
    gre 217.36.X.X:32768 10.1.1.1:32768 195.200.X.X:32768 195.200.X.X:32768

    This includes 1723 for pptp & an entry for gre, however when I use the PBR I only see TCP connection including 1723 for the PPTP, but NO GRE translation. How do I get this to work?
     
  2. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,871
    167
    256
    Hmmm, this is why I try to tell people that IT is not for everyone :twisted:

    Good luck, I am sure you will work it out
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  3. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    lowfell,

    The key to PBR is the routing table. As you know, PBR changes the normal routing behaviour of the router, so if you could post your routing table that would be very helpful. Without the routing table it can be difficult to predict the effect of your PBR config.

    I'll assume for now that isp2 (via f0/1) is your default route.

    First off, change this:
    route-map vpn_only permit 10
    match ip address 110
    set default interface FastEthernet0/1

    To this:
    route-map vpn_only permit 10
    match ip address 110
    match interface f0/1
    set ip next-hop <whatever is next hop ip to isp1>

    Use debug ip policy to check on exactly what the router is doing with the pptp packets. Also, make sure cef is running, it is by far the best switching path available.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  4. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    lowfell,

    Also, I wonder a bit about your NAT config. For example, the NAT for isp2 appears to match nothing at all:

    ip nat inside source static 10.1.1.1 217.36.X.X route-map outside_nat2

    route-map outside_nat2 permit 10
    match ip address 102
    set default interface Dialer0

    access-list 102 deny tcp host 10.1.1.1 eq 1723 any
    access-list 102 deny gre host 10.1.1.1 any


    I would suggest testing something like this:

    route-map outside_nat2 permit 10
    match ip address 102
    match interface Dialer0

    access-list 102 deny tcp host 10.1.1.1 eq 1723 any
    access-list 102 deny gre host 10.1.1.1 any
    access-list 102 permit host 10.1.1.1 any <-- example only, change to suit your requirements

    route-map vpn_only permit 10
    match ip address 110
    match interface FastEthernet0/1

    access-list 110 permit tcp host 10.1.1.1 eq 1723 any
    access-list 110 permit gre host 10.1.1.1 any

    Hopefully this is helpful, it can sometimes take a bit of tweaking and debugging to get PBR and NAt working together.

    Run deb ip policy and ping an Internet host. Check the NAT translation to see how it was nat'ed (presumably through Di0). Than add to access-l 101 and 110:

    access-l 101 per icmp host 10.1.1.1 host 4.2.2.1 <-- Example host
    access-l 110 per icmp host 10.1.1.1 host 4.2.2.1 <-- Example host

    Now ping the host, above, and see the results, the PBR should send it out f0/1 and the NAT translation should show that. Ping a different host and it should be nat'ed out the di0 interface.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  5. lowfell

    lowfell Bit Poster

    10
    0
    2
    Many thanks Weasel, you are a Star! this is now working! You have saved my life! However, although they can now connect to the vpn via 194.72.X.X, they can STILL use the vpn by using
    217.6.X.X. Can you work out why from this config?

    All I want to do is send pptp down 194.72.X.X
    All other traffic that IS NOT PPTP down 217.36.X.X

    show run
    Building configuration...

    Current configuration : 3289 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname ADSL-GW
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    enable secret 5
    !
    no aaa new-model
    !
    resource policy
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    ip cef
    !
    no ip domain lookup
    ip domain name yourdomain.com
    !

    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
    ip address 10.1.1.254 255.255.255.0
    ip nat inside
    ip policy route-map vpn_only
    duplex auto
    speed auto
    no cdp enable
    !
    interface FastEthernet0/1
    ip address 194.72.X.X 255.255.255.240
    ip nat outside
    speed 100
    full-duplex
    !
    interface ATM0/0/0
    no ip address
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface Dialer0
    ip address 217.36.X.X 255.255.255.248
    no ip unreachables
    ip nat outside
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname
    ppp chap password
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    no ip http server
    ip http authentication local
    ip http timeout-policy idle 5 life 86400 requests 10000
    ip nat inside source list 199 interface Dialer0 overload
    ip nat inside source static 10.1.1.1 194.72.X.X route-map outside_nat1
    ip nat inside source static 10.1.1.1 217.36.X.X route-map outside_nat2

    !

    access-list 101 permit tcp host 10.1.1.1 eq 1723 any
    access-list 101 permit gre any any
    access-list 102 deny tcp any any eq 1723
    access-list 102 deny gre any any
    access-list 102 permit tcp host 10.1.1.1 any neq 1723
    access-list 110 permit tcp host 10.1.1.1 eq 1723 any
    access-list 110 permit gre host 10.1.1.1 any
    access-list 199 remark IP NAT
    access-list 199 permit ip 10.1.1.0 0.0.0.255 any
    route-map vpn_only permit 10
    match ip address 110
    match interface FastEthernet0/1
    set ip next-hop 194.72.X.X
    !
    route-map outside_nat1 permit 10
    match ip address 101
    match interface FastEthernet0/1
    !
    route-map outside_nat2 permit 10
    match ip address 102
    match interface Dialer0
     
  6. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    Glad to help, lowfell.

    Here are some further suggestions:

    Check your access-list 102 -

    access-list 102 deny tcp any any eq 1723
    access-list 102 deny gre any any
    access-list 102 permit tcp host 10.1.1.1 any neq 1723

    The list allows responses to inbound pptp sessions. It should deny them. The first line denies outbound pptp sessions. The last line only blocks inbound connections with a source port of 1723. It should block destination port of 1723. For example:

    access-list 102 deny tcp any eq 1723 any
    access-list 102 deny gre any any
    access-list 102 permit ip host 10.1.1.1 any


    Also, strongly consider some access lists to control inbound and outbound traffic. It is always good to limit exposure when statically nat'ing a server to the Internet. Consider replacing the nat route maps:

    ip nat inside source static 10.1.1.1 194.72.X.X route-map outside_nat1
    ip nat inside source static 10.1.1.1 217.36.X.X route-map outside_nat2

    - with static nat statements for only the ports needed.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE

Share This Page

Loading...