1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

POLICY BASED ROUTING HELP NEEDED !

Discussion in 'Routing & Switching' started by lowfell, Apr 25, 2007.

  1. lowfell

    lowfell Bit Poster

    10
    0
    2
    I have an 1841 router with two internet connections. One adsl & the other 2meg leased line.

    On the Inside of the 1841 is an ISA server with a 10.1.1.1 address

    Recently I configured POLICY BASED ROUTING so that Remote access users connect through to the
    ISA server through the leased line. The ISA's 10.1.1.1 is then natted to 194.XXX to go through the leased line
    ALL other traffic from the ISA is routed through the ADSL interface. This time the ISA 10.1.1.1 nats to 217.XXX

    There is also an OUTGOING PAT for internet traffic which nats ALL the 10.1.1.0 255.255.255.0 traffic against the ADSL interface of the router.

    We are now trying to invoke POLICY BASED ROUTING for a SITE TO SITE IPSEC vpn.
    I BELEIVE I HAVE CONFIGURED PBR TO ROUTE AND NAT DOWN THE LEASED LINE INTERFACE

    However when I look at the output of IP nat translations I only see a nat for the ISA against the ADSL interface & not tHE LEASED LINE INTERFACE from this config can anyone see why?

    BT-ADSL-GW#sho run
    Building configuration...

    Current configuration : 4025 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname BT-ADSL-GW
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 4096 debugging
    enable secret 5
    !
    no aaa new-model
    !
    resource policy
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    ip cef
    !
    !
    no ip dhcp use vrf connected
    !
    !
    no ip domain lookup
    ip domain name yourdomain.com
    !
    username privilege 15 password 0
    username password 0
    !
    !
    !
    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
    ip address 10.1.1.254 255.255.255.0
    ip nat inside
    ip policy route-map vpn_only
    duplex auto
    speed auto
    no cdp enable
    !
    interface FastEthernet0/1
    ip address 194.XXX 255.255.255.240 **********LEASED LINE**************
    ip nat outside
    speed 100
    full-duplex
    !
    interface ATM0/0/0
    no ip address
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface Dialer0
    ip address 217.xxxx 255.255.255.248 ****************ADSL LINE********************
    no ip unreachables
    ip nat outside
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname
    ppp chap password 0
    ppp pap sent-username
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 84.19.x.x 255.255.255.255 FastEthernet0/1 ***********VPN PEER*************
    ip route 87.246.76.147 255.255.255.255 FastEthernet0/1 *********VPN REMOTE ENC DOM********
    !
    no ip http server
    ip http authentication local
    ip http timeout-policy idle 5 life 86400 requests 10000
    ip nat inside source list 199 interface Dialer0 overload
    ip nat inside source static 10.1.1.1 194.xxxx route-map outside_nat1 *******nat for leased line*********
    ip nat inside source static 10.1.1.1 217.XXX route-map outside_nat2 *****nat for ADSL*****
    ip nat inside source static 10.1.1.2 XXXXX
    ip nat inside source static 10.1.1.3 xxxxx
    ip nat inside source static 10.1.1.4 xxxxx
    ip nat inside source static 10.1.1.5 xxxxx
    !
    access-list 23 remark Telnet Access
    access-list 23 permit
    access-list 23 permit
    access-list 23 permit 10.1.1.0 0.0.0.255
    access-list 101 permit tcp host 10.1.1.1 eq 1723 any
    access-list 101 permit gre any any
    access-list 101 permit esp any any
    access-list 101 permit ahp any any
    access-list 101 permit udp any eq isakmp any eq isakmp
    access-list 101 permit ip any host 84.XXXX *********VPN PEER***********
    access-list 102 deny tcp any eq 1723 any
    access-list 102 deny gre any any
    access-list 102 deny esp any any
    access-list 102 deny ahp any any
    access-list 102 deny udp any eq isakmp any eq isakmp
    access-list 102 permit ip host 10.1.1.1 any
    access-list 110 permit tcp host 10.1.1.1 eq 1723 any
    access-list 110 permit gre host 10.1.1.1 any
    access-list 110 permit esp host 10.1.1.1 any
    access-list 110 permit ahp host 10.1.1.1 any
    access-list 110 permit udp host 10.1.1.1 eq isakmp any eq isakmp
    access-list 110 permit ip any host 84.XXXX ********VPN PEER***********
    access-list 199 remark IP NAT
    access-list 199 deny esp any any log
    access-list 199 deny ip any host 87.XX.147 **********REMOTE ENC DOM*********
    access-list 199 permit ip 10.1.1.0 0.0.0.255 any
    access-list 199 deny ip any host 84.xx.90
    route-map vpn_only permit 10
    match ip address 110
    match interface FastEthernet0/1
    set ip next-hop 194.xxxx
    !
    route-map outside_nat1 permit 10
    match ip address 101
    match interface FastEthernet0/1
    !
    route-map outside_nat2 permit 10
    match ip address 102
    match interface Dialer0
    !
    !
    control-plane
    !
    banner motd ^CC
    ###########################################
    # For use by authorised personnel only. #
    # Improper use may result in prosecution. #
    ###########################################
    ^C
    !
    line con 0
    exec-timeout 30 0
    logging synchronous
    login local
    line aux 0
    line vty 0 4
    access-class 23 in
    exec-timeout 30 0
    privilege level 15
    logging synchronous
    login local
    transport input telnet
    line vty 5 15
    privilege level 15
    login local
    transport input telnet
    !
    end
     
  2. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    A few things:

    Check your show commands to see if there are any hits against the policy maps and access-lists.

    Since both access-list 101 and 110 have the following line:

    permit ip any host 84.XXXX

    - you can test the pbr by pinging the 84.XXX host (from a computer in the internal network) and watch what happens using debug ip icmp and debug ip policy.

    ** Note that before using debugs on production equipment make sure you have planned it out properly, eg have "un all" ready, terminal and logging settings appropriately configured, etc. You can also filter the debugs with an access-list to greatly reduce the output, I would recommend creating one to only capture debugs concerning the host computer you are using for testing. **

    Since it seems the leased line is used for vpn's only, you might consider static nat's without the route-map for interface f0/1. You will only need a few static nat statements for f0/1 to handle the site to site vpn. This will simplify the config and make troubleshooting easier.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  3. lowfell

    lowfell Bit Poster

    10
    0
    2
    I am unable to use any more static nats as the ONLY thing I have behind the router is the ISA server which is the 10.1.1.1 address

    So by using the PBR statements I nat 10.1.1.1 to for my vpn to 194.XXX

    & I nat 10.1.1.1 to 217.XXXX for the othe interface.

    I'm really stuck on this as we've now been looking at this for 3 days .

    Thanks in advance, you are a star Mr Weasel.
     

Share This Page

Loading...