POLICY BASED ROUTING HELP NEEDED !

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

I have an 1841 router with two internet connections. One adsl & the other 2meg leased line.

On the Inside of the 1841 is an ISA server with a 10.1.1.1 address

Recently I configured POLICY BASED ROUTING so that Remote access users connect through to the
ISA server through the leased line. The ISA's 10.1.1.1 is then natted to 194.XXX to go through the leased line
ALL other traffic from the ISA is routed through the ADSL interface. This time the ISA 10.1.1.1 nats to 217.XXX

There is also an OUTGOING PAT for internet traffic which nats ALL the 10.1.1.0 255.255.255.0 traffic against the ADSL interface of the router.

We are now trying to invoke POLICY BASED ROUTING for a SITE TO SITE IPSEC vpn.
I BELEIVE I HAVE CONFIGURED PBR TO ROUTE AND NAT DOWN THE LEASED LINE INTERFACE

However when I look at the output of IP nat translations I only see a nat for the ISA against the ADSL interface & not tHE LEASED LINE INTERFACE from this config can anyone see why?

BT-ADSL-GW#sho run
Building configuration...

Current configuration : 4025 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BT-ADSL-GW
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip domain lookup
ip domain name yourdomain.com
!
username privilege 15 password 0
username password 0
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 10.1.1.254 255.255.255.0
ip nat inside
ip policy route-map vpn_only
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 194.XXX 255.255.255.240 **********LEASED LINE**************
ip nat outside
speed 100
full-duplex
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address 217.xxxx 255.255.255.248 ****************ADSL LINE********************
no ip unreachables
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 0
ppp pap sent-username
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 84.19.x.x 255.255.255.255 FastEthernet0/1 ***********VPN PEER*************
ip route 87.246.76.147 255.255.255.255 FastEthernet0/1 *********VPN REMOTE ENC DOM********
!
no ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 199 interface Dialer0 overload
ip nat inside source static 10.1.1.1 194.xxxx route-map outside_nat1 *******nat for leased line*********
ip nat inside source static 10.1.1.1 217.XXX route-map outside_nat2 *****nat for ADSL*****
ip nat inside source static 10.1.1.2 XXXXX
ip nat inside source static 10.1.1.3 xxxxx
ip nat inside source static 10.1.1.4 xxxxx
ip nat inside source static 10.1.1.5 xxxxx
!
access-list 23 remark Telnet Access
access-list 23 permit
access-list 23 permit
access-list 23 permit 10.1.1.0 0.0.0.255
access-list 101 permit tcp host 10.1.1.1 eq 1723 any
access-list 101 permit gre any any
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any eq isakmp any eq isakmp
access-list 101 permit ip any host 84.XXXX *********VPN PEER***********
access-list 102 deny tcp any eq 1723 any
access-list 102 deny gre any any
access-list 102 deny esp any any
access-list 102 deny ahp any any
access-list 102 deny udp any eq isakmp any eq isakmp
access-list 102 permit ip host 10.1.1.1 any
access-list 110 permit tcp host 10.1.1.1 eq 1723 any
access-list 110 permit gre host 10.1.1.1 any
access-list 110 permit esp host 10.1.1.1 any
access-list 110 permit ahp host 10.1.1.1 any
access-list 110 permit udp host 10.1.1.1 eq isakmp any eq isakmp
access-list 110 permit ip any host 84.XXXX ********VPN PEER***********
access-list 199 remark IP NAT
access-list 199 deny esp any any log
access-list 199 deny ip any host 87.XX.147 **********REMOTE ENC DOM*********
access-list 199 permit ip 10.1.1.0 0.0.0.255 any
access-list 199 deny ip any host 84.xx.90
route-map vpn_only permit 10
match ip address 110
match interface FastEthernet0/1
set ip next-hop 194.xxxx
!
route-map outside_nat1 permit 10
match ip address 101
match interface FastEthernet0/1
!
route-map outside_nat2 permit 10
match ip address 102
match interface Dialer0
!
!
control-plane
!
banner motd ^CC
###########################################
# For use by authorised personnel only. #
# Improper use may result in prosecution. #
###########################################
^C
!
line con 0
exec-timeout 30 0
logging synchronous
login local
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 30 0
privilege level 15
logging synchronous
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
end

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

A few things:

Check your show commands to see if there are any hits against the policy maps and access-lists.

Since both access-list 101 and 110 have the following line:

permit ip any host 84.XXXX

- you can test the pbr by pinging the 84.XXX host (from a computer in the internal network) and watch what happens using debug ip icmp and debug ip policy.

** Note that before using debugs on production equipment make sure you have planned it out properly, eg have "un all" ready, terminal and logging settings appropriately configured, etc. You can also filter the debugs with an access-list to greatly reduce the output, I would recommend creating one to only capture debugs concerning the host computer you are using for testing. **

Since it seems the leased line is used for vpn's only, you might consider static nat's without the route-map for interface f0/1. You will only need a few static nat statements for f0/1 to handle the site to site vpn. This will simplify the config and make troubleshooting easier.

Spice_Weasel

 

I am unable to use any more static nats as the ONLY thing I have behind the router is the ISA server which is the 10.1.1.1 address

So by using the PBR statements I nat 10.1.1.1 to for my vpn to 194.XXX

& I nat 10.1.1.1 to 217.XXXX for the othe interface.

I'm really stuck on this as we've now been looking at this for 3 days .

Thanks in advance, you are a star Mr Weasel.