Cisco 1721 with 2 link << routing seems failing

join2action
Level 1

Hello guys,

I've been facing a very interesting problem and have come here.

Our Cisco 1721 has 1 "FastEthernet 0" and 1 "Serial 0"; so far we didn't have any problem. Now, since we wanted to get another leased circuit from another ISP, we installed another serial card, "Serial 1" (the router provides 1 upgrade slot). We got a different set of IP pool (of a different series), DNS and gateway from this new ISP.

So here we've got two different sets of public IP pools, 2 different sets of DNS and 2 different gateways, and one internal network.

I was trying to set up the routing such that I could route from both of the 2 different series of private IP pool (inside our network) to these two ISP gateways. Our present ISP = VSNL -->> 203.197.03.33 up to 60 is the current IP pool the router is configured with. I created a secondary interface for this to route traffic through both interfaces.

Router#sh ver

Cisco Internetwork Operating System Software

IOS (tm) C1700 Software (C1700-Y-M), Version 12.2(4)YA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)........................

My previous one-ISP setting was working fine. I added a "route-map" to achieve this purpose and added the "serial1" route to the route list. What happened is that the routing through "serial 0", meaning the old ISP, didn't work. This is the present config I am trying to implement:

Router#sh run
Building configuration...

current configuration : 1809 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
interface Serial0
 ip address 202.54.52.29 255.255.255.252
 ip accounting output-packets
 ip nat outside
!
interface Serial1
 ip unnumbered FastEthernet0
!
ip nat pool search 203.197.103.33 203.197.103.60 netmask 255.255.255.224
ip nat inside source list 1 pool search overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 0.0.0.0 0.0.0.0 serial1
##ip route 0.0.0.0 0.0.0.0 202.54.52.30
##ip route 0.0.0.0 0.0.0.0 203.197.103.60
##ip route 203.197.103.128 255.255.255.128 Null0
no ip http server
!
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 103 permit ip 210.212.3.208 0.0.0.15 any
access-list 104 permit ip 203.197.103.32 0.0.0.31 any
route-map abc permit 10
 match ip address 103
 set ip next-hop 61.0.239.32
!
route-map abc permit 20
 match ip address 104
 set ip next-hop 202.54.52.30
!
line con 0
 exec-timeout 0 0
 password
 login
line aux 0
line vty 0 4
 password
 login
!
end

Router#

My 2 gateways:

isp0 --> serial 0 (202.54.52.29/30) --> gateway 202.54.52.30/30 (their end router)

ip pool = 203.197.103.33 to 60, dns = 202.54.9.1

isp1 --> serial 1 (210.212.3.210/28) --> gateway 61.0.239.32

ip pool = 210.212.3.208 to 223, dns = 61.0.0.106

The normal ip route (the one which is marked "##" in the above config) was working fine for the first ISP. They work fine on a single basis. But making them both work gives me strange behaviour.

I SAW THAT WITH THE ABOVE CONFIG ONLY serial 1 routing is successful, but the other network (192.168.100.0) is not connecting / routing. A traceroute from the internal network 192.XXXXX shows the packets trying to go to the 210.212.3.210 primary interface instead of their configured gateway, the secondary interface 192.168.100.254, and thus failing.

I'D BE GLAD TO REPLY WITH ANY FURTHER INFO IF SOMEONE ASKS FOR IT TO HELP SORT THIS OUT.

REGARDS..

Sanjay Saha

System Admin

Search Engine Ranking

3 Replies

Hello Sanjay,

I think something got lost when you pasted the configuration. Can you post it again?

Regards,

GP

Hi Pauwen,

This is the config I tried, and I found that the connection from serial 1 is working (I've confirmed from our new ISP that they've statically mapped our IP numbered interface (serial1) to their gateway router 61.0.239.32) and from serial 0 is not, while line protocol showed up for both:

Router#sh run
Building configuration...

Current configuration : 1934 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret X XXXXXXXXXXXXX>XXX.
!
ip subnet-zero
ip name-server 202.54.9.1
ip name-server 202.54.1.30
!
!
!
!
interface FastEthernet0
 ip address 192.168.100.254 255.255.255.0 secondary
 ip address 210.212.3.210 255.255.255.240
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0
 ip address 202.54.52.29 255.255.255.252
 ip accounting output-packets
 ip nat outside
!
interface Serial1
 ip unnumbered FastEthernet0
!
ip nat pool search 203.197.103.33 203.197.103.60 netmask 255.255.255.224
ip nat inside source list 1 pool search overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 0.0.0.0 0.0.0.0 Serial1
no ip http server
!
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 102 permit ip 203.197.103.32 0.0.0.31 any
access-list 103 permit ip 210.212.3.208 0.0.0.15 any
route-map abc permit 10
 match ip address 103
 set ip next-hop 61.0.239.32
!
banner motd ^Cotd=
****WARNING: THIS IS A PRIVATE NETWORK. UNAUTHORIZED USE IS PROHIBITED AND ALL ACTIVITIES ARE LOGGED.****^C
!
line con 0
 exec-timeout 0 0
 password X XXXXXXXXXXXX
 login
line aux 0
line vty 0 4
 password X XXXXXXXXXX
 login
!
end

-----------------

Before this integration I had this:

Router#sh run
Building configuration...

Current configuration : 1600 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret X XXXXXXXXXXXXXXXXXXXXx
!
ip subnet-zero
ip name-server 202.54.9.1
ip name-server 202.54.1.30
!
!
!
!
interface FastEthernet0
 ip address 203.200.168.81 255.255.255.252 secondary
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0
 ip address 202.54.52.29 255.255.255.252
 ip access-group 101 in
 ip accounting output-packets
 ip nat outside
!
ip nat pool search 203.197.103.33 203.197.103.60 netmask 255.255.255.224
ip nat inside source list 1 pool search overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 0.0.0.0 0.0.0.0 202.54.52.30
ip route 0.0.0.0 0.0.0.0 203.197.103.60 50
ip route 203.197.103.128 255.255.255.128 Null0
no ip http server
!
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 101 deny ip 203.197.103.128 0.0.0.127 any
access-list 101 deny ip 203.197.103.64 0.0.0.63 any
access-list 101 deny ip 203.197.103.0 0.0.0.31 any
access-list 101 permit ip any any
access-list 102 permit ip 203.197.103.32 0.0.0.31 any
access-list 102 permit tcp 203.197.103.32 0.0.0.31 any
access-list 102 permit udp 203.197.103.32 0.0.0.31 any
access-list 102 permit icmp 203.197.103.32 0.0.0.31 any
access-list 102 deny ip any any
access-list 102 deny tcp any any
access-list 102 deny udp any any
!
line con 0
 exec-timeout 0 0
 password X XXXXXXXXXXXXXXXXXXXX
 login
line aux 0
line vty 0 4
 password X XXXXXXXXXXXXXXXXXXXXXx
 login
!
no scheduler allocate
end

--------

The old config had no problem with one link. Is NAT overload (PAT, basically) playing any role?

I've not yet tested the setup with NAT removed from the config; maybe this coming Sunday I'll do this, of course only if I find no solution other than this.

Thank you for your interest, but that's what it is.

I'd be glad if you get back to me with any appropriate logic to make this work.

Regards..

--

SANJAY SAHA

Hi Pauwen ..,

*** THE ABOVE REPLY HAS A PASTE ***

*** PROBLEM AND A MINUTE MISTAKE ***

*** HAS OCCURRED. PLEASE FOLLOW THIS ***

This is the config I tried, and I found that the connection from serial 1 is working (I've confirmed from our new ISP that they've statically mapped our IP numbered interface (serial1) to their gateway router 61.0.239.32) and from serial 0 is not, while line protocol showed up for both:

Router#sh run
Building configuration...

Current configuration : 1934 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret X XXXXXXXXXXXXX>XXX.
!
ip subnet-zero
ip name-server 202.54.9.1
ip name-server 202.54.1.30
!
!
!
!
interface FastEthernet0
 ip address 192.168.100.254 255.255.255.0 secondary
 ip address 210.212.3.210 255.255.255.240
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0
 ip address 202.54.52.29 255.255.255.252
 ip accounting output-packets
 ip nat outside
!
interface Serial1
 ip unnumbered FastEthernet0
!
ip nat pool search 203.197.103.33 203.197.103.60 netmask 255.255.255.224
ip nat inside source list 1 pool search overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 0.0.0.0 0.0.0.0 Serial1
no ip http server
!
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 102 permit ip 203.197.103.32 0.0.0.31 any
access-list 103 permit ip 210.212.3.208 0.0.0.15 any
route-map abc permit 10
 match ip address 103
 set ip next-hop 61.0.239.32
!
route-map abc permit 20
 match ip address 102
 set ip next-hop 202.BB.CC.30
!
line con 0
 exec-timeout 0 0
 password X XXXXXXXXXXXX
 login
line aux 0
line vty 0 4
 password X XXXXXXXXXX
 login
!
end

-------------

202.BB.CC.30 is my ISP end router.

Before this integration I had this:

Router#sh run
Building configuration...

Current configuration : 1600 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret X XXXXXXXXXXXXXXXXXXXXx
!
ip subnet-zero
ip name-server 202.54.9.1
ip name-server 202.54.1.30
!
!
!
!
interface FastEthernet0
 ip address 203.200.168.81 255.255.255.252 secondary
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0
 ip address 202.54.52.29 255.255.255.252
 ip access-group 101 in
 ip accounting output-packets
 ip nat outside
!
ip nat pool search 203.197.103.33 203.197.103.60 netmask 255.255.255.224
ip nat inside source list 1 pool search overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 0.0.0.0 0.0.0.0 202.54.52.30
ip route 0.0.0.0 0.0.0.0 203.197.103.60 50
ip route 203.197.103.128 255.255.255.128 Null0
no ip http server
!
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 101 deny ip 203.197.103.128 0.0.0.127 any
access-list 101 deny ip 203.197.103.64 0.0.0.63 any
access-list 101 deny ip 203.197.103.0 0.0.0.31 any
access-list 101 permit ip any any
access-list 102 permit ip 203.197.103.32 0.0.0.31 any
access-list 102 permit tcp 203.197.103.32 0.0.0.31 any
access-list 102 permit udp 203.197.103.32 0.0.0.31 any
access-list 102 permit icmp 203.197.103.32 0.0.0.31 any
access-list 102 deny ip any any
access-list 102 deny tcp any any
access-list 102 deny udp any any
!
line con 0
 exec-timeout 0 0
 password X XXXXXXXXXXXXXXXXXXXX
 login
line aux 0
line vty 0 4
 password X XXXXXXXXXXXXXXXXXXXXXx
 login
!
no scheduler allocate
end

--------

This old config has some access-group / access-list entries that were needed when a trojan attack occurred last month. They don't belong to this problem.

The old config had no problem with one link. Is NAT overload (PAT, basically) playing any role?

I've not yet tested the setup with NAT removed from the config; maybe this coming Sunday I'll do this, of course only if I find no solution other than this.

Thank you for your interest, but that's what it is.

I'd be glad if you get back to me with any appropriate logic to make this work.

Regards..

--

SANJAY SAHA
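
A configuration check related to the thread above, as an added example that is not part of any post: on IOS a route-map only policy-routes traffic arriving on an interface that carries `ip policy route-map <name>`, so this Python sketch lists route-maps that are defined but never applied and ACLs a route-map matches but that are not defined. The function name `audit_policy_routing` is hypothetical, and the sample is a constructed excerpt of the corrected running-config posted in the thread.

```python
import re

# Constructed excerpt: policy-routing lines from the corrected config in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0
 ip address 192.168.100.254 255.255.255.0 secondary
 ip address 210.212.3.210 255.255.255.240
 ip nat inside
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 102 permit ip 203.197.103.32 0.0.0.31 any
access-list 103 permit ip 210.212.3.208 0.0.0.15 any
route-map abc permit 10
 match ip address 103
 set ip next-hop 61.0.239.32
!
route-map abc permit 20
 match ip address 102
 set ip next-hop 202.BB.CC.30
!
"""

def audit_policy_routing(config):
    """Return findings: route-maps never applied, ACLs matched but undefined."""
    defined_maps, applied_maps = set(), {}
    matched_acls, defined_acls = {}, set()
    context = None  # ("interface" | "route-map", name) of the current block
    for raw in config.splitlines():
        line = raw.strip()  # tolerate pastes that lost their indentation
        if m := re.match(r"interface (\S+)", line):
            context = ("interface", m.group(1))
        elif m := re.match(r"route-map (\S+) (?:permit|deny)", line):
            context = ("route-map", m.group(1))
            defined_maps.add(m.group(1))
        elif m := re.match(r"access-list (\d+) ", line):
            defined_acls.add(m.group(1))
        elif m := re.match(r"ip policy route-map (\S+)", line):
            if context and context[0] == "interface":
                applied_maps.setdefault(m.group(1), []).append(context[1])
        elif m := re.match(r"match ip address (.+)", line):
            if context and context[0] == "route-map":
                for acl in m.group(1).split():
                    matched_acls.setdefault(acl, context[1])
    findings = [f"route-map {name} is defined but not applied to any interface"
                for name in sorted(defined_maps - set(applied_maps))]
    findings += [f"route-map {rm} matches undefined access-list {acl}"
                 for acl, rm in sorted(matched_acls.items())
                 if acl not in defined_acls]
    return findings
```
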
