08-02-2006 12:18 PM - edited 03-03-2019 04:20 AM
Just set up a 2801 router. We have a Serial interface card on it connected to a T1 and eth1 connected to DSL. We want to force web traffic (http, https, ftp) to use the DSL connection. I tried a simple access-list to allow http to the DSL and deny to the T1, however it didn't seem to work. Then I noticed that in the SDM it has "default" rules that always enable http. Do I need to disable the http server to get this access list to work, or is there an easier way to force web traffic to a specific interface?
Thanks in advance.
08-02-2006 12:26 PM
I think you are looking for policy base routing.
I'm not sure what the relation is between the http server on the device and your needs.
If you need to send web traffic to a specific interface, use something like:
access-list 100 permit tcp any any eq www
interface async 1
ip policy route-map route-web
!
route-map route-web permit 10
match ip address 100
set ip default next-hop 6.6.6.6
Vlad
08-02-2006 12:31 PM
I mentioned the http server because if that is disabled then the SDM won't be accessible via http.
I will try that route-map suggestion, thank you.
08-02-2006 08:12 PM
The HTTP you see on the SDM is to enable web access to the router. It has got nothing to do with the access-list statements you configure.
As suggested, use route-maps and force the http & https towards your preferred link and have a default route for the non-preferred one.
hth
Narayan
08-03-2006 03:33 PM
I have setup the route-map and the access-list as in your example, however it doesn't appear that any web traffic is being redirected to that interface, FE 0/1.
I also tried applying the route-map to the "inside" interface, FE 0/0, and that simply stopped all web traffic. I'm assuming the route-map needs to be applied to the "inside" interface.
08-03-2006 04:51 PM
It will be much easier to provide effective answers if you will post the config that you have been using. Based on your description of the symptoms but without seeing what is actually configured, we are not likely to find the right answer.
HTH
Rick
08-04-2006 03:08 AM
Why wouldn't you just point a static default route out of that interface to be used for internet?
08-04-2006 03:54 AM
Here is one example config which I used and it works fine:
STM :- 10.10.10.1/30
DSL :- 20.20.20.1/30
LAN Pool from STM - 100.100.100.0/28
LAN Pool from DSL - 200.200.200.0/28
your router IPs
towards STM - 10.10.10.2/30
towards DSL - 20.20.20.2/30
route-map toDSL permit 1
match ip address 111
set ip next-hop 20.20.20.1
access-list 111 permit tcp any any eq www
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 200.200.200.0 255.255.255.240
interface ethernet 0/1
ip address 100.100.100.1 255.255.255.240
ip policy route-map toDSL
HTH
Narayan
08-04-2006 09:39 AM
I setup the route-map and access-list and applied it to FE 0/1 (DSL connection), however it still appears nothing is going through that interface. When I monitor it in the SDM, it shows 0% bandwidth usage.
Just to double check I unplugged the DSL to see if web traffic stopped, but it was still going, I assume through the T1 at S 0/2/0.
FE 0/0 goes to our fw, then to lan
FE 0/1 goes to DSL
S 0/2/0 goes to T1
Here is my config:
router#show run
Building configuration...
Current configuration : 4506 bytes
!
! Last configuration change at 10:29:45 MDT Fri Aug 4 2006 by admin
! NVRAM config last updated at 15:17:31 MDT Thu Aug 3 2006 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
boot-start-marker
boot system flash c2801-ipbasek9-mz.124-8.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$EWDt$pvWzeNhilneb/EUJosxlv0
!
no aaa new-model
!
resource policy
!
clock timezone MDT -7
clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
!
!
no ip bootp server
ip name-server 198.60.22.2
ip name-server 198.60.22.22
!
username admin privilege 15 secret 5 $1$TF47$aa8RLf18isZxIwjOKfdmZ.
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 199.104.124.210 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $FW_OUTSIDE$$ETH-LAN$
ip address 192.168.2.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip policy route-map toDSL
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/2/0
ip address 204.228.133.46 255.255.255.252
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip route-cache flow
!
ip route 0.0.0.0 0.0.0.0 204.228.133.45
ip route 192.168.2.0 255.255.255.0 192.168.2.1
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging trap debugging
access-list 111 permit tcp any any eq www
no cdp run
route-map toDSL permit 1
match ip address 111
set ip next-hop 192.168.2.1
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
exec-timeout 30 0
privilege level 15
login local
transport input ssh
transport output ssh
line vty 5 15
access-class 102 in
privilege level 15
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178101
ntp update-calendar
ntp server 198.60.22.240 source Serial0/2/0
end
08-04-2006 09:59 AM
Ron
Thanks for the additional detail. It is helpful.
For Policy Based Routing (which is what you are doing) the route map in the policy is applied to the interface where traffic enters the router. And you have applied it on the interface where traffic exits the router. So move the:
ip policy route-map toDSL
from fastethernet0/1 to fastethernet0/0.
Try that and let us know what happens.
Also with the route map and Policy Based Routing if you do unplug the DSL it is not that the WWW traffic would be denied, it would simply route out the normal interface. So your attempt to test does not really prove anything.
HTH
Rick
08-05-2006 09:41 AM
Hi
The policy map has to be applied to the inside interface of the router, and you can check whether it's working by looking at the hit counts in the access-list.
And if you want to deny your WWW traffic when the DSL goes down, you have to put another access-list which denies them and apply it on the interface connecting to the T1.
Narayan
08-05-2006 10:40 AM
I think the problem is with the DSL.
I applied the route-map to FE 0/0 (inside), yet I still see no traffic on FE 0/1 (dsl). I unplugged the T1 (S 0/2/0) and all web traffic stopped, so it appears all http is going out the serial interface, not the Fast Ethernet 0/1 connected to the DSL.
What is strange is that I can ping the ethernet side of the DSL at 192.168.0.1 from the cli of the router... If I connect a laptop to the same cable going into FE 0/1 (going to the DSL) I'm online no problem.
Yes, once I get this working I plan on creating a rule to disallow all web traffic via the T1. I just want it going out the DSL.
Oh, I also removed all routes, then created a default route going out FE 0/1 (DSL) and all traffic stopped.
I get link and activity lights on both the 2801 and on the DSL modem when the cable is connected. I can ping the ethernet side of the DSL from the 2801.
What am I missing?
I really don't want to call Qwest, as I'm sure they will just say the router is configured incorrectly.
08-05-2006 11:01 AM
Hello,
Just a thought, but can you check the config of the device with IP address 192.168.2.1, the next hop for your WWW traffic? Since this is a private space address, I am thinking that NAT must occur on that router; maybe the NAT only applies to private space addresses, and not to 199.104.124.210/28 addresses, which are used on your inside interface.
Regards,
GNT
08-06-2006 01:28 PM
Ron
I believe that the explanation of what happened when you unplugged the serial is in looking at your routing logic. Your config includes 2 static routes:
ip route 0.0.0.0 0.0.0.0 204.228.133.45
ip route 192.168.2.0 255.255.255.0 192.168.2.1
If you unplug the serial then the default route becomes unworkable and traffic has no way to get out (other than the policy based routing - which is not working).
I believe one thing to explore is whether the next hop from FastEthernet0/1 has a route back to the subnet of your FastEthernet0/1. You say that you can ping the next hop from the router and that if you plug a PC into that DSL it can function well. But both of those will be using 192.168.2.2 as the source address. I suggest that you test using an extended ping. In the extended ping specify the destination as the next hop address of 192.168.2.1 and specify the source address (in the extended commands) as the FastEthernet0/0 address. I suspect that this extended ping may fail. (as a detail your following post is talking about 192.168.0.x addresses but the config that you posted earlier has 192.168.2.x addresses. I hope this was just an oversight in the posting.)
It might also be useful to turn on debug for policy based routing, try a WWW connection from a PC on the FastEthernet0/0 and post the debug output.
HTH
Rick
08-07-2006 12:07 PM
To answer your questions:
The 2Wire DSL modem has no way to configure NAT. I spoke with their tech support who indicated it is always natted.
I tried the extended ping from S 0/2/0 and from FE 0/0, and it worked.
I enabled debugging for the policy route-map, however there was no output.
While I was speaking with the 2Wire tech, he indicated that I should be using transparent bridging so that the Cisco could connect through the modem via PPPoE. We set the modem to use transparent bridging, and tested it by creating and using a PPPoE connection on a laptop, and it worked fine.
At this point I feel I have a good understanding of policy based routing, and how to filter traffic towards specific interfaces. I really appreciate everyone's input on this.
My quandary now is to confirm whether or not the PPPoE connection is working. I applied the changes to my config to enable the PPPoE connection, however when I apply the policy route-map, http traffic stops.
Here is what has been changed/added:
interface FastEthernet0/1
description $FW_OUTSIDE$$ETH-LAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
no mop enabled
!
!
interface Dialer1
description Qwest DSL
ip address negotiated
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username username password 7 password
!
ip route 0.0.0.0 0.0.0.0 204.228.133.45
!
logging trap debugging
access-list 100 permit tcp any any eq 443
access-list 111 permit tcp any any eq www
no cdp run
route-map toDSL permit 1
match ip address 111
set interface Dialer1
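Putting the thread's corrections together, here is an added example configuration (written for this page, not any poster's own config) with the policy applied on the ingress interface FastEthernet0/0 as Rick describes, one ACL that catches http, https and ftp (the posted route-map matches only ACL 111, so ACL 100 for port 443 is never used), the PPPoE Dialer1 as the policy exit, NAT on the DSL link as GNT's post implies, and the outbound filter on the T1 that Narayan suggested. Interface names and the 199.104.124.208/28 subnet come from the posted config; the ACL names and the assumption that the DSL provider only routes the negotiated Dialer1 address are mine.

```cisco
! Added example (not from the thread): steer web traffic out Dialer1 with PBR.
!
! One list for everything to steer. Passive-mode FTP data connections use
! ephemeral ports and are not matched by the ftp-data entry.
ip access-list extended WEB-TO-DSL
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
!
route-map toDSL permit 10
 match ip address WEB-TO-DSL
 set interface Dialer1
!
! PBR is evaluated where packets enter the router, so it belongs on the
! firewall/LAN-facing interface, not on the DSL side.
interface FastEthernet0/0
 ip policy route-map toDSL
 ip nat inside
!
interface FastEthernet0/1
 no ip policy route-map toDSL
!
! Assumption: the DSL provider only routes the negotiated Dialer1 address,
! so LAN sources are translated on this link only. Traffic leaving via the
! T1 is untouched because Serial0/2/0 is not a NAT outside interface.
interface Dialer1
 ip nat outside
ip access-list extended LAN-SOURCES
 permit ip 199.104.124.208 0.0.0.15 any
ip nat inside source list LAN-SOURCES interface Dialer1 overload
!
! When the DSL is down PBR falls back to the routing table and web traffic
! leaves by the T1; block and log it there if that is not wanted.
ip access-list extended NO-WEB-ON-T1
 deny   tcp any any eq www log
 deny   tcp any any eq 443 log
 deny   tcp any any eq ftp log
 permit ip any any
interface Serial0/2/0
 ip access-group NO-WEB-ON-T1 out
!
! Verification: these counters must increase while a LAN host browses;
! "debug ip policy" prints each policy decision.
! show route-map toDSL
! show access-lists WEB-TO-DSL
! show ip interface FastEthernet0/0 | include Policy
```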