C876 port forwarding stops working when applying PBR

Hello to all,

I have a C876 running the 12.4(24)T4 Advanced Enterprise Services IOS. I'm trying to load share the traffic destined to the Internet between two (2) Internet connections.

One Internet connection is on the ATM0 - Dialer0 interface and the second is on VLAN2 (VLAN2 is connected to a Baudtec router that connects to a second aDSL line).

The way I want to load share the traffic is to send all mail traffic through Dialer0 and all the rest through VLAN2.

My LAN sits on VLAN1 where I have a mail server, so I need the Internet to be able to see it. Therefore I need to port forward the ports my server listens on.

My problem is that every time I apply the policy route-map PBR to the VLAN1 interface, the port forwarding stops working and as a consequence the Internet doesn't see my mail server.

Can someone go through my configuration and tell me what I'm doing wrong? Thanks in advance for any answers.

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Milopoulos
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password ***omitted***
!
aaa new-model
!
!
aaa authentication login vpncllogin local
aaa authorization network vpnclautho local
!
!
aaa session-id common
clock timezone UTC 2
clock summer-time DST recurring last Sun Mar 1:00 last Sun Oct 1:00
clock save interval 12
!
crypto pki trustpoint TP-self-signed-***omitted***
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-***omitted***
revocation-check none
rsakeypair TP-self-signed-***omitted***
!
!
crypto pki certificate chain TP-self-signed-***omitted***
certificate self-signed 01
  ***omitted***
        quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip name-server 195.170.0.1
ip name-server 195.170.2.2
no ipv6 cef
!
multilink bundle-name authenticated
!
isdn switch-type basic-net3
!
!
username ***omitted*** password ***omitted***
username ***omitted*** password ***omitted***
username ***omitted*** password ***omitted***
username ***omitted*** password ***omitted***
username ***omitted*** privilege 15 password ***omitted***
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp policy 20
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 30
!
crypto isakmp client configuration group ***omitted***
key ***omitted***
dns 195.170.0.2 195.170.2.2
pool vpnclientspool
acl ACLVPN
save-password
include-local-lan
crypto isakmp profile vpnclientprf
   match identity group ***omitted***
   client authentication list vpncllogin
   isakmp authorization list vpnclautho
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto ipsec profile DVTI
set transform-set TS
set isakmp-profile vpnclientprf
!
!
archive
log config
  hidekeys
!
!
!
track 1 interface Dialer0 ip routing
!
track 2 ip sla 3 reachability
!
!
!
interface Null0
no ip unreachables
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
isdn tei-negotiation preserve
isdn point-to-point-setup
!
interface ATM0
bandwidth inherit 1024
bandwidth receive inherit 24000
backup delay 3 3
backup interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel source Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile DVTI
!
interface Vlan1
description *** INSIDE ***
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan2
description *** OUTSIDE 2ND WAN ***
ip address 10.0.0.1 255.255.255.0
ip access-group WAN2_Inbound in
ip virtual-reassembly
!
interface Dialer0
description *** OUTSIDE 1ST WAN ***
ip address negotiated
ip access-group WAN1_Inbound in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 270
dialer string ***omitted***
dialer-group 1
keepalive 5 2
ppp chap hostname ***omitted***
ppp chap password ***omitted***
ppp pap sent-username ***omitted*** password ***omitted***
!
ip local pool vpnclientspool 192.168.2.1 192.168.2.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 10.0.0.2 track 2
ip route ***2ndWANipAddress*** 255.255.255.255 10.0.0.2
ip http server
ip http access-class 23
ip http secure-server
!
!
ip dns server
ip nat inside source route-map Dialer0PAT interface Dialer0 overload
ip nat inside source static tcp 192.168.1.10 25 ***Dialer0ipAddress*** 25 route-map Dialer0PAT extendable
ip nat inside source static tcp 192.168.1.10 443 ***Dialer0ipAddress*** 443 route-map Dialer0PAT extendable
ip nat inside source static tcp 192.168.1.10 465 ***Dialer0ipAddress*** 465 route-map Dialer0PAT extendable
ip nat inside source static tcp 192.168.1.10 563 ***Dialer0ipAddress*** 563 route-map Dialer0PAT extendable
ip nat inside source static tcp 192.168.1.10 636 ***Dialer0ipAddress*** 636 route-map Dialer0PAT extendable
ip nat inside source static tcp 192.168.1.10 993 ***Dialer0ipAddress*** 993 route-map Dialer0PAT extendable
ip nat inside source static tcp 192.168.1.10 995 ***Dialer0ipAddress*** 995 route-map Dialer0PAT extendable
!
ip access-list extended ACLVPN
remark --- VPN IPSec traffic to permit to VPN clients
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
remark ---------------------------------------------------------------
ip access-list extended PAT
remark --- NAT overload
deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
deny   ip any any
remark ---------------------------------------------------------------
ip access-list extended TrafficShape1
remark --- Deny traffic to the VPN
deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
remark --- Allow DNS
permit udp host 192.168.1.10 any eq domain
permit udp host 192.168.1.10 eq domain any eq domain
remark --- Allow SMTP and SMTPS
permit tcp 192.168.1.0 0.0.0.255 any eq smtp
permit tcp 192.168.1.0 0.0.0.255 any eq 465
remark --- Allow POP3 and POP3S
permit tcp 192.168.1.0 0.0.0.255 any eq pop3
permit tcp 192.168.1.0 0.0.0.255 any eq 995
remark --- Block all other traffic
deny   ip any any
remark ---------------------------------------------------------------
ip access-list extended TrafficShape2
remark --- Deny traffic to the VPN
deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
remark --- Block SMTP and SMTPS
deny   tcp 192.168.1.0 0.0.0.255 any eq smtp
deny   tcp 192.168.1.0 0.0.0.255 any eq 465
remark --- Block POP3 and POP3S
deny   tcp 192.168.1.0 0.0.0.255 any eq pop3
deny   tcp 192.168.1.0 0.0.0.255 any eq 995
remark --- Allow all other traffic
permit ip any any
remark ---------------------------------------------------------------
ip access-list extended WAN1_Inbound
remark --- Phase 1 . Add anti-spoofing entries.
remark --- Deny special-use address sources.
remark --- See RFC 3330 for additional special-use addresses.
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 192.0.2.0 0.0.0.255 any
deny   ip 224.0.0.0 31.255.255.255 any
deny   ip host 255.255.255.255 any
deny   ip host 0.0.0.0 any
remark --- Filter RFC 1918 space.
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
remark --- Deny your space as source (as noted in RFC 2827).
deny   ip 192.168.1.0 0.0.0.255 any
deny   ip 192.168.2.0 0.0.0.255 any
remark --- Phase 2 . Explicitly permit return traffic.
remark --- Allow specific ICMP types.
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
deny   icmp any any
remark --- These are outgoing DNS queries.
permit udp any eq domain host ***Dialer0ipAddress*** gt 1023
remark --- Permit older DNS queries and replies to primary DNS server.
permit udp any eq domain host ***Dialer0ipAddress*** eq domain
remark --- Permit legitimate business traffic.
permit tcp any host ***Dialer0ipAddress*** established
permit udp any range 1 1023 host ***Dialer0ipAddress*** gt 1023
remark --- Allow outgoing IPSec VPN traffic
permit udp any eq isakmp host ***Dialer0ipAddress***
permit udp any eq non500-isakmp host ***Dialer0ipAddress***
remark --- Explicitly permit externally sourced traffic.
remark --- These are incoming DNS queries.
permit udp any gt 1023 host ***Dialer0ipAddress*** eq domain
remark --- These are zone transfer DNS queries to primary DNS server.
permit tcp host 195.170.0.1 gt 1023 host ***Dialer0ipAddress*** eq domain
permit tcp host 195.170.2.2 gt 1023 host ***Dialer0ipAddress*** eq domain
remark --- Permit older DNS zone transfers.
permit tcp host 195.170.0.1 eq domain host ***Dialer0ipAddress*** eq domain
permit tcp host 195.170.2.2 eq domain host ***Dialer0ipAddress*** eq domain
remark --- Deny all other DNS traffic.
deny   udp any any eq domain
deny   tcp any any eq domain
remark --- Allow incoming IPSec VPN traffic.
permit udp any host ***Dialer0ipAddress*** eq isakmp
permit udp any host ***Dialer0ipAddress*** eq non500-isakmp
permit esp any host ***Dialer0ipAddress***
permit ahp any host ***Dialer0ipAddress***
remark --- These are Internet-sourced connections to
remark --- publicly accessible servers.
remark --- Allow incoming SMTP, HTTPS, SMTPS, NTTPS, LDAPS, IMAPS
permit tcp any host ***Dialer0ipAddress*** eq smtp
permit tcp any host ***Dialer0ipAddress*** eq 443
permit tcp any host ***Dialer0ipAddress*** eq 465
permit tcp any host ***Dialer0ipAddress*** eq 563
permit tcp any host ***Dialer0ipAddress*** eq 636
permit tcp any host ***Dialer0ipAddress*** eq 993
remark --- Explicitly deny all other traffic.
deny   ip any any
remark ---------------------------------------------------------------
ip access-list extended WAN2_Inbound
remark --- Phase 1 . Add anti-spoofing entries.
remark --- Deny special-use address sources.
remark --- See RFC 3330 for additional special-use addresses.
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 192.0.2.0 0.0.0.255 any
deny   ip 224.0.0.0 31.255.255.255 any
deny   ip host 255.255.255.255 any
deny   ip host 0.0.0.0 any
remark --- Filter RFC 1918 space.
permit ip host 10.0.0.2 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
remark --- Deny your space as source (as noted in RFC 2827).
deny   ip 192.168.1.0 0.0.0.255 any
deny   ip 192.168.2.0 0.0.0.255 any
remark --- Phase 2 . Explicitly permit return traffic.
remark --- Allow specific ICMP types.
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
deny   icmp any any
remark --- These are outgoing DNS queries.
permit udp any eq domain host 192.168.1.10 gt 1023
remark --- Permit older DNS queries and replies to primary DNS server.
permit udp any eq domain host 192.168.1.10 eq domain
remark --- Permit legitimate business traffic.
permit tcp any host 192.168.1.10 established
permit udp any range 1 1023 host 192.168.1.10 gt 1023
remark --- Allow outgoing IPSec VPN traffic
permit udp any eq isakmp any
permit udp any eq non500-isakmp any
remark --- Explicitly permit externally sourced traffic.
remark --- These are incoming DNS queries.
permit udp any gt 1023 host 192.168.1.10 eq domain
remark --- These are zone transfer DNS queries to primary DNS server.
permit tcp host 195.170.0.1 gt 1023 host 192.168.1.10 eq domain
permit tcp host 195.170.2.2 gt 1023 host 192.168.1.10 eq domain
remark --- Permit older DNS zone transfers.
permit tcp host 195.170.0.1 eq domain host 192.168.1.10 eq domain
permit tcp host 195.170.2.2 eq domain host 192.168.1.10 eq domain
remark --- Deny all other DNS traffic.
deny   udp any any eq domain
deny   tcp any any eq domain
remark --- These are Internet-sourced connections to
remark --- publicly accessible servers.
remark --- Allow incoming SMTP, HTTPS, SMTPS, NTTPS, LDAPS, IMAPS
permit tcp any host 192.168.1.10 eq smtp
permit tcp any host 192.168.1.10 eq 443
permit tcp any host 192.168.1.10 eq 465
permit tcp any host 192.168.1.10 eq 563
permit tcp any host 192.168.1.10 eq 636
permit tcp any host 192.168.1.10 eq 993
remark --- Explicitly deny all other traffic.
deny   ip any any
remark ---------------------------------------------------------------
!
ip sla 3
icmp-echo ***2ndWANipAddress*** source-interface Vlan2
ip sla schedule 3 life forever start-time now
access-list 23 remark >>> HTTP and LINE VTY Access-class list <<<
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.2.0 0.0.0.255
access-list 23 deny   any
access-list 23 remark ----------
dialer-list 1 protocol ip permit
!
!
!
!
route-map PBR permit 10
match ip address TrafficShape1
set ip next-hop verify-availability 80.106.108.152 10 track 1
set ip next-hop verify-availability 10.0.0.2 20 track 2
!
route-map PBR permit 20
match ip address TrafficShape2
set ip next-hop verify-availability 10.0.0.2 10 track 2
set ip next-hop verify-availability 80.106.108.152 20 track 1
!
route-map PBR permit 30
!
route-map Dialer0PAT permit 10
match ip address PAT
match interface Dialer0
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
login authentication vpncllogin
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
privilege level 15
login authentication vpncllogin
!
scheduler max-task-time 5000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
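The following is an added example, not code from the post, from Cisco, or output of the router: a small Python model of IOS first-match extended-ACL evaluation and route-map sequence selection, loaded with the TrafficShape1/TrafficShape2 ACLs and the PBR route-map exactly as posted, and run over three constructed packets entering Vlan1 (a LAN client sending SMTP, a LAN client browsing HTTPS, and the mail server answering an inbound SMTP session). It models only the ACL syntax the config uses (ip/tcp/udp, wildcard masks, host/any, "eq <port>"), assumes both tracked next hops are up, and the 203.0.113.5 Internet host and the client ports are made up. The SERVER_EXCLUSION entries are my assumed remedy, not something the thread confirms.

```python
# Added example, not from the forum post or from Cisco IOS: a small model of IOS
# first-match ACL evaluation and route-map sequence selection, run over constructed
# packets entering Vlan1 to see which PBR sequence each one hits. Only the ACL syntax
# the posted config uses is modelled (ip/tcp/udp, wildcard masks, host/any,
# "eq <port>"), and both tracked next hops are assumed to be up.
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport")   # proto: "tcp"/"udp"/"icmp"
PORT_NAMES = {"smtp": 25, "pop3": 110, "domain": 53}         # names the posted ACLs use

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return ((addr, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _parse_port(tok, i):
    """Parse an optional 'eq <port>' at tok[i]; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_acl(text):
    """Turn the body of an 'ip access-list extended' block into (permit, proto, src, sport, dst, dport) rules."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok and tok[0] != "remark":
            src, i = _parse_addr(tok, 2)
            sport, i = _parse_port(tok, i)
            dst, i = _parse_addr(tok, i)
            dport, _ = _parse_port(tok, i)
            rules.append((tok[0] == "permit", tok[1], src, sport, dst, dport))
    return rules

def _addr_matches(spec, ip):
    addr, wildcard = spec
    # IOS wildcard: 1 bits are "don't care", so only the 0 bits have to agree.
    return (_ip(ip) ^ addr) & (~wildcard & 0xFFFFFFFF) == 0

def acl_permits(rules, pkt):
    """First matching entry decides; an ACL that matches nothing denies implicitly."""
    for permit, proto, src, sport, dst, dport in rules:
        if proto in ("ip", pkt.proto) \
                and _addr_matches(src, pkt.src) and _addr_matches(dst, pkt.dst) \
                and sport in (None, pkt.sport) and dport in (None, pkt.dport):
            return permit
    return False

def pbr_next_hop(route_map, acls, pkt):
    """Return (sequence, next hop) of the first sequence whose match ACL permits the packet.
    No match clause matches everything; no set clause means normal destination-based routing."""
    for seq, acl, next_hop in route_map:
        if acl is None or acl_permits(acls[acl], pkt):
            return seq, next_hop
    return None, "normal routing"

# The two ACLs and the PBR route-map as posted (remarks dropped).
TRAFFICSHAPE1 = """
deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit udp host 192.168.1.10 any eq domain
permit udp host 192.168.1.10 eq domain any eq domain
permit tcp 192.168.1.0 0.0.0.255 any eq smtp
permit tcp 192.168.1.0 0.0.0.255 any eq 465
permit tcp 192.168.1.0 0.0.0.255 any eq pop3
permit tcp 192.168.1.0 0.0.0.255 any eq 995
deny   ip any any
"""
TRAFFICSHAPE2 = """
deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny   tcp 192.168.1.0 0.0.0.255 any eq smtp
deny   tcp 192.168.1.0 0.0.0.255 any eq 465
deny   tcp 192.168.1.0 0.0.0.255 any eq pop3
deny   tcp 192.168.1.0 0.0.0.255 any eq 995
permit ip any any
"""
# Assumed remedy (not on the page): exclude the server's own replies, which carry its
# listening port as *source* port, so they fall through to sequence 30 and route normally.
SERVER_EXCLUSION = "\n".join(f"deny tcp host 192.168.1.10 eq {p} any" for p in (25, 443, 465, 563, 636, 993, 995))
ACLS = {"TrafficShape1": parse_acl(TRAFFICSHAPE1), "TrafficShape2": parse_acl(TRAFFICSHAPE2)}
ACLS_FIXED = {"TrafficShape1": parse_acl(TRAFFICSHAPE1),
              "TrafficShape2": parse_acl(SERVER_EXCLUSION + TRAFFICSHAPE2)}
PBR = [(10, "TrafficShape1", "80.106.108.152 via Dialer0"),
       (20, "TrafficShape2", "10.0.0.2 via Vlan2"),
       (30, None, "normal routing")]
# Constructed packets; 203.0.113.5 is a documentation address standing in for an Internet host.
CLIENT_SMTP = Packet("tcp", "192.168.1.50", "203.0.113.5", 51000, 25)   # LAN host sending mail
CLIENT_WEB = Packet("tcp", "192.168.1.50", "203.0.113.5", 51001, 443)   # LAN host browsing
SERVER_REPLY = Packet("tcp", "192.168.1.10", "203.0.113.5", 25, 40000)  # server answering inbound SMTP

def classify(pkt, acls=ACLS):
    return pbr_next_hop(PBR, acls, pkt)

if __name__ == "__main__":
    for name, pkt in (("client SMTP", CLIENT_SMTP), ("client HTTPS", CLIENT_WEB), ("server reply", SERVER_REPLY)):
        print(f"{name:13s} -> seq {classify(pkt)[0]}: {classify(pkt)[1]}   (with exclusion: seq {classify(pkt, ACLS_FIXED)[0]})")
```

What the model shows is that every entry in TrafficShape1 and TrafficShape2 matches on the destination port, while the mail server's replies to Internet-sourced connections carry the listening port (25, 443, 465, ...) as their source port and an ephemeral destination port. Such a reply matches nothing in TrafficShape1, then matches the final `permit ip any any` of TrafficShape2, so sequence 20 sets next-hop 10.0.0.2 and the reply leaves via Vlan2 rather than back through Dialer0, where the static NAT entries and `ip nat outside` live. If that is what happens on the router (my reading of the config; the thread does not confirm it), the reply reaches the Internet client from the second line's address and the connection fails, which fits the symptom of port forwarding breaking only when `ip policy route-map PBR` is applied. Two checks that would confirm or rule this out on the device are the per-sequence counters in `show route-map PBR` while an inbound connection is attempted, and `debug ip policy` on a quiet router, which logs the sequence and next hop chosen for each policy-routed packet.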

3 Replies

Richard Burts
Hall of Fame

Michael

The way your post is formatted results in truncation of lines in the config beyond a certain length, which included the port forwarding lines. So I cannot be quite clear what you are doing there, and therefore not sure whether there may be some issue with that part of the configuration.

The first and most important issue that I notice is that you do provide address translation for traffic through the dialer interface. But there is no translation for traffic going out the vlan2 interface. Are we to assume that the Baudtec router is doing the address translation? And if so, the question becomes whether the Baudtec router has a route for the 192.168.1.0 network.

HTH

Rick

Hi Rick, thanks for the reply,

The lines that are truncated are the following:

ip nat inside source route-map Dialer0PAT interface Dialer0 overload
ip nat inside source static tcp 192.168.1.10 25 ***Dialer0ipAddress*** 25 route-map Dialer0PAT extendable
ip nat inside source static tcp 192.168.1.10 443 ***Dialer0ipAddress*** 443 route-map Dialer0PAT extendable
ip nat inside source static tcp 192.168.1.10 465 ***Dialer0ipAddress*** 465 route-map Dialer0PAT extendable
ip nat inside source static tcp 192.168.1.10 563 ***Dialer0ipAddress*** 563 route-map Dialer0PAT extendable
ip nat inside source static tcp 192.168.1.10 636 ***Dialer0ipAddress*** 636 route-map Dialer0PAT extendable
ip nat inside source static tcp 192.168.1.10 993 ***Dialer0ipAddress*** 993 route-map Dialer0PAT extendable
ip nat inside source static tcp 192.168.1.10 995 ***Dialer0ipAddress*** 995 route-map Dialer0PAT extendable

Also you are correct, the Baudtec router is doing the translation for the second Internet connection and has a static route pointing to 10.0.0.1 for the 192.168.1.0/24 network. What I'm trying to achieve here is to load-share the traffic across the two Internet connections, and have redundancy as well. In case one of the aDSL lines fails, all the traffic should go through the live one. The problem is that whenever I apply ip policy route-map PBR on the VLAN1 interface, port forwarding on the Cisco stops working. Any ideas why that happens?

Kind Regards,

Michael

Please, people, Rick, I need help. Does anyone have the slightest idea why port forwarding stops working? Note that I also tried port forwarding using the dialer interface instead of the dialer's own IP address:

ip nat inside source static tcp 192.168.1.10 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.10 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.10 465 interface Dialer0 465
ip nat inside source static tcp 192.168.1.10 563 interface Dialer0 563
ip nat inside source static tcp 192.168.1.10 636 interface Dialer0 636
ip nat inside source static tcp 192.168.1.10 993 interface Dialer0 993
ip nat inside source static tcp 192.168.1.10 995 interface Dialer0 995

but that also stopped working when I applied the ip policy route-map PBR at the VLAN1 interface. Any answer will be deeply appreciated.

Kind Regards,

Michael.