cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2363
Views
0
Helpful
4
Replies

CISCO 1811 Dual ISP need a static route for only one connection

bayle.david
Level 1
Level 1

HI, here is my problem, we got a customer who wants to do his backup using one of the two ISP connection.

(I apologize for my scrappy English)

There is two connections, a cable one with static ip address, and adsl (Dialer0).

We would like to setup all transactions reaching outside port 5752 getting through Dialer0,

or set one of the internal server using only the Dialer0 connection.

There is a load-balancing setup between the two links, and we can't make lots of changes in the actual configuration due to external factors.

So, I'd like to add one "ip route" or "ip nat" in order to use only the right link to do the backups (by port or full address (don't care about compromising load-balancing for this host.)

Could you provide me some help ?

Thanks in advance

Infos:

router cisco 1811 address:         192.168.25.1

inside backup serveur                192.168.25.10

outside backup serveur              205.151.208.74

inside port used                        random

outside port used                       5752

Dialer0 is on FastEthernet0

configuration file attached

!----------------------------------------------------------------------------

!version 12.4

no service pad

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

!

hostname RTR_StDenis

!

boot-start-marker

boot system flash c181x-advipservicesk9-mz.124-15.T11.bin

boot-end-marker

!

logging buffered 4096

enable password **************

!

aaa new-model

!

!

aaa authentication login default local

!

!

aaa session-id common

clock timezone EST -5

clock summer-time EDT recurring

!

crypto pki trustpoint TP-self-signed-3457811302

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3457811302

revocation-check none

rsakeypair TP-self-signed-3457811302

!

!

crypto pki certificate chain TP-self-signed-3457811302

certificate self-signed 01

  30820254 308201BD A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33343537 38313133 3032301E 170D3038 31323136 31333336

  31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34353738

  31313330 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100AE2C 1D352420 122894CF BF8BD45C 9897018B 58925B25 B6ADFA71 4B5D2146

  A5B9C640 3A79DBDE BA63BE8B 80A4D2E2 0AAB575C A4F1BB76 8B55E3DC FA2A98BC

  0BD408FB 58940572 B5AC3AF9 822A205A D347C14E ADBEE731 9C7C1D4C B60933C8

  D1C6430D 7689D5B3 F9FC90A9 79F1DD2F 64B53581 C5879869 37F469D6 35986764

  396D0203 010001A3 7C307A30 0F060355 1D130101 FF040530 030101FF 30270603

  551D1104 20301E82 1C525452 5F537444 656E6973 2E677569 64657375 6C797373

  652E636F 6D301F06 03551D23 04183016 80147844 5E1468DA 1750CA24 E510F010

  DDD89428 83CA301D 0603551D 0E041604 1478445E 1468DA17 50CA24E5 10F010DD

  D8942883 CA300D06 092A8648 86F70D01 01040500 03818100 1357EF1D A402E3D4

  E0308563 47DFA354 C8E7BBD3 03F3D3A5 7A4942C5 688268BB 4449637F 816F54DC

  61A98C0D 67709F30 5E283C9B 86B781DB B21E87E8 D81823E1 DFB4A768 37DF497B

  23679FA8 F65C3B8F A652A5B3 56DEAEAF 2B7F86F9 487C6AEF A7F9F5B7 5D1302D6

  817DCF2F 590E8E88 E9C5C165 1DF6294A 00FA008B 3A3BF9BA

  quit

dot11 syslog

!

!

ip cef

!

!

ip domain name guidesulysse.com

ip name-server 192.168.25.10

ip name-server 205.151.69.200

ip inspect name firewall tcp

ip inspect name firewall udp

ip inspect name firewall ftp

ip inspect name firewall http

ip inspect name firewall smtp

ip inspect name firewall sqlnet

ip inspect name firewall realaudio

ip inspect name firewall streamworks

ip inspect name firewall vdolive

!

multilink bundle-name authenticated

!

!

username ********** password ****************

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key SchlusselCf@GVoyUlysse address 70.55.244.188

crypto isakmp key SchlusselCf@GVoyUlysse address 70.55.244.186

crypto isakmp keepalive 10

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel vers St-Urbain

set peer 70.55.244.188

set security-association idle-time 1080

set transform-set ESP-3DES-SHA

match address 100

crypto map SDM_CMAP_1 2 ipsec-isakmp

description Tunnel vers PrsdtKennedy

set peer 70.55.244.186

set security-association idle-time 1080

set transform-set ESP-3DES-SHA

match address 102

!

archive

log config

  hidekeys

!

!

!

track 1 rtr 18 reachability

!

!

!

interface FastEthernet0

description internet bell

no ip address

ip virtual-reassembly

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

!

interface FastEthernet1

description internet videotron

ip address 69.70.171.58 255.255.255.252

ip access-group 118 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1452

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

!

interface FastEthernet5

!

interface FastEthernet6

!

interface FastEthernet7

!

interface FastEthernet8

!

interface FastEthernet9

!

interface Vlan1

description LAN$FW_INSIDE$

ip address 192.168.25.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface Async1

no ip address

encapsulation slip

!

interface Dialer0

description $FW_OUTSIDE$

ip address negotiated

ip access-group 118 in

ip mtu 1452

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp pap sent-username ************** password ******************

crypto map SDM_CMAP_1

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 69.70.171.57 track 1

ip route 0.0.0.0 0.0.0.0 Dialer0 254

ip route 4.2.2.4 255.255.255.255 69.70.171.57

!

!

ip http server

ip http secure-server

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet1 overload

ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload

ip nat inside source route-map backupenligne interface Dialer0 overload

!

ip sla 18

icmp-echo 4.2.2.4 source-interface FastEthernet1

timeout 1000

threshold 800

frequency 2

ip sla schedule 18 life forever start-time now

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.25.0 0.0.0.255

access-list 100 remark IPSec Rule for Traffic between StDenis & StUrbain

access-list 100 permit ip 192.168.25.0 0.0.0.255 172.23.186.128 0.0.0.15

access-list 100 permit esp host 70.55.244.188 host 70.55.244.185

access-list 100 permit udp host 70.55.244.188 host 70.55.244.185 eq isakmp

access-list 100 permit esp host 70.55.244.188 host 69.70.171.58

access-list 100 permit udp host 70.55.244.188 host 69.70.171.58 eq isakmp

access-list 101 remark IPSec Rule

access-list 101 remark SDM_ACL Category=18

access-list 101 deny   udp host 70.55.244.188 host 70.55.244.185 eq isakmp

access-list 101 deny   esp host 70.55.244.188 host 70.55.244.185

access-list 101 deny   ip 192.168.25.0 0.0.0.255 172.23.186.128 0.0.0.15

access-list 101 deny   udp host 70.55.244.186 host 70.55.244.185 eq isakmp

access-list 101 deny   esp host 70.55.244.186 host 70.55.244.185

access-list 101 deny   ip 192.168.25.0 0.0.0.255 172.23.186.160 0.0.0.15

access-list 101 deny   ip 192.168.25.0 0.0.0.255 172.23.186.128 0.0.0.63

access-list 101 permit ip 192.168.25.0 0.0.0.255 any

access-list 101 deny   udp host 70.55.244.188 host 69.70.171.58 eq isakmp

access-list 101 deny   esp host 70.55.244.188 host 69.70.171.58

access-list 101 deny   udp host 70.55.244.186 host 69.70.171.58 eq isakmp

access-list 101 deny   esp host 70.55.244.186 host 69.70.171.58

access-list 102 remark IPSec Rule for Traffic between StDenis & PrsdtKennedy

access-list 102 permit ip 192.168.25.0 0.0.0.255 172.23.186.160 0.0.0.15

access-list 102 permit esp host 70.55.244.186 host 70.55.244.185

access-list 102 permit udp host 70.55.244.186 host 70.55.244.185 eq isakmp

access-list 102 permit esp host 70.55.244.186 host 69.70.171.58

access-list 102 permit udp host 70.55.244.186 host 69.70.171.58 eq isakmp

access-list 108 permit tcp 192.168.25.0 0.0.0.255 any eq 5752

access-list 108 deny   tcp 192.168.25.0 0.0.0.255 67.70.171.0 0.0.0.255 eq 5752

access-list 110 deny   ip 192.168.25.0 0.0.0.255 172.23.186.160 0.0.0.15

access-list 110 deny   ip 192.168.25.0 0.0.0.255 172.23.186.128 0.0.0.63

access-list 110 permit ip 192.168.25.0 0.0.0.255 any

access-list 118 remark internet

access-list 118 permit esp host 70.55.244.188 host 70.55.244.185

access-list 118 permit udp host 70.55.244.188 host 70.55.244.185 eq isakmp

access-list 118 permit esp host 70.55.244.188 host 69.70.171.58

access-list 118 permit udp host 70.55.244.188 host 69.70.171.58 eq isakmp

access-list 118 permit esp host 70.55.244.186 host 70.55.244.185

access-list 118 permit udp host 70.55.244.186 host 70.55.244.185 eq isakmp

access-list 118 permit esp host 70.55.244.186 host 69.70.171.58

access-list 118 permit udp host 70.55.244.186 host 69.70.171.58 eq isakmp

access-list 118 permit icmp host 4.2.2.4 host 69.70.171.58 echo-reply

access-list 118 permit tcp any host 70.55.244.185 established

access-list 118 permit tcp any host 69.70.171.58 established

access-list 118 permit udp any eq domain host 70.55.244.185

access-list 118 permit udp any eq domain host 69.70.171.58

access-list 118 deny   ip any any

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 110

match interface FastEthernet1

!

route-map SDM_RMAP_2 permit 1

match ip address 110

match interface Dialer0

!

route-map backupenligne permit 10

match ip address 108

!

!

!

!

control-plane

!

banner motd ^CC

*******************************************************************************

*                              AVERTISSEMENT                                  *

*                                                                             *

* LES PROGRAMMES ET LES DONNEES STOCKEES DANS CE SYSTEME SONT VISES PAR UNE   *

* LICENCE OU SONT LA PROPRIETE PRIVEE DE CETTE COMPAGNIE ET ILS NE SONT       *

* ACCESSIBLES LEGALEMENT QU'AUX USAGERS AUTORISES A DES FINS AUTORISEES.      *

* IL EST INTERDIT D'Y ACCEDER SANS AUTORISATION, ET TOUT ACCES NON AUTORISE   *

* AU-DELA DE CE POINT ENTRAINERA DES POURSUITES. LE SYSTEME PEUT EN TOUT TEMPS*

* FAIRE L'OBJET D'UNE SURVEILLANCE. SI VOUS N'ETES PAS UN USAGER AUTORISE,    *

* N'ESSAYEZ PAS D'Y ACCEDER.                                                  *

*                                                                             *

*                                 WARNING                                     *

*                                                                             *

* THE PROGRAMS AND DATA STORED ON THIS SYSTEM ARE LICENSED TO OR ARE PRIVATE  *

* PROPERTY OF THIS COMPANY AND ARE LAWFULLY AVAILABLE ONLY TO AUTHORIZED      *

* USERS FOR APPROVED PURPOSES. UNAUTHORIZED ACCESS TO ANY PROGRAM OR DATA ON  *

* THIS SYSTEM IS NOT PERMITTED, AND ANY UNAUTHORIZED ACCESS BEYOND THIS POINT *

* MAY LEAD TO PROSECUTION. THIS SYSTEM MAY BE MONITORED AT ANY TIME FOR       *

* OPERATIONAL REASONS. THEREFORE, IF YOU ARE NOT AN AUTHORIZED USER, DO NOT   *

* ATTEMPT TO LOG ON.                                                          *

*                                                                             *

*******************************************************************************

^C

!

line con 0

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

line vty 0 4

password ******************

!

scheduler max-task-time 5000

ntp server 192.168.25.10

!

webvpn context Default_context

ssl authenticate verify all

!

no inservice

!

end

4 Replies 4

Hi,

It seems to me that you're looking for Policy Routing?

i.e.

You can send all traffic via one internet connection and using a route-map instruct the router to send other traffic via the other connection. This other traffic can be defined using the source/destination IPs or even port numbers as you mentioned.

Federico.

Could you please help me (as I am really beginner in cisco configuration) to write a route map in order to:

- make the 192.168.25.10 pass by Dialer0 all the time

or

- Make all the outcoming connections passing by external port 5752 go through Dialer0 all the time (regardless load-balancing)

Thanks in advance.

db

Should it be womething like that ?

ip local policy route-map backupenligne
ip route 0.0.0.0 0.0.0.0 Dialer0 254
ip route 192.168.25.10 255.255.255.0 Dialer0

??

bayle.david
Level 1
Level 1

Ok, my friend (cisco fan) helped me, it was a pretty dumb iproute as I thought..

ip route 205.151.208.74 255.255.255 Dialer0

or

ip route 205.151.208.74 255.255.255 FastEthernet0

thanks for helping.

Review Cisco Networking for a $25 gift card