10-28-2010 06:26 PM - edited 03-04-2019 10:17 AM
Hi, here is my problem: we have a customer who wants to do his backup using one of the two ISP connections.
(I apologize for my scrappy English)
There are two connections: a cable one with a static IP address, and ADSL (Dialer0).
We would like to set it up so that all transactions reaching outside port 5752 go through Dialer0,
or set one of the internal servers to use only the Dialer0 connection.
There is a load-balancing setup between the two links, and we can't make many changes to the current configuration due to external factors.
So, I'd like to add one "ip route" or "ip nat" in order to use only the right link to do the backups (by port or by full address; I don't care about compromising load-balancing for this host).
Could you provide me some help?
Thanks in advance
Info:
router cisco 1811 address: 192.168.25.1
inside backup server: 192.168.25.10
outside backup server: 205.151.208.74
inside port used: random
outside port used: 5752
Dialer0 is on FastEthernet0
configuration file attached
!----------------------------------------------------------------------------
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname RTR_StDenis
!
boot-start-marker
boot system flash c181x-advipservicesk9-mz.124-15.T11.bin
boot-end-marker
!
logging buffered 4096
enable password **************
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
!
crypto pki trustpoint TP-self-signed-3457811302
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3457811302
revocation-check none
rsakeypair TP-self-signed-3457811302
!
!
crypto pki certificate chain TP-self-signed-3457811302
certificate self-signed 01
quit
dot11 syslog
!
!
ip cef
!
!
ip domain name guidesulysse.com
ip name-server 192.168.25.10
ip name-server 205.151.69.200
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall ftp
ip inspect name firewall http
ip inspect name firewall smtp
ip inspect name firewall sqlnet
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
!
multilink bundle-name authenticated
!
!
username ********** password ****************
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key SchlusselCf@GVoyUlysse address 70.55.244.188
crypto isakmp key SchlusselCf@GVoyUlysse address 70.55.244.186
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel vers St-Urbain
set peer 70.55.244.188
set security-association idle-time 1080
set transform-set ESP-3DES-SHA
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel vers PrsdtKennedy
set peer 70.55.244.186
set security-association idle-time 1080
set transform-set ESP-3DES-SHA
match address 102
!
archive
log config
hidekeys
!
!
!
track 1 rtr 18 reachability
!
!
!
interface FastEthernet0
description internet bell
no ip address
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet1
description internet videotron
ip address 69.70.171.58 255.255.255.252
ip access-group 118 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description LAN$FW_INSIDE$
ip address 192.168.25.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
encapsulation slip
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 118 in
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp pap sent-username ************** password ******************
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 69.70.171.57 track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 254
ip route 4.2.2.4 255.255.255.255 69.70.171.57
!
!
ip http server
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet1 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip nat inside source route-map backupenligne interface Dialer0 overload
!
ip sla 18
icmp-echo 4.2.2.4 source-interface FastEthernet1
timeout 1000
threshold 800
frequency 2
ip sla schedule 18 life forever start-time now
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.25.0 0.0.0.255
access-list 100 remark IPSec Rule for Traffic between StDenis & StUrbain
access-list 100 permit ip 192.168.25.0 0.0.0.255 172.23.186.128 0.0.0.15
access-list 100 permit esp host 70.55.244.188 host 70.55.244.185
access-list 100 permit udp host 70.55.244.188 host 70.55.244.185 eq isakmp
access-list 100 permit esp host 70.55.244.188 host 69.70.171.58
access-list 100 permit udp host 70.55.244.188 host 69.70.171.58 eq isakmp
access-list 101 remark IPSec Rule
access-list 101 remark SDM_ACL Category=18
access-list 101 deny udp host 70.55.244.188 host 70.55.244.185 eq isakmp
access-list 101 deny esp host 70.55.244.188 host 70.55.244.185
access-list 101 deny ip 192.168.25.0 0.0.0.255 172.23.186.128 0.0.0.15
access-list 101 deny udp host 70.55.244.186 host 70.55.244.185 eq isakmp
access-list 101 deny esp host 70.55.244.186 host 70.55.244.185
access-list 101 deny ip 192.168.25.0 0.0.0.255 172.23.186.160 0.0.0.15
access-list 101 deny ip 192.168.25.0 0.0.0.255 172.23.186.128 0.0.0.63
access-list 101 permit ip 192.168.25.0 0.0.0.255 any
access-list 101 deny udp host 70.55.244.188 host 69.70.171.58 eq isakmp
access-list 101 deny esp host 70.55.244.188 host 69.70.171.58
access-list 101 deny udp host 70.55.244.186 host 69.70.171.58 eq isakmp
access-list 101 deny esp host 70.55.244.186 host 69.70.171.58
access-list 102 remark IPSec Rule for Traffic between StDenis & PrsdtKennedy
access-list 102 permit ip 192.168.25.0 0.0.0.255 172.23.186.160 0.0.0.15
access-list 102 permit esp host 70.55.244.186 host 70.55.244.185
access-list 102 permit udp host 70.55.244.186 host 70.55.244.185 eq isakmp
access-list 102 permit esp host 70.55.244.186 host 69.70.171.58
access-list 102 permit udp host 70.55.244.186 host 69.70.171.58 eq isakmp
access-list 108 permit tcp 192.168.25.0 0.0.0.255 any eq 5752
access-list 108 deny tcp 192.168.25.0 0.0.0.255 67.70.171.0 0.0.0.255 eq 5752
access-list 110 deny ip 192.168.25.0 0.0.0.255 172.23.186.160 0.0.0.15
access-list 110 deny ip 192.168.25.0 0.0.0.255 172.23.186.128 0.0.0.63
access-list 110 permit ip 192.168.25.0 0.0.0.255 any
access-list 118 remark internet
access-list 118 permit esp host 70.55.244.188 host 70.55.244.185
access-list 118 permit udp host 70.55.244.188 host 70.55.244.185 eq isakmp
access-list 118 permit esp host 70.55.244.188 host 69.70.171.58
access-list 118 permit udp host 70.55.244.188 host 69.70.171.58 eq isakmp
access-list 118 permit esp host 70.55.244.186 host 70.55.244.185
access-list 118 permit udp host 70.55.244.186 host 70.55.244.185 eq isakmp
access-list 118 permit esp host 70.55.244.186 host 69.70.171.58
access-list 118 permit udp host 70.55.244.186 host 69.70.171.58 eq isakmp
access-list 118 permit icmp host 4.2.2.4 host 69.70.171.58 echo-reply
access-list 118 permit tcp any host 70.55.244.185 established
access-list 118 permit tcp any host 69.70.171.58 established
access-list 118 permit udp any eq domain host 70.55.244.185
access-list 118 permit udp any eq domain host 69.70.171.58
access-list 118 deny ip any any
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 110
match interface FastEthernet1
!
route-map SDM_RMAP_2 permit 1
match ip address 110
match interface Dialer0
!
route-map backupenligne permit 10
match ip address 108
!
!
!
!
control-plane
!
banner motd ^CC
*******************************************************************************
* AVERTISSEMENT *
* *
* LES PROGRAMMES ET LES DONNEES STOCKEES DANS CE SYSTEME SONT VISES PAR UNE *
* LICENCE OU SONT LA PROPRIETE PRIVEE DE CETTE COMPAGNIE ET ILS NE SONT *
* ACCESSIBLES LEGALEMENT QU'AUX USAGERS AUTORISES A DES FINS AUTORISEES. *
* IL EST INTERDIT D'Y ACCEDER SANS AUTORISATION, ET TOUT ACCES NON AUTORISE *
* AU-DELA DE CE POINT ENTRAINERA DES POURSUITES. LE SYSTEME PEUT EN TOUT TEMPS*
* FAIRE L'OBJET D'UNE SURVEILLANCE. SI VOUS N'ETES PAS UN USAGER AUTORISE, *
* N'ESSAYEZ PAS D'Y ACCEDER. *
* *
* WARNING *
* *
* THE PROGRAMS AND DATA STORED ON THIS SYSTEM ARE LICENSED TO OR ARE PRIVATE *
* PROPERTY OF THIS COMPANY AND ARE LAWFULLY AVAILABLE ONLY TO AUTHORIZED *
* USERS FOR APPROVED PURPOSES. UNAUTHORIZED ACCESS TO ANY PROGRAM OR DATA ON *
* THIS SYSTEM IS NOT PERMITTED, AND ANY UNAUTHORIZED ACCESS BEYOND THIS POINT *
* MAY LEAD TO PROSECUTION. THIS SYSTEM MAY BE MONITORED AT ANY TIME FOR *
* OPERATIONAL REASONS. THEREFORE, IF YOU ARE NOT AN AUTHORIZED USER, DO NOT *
* ATTEMPT TO LOG ON. *
* *
*******************************************************************************
^C
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
password ******************
!
scheduler max-task-time 5000
ntp server 192.168.25.10
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
10-28-2010 07:48 PM
Hi,
It seems to me that you're looking for Policy Routing?
i.e.
You can send all traffic via one internet connection and using a route-map instruct the router to send other traffic via the other connection. This other traffic can be defined using the source/destination IPs or even port numbers as you mentioned.
Federico.
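As an added illustration of the policy routing Federico describes (this is not his or the poster's configuration, and the ACL and route-map names are my own; the interfaces and addresses come from the attached config), the following IOS fragment steers only the backup session out Dialer0 and leaves the existing load-balanced default routes alone for everything else:

```cisco
! Added example, not part of the thread: policy-based routing (PBR) for the backup traffic.
! Match only the backup session: the inside backup server talking to the outside
! backup server on TCP 5752 (ACL 108 in the attached config is broader: any LAN host).
ip access-list extended BACKUP_PBR
 permit tcp host 192.168.25.10 host 205.151.208.74 eq 5752
!
! Traffic matching the ACL is sent out Dialer0 (point-to-point, so "set interface"
! is used rather than a next-hop address). Unmatched traffic falls through to the
! normal routing table, so the ISP load balancing is untouched.
route-map PBR_BACKUP permit 10
 match ip address BACKUP_PBR
 set interface Dialer0
!
! Apply the policy where the backup traffic enters the router: the LAN interface.
interface Vlan1
 ip policy route-map PBR_BACKUP
!
! Verification: the policy counters should increment while a backup runs.
show route-map PBR_BACKUP
```

The attached config already NATs this traffic to the Dialer0 address (the "backupenligne" NAT route-map matching ACL 108), so no NAT change is needed for the policy-routed flow.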
10-29-2010 05:30 AM
Could you please help me (as I am really a beginner in Cisco configuration) to write a route map in order to:
- make 192.168.25.10 pass through Dialer0 all the time
or
- make all outgoing connections to external port 5752 go through Dialer0 all the time (regardless of load-balancing)
Thanks in advance.
db
10-29-2010 05:52 AM
Should it be something like that?
ip local policy route-map backupenligne
ip route 0.0.0.0 0.0.0.0 Dialer0 254
ip route 192.168.25.10 255.255.255.0 Dialer0
??
10-31-2010 02:30 PM
Ok, my friend (Cisco fan) helped me, it was a pretty dumb ip route as I thought..
ip route 205.151.208.74 255.255.255.255 Dialer0
or
ip route 205.151.208.74 255.255.255.255 FastEthernet0
thanks for helping.