I have a Cisco 2851 (with a 4 port switch module) that I am trying to set up with two different internet connections, and have it route traffic out to them based on the source IP. One connection is a 50mb Comcast connection, another is our T1 that our servers are hosted on. The goal is to guide server/phone system traffic to the T1 and have the rest default to the Comcast.
I currently have the 2851 connected to our Layer 3 switch (Dell Powerconnect 6224) with a subnet created between them. Static routes have been created on the 2851 back to all of our existing subnets. Traffic flows internally without a problem between the subnets and 2851 (and vice versa). I set up the 2851 with route-map's in the NAT to control the flow of traffic, with the default route set to the Comcast connection. Default route works great, speedtest shows full speeds and everything looks great.
The problem happens when I apply my route-map policy to the internal LAN interface with the ACL list of IP's that I want to guide to the T1 (with a next-hop of the T1's IP address). I tested some tracert's and pings from one of the IP's in this list and they would stop at the T1 modem and not go any further. I did a "show ip nat translations" and noticed that the "outside" portion (right half) was blank for every IP that was in the ACL or related to the T1. So my guess is it looks like this is not doing NAT for the T1? I double-checked that I had my "ip nat inside" on the LAN interface and "ip nat ouside" on the T1 VLAN interface and Comcast interface and they were there.
Can any of you guys check this out and tell me why it isn't working? Or maybe give me an alternative method to accomplish the same end result? I have attached the running-config from the 2851 (with certain IP's changed/blanked).
what is the reason of having multiple secondary IPs on the VLAN interface ?
can yu confirue the IP that peer with T1 service as main IP and remove the secondary IPs
do clear ip nat translation *
also enable debug ip nat detailed and see where the nat is stoping
hope this help
The T1 currently is hosting several sites so we have several IP's defined. This is exactly how the T1 is currently configured on our 2811, just on the 2851 I moved it to a VLAN and switchport because I have no more GigabitEthernet ports. I'm concerned that the 2851 doesn't seem to function the same as the 2811 with a near identical configuration. Unless there is some issue with VLAN interfaces having multiple IPs, where a FastEthernet/GigabitEthernet interface handles it better?
I can remove those IPs for testing, but would ultimately need a configuration that includes them so I'm not positive that would be helpful in the long run. Typing "debug ip nat" before crashed my 2851 when I typed it, and endless stream of text kept repeating and I had to power cycle the router to get it to come back.
I have to go in over night and take down the whole network to try this configuration, so I wanted to make sure I had several suggestions for things to try before taking that step. Any other suggestions by anyone would be greatly appreciated.
I do not understand your explanation about multiple IP addresses and the T1. I especially do not understand this part:"just on the 2851 I moved it to a VLAN and switchport because I have no more GigabitEthernet ports. "
what do more Gig Eth ports have to do with the T1?
I am also quite puzzled about the comparison of T1 on 2811 with FastEth0/0/0 and VLAN 5 on the 2851. Perhaps you can clarify this for us?
I do notice a few things that do not seem right but am not sure if they relate to your main problem:
- access list 20 gives multiple host specific addresses. but the mask used is a /24. you probably should correct this mismatch.
- the ip nat statements do not include the overload parameter. is this on purpose?
The PBR route map sets the next hop as 184.108.40.206. does that exist? if you show arp on the 2851 is there an entry for that address?
Forgive me, allow me to clarify.
We have 5 static IP's with our T1 line. We use these static IP's (and subsequently the T1) to host several on-site IP-based services such as Exchange and access to our voicemail system. Because of this, we defined several secondary IP's on the interface so traffic knows where to flow.
We currently have the T1 setup on a Cisco 2811 with a near identical configuration (in regards to the secondary IP's declared on the interface). Since the 2851 I am setting up only has two built-in GigabitEthernet interfaces, one of which is connected to our switch, the other is connected to our Comcast connection, I had to add a 4-port switch module to the 2851 so the T1 had a port. Since this is a switchport module I had to create a VLAN (because the interface itself does not support IP information on it) and assign the switchport that the T1 is plugged into as a member of that VLAN. I was clarifying that I am setting this up on a virtual interface and a switchport module as opposed to the built-in interfaces, I am just trying to give as much information as possible......
In regards to access-list 20, I did see this when I was configuring and corrected that and removed the "0.0.0.255".
In the IP NAT statements I do have overload in the statements, sorry for leaving that out of the doc.
The 220.127.116.11 is the Gateway address for our T1 modem, it is the next-hop supplied by the ISP where the 18.104.22.168 is the primary IP on the interface.
Thank you for the additional information. It helps some. But I am still confused. You keep talking about T1 and T1 modem and so I am expecting to see a serial interface. Perhaps you can clarify for me how serial T1 becomes Ethernet connections?
And I will repeat my question about whether the 22.214.171.124 address is working. Is there an entry in the ARP table for this address?
The T1 modem is not connected to the router via serial interface, but rather a bridged T1 modem connected to a fastethernet or gigabitethernet interface. I'll ultimately be retiring this T1 but I do need to keep it (and the sites it hosts) up in the meantime until we transition completely to the new connection. This is tempting me to make the complete transition sooner rather than later.
I will have to get back to you regarding the show arp, I am not on location right now to switch the T1 connection over to the 2851 to test. As mentioned it is currently connected to the 2811 until I can get it functional on the 2851.
Not sure if this is helpful but when I tested it last, I could ping 126.96.36.199 from the router itself. Doing a tracert showedtraffic stops at the .105 IP and timed out after that. Incoming traffic did not flow either. This is specifically only the IPs listed in ACL 20. All other traffic flowed fine via the default route (Comcast).