11-28-2013 12:12 AM - edited 03-04-2019 09:42 PM
Hi guys,
I have implemented my scenario following a helpful link from a guy in the forum (https://supportforums.cisco.com/docs/DOC-8313).
What I actually want to implement is the below.
I want my users to access the internet (80, 443, and some ports of Office 365 Exchange Online which I have opened) from provider A, and only for the traffic I already mentioned.
Provider B should take over for the above mentioned traffic only when provider A is down; otherwise provider B should be translating anything else (ICMP, telnet, etc.).
If either provider is down the other should be responsible for all traffic.
The problem begins when I have both interfaces up: NAT translations for the web come from both ISPs, one packet is translated from provider A, the other from provider B. So the page takes too long to open.
See below my configuration and let me know if I have to change something either in the PBR logic or my access-lists that are connected to the PBR to correct this issue.
Current configuration : 19481 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname test
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 32568
!
aaa new-model
!
!
aaa session-id common
clock timezone EEDT 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
!
dot11 syslog
ip source-route
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip cef
!
!
ip domain name neocleous.com
ip inspect tcp reassembly queue length 756
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
ip inspect name CBAC ftp
ip inspect name CBAC http
ip inspect name CBAC imap
ip inspect name CBAC imap3
no ipv6 cef
!
multilink bundle-name authenticated
!
voice dsp waitstate 0
!
!
!
voice-card 0
no dspfarm
!
track 1 ip sla 1 reachability
delay down 1 up 1
!
track 2 ip sla 2 reachability
delay down 1 up 1
!
!
!
!
interface FastEthernet0/0
description PRIMETEL
bandwidth 8000
ip address [public ip] 255.255.255.240
ip access-group CBAC-OUT-NEW in
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
!
interface FastEthernet0/1
description INSIDE-TO-LAN
ip address 192.168.100.x 255.255.255.240
ip nat inside
ip inspect CBAC in
ip virtual-reassembly
ip policy route-map PBR
duplex full
speed 100
!
interface FastEthernet0/0/0
description CYTA
ip address [public ip 2] 255.255.255.248
ip access-group CBAC-OUT-NEW in
ip nat outside
ip virtual-reassembly
duplex full
speed 100
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 [gateway public ip] track 1
ip route 0.0.0.0 0.0.0.0 [gateway public ip 2] track 2
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map CYTA interface FastEthernet0/0/0 overload
ip nat inside source route-map PRIMETEL interface FastEthernet0/0 overload
ip nat inside source static 192.168.100.13 [an ip in the range of public ip 2] route-map CYTA-STATIC-NAT
ip nat inside source static 192.168.3.23 [an ip in the range of public ip 2] route-map CYTA-STATIC-NAT
ip nat inside source static 192.168.100.13 [an ip in the range of public ip] route-map PRIMETEL-STATIC-NAT
ip nat inside source static 192.168.3.23 [an ip in the range of public ip] route-map PRIMETEL-STATIC-NAT
!
ip access-list extended ALLOW-EVERYWHEREACCESS
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended ALLOW-WEB
permit tcp 192.168.0.0 0.0.255.255 any eq www
permit tcp 192.168.0.0 0.0.255.255 any eq 443
permit tcp 192.168.0.0 0.0.255.255 any eq smtp
ip access-list extended CBAC-OUT-NEW
permit ip host 192.168.20.1 any
ip access-list extended PBR-NOFILTER
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended STATIC-NAT
permit ip host 192.168.100.x any
permit ip host 192.168.3.x any
ip access-list extended WEBFILTERING
permit tcp 192.168.0.0 0.0.255.255 any eq smtp
permit ip 192.168.101.0 0.0.0.255 any
permit ip 192.168.100.0 0.0.0.255 any
deny tcp any any eq 443
permit ip any any
!
ip sla 1
icmp-echo [gateway public ip]
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo [gateway public ip]
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now
logging 192.168.3.x
snmp-server community key RO
snmp-server location Internet Router 2
snmp-server contact x
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps xgcp
snmp-server enable traps flash insertion removal change
snmp-server enable traps ds3
snmp-server enable traps envmon
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps license
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps dsp oper-state
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps mpls ldp
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls fast-reroute protected
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps pw vc
snmp-server enable traps firewall serverstatus
snmp-server enable traps ipmobile
snmp-server enable traps rf
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ccme
snmp-server enable traps srst
snmp-server enable traps mpls vpn
snmp-server enable traps voice
snmp-server enable traps dnis
snmp-server host 192.168.3.x version 2c key
!
!
!
!
route-map CYTA permit 10
match ip address NATacl-NEW
match interface FastEthernet0/0/0
route-map PRIMETEL permit 10
match ip address NATacl-NEW
match interface FastEthernet0/0
!
route-map PBR permit 10
match ip address ALLOW-WEB
set ip next-hop verify-availability [gateway public ip ] 1 track 10
!
route-map PBR permit 30
match ip address ALLOW-EVERYWHEREACCESS
set ip next-hop verify-availability [gateway public ip 2] 2 track 20
!
route-map CYTA-STATIC-NAT permit 10
match ip address STATIC-NAT
match interface FastEthernet0/0/0
!
route-map PRIMETEL-STATIC-NAT permit 10
match ip address STATIC-NAT
match interface FastEthernet0/0
!
!
!
control-plane
!
!
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
11-28-2013 07:19 AM
I do not have a full understanding of your issues. But I do have some suggestions to make. After you try them if there are still problems then please update with a description of the issues.
You are using the correct approach to NAT with two interfaces to use a route map. But the route map is referring to access list NATacl-NEW and I cannot find that access list in the configuration.
Your description of what you want to achieve says that ISP B should be primary for most traffic and ISP A should carry all traffic if B is not working. The way to achieve that is to have a static default route pointing to ISP B and a floating static default route pointing to ISP A. What is in the configuration is two static default routes. This results in the router attempting to load share using both connections and traffic going through A that you would prefer to use B.
I believe that there are a couple of things in your PBR that should change.
- I do not understand what you are trying to do with
route-map PBR permit 30
It looks to me like the result is to send all traffic through ISP A. I wonder if your intent was for this to provide the failover if B is not working. But that is not what it is doing.
- several of the access lists use a mask for /16 such as this
permit tcp 192.168.0.0 0.0.255.255
But the LAN in the configuration has mask ip address 192.168.100.x 255.255.255.240. I am puzzled why the access list mask is so much more inclusive. Are there other 192.168 addresses in your network? If so how do they connect because I do not see anything in your config that would communicate with them?
HTH
Rick
11-28-2013 08:39 AM
NATacl-NEW is indeed in the configuration, I forgot to copy-paste it. See below the config:
ip access-list extended NATacl-NEW
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip host 192.168.7.247 any
permit ip host 192.168.7.248 any
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.100.0 0.0.0.15 any
permit ip 192.168.102.0 0.0.0.15 any
permit ip host 192.168.101.3 any
permit ip host 192.168.101.4 any
permit ip host 192.168.20.1 any
Provider A (provider's name PRIMETEL, you can see it in the route map) speed 24 Mbps
Provider B (provider's name CYTA, also in the route map) speed 8 Mbps
Provider A should act as the primary ISP and do NAT translation for 80, 443, and all ports that Office 365 is using (since we are accessing Office 365 through Outlook). Nothing more, nothing less.
Provider B should act as the secondary ISP and do NAT translation for all traffic except 80, 443 and the Office 365 ports.
In case provider A goes down, provider B will translate everything including 80, 443 and the Office 365 ports.
In case provider B goes down, provider A will translate everything.
I use a /16 bit subnet since I have a lot of subnets, as you can see in the NATacl-NEW access list, and I don't want to define each one separately.
If I didn't make things clear yet please see the link https://supportforums.cisco.com/docs/DOC-8313 . This is what I want to achieve... in that example, in the route-map PBR section, match ip address 100 in my example is NATacl-NEW, and for route-map PBR permit 30 match ip address 101 is the ALLOW-EVERYWHEREACCESS access-list.
I need both default static routes to be in the routing table at the same time since ISP A is for web browsing and ISP B is for anything else. If I use a floating static default route for ISP B I will lose it from the routing table, am I right? And this is not the desirable action.
Please correct me if I am wrong somewhere.
Thanks a lot
11-28-2013 10:17 AM
Thank you for the additional information.
I am glad to know that the access list used for NAT does exist. I can only comment based on what you share with us in the config. And the ACL not being there looked like a significant problem (and I have seen situations where the ACL missing was indeed the cause of the problem). I do have a suggestion about the ACL. I suggest that you re-write the ACL and make it a standard access list rather than extended access list. There is not anything that you are checking for that needs the capabilities of an extended access list and I have seen a few situations where it did make a difference whether NAT was using standard or extended access lists (especially when the destination is always permit any).
I must have mis-read the route map. When I wrote my first response it looked to me like both statements were setting the next hop to gateway public ip. Looking at it now I see the 2. But I do think that there is a better way to accomplish your objective and not need route-map PBR permit 30. If you take my suggestion to have one normal static default route and one floating static default route then most traffic will go through CYTA. Traffic identified in route-map PBR permit 10 will go through PRIMETEL. If PRIMETEL is not working then the route map will not redirect and your web etc. traffic will follow the default and go through CYTA. And if CYTA has a problem then the floating static route comes into the routing table and all traffic goes through PRIMETEL.
HTH
Rick
11-28-2013 10:33 AM
Rick
Just wanted to say congratulations on 12 years at Netcraftsmen. It is obviously a great place to work considering how long you have been there.
Jon
11-28-2013 10:37 AM
Jon
Thanks. I enjoy what I do and continue to believe that Chesapeake NetCraftsmen is indeed a great place.
HTH
Rick
11-28-2013 10:37 AM
Floating default route, isn't it inserted in the routing table only if the default static route is down?
Will the routes be like the below?
ip route 0.0.0.0 0.0.0.0 public ip
ip route 0.0.0.0 0.0.0.0 public ip 2 10
Will I, with the way you suggest, be able to NAT translate from both ISPs?
I am a bit confused :)
Will it be possible to make the required changes on my config and paste it back?
Thank you
11-28-2013 11:00 AM
Here is basically what I suggest.
In looking more closely I find a mismatch that should be fixed. In the track commands
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
you identify them as track 1 and track 2. But in the route map you call them 10 and 20
set ip next-hop verify-availability [gateway public ip ] 1 track 10
So you should change either the track commands or the set commands so that the numbers agree.
Then I would suggest this
ip route 0.0.0.0 0.0.0.0 CYTA track 20
ip route 0.0.0.0 0.0.0.0 PRIMETEL
Then I would suggest
no route-map PBR permit 30
Then I would suggest
no ip access-list extended NATacl-NEW
ip access-list standard NATacl-NEW
permit 192.168.1.0 0.0.0.255
permit 192.168.2.0 0.0.0.255
permit 192.168.3.0 0.0.0.255
permit 192.168.4.0 0.0.0.255
permit host 192.168.7.247
permit host 192.168.7.248
permit 192.168.10.0 0.0.0.255
permit 192.168.100.0 0.0.0.15
permit 192.168.102.0 0.0.0.15
permit host 192.168.101.3
permit host 192.168.101.4
permit host 192.168.20.1
I also notice that you are using the same named access list on both of the ISP interfaces. It seems to me that it would be better if each ISP interface had its own unique access list rather than CBAC-OUT-NEW on both of them.
HTH
Rick
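Pulling the suggestions in this post together, the following is an added example (not the thread's own config) of how the tracking, probing, routing, PBR and NAT pieces fit once the track numbers agree and the PRIMETEL default becomes floating. <PRIMETEL-GW> and <CYTA-GW> are placeholders for the anonymised gateway addresses; the administrative distance of 10 on the floating route and the source-interface on each probe are assumptions added here, not taken from the post.

```cisco
! Added example (not from the thread). <PRIMETEL-GW> and <CYTA-GW> stand
! for the two ISP gateway addresses that the thread anonymises.
!
! 1. Track objects: these numbers are what the route-map must reference
track 1 ip sla 1 reachability
 delay down 1 up 1
track 2 ip sla 2 reachability
 delay down 1 up 1
!
! 2. Probes: each gateway is pinged from its own ISP interface so a probe
!    cannot be answered over the other provider and mask a failure
ip sla 1
 icmp-echo <PRIMETEL-GW> source-interface FastEthernet0/0
 timeout 500
 frequency 1
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo <CYTA-GW> source-interface FastEthernet0/0/0
 timeout 500
 frequency 1
ip sla schedule 2 life forever start-time now
!
! 3. Routing: CYTA is the normal default and is withdrawn when track 2 goes
!    down; PRIMETEL is a floating default (AD 10) that enters the table only then
ip route 0.0.0.0 0.0.0.0 <CYTA-GW> track 2
ip route 0.0.0.0 0.0.0.0 <PRIMETEL-GW> 10
!
! 4. PBR on the LAN interface: only ALLOW-WEB traffic is steered to PRIMETEL,
!    and only while track 1 is up. There is no permit 30: everything else, and
!    web traffic while PRIMETEL is down, falls through to the routing table
route-map PBR permit 10
 match ip address ALLOW-WEB
 set ip next-hop verify-availability <PRIMETEL-GW> 1 track 1
!
interface FastEthernet0/1
 ip policy route-map PBR
!
! 5. NAT: each route-map keys on the egress interface, so a packet is
!    translated to the address of whichever ISP it actually leaves through,
!    whether PBR or the routing table chose that path
route-map PRIMETEL permit 10
 match ip address NATacl-NEW
 match interface FastEthernet0/0
route-map CYTA permit 10
 match ip address NATacl-NEW
 match interface FastEthernet0/0/0
ip nat inside source route-map PRIMETEL interface FastEthernet0/0 overload
ip nat inside source route-map CYTA interface FastEthernet0/0/0 overload
```

With this in place, "show ip route" should show a single default via <CYTA-GW> while both links are up, and "show track" should report both objects as Up.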
11-28-2013 11:04 AM
In reading my response I realize that I did not address this part of your question
Will with the way you suggest be able to nat translate from both isp's ?
So let me address that here. Yes, you would be able to NAT translate from both ISPs. Doing the translation only depends on identifying packets as they go out the interface and determining whether they qualify for translation. It does not matter whether the packet got to the interface by static route, or by PBR, or by whatever. It only matters that a packet is going out the PRIMETEL interface or the CYTA interface and that it matches the route map statements.
HTH
Rick
11-28-2013 11:06 AM
Thank you very much for your prompt response!
I will follow your suggestion tomorrow morning (time here is 21:00 :) ) and will let you know!
12-02-2013 08:59 AM
Thanks a lot Richard it worked!
I have one more question. I've upgraded the IOS to the latest one for my router (15.1(3)T); when I do a "show version" I see the below:
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Why does my ROM still refer to version 12.4(13r)T, which was my old IOS?
12-02-2013 09:40 AM
I am glad to know that you implemented what I suggested and that it worked.
To answer your question we need to be clear about the difference between the ROM bootstrap code and the IOS image. When the router first boots it loads and runs the ROM monitor code, which runs diagnostics and loads the IOS image. The IOS image is the code that runs the router after it is in the up and stable condition. So you have two different code files that run at different times and do different things. It is common for the ROM code to be different (and earlier) than the IOS code. We frequently do upgrades to the IOS code without changing the ROM code. Sometimes in doing an IOS upgrade there will be a suggestion to also upgrade the ROM code, but most of the time the new IOS will be fine with the old ROM code.
HTH
Rick
12-02-2013 11:17 PM
For my case, what do you suggest I do?
Will I face any weird issues if I don't upgrade it?
What is the procedure for upgrading ROMMON?
12-03-2013 09:02 AM
I have looked through the Release Notes for 15.1 for the 2800 router. It does not seem to suggest an upgrade for ROM monitor. So my suggestion is that you not do anything other than the normal upgrade of the IOS image. I do not expect you to experience any weird issues if you do not upgrade it.
HTH
Rick
12-05-2013 06:47 AM
Failover will not be smooth. You need to clear the NAT table. Else existing sessions will retain the WAN IP of the original connection.
You can use an Event Manager applet to trigger on the IP SLA and clear the NAT table any time a link fails. The only issue is that all sessions then get reset, but that's better than waiting for the normal session timeout, which is often minutes.
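The applet described above, as an added example that is not part of the original post: it hooks the two track objects already in the thread (1 for PRIMETEL, 2 for CYTA) and clears dynamic NAT state on every state change. It goes slightly beyond the post by firing on recovery as well as on failure, so web sessions that failed over to CYTA are released and new ones return to PRIMETEL through PBR.

```cisco
! Added example (not from the thread). Requires track 1 (PRIMETEL) and
! track 2 (CYTA) to exist already. "state any" fires on both down and up:
!  - on failure, flows pinned to the dead ISP's public address are dropped
!    at once instead of lingering until the NAT translation timeout;
!  - on recovery, flows that failed over are released so new web sessions
!    are steered back to PRIMETEL by route-map PBR.
! $_track_state is the built-in EEM variable carrying the new track state.
event manager applet NAT-CLEAR-ON-PRIMETEL-CHANGE
 event track 1 state any
 action 1.0 syslog msg "track 1 (PRIMETEL) is now $_track_state, clearing dynamic NAT translations"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear ip nat translation *"
!
event manager applet NAT-CLEAR-ON-CYTA-CHANGE
 event track 2 state any
 action 1.0 syslog msg "track 2 (CYTA) is now $_track_state, clearing dynamic NAT translations"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear ip nat translation *"
```

"clear ip nat translation *" removes only dynamic entries, so the static NAT mappings in the config are unaffected. With "delay down 1 up 1" and a 1-second probe frequency a flapping link would reset every session on each flap; raising the track delay dampens that.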