DUAL INTERNET LINK - NATING PROBLEM

Hi guys,

I have implemented my scenario following a helpful link from a guy in the forum (https://supportforums.cisco.com/docs/DOC-8313).

What I actually want to implement is the below:

I want my users to access the internet (80, 443, and some ports of Office 365 Exchange Online which I have opened) from provider A, and only for the traffic I already mentioned.

Provider B should take over for the above mentioned traffic only when provider A is down; otherwise provider B should be translating anything else (ICMP, telnet, etc.).

If either provider is down the other should be responsible for all traffic.

The problem begins when I have both interfaces up: NAT translations for the web come from both ISPs, one packet is translated from provider A, the other from provider B. So the page takes too long to open.

See below my configuration and let me know if I have to change something, either in the PBR logic or in my access-lists that are connected to the PBR, to correct this issue.

Current configuration : 19481 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname test
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 32568
!
aaa new-model
!
aaa session-id common
clock timezone EEDT 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
!
dot11 syslog
ip source-route
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ip cef
!
ip domain name neocleous.com
ip inspect tcp reassembly queue length 756
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
ip inspect name CBAC ftp
ip inspect name CBAC http
ip inspect name CBAC imap
ip inspect name CBAC imap3
no ipv6 cef
!
multilink bundle-name authenticated
!
voice dsp waitstate 0
!
voice-card 0
 no dspfarm
!
track 1 ip sla 1 reachability
 delay down 1 up 1
!
track 2 ip sla 2 reachability
 delay down 1 up 1
!
interface FastEthernet0/0
 description PRIMETEL
 bandwidth 8000
 ip address [public ip] 255.255.255.240
 ip access-group CBAC-OUT-NEW in
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description INSIDE-TO-LAN
 ip address 192.168.100.x 255.255.255.240
 ip nat inside
 ip inspect CBAC in
 ip virtual-reassembly
 ip policy route-map PBR
 duplex full
 speed 100
!
interface FastEthernet0/0/0
 description CYTA
 ip address [public ip 2] 255.255.255.248
 ip access-group CBAC-OUT-NEW in
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 [gateway public ip] track 1
ip route 0.0.0.0 0.0.0.0 [gateway public ip 2] track 2
!
no ip http server
no ip http secure-server
ip nat inside source route-map CYTA interface FastEthernet0/0/0 overload
ip nat inside source route-map PRIMETEL interface FastEthernet0/0 overload
ip nat inside source static 192.168.100.13 [an ip in the range of public ip 2] route-map CYTA-STATIC-NAT
ip nat inside source static 192.168.3.23 [an ip in the range of public ip 2] route-map CYTA-STATIC-NAT
ip nat inside source static 192.168.100.13 [an ip in the range of public ip] route-map PRIMETEL-STATIC-NAT
ip nat inside source static 192.168.3.23 [an ip in the range of public ip] route-map PRIMETEL-STATIC-NAT
!
ip access-list extended ALLOW-EVERYWHEREACCESS
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended ALLOW-WEB
 permit tcp 192.168.0.0 0.0.255.255 any eq www
 permit tcp 192.168.0.0 0.0.255.255 any eq 443
 permit tcp 192.168.0.0 0.0.255.255 any eq smtp
ip access-list extended CBAC-OUT-NEW
 permit ip host 192.168.20.1 any
ip access-list extended PBR-NOFILTER
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended STATIC-NAT
 permit ip host 192.168.100.x any
 permit ip host 192.168.3.x any
ip access-list extended WEBFILTERING
 permit tcp 192.168.0.0 0.0.255.255 any eq smtp
 permit ip 192.168.101.0 0.0.0.255 any
 permit ip 192.168.100.0 0.0.0.255 any
 deny   tcp any any eq 443
 permit ip any any
!
ip sla 1
 icmp-echo [gateway public ip]
 timeout 500
 frequency 1
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo [gateway public ip]
 timeout 500
 frequency 1
ip sla schedule 2 life forever start-time now
logging 192.168.3.x
snmp-server community key RO
snmp-server location Internet Router 2
snmp-server contact x
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps xgcp
snmp-server enable traps flash insertion removal change
snmp-server enable traps ds3
snmp-server enable traps envmon
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps license
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps dsp oper-state
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps mpls ldp
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls fast-reroute protected
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps pw vc
snmp-server enable traps firewall serverstatus
snmp-server enable traps ipmobile
snmp-server enable traps rf
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ccme
snmp-server enable traps srst
snmp-server enable traps mpls vpn
snmp-server enable traps voice
snmp-server enable traps dnis
snmp-server host 192.168.3.x version 2c key
!
route-map CYTA permit 10
 match ip address NATacl-NEW
 match interface FastEthernet0/0/0
route-map PRIMETEL permit 10
 match ip address NATacl-NEW
 match interface FastEthernet0/0
!
route-map PBR permit 10
 match ip address ALLOW-WEB
 set ip next-hop verify-availability [gateway public ip] 1 track 10
!
route-map PBR permit 30
 match ip address ALLOW-EVERYWHEREACCESS
 set ip next-hop verify-availability [gateway public ip 2] 2 track 20
!
route-map CYTA-STATIC-NAT permit 10
 match ip address STATIC-NAT
 match interface FastEthernet0/0/0
!
route-map PRIMETEL-STATIC-NAT permit 10
 match ip address STATIC-NAT
 match interface FastEthernet0/0
!
control-plane
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!

15 Replies

Hi Guys,

I still have issues with the NAT translations (I thought it was solved, but after a while I see load balancing between providers instead of the interested traffic being routed through the desired provider, as I wanted to implement using policy based routing).

Even though I am using PBR, as you can see in my configuration at the beginning of this conversation, half of the packets are going through CYTA and the other half through PRIMETEL (for 443), so I guess PBR is not working as expected.

P.S. I've just cleared the NAT entries and it seems that it is working correctly. I don't know what to say. Please provide me with commands to test PBR functionality.
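As an added cross-reference check that is not part of this thread (my own Python; the excerpt inside it is constructed from the posted config, with the poster's placeholders kept): route-map PBR points at track 10 and track 20 while the config only defines track 1 and track 2, route-map CYTA and PRIMETEL match NATacl-NEW which is not defined anywhere in the posted config, and ip sla 2 probes the same gateway placeholder as ip sla 1. The script finds each of these by checking every reference against what the config defines, and returns nothing once they are resolved.

```python
import re

# Constructed excerpt of the config posted in this thread (placeholders kept as posted).
CONFIG = """\
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
ip route 0.0.0.0 0.0.0.0 [gateway public ip] track 1
ip access-list extended ALLOW-EVERYWHEREACCESS
ip access-list extended ALLOW-WEB
ip sla 1
 icmp-echo [gateway public ip]
ip sla 2
 icmp-echo [gateway public ip]
route-map CYTA permit 10
 match ip address NATacl-NEW
route-map PBR permit 10
 match ip address ALLOW-WEB
 set ip next-hop verify-availability [gateway public ip] 1 track 10
route-map PBR permit 30
 match ip address ALLOW-EVERYWHEREACCESS
 set ip next-hop verify-availability [gateway public ip 2] 2 track 20
"""


def lint(config):
    """Return dangling track/ACL references and duplicated SLA probe targets."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    tracks, acls, probes, findings, sla = set(), set(), {}, [], None
    # Pass 1: collect the objects the config actually defines.
    for line in lines:
        if m := re.match(r"track (\d+) ", line):
            tracks.add(m.group(1))
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"ip sla (\d+)$", line):
            sla = m.group(1)
        elif sla and (m := re.match(r"icmp-echo (.+)", line)):
            probes.setdefault(m.group(1).strip(), []).append(sla)
    # Pass 2: every reference must point at something defined in pass 1.
    for line in lines:
        if (m := re.match(r"match ip address (\S+)", line)) and m.group(1) not in acls:
            findings.append(f"undefined ACL {m.group(1)}: {line}")
        if (m := re.search(r"\btrack (\d+)$", line)) and m.group(1) not in tracks:
            findings.append(f"undefined track {m.group(1)}: {line}")
    # Two reachability probes aimed at the same gateway cannot tell the links apart.
    for target, ids in probes.items():
        if len(ids) > 1:
            findings.append(f"ip sla {', '.join(ids)} all probe {target}")
    return findings
```

On the router itself, show route-map PBR, show track and show ip sla statistics show whether each tracked next-hop is considered up and whether the PBR sequences are accumulating policy matches.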