Dual ISP load balancing AND fixed next hop route map for specific destination

ndespature
Level 1

Hello.

We have been using NAT load-balancing for 2 ISP interfaces at our client for some time, but we still have issues with FTP destinations.

What I would like to achieve is, while NAT load-balancing is still in place, to send traffic toward a specific destination out of a specific interface.

I have tried defining a new ACL to filter traffic to the specific destination and creating a new route-map with a fixed next hop. Unfortunately, I cannot access the site in question and cannot figure out why (is it even possible to have two routing behaviours at the same time?).

Could you please help ?

Thank you in advance for your answers!

Here are the specifics of my config:

interface GigabitEthernet0
 description WAN2 vers Free
 switchport access vlan 345
 no ip address
!
interface GigabitEthernet1
 description WAN1
 ip address 192.168.47.250 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map QUADRA
 duplex auto
 speed auto
!
interface Vlan1
 description Inside
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan345
 ip address 192.168.48.250 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
!
ip nat inside source route-map WAN1 interface GigabitEthernet1 overload
ip nat inside source route-map WAN2 interface Vlan345 overload
ip route 0.0.0.0 0.0.0.0 192.168.47.254 track 123
ip route 0.0.0.0 0.0.0.0 192.168.48.254 track 456
ip route 4.2.2.1 255.255.255.255 192.168.48.254
ip route 4.2.2.2 255.255.255.255 192.168.47.254
ip sla auto discovery
ip sla 1
 icmp-echo 4.2.2.2
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 4.2.2.1
ip sla schedule 2 life forever start-time now
!
route-map QUADRA permit 10
 match ip address 110
 set ip next-hop 192.168.47.254
!
route-map WAN1 permit 20
 match ip address 100
 match interface GigabitEthernet1
!
route-map WAN2 permit 20
 match ip address 100
 match interface Vlan345
!
access-list 100 deny   ip 192.168.0.0 0.0.0.255 host 213.186.33.204
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.0.0.0 0.0.0.255 host 213.186.33.204

7 Replies

Jon Marshall
Hall of Fame

I may be misunderstanding your setup, but it looks like you have applied the route-map to the wrong interface.

You need to apply it to the interface where the traffic arrives at the router from the clients, presumably the Vlan1 interface.

Jon

Hi Jon,

Thank you for this answer. I did indeed have the wrong interface configured; thank you for noticing that mistake (two sets of eyes are always welcome!). Unfortunately, this does not solve the problem.

I can see that the access-lists are matched (please note that the access-list numbers have been swapped):

rCompCo01#sh access-lists
Standard IP access list 23
10 permit 192.168.0.0, wildcard bits 0.0.0.255
Extended IP access list 100
10 permit ip 192.168.0.0 0.0.0.255 host 213.186.33.204 (6 matches)
Extended IP access list 110
10 deny ip 192.168.0.0 0.0.0.255 host 213.186.33.204 (25 matches)
20 permit ip 192.168.0.0 0.0.0.255 any (1186 matches)

Packets are going out on the right interface, but it seems there is another problem (it seems the packets are not coming back?):

rCompCo01#show monitor capture buffer holdpackets
08:57:27.946 UTC Jun 7 2017 : IPv4 LES CEF    : Vl1 None
08:57:27.946 UTC Jun 7 2017 : IPv4 LES CEF    : Vl1 Gi1
08:57:30.958 UTC Jun 7 2017 : IPv4 LES CEF    : Vl1 None
08:57:30.958 UTC Jun 7 2017 : IPv4 LES CEF    : Vl1 Gi1
08:57:36.962 UTC Jun 7 2017 : IPv4 LES CEF    : Vl1 None
08:57:36.962 UTC Jun 7 2017 : IPv4 LES CEF    : Vl1 Gi1
08:57:53.054 UTC Jun 7 2017 : IPv4 LES CEF    : Vl1 None
08:57:53.054 UTC Jun 7 2017 : IPv4 LES CEF    : Vl1 Gi1
08:57:56.062 UTC Jun 7 2017 : IPv4 LES CEF    : Vl1 None
08:57:56.062 UTC Jun 7 2017 : IPv4 LES CEF    : Vl1 Gi1
08:58:02.062 UTC Jun 7 2017 : IPv4 LES CEF    : Vl1 None
08:58:02.062 UTC Jun 7 2017 : IPv4 LES CEF    : Vl1 Gi1

Not sure what you mean by the ACLs having been swapped.

Can you repost the relevant configuration?

Jon

Of course, here it is:

track 123 ip sla 1 reachability
 delay down 15 up 10
!
track 456 ip sla 2 reachability
 delay down 15 up 10
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 description WAN2 vers Free
 switchport access vlan 345
 no ip address
!
interface GigabitEthernet1
 description WAN1 vers Orange
 ip address 192.168.47.250 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description Inside
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 ip policy route-map QUADRA
!
interface Vlan345
 ip address 192.168.48.250 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in

ip nat inside source static tcp 192.168.0.5 3389 interface GigabitEthernet1 11478
ip nat inside source static udp 192.168.0.5 3389 interface GigabitEthernet1 11478
ip nat inside source route-map WAN1 interface GigabitEthernet1 overload
ip nat inside source route-map WAN2 interface Vlan345 overload
ip route 0.0.0.0 0.0.0.0 192.168.47.254 track 123
ip route 0.0.0.0 0.0.0.0 192.168.48.254 track 456
ip route 4.2.2.1 255.255.255.255 192.168.48.254
ip route 4.2.2.2 255.255.255.255 192.168.47.254
!
ip sla auto discovery
ip sla 1
 icmp-echo 4.2.2.2
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 4.2.2.1
ip sla schedule 2 life forever start-time now
!
route-map QUADRA permit 10
 match ip address 100
 set ip next-hop 192.168.47.254
!
route-map WAN1 permit 20
 match ip address 110
 match interface GigabitEthernet1
!
route-map WAN2 permit 20
 match ip address 110
 match interface Vlan345
!
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 host 213.186.33.204
access-list 110 deny   ip 192.168.0.0 0.0.0.255 host 213.186.33.204
access-list 110 permit ip 192.168.0.0 0.0.0.255 any

Thanks for that.

Why do you have this line in ACL 110:

"access-list 110 deny ip 192.168.0.0 0.0.0.255 host 213.186.33.204"

because what that is doing is saying do not NAT the 192.168.0.x source IPs when going to that host, but surely you need to, don't you?

This is probably why you are not getting return packets.

Jon

Thank you Jon :)

I've made so many updates for testing purposes that I missed it.

No problem, glad to have helped.

Jon
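For reference, here is the combination of PBR and NAT that the thread converges on, with the broken line shown next to the corrected one. This is an added example, not configuration taken from the original poster or from Jon; it reuses the addresses, route-map names and track object 123 already present on the page, and the `verify-availability` clause and the verification commands at the end are this editor's additions. The security-relevant point: a deny in an ACL referenced by `ip nat inside source route-map` does not block the packet, it forwards it untranslated, so the inside 192.168.0.x source address leaks onto the ISP link and there is no return path for it.

```cisco
! Added example, not from the original post.
! Two independent decisions are made per packet: the PBR route-map chooses the
! exit, the NAT route-maps decide whether to translate. The destination to be
! pinned must still be PERMITTED by the NAT ACL.

! --- As posted (broken): the deny means "do not translate", so packets to this
!     host leave GigabitEthernet1 with a private 192.168.0.x source and no
!     reply can come back (and many upstream providers drop such packets).
! access-list 110 deny   ip 192.168.0.0 0.0.0.255 host 213.186.33.204
! access-list 110 permit ip 192.168.0.0 0.0.0.255 any

! --- Corrected: ACL 100 only selects traffic for policy routing,
!     ACL 110 permits all inside traffic for NAT on either exit.
access-list 100 permit ip 192.168.0.0 0.0.0.255 host 213.186.33.204
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
!
! PBR: force this one destination out via WAN1, but only while WAN1 is up.
! track 123 is the existing IP SLA reachability track for WAN1; if it goes
! down the set clause is skipped and the packet follows the routing table
! instead of being black-holed. (Editor's addition; the post used a plain
! "set ip next-hop".)
route-map QUADRA permit 10
 match ip address 100
 set ip next-hop verify-availability 192.168.47.254 10 track 123
!
! NAT: translate to the address of whichever outside interface the packet
! actually egresses, so the PBR decision above picks the inside-global address.
route-map WAN1 permit 20
 match ip address 110
 match interface GigabitEthernet1
!
route-map WAN2 permit 20
 match ip address 110
 match interface Vlan345
!
ip nat inside source route-map WAN1 interface GigabitEthernet1 overload
ip nat inside source route-map WAN2 interface Vlan345 overload
!
! PBR is applied where client traffic ENTERS the router, not on the WAN side.
interface Vlan1
 ip policy route-map QUADRA
!
! Verification (IOS exec commands, run from enable mode):
!   show ip policy                      - QUADRA must be bound to Vlan1
!   show route-map QUADRA               - "Policy routing matches" increments
!   show ip nat translations | include 213.186.33.204
!                                       - inside global must be 192.168.47.250,
!                                         not the 192.168.0.x inside local
```

If the translations table shows no entry for the host while the route-map match counter increments, the packet is still being policy-routed but not translated, which is exactly the symptom of the deny line above.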
