02-05-2015 11:30 AM - edited 03-05-2019 12:43 AM
Hello Cisco geniuses!
I have a network where I am required to split traffic between two ISPs: ISP1 (Verizon) and ISP2 (Comcast). ISP1 uses T1 connections and ISP2 uses a standard cable modem. Currently all of my traffic goes out of the T1 connection, but I would like HTTP (80) and HTTPS (443) to go out of my ISP2 connection. On ISP1 I need clients to come in on port 500 for the S2S VPN, 8421 for IBM Access, and 3024 for IBM Access.
I have actually programmed my 2811 and had my PBR working, but all of a sudden it stopped. Unfortunately my syslog and NCM did not record any changes to the routers, and the router configs were written, saved and backed up. I'm not sure whether my ISP2 modem failed, because my PBR no longer works. If you could find it in your hearts, please review my config and see if anything is missing.
interface MFR1
mtu 4470
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay IETF
no ip mroute-cache
load-interval 30
no arp frame-relay
frame-relay multilink bid to u300785
frame-relay lmi-type ansi
!
interface MFR1.500 point-to-point
ip address 152.179.XX.XX 255.255.255.252
ip access-group 110 in
no ip redirects
no ip proxy-arp
no cdp enable
no arp frame-relay
frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/0
description to ASA5520
ip address 65.216.XX.XX 255.255.255.248
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip policy route-map COMCAST_TRAFFIC
duplex auto
speed auto
!
interface FastEthernet0/1
description Interface to ISP2
ip address 23.31.XX.XX 255.255.255.248
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
!
! default route to ISP1
ip route 0.0.0.0 0.0.0.0 152.179.XX.XX
!
!
!
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 443
access-list 120 permit udp any any eq domain
access-list 120 deny udp any any eq ntp
access-list 120 deny udp any any eq 8933
access-list 120 deny udp any any eq 8943
access-list 120 deny udp any any eq 19560
access-list 120 deny udp any any eq 65535
access-list 120 deny tcp any any eq 1025
access-list 120 deny udp any any eq 1025
access-list 120 deny tcp any any eq 8933
access-list 120 deny tcp any any eq 8943
access-list 120 deny tcp any any eq 19560
access-list 120 deny tcp any any eq 65535
access-list 120 deny tcp any any eq 50
access-list 120 deny tcp any eq 51 any
access-list 120 deny tcp any any eq 51
access-list 120 deny tcp any eq 500 any
access-list 120 deny tcp any eq 4500 any
access-list 120 deny tcp any eq 50 any
access-list 120 deny udp any eq 50 any
access-list 120 deny udp any eq 51 any
access-list 120 deny tcp any eq 4820 any
access-list 120 deny tcp any eq 4823 any
access-list 120 deny tcp any eq 4822 any
access-list 120 deny tcp any eq smtp any
access-list 120 deny tcp any eq 5223 any
access-list 120 deny ahp any any
access-list 120 deny ip any any
access-list 120 deny tcp any eq 8421 any
access-list 120 deny tcp any eq 3024 any
access-list 120 deny udp any eq 3024 any
access-list 120 deny udp any eq 8421 any
!
!
!
access-list 110 permit ip any any
access-list 110 deny 53 any any
access-list 110 deny 55 any any
access-list 110 deny 77 any any
access-list 110 deny pim any any
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip 207.159.122.144 0.0.0.7 any
!
!
route-map COMCAST_TRAFFIC permit 10
match ip address 120
set ip next-hop 23.31.XX.XX
02-07-2015 09:05 PM
If I were to change the default route. Should my new pbr be placed on the Lan facing interface or the ISP 1 facing interface?
02-07-2015 10:26 PM
> PBR will still be placed on the LAN interface.
> While going out, this traffic will be NATed to the public IP of ISP1.
> Return traffic has to come back via ISP1 only (no need to make any change for this).
02-09-2015 07:42 AM
I changed my default route to `0.0.0.0 0.0.0.0 23.31.xx.xx`. My internet speeds were normal at 100 Mb/s. I created a new ACL (ACL 140) and a new PBR route-map (VZ). I applied this ACL to my newly created route-map and placed it on the LAN-facing interface. My internet at my corporate office works fine and the speeds are great, but my external clients cannot connect to my services using my ISP1 IP address. I believe my NAT statements on this router are incorrect when I change my default route to ISP2. Also, just to add information: my clients connect to a server using public IP 65.216.XX.XX, which is NATted to 10.0.0.10 behind my ASA. My ASA has `static (inner,outside) tcp 65.216.XX.XX 8421 10.0.0.10 8421 netmask 255.255.255.255`. Should I change this static as well? Or should the NAT on my dual-ISP router handle this? My config is shown below and a network diagram is attached.
interface MFR1.500 point-to-point
description interface to ISP1
ip address 152.179.XX.XX 255.255.255.252
ip access-group 110 in
no ip redirects
no ip proxy-arp
no cdp enable
no arp frame-relay
frame-relay interface-dlci 500 IETF
interface FastEthernet0/0
description to Office LAN and ASA5520
ip address 65.216.XX.XX 255.255.255.248
ip access-group 130 in
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip policy route-map VZ
duplex auto
speed auto
!
interface FastEthernet0/1
description Interface to ISP2
ip address 23.31.XX.XX 255.255.255.248
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
!
! default route to ISP2 (modem address)
ip route 0.0.0.0 0.0.0.0 23.31.XX.XX
ip nat inside source route-map cable-nat interface FastEthernet0/1 overload
!
access-list 110 deny 53 any any
access-list 110 deny 55 any any
access-list 110 deny 77 any any
access-list 110 deny pim any any
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip 207.159.122.144 0.0.0.7 any
!
access-list 140 remark ==VerizonACCESS==
access-list 140 remark -VPN ACCESS-
access-list 140 permit tcp any any eq 500
access-list 140 permit udp any any eq 4500
access-list 140 remark -JD Edwards-
access-list 140 permit tcp any any eq 3024
access-list 140 permit udp any any eq 3024
access-list 140 permit tcp any any eq 8421
access-list 140 permit udp any any eq 8421
access-list 140 remark -Spark Access-
access-list 140 permit tcp any any eq 5222
access-list 140 permit udp any any eq 5222
access-list 140 permit tcp any any eq 5223
!
!
!
route-map VZ permit 10
match ip address 140
set ip next-hop 152.179.XX.XX
! next hop is the ISP1 side of the MFR1.500 link
02-09-2015 11:28 AM
Would a static mapping bring in that traffic from my clients connecting to 65.216.xx.xx:3024? I found this on another forum.
ip nat inside source route-map cable-nat interface F0/1 overload
ip nat inside source static tcp 65.216.XX.XX 3024 interface F0/0 3024
access-list 130
access-list 130 permit ip host 65.216.XX.XX any
access-list 130 permit ip host 65.216.XX.XX any
route-map cable-nat
match ip address 130
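Two things in the posted configurations can be checked mechanically against the standard IOS ACL rules (entries are tested top-down, the first match decides, and a packet that matches no entry hits the implicit deny). In the first post, ACL 110 opens with `permit ip any any`, so the anti-spoofing denies after it can never match. In the later config, ACL 110 has no permit entry at all, and ACL 140 (the match list for route-map VZ on the LAN interface) matches on the destination port, while the server's replies to external clients carry 3024/8421 as the source port. The Python below is an added example and is not part of this thread or any Cisco tool: a minimal first-match evaluator for IOS numbered extended ACLs, run against excerpts of the posted lists. The addresses 65.216.0.10 and 203.0.113.5, the list number 141, and the corrected list itself (which also uses UDP for IKE on 500/4500) are my assumptions.

```python
"""Added example, not from the thread: first-match evaluation of IOS numbered
extended ACLs, applied to excerpts of the lists posted above.
Sample addresses/ports are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

PORT_NAMES = {"www": 80, "domain": 53, "ntp": 123, "smtp": 25}


@dataclass
class Packet:
    proto: str          # "tcp", "udp", or an IP protocol name/number as a string
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Entry:
    action: str
    proto: str
    src: IPv4Network
    sport: Optional[int]
    dst: IPv4Network
    dport: Optional[int]
    text: str


def _addr_port(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    t = tok.pop(0)
    if t == "any":
        net = ip_network("0.0.0.0/0")
    elif t == "host":
        net = ip_network(tok.pop(0) + "/32")
    else:
        wild = int(ip_address(tok.pop(0)))
        # contiguous wildcard mask (as in the posts): trailing ones -> prefix length
        net = ip_network(f"{t}/{32 - (wild + 1).bit_length() + 1}", strict=False)
    port = None
    if tok and tok[0] == "eq":
        tok.pop(0)
        p = tok.pop(0)
        port = PORT_NAMES.get(p) or int(p)
    return net, port


def parse(lines):
    """Parse 'access-list N action proto SRC [eq p] DST [eq p]'; remarks and stubs ignored."""
    acl = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, sport = _addr_port(rest)
        dst, dport = _addr_port(rest)
        acl.append(Entry(action, proto, src, sport, dst, dport, line.strip()))
    return acl


def _match(e, p):
    return ((e.proto == "ip" or e.proto == p.proto)
            and ip_address(p.src) in e.src and ip_address(p.dst) in e.dst
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport))


def evaluate(acl, pkt):
    """Return (action, text of the matching entry). (deny, None) is the implicit deny."""
    for e in acl:
        if _match(e, pkt):
            return e.action, e.text
    return "deny", None


def shadowed(acl):
    """Entries that can never match because an earlier, broader entry covers them."""
    out = []
    for i, e in enumerate(acl):
        for prev in acl[:i]:
            if ((prev.proto == "ip" or prev.proto == e.proto)
                    and e.src.subnet_of(prev.src) and e.dst.subnet_of(prev.dst)
                    and prev.sport in (None, e.sport) and prev.dport in (None, e.dport)):
                out.append(e.text)
                break
    return out


# Excerpt of the first post's ACL 110: the permit comes before every deny.
ACL110_FIRST = parse("""
access-list 110 permit ip any any
access-list 110 deny 53 any any
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
""".strip().splitlines())
ACL110_SECOND = ACL110_FIRST[1:]   # the later config: same denies, no permit at all

# Excerpt of ACL 140 as posted (destination-port matches).
ACL140 = parse("""
access-list 140 permit tcp any any eq 500
access-list 140 permit udp any any eq 4500
access-list 140 permit tcp any any eq 3024
access-list 140 permit tcp any any eq 8421
""".strip().splitlines())
# Assumed corrected list: match the server's replies by SOURCE port; IKE is UDP 500/4500.
ACL140_FIXED = parse("""
access-list 141 permit udp any eq 500 any
access-list 141 permit udp any eq 4500 any
access-list 141 permit tcp any eq 3024 any
access-list 141 permit tcp any eq 8421 any
""".strip().splitlines())

SERVER, CLIENT = "65.216.0.10", "203.0.113.5"     # constructed sample addresses


def check_first_acl110():
    # spoofed 10/8 source arriving from the ISP1 side: the leading permit wins
    return evaluate(ACL110_FIRST, Packet("tcp", "10.1.1.1", SERVER, 40000, 3024))


def check_second_acl110():
    # a legitimate external client on the ISP1 side: no permit, so implicit deny
    return evaluate(ACL110_SECOND, Packet("tcp", CLIENT, SERVER, 40000, 3024))


def check_pbr_return(acl):
    # the server's reply to that client as seen inbound on the LAN interface;
    # a deny here means route-map VZ does not apply and the default route is used
    return evaluate(acl, Packet("tcp", SERVER, CLIENT, 3024, 40000))


if __name__ == "__main__":
    print("first-post ACL 110, spoofed 10/8 source :", check_first_acl110())
    print("  entries that can never match          :", shadowed(ACL110_FIRST))
    print("later ACL 110, real external client     :", check_second_acl110())
    print("route-map VZ on server reply (ACL 140)  :", check_pbr_return(ACL140))
    print("route-map VZ on server reply (ACL 141)  :", check_pbr_return(ACL140_FIXED))
```

The evaluator only models the constructs that appear in the posted lists (`any`, `host`, contiguous wildcard masks, `eq`); it is meant for reasoning about ordering and direction, not as a substitute for `show access-lists` counters on the router.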