12-03-2013 12:04 PM - edited 03-04-2019 09:45 PM
Hello!
I have the following problem,
2 ISP connections.
ADSL Internet
Intranet via DHCP
As the two connections need to work:
ADSL access: WWW, E-MAIL, FTP, etc ...
Intranet access: specific applications, for example allow IP 10.32.102.62, port 1725.
Both connections are already working on my router, but in conflict.
Following script:
Building configuration...
Current configuration : 2295 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ODIM
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
interface ATM0
description //// A D S L - INTERNET \\\\
no ip address
load-interval 30
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
description /// INTRANET \\\
ip address dhcp
ip nat outside
load-interval 30
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface Vlan1
description /// LAN \\\
ip address 172.10.1.254 255.255.255.0
ip nat inside
load-interval 30
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
load-interval 30
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname teste@teste
ppp chap password teste
ppp pap sent-username teste@teste password teste
ppp ipcp dns request
ppp ipcp wins request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 track 123
no ip http server
no ip http secure-server
!
ip nat inside source route-map INTRANET interface FastEthernet0 overload
ip nat inside source route-map ADSL interface Dialer1 overload
!
access-list 110 permit ip 172.10.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map ADSL permit 10
match ip address 110
match interface Dialer1
!
route-map INTRANET permit 10
match ip address 110
match interface FastEthernet0
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
end
12-04-2013 02:00 AM
You want two active NATs on two different ISPs but you want to use the same ACL for the NAT; why don't you use two different ACLs?
If one is for the Internet, have an ACL that excludes private IP addresses and permits any at the end,
and for the intranet traffic have an ACL that permits the private IP addresses and denies the rest.
INTRANET
access-list 110 permit ip any 10.0.0.0 0.255.255.255
access-list 110 permit ip any 172.16.0.0 0.15.255.255
access-list 110 permit ip any 192.168.0.0 0.0.255.255
access-list 110 deny ip any any
ADSL
access-list 111 deny ip any 10.0.0.0 0.255.255.255
access-list 111 deny ip any 172.16.0.0 0.15.255.255
access-list 111 deny ip any 192.168.0.0 0.0.255.255
access-list 111 permit ip any any
kind regards
12-04-2013 09:52 AM
Hi,
I wonder how you can use both links as you only got 1 default route pointing out your Internet (the other one you get from DHCP has an AD of 254 and is only used as a backup route when the first one is deleted from the RIB) and furthermore you are tracking this route but we don't see any track object in the config.
If you want both links to be used as default routes then do this:
no ip route 0.0.0.0 0.0.0.0 Dialer1 track 123
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 dhcp
If you want specific traffic to go out one link and other type of traffic to go out other link then you'll have to use PBR on the vlan interface.
If traffic going out the Intranet is for specific IP subnet then you may use longest match feature by configuring static route with longest match going out the Intranet interface.
Regards
Alain
Don't forget to rate helpful posts.
12-04-2013 02:48 AM
Hi,
if you need to route differently according to protocol/port you will have to apply a PBR policy to your inside NAT interface and use route-maps with match interface (outgoing interface) for NAT.
Regards
Alain
Don't forget to rate helpful posts.
12-04-2013 09:11 AM
The two links have to work together; the detail is that each has its own job on the network.
ADSL will handle all external output.
For example, when typing www.cisco.com, my output is ADSL.
Intranet handles the internal applications.
For example, when typing 10.32.102.62, my output is INTRANET.
In the current scenario only one link is working. When it is necessary to use the external output, I must take down the intranet. As I said, my scenario is to run the two links together.
12-05-2013 10:22 AM
Working 100%.
cadet alain, lmediavilla, thanks for the support.
Attached script:
interface ATM0
description //// A D S L - INTERNET \\\\
no ip address
load-interval 30
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
description /// INTRANET \\\
ip address 10.48.50.214 255.255.255.0
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
!
interface Vlan1
description /// LAN \\\
ip address 172.10.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip policy route-map PBR
load-interval 30
!
interface Dialer1
description ** AUTENTICACAO COM RADIUS **
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
load-interval 30
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname teste@teste
ppp chap password 1234
ppp pap sent-username teste@teste password 1234
ppp ipcp dns request
ppp ipcp wins request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 name ADSL
ip route 0.0.0.0 0.0.0.0 10.48.50.1 name INTRANET
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map ADSL interface Dialer1 overload
ip nat inside source route-map INTRANET interface FastEthernet0 overload
!
access-list 110 permit ip 172.10.1.0 0.0.0.255 any
access-list 130 remark ADSL
access-list 130 deny ip any 10.0.0.0 0.255.255.255
access-list 130 permit ip any any
access-list 140 remark INTRANET
access-list 140 permit ip any 10.0.0.0 0.255.255.255
access-list 140 deny ip any any
dialer-list 1 protocol ip permit
!
route-map ADSL permit 10
match ip address 110
match interface Dialer1
!
route-map INTRANET permit 10
match ip address 110
match interface FastEthernet0
!
route-map PBR permit 10
match ip address 130
set interface Dialer1
!
route-map PBR permit 20
match ip address 140
set interface FastEthernet0
!
end
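As an added example (not from the thread or any poster), this Python model of IOS wildcard-mask ACL evaluation and route-map first-match selection shows which outgoing interface the final route-map PBR above picks for a given destination, and applies the same logic to a policy built from the three RFC 1918 ranges in the accepted answer (an assumption: that answer proposed those lists for NAT, not for PBR). It assumes IOS first-match, implicit-deny ACL semantics and that a route-map sequence with no permit match falls through to the routing table.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

def acl_action(acl, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(dst, network, wildcard):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' as network/wildcard

# access-list 130 / 140 and route-map PBR exactly as in the final config above.
ACL_130 = [("deny", "10.0.0.0", "0.255.255.255"), ("permit", *ANY)]
ACL_140 = [("permit", "10.0.0.0", "0.255.255.255"), ("deny", *ANY)]
PBR_FINAL = [(ACL_130, "Dialer1"), (ACL_140, "FastEthernet0")]

# Constructed variant: the same deny/permit structure built from the three
# RFC 1918 ranges listed in the accepted answer (there proposed as NAT ACLs).
RFC1918 = [("10.0.0.0", "0.255.255.255"),
           ("172.16.0.0", "0.15.255.255"),
           ("192.168.0.0", "0.0.255.255")]
ACL_111 = [("deny", n, w) for n, w in RFC1918] + [("permit", *ANY)]
ACL_110 = [("permit", n, w) for n, w in RFC1918] + [("deny", *ANY)]
PBR_RFC1918 = [(ACL_111, "Dialer1"), (ACL_110, "FastEthernet0")]

def pbr_egress(policy, dst: str):
    """Route-map sequences are tried in order; the first sequence whose ACL
    permits the packet sets the interface. No match: PBR does not apply and
    the routing table (here, two default routes) decides."""
    for acl, interface in policy:
        if acl_action(acl, dst) == "permit":
            return interface
    return None

if __name__ == "__main__":
    for dst in ("10.32.102.62", "198.51.100.7", "172.16.5.5", "192.168.1.1"):
        print(f"{dst:>14}  final: {pbr_egress(PBR_FINAL, dst):<13}"
              f"  rfc1918: {pbr_egress(PBR_RFC1918, dst)}")
```

With the final ACLs only 10/8 is steered to FastEthernet0; destinations in 172.16/12 or 192.168/16 are permitted by access-list 130 and so leave via Dialer1 (ADSL), which the RFC 1918 variant does not do.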
12-05-2013 06:36 AM
Failover doesn't work smoothly in my experience. If one link fails you need to clear the NAT table, else some egress traffic will have the wrong WAN IP.
You can get around this, but all connections get reset if one link fails.
track 10 interface FastEthernet0 ip routing
delay down 5 up 30
!
track 20 interface Dialer1 ip routing
delay down 5 up 30
!
event manager applet CLEAR-NAT-TABLE-DI0
event track 10 state any
action 1 cli command "enable"
action 2 cli command "clear ip nat translations *"
event manager applet CLEAR-NAT-TABLE-DI1
event track 20 state any
action 1 cli command "enable"
action 2 cli command "clear ip nat translations *"
12-05-2013 01:34 AM
Cadet is right: you should route private networks to one interface (or gateway) and public ones to the other. And I would also use a different NAT ACL for each service, one that allows public IP addresses and denies private ones, and the other ACL the opposite.
kind regards