01-08-2017 05:56 AM - edited 03-05-2019 07:48 AM
i have 2 ISPs connected to my network and VPN connection with HQ
i have 2 subnets on this branch, i want 172.29.3.0 255.255.255.128 to go through dialer1 and 172.29.3.128 255.255.255.128 to go through FE0/1 which connected to adsl modem
below is configuration but its not working, Please amend if i have any problem with it
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.29.3.1 172.29.3.10
ip dhcp excluded-address 172.29.3.129 172.29.3.139
!
ip dhcp pool Data
network 172.29.3.0 255.255.255.128
default-router 172.29.3.1
dns-server 192.168.0.29 192.168.0.2 4.2.2.2 4.2.2.3
!
ip dhcp pool Data2
network 172.29.3.128 255.255.255.128
default-router 172.29.3.129
dns-server 192.168.0.29 192.168.0.2 4.2.2.2 4.2.2.3
!
!
no ip domain lookup
no ipv6 cef
interface FastEthernet0/0.2
description <<DATA VLAN INTERFACE>>
encapsulation dot1Q 2
ip address 172.29.3.1 255.255.255.128
ip nat inside
ip virtual-reassembly
\
interface FastEthernet0/0.4
encapsulation dot1Q 4
ip address 172.29.3.129 255.255.255.128
ip nat inside
ip virtual-reassembly
interface Serial0/1/0.16 point-to-point
ip address 172.30.200.2 255.255.255.252
ip nat inside
ip virtual-reassembly
snmp trap link-status
frame-relay interface-dlci 16
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication pap chap callin
ip policy route-map LO
interface FastEthernet0/1
ip address 192.168.100.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
ip policy route-map CHEM
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 192.168.100.1
ip route 10.0.0.0 255.0.0.0 Serial0/1/0.16
ip route 172.16.0.0 255.248.0.0 Serial0/1/0.16
ip nat inside source route-map LO interface dialer1 overload
ip nat inside source route-map CHEM interface Ethernet0/1 overload
!
ip access-list extended ACL-LO
permit ip 172.29.3.0 0.0.0.127 any
ip access-list extended ACL-CHEM
permit ip 172.29.3.128 0.0.0.127 any
!
!
route-map LO permit 10
match ip address ACL-LO
set ip next-hop dialer1
!
route-map CHEM permit 20
match ip address ACL-CHEM
set ip next-hop FastEthernet0/1
Regards,
Amr
Solved! Go to Solution.
01-09-2017 07:31 AM
Amr
I think that you do not really understand what I was trying to explain. There are two forms of the set statement in the route map that you need to consider. One form of the set statement is set ip next-hop and the other form of the set statement is set interface. When you use set ip next-hop then you need to use an IP address and when you use set interface then you need to use an interface. It is incorrect and would not work as expected if you configure set ip next-hop dialer1. If you want to specify dialer1 then you need to use the set interface version of the command.
My preference would be to use set ip next-hop in both of the set statements. If you want to use set interface dialer1 that is probably ok. But I suggest that you not use set interface FastEthernet0/1.
Your original post did mention a VPN. But there has not been anything in what you posted that shows any VPN. So it is difficult to determine what is preventing the VPN from working. There is perhaps a clue to the problem when you mention that the VPN is associated with the serial interface. In looking at the partial config that you posted I do see this route which uses the serial interface.
ip route 172.16.0.0 255.248.0.0 Serial0/1/0.16
If you remember that PBR over rides the normal routing table then you can see that with the route maps applied to the LAN subinterfaces that traffic will no longer follow this static route. The way to fix this issue is to change the access list used by PBR. The new access list should deny traffic to the HQ networks and then permit other traffic. It might look something like this
ip access-list extended ACL-LO
deny ip 172.29.3.0 0.0.0.127 172.16.0.0 0.7.255.255
permit ip 172.29.3.0 0.0.0.127 any
HTH
Rick
01-08-2017 07:27 AM
Hi Amr,
I don't see route-maps applied on LAN interfaces:
interface FastEthernet0/0.2
ip policy route-map LO
interface FastEthernet0/0.4
ip policy route-map CHEM
By the way you can create one route-map and apply it on both LAN interfaces, different ACLs will do the trick.
Also I'm not sure if your NAT config is OK:
ip nat inside source route-map LO interface Ethernet0/1 overload
ip nat inside source route-map CHEM interface Ethernet0/2 overload
Instead of route-maps I would use ACLs which you already created.
More importantly:
It seems to me NAT config should look like this:
ip nat inside source list ACL-LO interface Dialer1 overload
ip nat inside source list ACL-CHEM interface Ethernet0/1 overload
Do you have any requirements for failure in case on of the uplinks will go down?
01-09-2017 12:11 AM
Hello blau grana,
You right with your NAting statements, and about route-map, please review these changes i created two route-maps for NATing and the other two route-maps are to match LAN sub-interfaces
route-map ISP1 permit 10
match ip address ACL-LO
match interface dialer1
!
route-map ISP2 permit 10
match ip address ACL-CHEM
match interface FastEthernet0/1
interface FastEthernet0/0.2
description <<DATA VLAN INTERFACE>>
encapsulation dot1Q 2
ip address 172.29.3.1 255.255.255.128
ip policy route-map LO
ip nat inside
ip virtual-reassembly
interface FastEthernet0/0.4
encapsulation dot1Q 4
ip address 172.29.3.129 255.255.255.128
ip policy route-map CHEM
ip nat inside
ip virtual-reassembly
ip nat inside source route-map ISP1 interface dialer1 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload
Regards,
Amr
01-09-2017 05:07 AM
Hello blau grana,
After applying the route-map on LAN sub-interfaces i can't access HQ VPN through Serial0/1/0.16. any help on that
Regards,
Amr
01-08-2017 12:11 PM
Hello
Your NAT route-maps for dual wan links and PBR config look okay, However the nat interfaces for translation is incorrect:
Try this:
no ip nat inside source route-map LO interface Ethernet0/1 overload
no ip nat inside source route-map CHEM interface Ethernet0/2 overload
ip nat inside source route-map LO interface dialer1 overload
ip nat inside source route-map CHEM interface FastEthernet0/1 overload
int dialer 1
ip tcp adjust-mss 1452
res
Paul
01-08-2017 12:30 PM
It looks to me like the original poster is applying the route map for PBR to the outbound interface (which is a very common mistake). The route map should be applied to the interface which receives the traffic which would be the subinterfaces on FastEth0/0.
When you have two outbound interfaces and you want to do nat differently depending on which interface is being used it is a common solution to use route maps to control the translation. But in the route map there should be two match statements, one match for the access list and the other match for the interface. These route maps are not written this way and so I would not consider them to be correct.
I believe that there are issues when you attempt to use the same route map for two purposes and this config uses LO and CHEM for both PBR and for NAT. I would suggest changing the config so that the existing route maps are used for PBR (and assigned to the appropriate interface) and new route maps are created for nat.
HTH
Rick
01-08-2017 01:21 PM
Hello
LOL - Good spot Richard , Didnt register even though I thought i checked for that.
res
Paul
01-08-2017 01:50 PM
Paul
Easy to miss something like this (I know that I have my share of similar misses). One of the very good things about these forums is having multiple people looking at the questions and so multiple opportunities to find the mistakes.
HTH
Rick
01-09-2017 12:12 AM
Hello Richard,
Thanks for your explanation. according to this please review these changes
route-map ISP1 permit 10
match ip address ACL-LO
match interface dialer1
!
route-map ISP2 permit 10
match ip address ACL-CHEM
match interface FastEthernet0/1
interface FastEthernet0/0.2
description <<DATA VLAN INTERFACE>>
encapsulation dot1Q 2
ip address 172.29.3.1 255.255.255.128
ip policy route-map LO
ip nat inside
ip virtual-reassembly
interface FastEthernet0/0.4
encapsulation dot1Q 4
ip address 172.29.3.129 255.255.255.128
ip policy route-map CHEM
ip nat inside
ip virtual-reassembly
ip nat inside source route-map ISP1 interface dialer1 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload
Regards,
Amr
01-09-2017 01:41 AM
Amr
I believe that these changes will solve the issue with nat.
In looking further into what was in an earlier post I believe that we still have an issue with the PBR config because it is inconsistent in how it uses the set statements. For reference here is what was in an earlier post
route-map LO permit 10
match ip address ACL-LO
set ip next-hop dialer1
!
route-map CHEM permit 20
match ip address ACL-CHEM
set ip next-hop FastEthernet0/1
The issue is that you are trying to do set ip next-hop but then point to an interface. Either you keep the set ip next-hop and then supply the next hop address or you change the set to use set interface dialer1.
From a syntax perspective either alternative works. From a practical perspective I am concerned about doing set interface when the outbound interface is Ethernet. So I would suggest that you use the set ip next-hop.
HTH
Rick
01-09-2017 02:29 AM
Hello Richard,
Sorry, but to ensure that i understood this, you mean when i point to dailer interface preferred to use (set ip next-hop dialer1) but when i point to ethernet interface its better to use (set ip next-hop --next hop ip--). is that right?
Thank you very much for your explanations and support
Regards,
Amr
01-09-2017 07:31 AM
Amr
I think that you do not really understand what I was trying to explain. There are two forms of the set statement in the route map that you need to consider. One form of the set statement is set ip next-hop and the other form of the set statement is set interface. When you use set ip next-hop then you need to use an IP address and when you use set interface then you need to use an interface. It is incorrect and would not work as expected if you configure set ip next-hop dialer1. If you want to specify dialer1 then you need to use the set interface version of the command.
My preference would be to use set ip next-hop in both of the set statements. If you want to use set interface dialer1 that is probably ok. But I suggest that you not use set interface FastEthernet0/1.
Your original post did mention a VPN. But there has not been anything in what you posted that shows any VPN. So it is difficult to determine what is preventing the VPN from working. There is perhaps a clue to the problem when you mention that the VPN is associated with the serial interface. In looking at the partial config that you posted I do see this route which uses the serial interface.
ip route 172.16.0.0 255.248.0.0 Serial0/1/0.16
If you remember that PBR over rides the normal routing table then you can see that with the route maps applied to the LAN subinterfaces that traffic will no longer follow this static route. The way to fix this issue is to change the access list used by PBR. The new access list should deny traffic to the HQ networks and then permit other traffic. It might look something like this
ip access-list extended ACL-LO
deny ip 172.29.3.0 0.0.0.127 172.16.0.0 0.7.255.255
permit ip 172.29.3.0 0.0.0.127 any
HTH
Rick
01-11-2017 01:53 AM
Dear Richard,
Many thanks for your support and explanations. it sounds working now on my testing environment. I will configure it on branch next available downtime
Regards,
Amr
01-11-2017 02:42 PM
Amr
I am glad that you have it working in your test environment and that my suggestions were helpful. I am optimistic that it will work when you configure it on the branch router.
HTH
Rick
01-21-2017 11:00 PM
Dear Richard,
When i configure branch router, the first subnet 172.29.3.0 works fine but the other subnet 172.29.3.128 follows internet route-map correctly but can't reach HQ through VPN. Can you please give me any suggestions on that
Regards,
Amr
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide