09-05-2012 04:26 AM - edited 03-04-2019 05:28 PM
Hi,
I have an 1811 with dual WAN set up. There is a policy based route which sends all traffic from workstations out over our ADSL line whilst allowing certain servers access across our Bonded ADSL. This works nicely.
There are NAT rules set up as well that allow access to the servers and some machines from both external WAN addresses. Unfortunately it seems that only the servers denied by the PBR are capable of being RDP'd to on both external addresses.
For example, the server on local ip 192.168.2.240 can be RDP'd to externally on 80.229.x.x:33899 and 141.0.x.b:33899 but the workstation on 192.168.2.50 can only be reached via 80.229.x.x:33893 but not 141.0.x.x:33897.
I imagine denying the various workstations on the PBR access list will allow them to be accessed from both external IP addresses, but ideally I still want them to use the ADSL for their outbound connections.
hostname mydomainFirewall
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
username xxxxx privilege 15 secret 5 $1$cJt8$sh/b4HM9bdUQkgvRylyOV.
username xxx privilege 15 secret 5 $1$rPuf$JJA4UwlqbRwLc.sarSgMp.
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip cef
!
!
ip domain name mydomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip ips po max-events 100
no ftp-server write-enable
vty-async
!
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxxxxxxxx address 31.24.x.x no-xauth
crypto isakmp key xxxxxxxxxxxx address 109.238.x.x
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to31.24.x.x
set peer 31.24.x.x
set transform-set ESP-3DES-SHA
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to109.238.x.x
set peer 109.238.x.x
set transform-set ESP-3DES-SHA1
match address 102
!
!
!
interface FastEthernet0
description $ETH-WAN$
ip address 141.0.a.b 255.255.255.248
ip access-group WAN_Fast in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface FastEthernet1
description $ETH-WAN$
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface FastEthernet2
switchport access vlan 2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface FastEthernet4
no ip address
no cdp enable
!
interface FastEthernet5
no ip address
no cdp enable
!
interface FastEthernet6
switchport access vlan 2
no ip address
no cdp enable
!
interface FastEthernet7
no ip address
no cdp enable
!
interface FastEthernet8
no ip address
no cdp enable
!
interface FastEthernet9
no ip address
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
ip address 192.168.2.2 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip policy route-map PBR_VLAN1
!
interface Async1
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 141.0.a.a
ip route 192.168.4.0 255.255.255.0 192.168.2.254
!
!
ip http server
ip http access-class 52
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet1 overload
ip nat inside source static tcp 192.168.2.51 3389 80.229.x.x 3389 route-map SDM_RMAP_2 extendable
ip nat inside source static tcp 192.168.2.50 3389 80.229.x.x 33891 route-map SDM_RMAP_2 extendable
ip nat inside source static tcp 192.168.2.53 3389 80.229.x.x 33892 route-map SDM_RMAP_2 extendable
ip nat inside source static tcp 192.168.2.51 3389 80.229.x.x 33893 route-map SDM_RMAP_2 extendable
ip nat inside source static tcp 192.168.2.240 3389 80.229.x.x 33899 route-map SDM_RMAP_2 extendable
ip nat inside source static tcp 192.168.2.240 5001 141.0.a.b 5001 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.2.51 3389 141.0.a.b 33897 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.2.53 3389 141.0.a.b 33898 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.2.240 3389 141.0.a.b 33899 route-map SDM_RMAP_1 extendable
ip nat inside source static 192.168.2.200 141.0.a.c route-map SDM_RMAP_1
ip nat inside source static 192.168.2.204 141.0.a.d route-map SDM_RMAP_1
!
ip access-list extended WAN_Fast
remark CCP_ACL Category=17
remark IPSec Rule
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit udp host 109.238.x.x host 141.0.a.b eq non500-isakmp
permit udp host 109.238.x.x host 141.0.a.b eq isakmp
permit esp host 109.238.x.x host 141.0.a.b
permit ahp host 109.238.x.x host 141.0.a.b
remark IPSec Rule
permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
permit udp host 31.24.x.x host 141.0.a.b eq non500-isakmp
permit udp host 31.24.x.x host 141.0.a.b eq isakmp
permit esp host 31.24.x.x host 141.0.a.b
permit ahp host 31.24.x.x host 141.0.a.b
permit tcp any host 141.0.a.c eq smtp
permit tcp any host 141.0.a.c eq www
permit tcp any host 141.0.a.c eq 443
permit tcp any host 141.0.a.d eq 3389
permit tcp any host 141.0.a.c eq 3389
permit tcp any host 141.0.a.c eq 990
permit tcp any host 141.0.a.c eq 999
permit tcp any host 141.0.a.c eq 5721
permit tcp any host 141.0.a.c eq 5678
permit tcp any host 141.0.a.c eq 5679
permit tcp any host 141.0.a.c eq 26675
deny ip any host 141.0.a.c
deny ip any host 141.0.a.d
permit ip any any
ip access-list extended WAN_Slow
permit ip any any
ip access-list extended workstations
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip host 192.168.2.200 any
deny ip host 192.168.2.202 any
deny ip host 192.168.2.204 any
deny ip host 192.168.2.240 any
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
deny ip any any
!
access-list 51 remark CCP_ACL Category=16
access-list 51 permit 192.168.2.0 0.0.0.255
access-list 52 permit 192.168.3.0 0.0.0.255
access-list 52 permit 192.168.2.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp run
!
route-map PBR_VLAN1 permit 10
match ip address workstations
set ip next-hop dynamic dhcp
!
route-map SDM_RMAP_1 permit 1
match ip address 101
match interface FastEthernet0
!
route-map SDM_RMAP_2 permit 1
match ip address 101
match interface FastEthernet1
!
!
!
!
control-plane
!
!
line con 0
login local
line 1
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
access-class 52 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 52 in
privilege level 15
login local
transport input telnet ssh
!
no scheduler allocate
end
09-05-2012 06:08 AM
I have done some testing and it is definitely the route map that is causing this to occur. It seems that the "permit ip 192.168.2.0 0.0.0.255 any" statement in the ACL workstations is sucking up all the traffic and sending it out over the ADSL on FastEthernet1. As I cannot know what port the connecting device is using for its return address, is there any way I can prevent this from happening?
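Added example (not from the poster's config or any Cisco tool): a small Python model of the "workstations" ACL and the PBR_VLAN1 decision from the config above, checking for each inside host whether a reply leaves on the same WAN the connection arrived on. It models only the ACL match and the two static routes; NAT translation is assumed not to change the egress choice, and 203.0.113.10 is a constructed external client address.

```python
import ipaddress

# The "workstations" ACL from the posted config: (action, src, src-wildcard, dst, dst-wildcard).
WORKSTATIONS_ACL = [
    ("deny", "192.168.2.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("deny", "192.168.2.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
    ("deny", "192.168.2.0", "0.0.0.255", "192.168.4.0", "0.0.0.255"),
    ("deny", "192.168.2.200", "0.0.0.0", "0.0.0.0", "255.255.255.255"),
    ("deny", "192.168.2.202", "0.0.0.0", "0.0.0.0", "255.255.255.255"),
    ("deny", "192.168.2.204", "0.0.0.0", "0.0.0.0", "255.255.255.255"),
    ("deny", "192.168.2.240", "0.0.0.0", "0.0.0.0", "255.255.255.255"),
    ("permit", "192.168.2.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    ("permit", "192.168.4.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    ("deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
# Static routes from the config as (prefix, egress interface); longest prefix wins.
ROUTES = [("0.0.0.0/0", "FastEthernet0"), ("192.168.4.0/24", "Vlan1")]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def acl_action(acl, src, dst):
    """First matching entry wins; no match hits the implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

def routing_table_egress(dst):
    """Plain longest-prefix lookup, used only when PBR does not apply."""
    hits = [r for r in ROUTES if ipaddress.ip_address(dst) in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)[1]

def egress_for_reply(inside_host, remote_host):
    """PBR_VLAN1 fires when the 'workstations' ACL permits and pushes the packet to the
    DHCP gateway on FastEthernet1 (ADSL); a denied packet uses the routing table instead.
    The ACL matches addresses only, so a reply to an inbound RDP session looks like browsing."""
    if acl_action(WORKSTATIONS_ACL, inside_host, remote_host) == "permit":
        return "FastEthernet1"
    return routing_table_egress(remote_host)

def reply_is_symmetric(inside_host, remote_host, arrival_interface):
    """True when the reply leaves on the WAN the connection arrived on."""
    return egress_for_reply(inside_host, remote_host) == arrival_interface

if __name__ == "__main__":  # 203.0.113.10 is a constructed client address (TEST-NET-3)
    for host in ("192.168.2.240", "192.168.2.50"):
        print(host, [reply_is_symmetric(host, "203.0.113.10", w) for w in ("FastEthernet0", "FastEthernet1")])
```

The output shows 192.168.2.240 answering symmetrically on both WANs while 192.168.2.50 only does so on FastEthernet1, which is the behaviour reported above.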