02-14-2012 08:56 AM - edited 03-04-2019 03:15 PM
I am getting ready to deploy IP SLA with policy-based routing. I feel pretty confident that my IP SLA and PBR configuration is correct, although I have attached their configuration at the bottom of my post. My question is with the NAT statements: as long as both interfaces are up, all traffic will flow through the Comcast connection except for TCP traffic (25, 135). Both interfaces are set so that if one should fail, all traffic will go to the interface that is up. This is where the NAT statement is confusing me: do I need one or two ACLs for this, and are my ACLs for the NAT correct? My edge is a Cisco 2921 router; this router connects to an ASA firewall on the inside of the network.
Here is my CURRENT NAT configuration on the Cisco 2921: (currently only one ISP)
ip nat inside source route-map CAVTEL interface GigabitEthernet0/1 overload
ip nat inside source static tcp 172.20.5.49 25 190.90.90.90 25 extendable
ip nat inside source static tcp 172.20.5.49 80 190.90.90.90 80 extendable
ip nat inside source static tcp 172.20.5.49 135 190.90.90.90 135 extendable
ip nat inside source static tcp 172.20.5.49 443 190.90.90.90 443 extendable
ip nat inside source static tcp 172.20.5.53 3389 190.90.90.90 3389 extendable
route-map CAVTEL permit 10
match interface GigabitEthernet0/1
Here is what I am thinking for the new NAT statement (with the two ISPs):
ip access-list extended CAVTEL-NAT
permit tcp host 172.20.5.49 eq 25 host 190.90.90.90 eq 25
permit tcp host 172.20.5.49 eq 135 host 190.90.90.90 eq 135
permit tcp host 172.20.5.53 eq 3389 host 190.90.90.90 eq 3389
permit tcp host 172.20.5.49 eq 80 host 190.90.90.90 eq 80
permit tcp host 172.20.5.49 eq 443 host 190.90.90.90 eq 443
permit ip 172.20.0.0 0.0.7.255 any
ip access-list extended COMCAST-NAT
permit tcp host 172.20.5.49 eq 25 host 75.75.75.75 eq 25
permit tcp host 172.20.5.49 eq 135 host 75.75.75.75 eq 135
permit tcp host 172.20.5.53 eq 3389 host 75.75.75.75 eq 3389
permit tcp host 172.20.5.49 eq 80 host 75.75.75.75 eq 80
permit tcp host 172.20.5.49 eq 443 host 75.75.75.75 eq 443
permit ip 172.20.0.0 0.0.7.255 any
route-map CAVTEL permit 10
match ip address CAVTEL-NAT
match interface GigabitEthernet0/1
route-map COMCAST permit 20
match ip address COMCAST-NAT
match interface GigabitEthernet0/2
ip nat inside source route-map CAVTEL interface GigabitEthernet0/1 overload
ip nat inside source route-map COMCAST interface GigabitEthernet0/2 overload
Will this work, and if so, is it the best solution for what I am trying to accomplish?
IP SLA CONFIGURATION
ip sla 1
icmp-echo 8.8.8.8
frequency 4
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 190.90.90.91
frequency 4
ip sla schedule 2 life forever start-time now
track 10 rtr 1 reachability
delay down 1 up 1
track 20 rtr 2 reachability
delay down 1 up 1
ip route 0.0.0.0 0.0.0.0 75.75.75.76 track 10
ip route 0.0.0.0 0.0.0.0 190.90.90.91 track 20
ACCESS LISTS FOR PBR
ip access-list extended PBR-CAVTEL
permit tcp 172.20.0.0 0.0.7.255 any eq 25
permit tcp 172.20.0.0 0.0.7.255 any eq 135
ip access-list extended PBR-COMCAST
permit ip any any
ROUTE MAPS for POLICY Routing
route-map PBR permit 10
match ip address PBR-CAVTEL
set ip next-hop verify-availability 190.90.90.91 1 track 20
route-map PBR permit 20
match ip address PBR-COMCAST
set ip next-hop verify-availability 75.75.75.76 2 track 10
02-15-2012 12:19 PM
I implemented my configuration with some slight modifications and, as I feared, I had an issue with the e-mail. Once the Comcast (primary) connection came online the e-mail stopped working; as far as I could tell everything else worked fine. When both interfaces are up I want all traffic except for e-mail to flow through the COMCAST connection, and e-mail should flow through the CAVTEL (secondary) connection. If either connection should fail then all traffic should flow through the interface that is up. IP SLA appears to be working fine. I shut down the interfaces and brought them back up, then checked the IP SLA statistics, and all seemed to work properly.
I am not sure if my issue is my port forwarding, as the router is connected on the inside interface to an ASA firewall, or if the problem is with my policy routing. Here is my current config.
Current configuration : 4992 bytes
!
! Last configuration change at 19:02:49 UTC Wed Feb 15 2012 by
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip domain name
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2921/K9
!
!
redundancy
!
!
ip ssh version 2
!
track 10 ip sla 1 reachability
delay down 1 up 1
!
track 20 ip sla 2 reachability
delay down 1 up 1
!
!
!
!
interface GigabitEthernet0/0
description INSIDE-TO-ASA100Mbps
ip address 172.20.10.9 255.255.255.248
ip nat inside
ip virtual-reassembly
duplex full
speed 100
!
interface GigabitEthernet0/1
description OUTSITE-T1-CAVILER
ip address 88.88.88.88 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/2
description OUTSIDE-TO-COMCAST
ip address 75.75.75.75 255.255.255.252
ip nat outside
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
!
!
router eigrp 1
network 172.20.10.8 0.0.0.7
network 172.21.10.8 0.0.0.7
redistribute static
passive-interface default
no passive-interface GigabitEthernet0/0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map CAVTEL interface GigabitEthernet0/1 overload
ip nat inside source route-map COMCAST interface GigabitEthernet0/2 overload
ip nat inside source static tcp 172.20.5.49 25 75.75.75.75 25 extendable
ip nat inside source static tcp 172.20.5.49 80 75.75.75.75 80 extendable
ip nat inside source static tcp 172.20.5.49 135 75.75.75.75 135 extendable
ip nat inside source static tcp 172.20.5.49 443 75.75.75.75 443 extendable
ip nat inside source static tcp 172.20.5.53 3389 75.75.75.75 3389 extendable
ip nat inside source static tcp 172.20.5.49 25 88.88.88.88 25 extendable
ip nat inside source static tcp 172.20.5.49 80 88.88.88.88 80 extendable
ip nat inside source static tcp 172.20.5.49 135 88.88.88.88 135 extendable
ip nat inside source static tcp 172.20.5.49 443 88.88.88.88 443 extendable
ip nat inside source static tcp 172.20.5.53 3389 88.88.88.88 3389 extendable
ip route 0.0.0.0 0.0.0.0 75.75.75.76 track 10
ip route 0.0.0.0 0.0.0.0 88.88.88.89 track 20
ip route 8.8.8.8 255.255.255.255 75.75.75.76
!
ip access-list standard NATPermit
permit 172.20.0.0 0.0.7.255
permit 172.20.20.0 0.0.0.255
permit 172.20.100.0 0.0.0.255
permit 172.20.10.0 0.0.0.7
permit 172.20.10.8 0.0.0.7
!
ip access-list extended OUTSIDE-ACCESS-IN
permit tcp any host 172.20.5.53 eq 3389
permit tcp any host 172.20.5.49 eq 443
permit tcp any host 172.20.5.49 eq www
permit tcp any host 172.20.5.49 eq smtp
ip access-list extended PBR-CAVTEL
permit tcp 172.20.0.0 0.0.7.255 any eq smtp
permit tcp 172.20.0.0 0.0.7.255 any eq 135
ip access-list extended PBR-COMCAST
permit ip any any
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/2
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 88.88.88.89 source-interface GigabitEthernet0/1
frequency 5
ip sla schedule 2 life forever start-time now
logging 172.20.5.55
!
!
!
!
route-map CAVTEL permit 10
match ip address NATPermit
match interface GigabitEthernet0/1
!
route-map PBR permit 10
match ip address PBR-CAVTEL
set ip next-hop verify-availability 88.88.88.89 1 track 20
!
route-map PBR permit 20
match ip address PBR-COMCAST
set ip next-hop verify-availability 75.75.75.76 2 track 10
!
route-map COMCAST permit 10
match ip address NATPermit
match interface GigabitEthernet0/2
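Both the proposed configuration in the first post and the running config in the second post raise the same review questions: does every static NAT land on an interface that is marked `ip nat outside`, is each PBR next-hop tied to the same track object as the default route through that hop, and is every ACL that is defined actually applied somewhere? The script below is an added example, not Cisco code and not the poster's own; it parses running-config text with regular expressions and reports those three things. The embedded sample is a trimmed copy of the posted config, and the check names and message wording are my own choices. On the posted config it reports that `OUTSIDE-ACCESS-IN` is defined but never applied, and that both outside interfaces carry static NATs with no inbound access-group.

```python
"""Audit a dual-ISP Cisco IOS config for NAT / PBR / IP SLA consistency.

Added example for this thread; not Cisco code and not the poster's script.
It parses 'show running-config' text and flags three defender-relevant gaps:
static NATs on an interface without an inbound ACL, PBR next-hops tracked by
a different object than the default route through the same hop, and ACLs
that are defined but never applied or referenced.
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the running config posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 172.20.10.9 255.255.255.248
 ip nat inside
interface GigabitEthernet0/1
 ip address 88.88.88.88 255.255.255.248
 ip nat outside
interface GigabitEthernet0/2
 ip address 75.75.75.75 255.255.255.252
 ip nat outside
ip nat inside source static tcp 172.20.5.49 25 75.75.75.75 25 extendable
ip nat inside source static tcp 172.20.5.49 25 88.88.88.88 25 extendable
ip nat inside source static tcp 172.20.5.53 3389 88.88.88.88 3389 extendable
ip route 0.0.0.0 0.0.0.0 75.75.75.76 track 10
ip route 0.0.0.0 0.0.0.0 88.88.88.89 track 20
ip access-list extended OUTSIDE-ACCESS-IN
 permit tcp any host 172.20.5.53 eq 3389
route-map PBR permit 10
 set ip next-hop verify-availability 88.88.88.89 1 track 20
route-map PBR permit 20
 set ip next-hop verify-availability 75.75.75.76 2 track 10
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^ ip address (\S+) \S+")
NAT_SIDE_RE = re.compile(r"^ ip nat (inside|outside)")
ACCESS_GROUP_RE = re.compile(r"^ ip access-group (\S+) in")
STATIC_NAT_RE = re.compile(r"^ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)")
DEFAULT_ROUTE_RE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+) track (\d+)")
PBR_HOP_RE = re.compile(r"^ set ip next-hop verify-availability (\S+) \d+ track (\d+)")
ACL_DEF_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)")


def parse_config(text):
    """Extract the objects the audit needs from running-config text."""
    cfg = {"interfaces": {}, "static_nat": [], "default_routes": {},
           "pbr_hops": {}, "acls": set(), "lines": text.splitlines()}
    current = None  # interface block we are currently inside, if any
    for line in cfg["lines"]:
        if not line.startswith(" "):
            current = None  # any top-level command ends the interface block
        if m := IFACE_RE.match(line):
            current = cfg["interfaces"].setdefault(
                m.group(1), {"ip": None, "nat": None, "acl_in": None})
        elif current is not None:
            if m := ADDR_RE.match(line):
                current["ip"] = m.group(1)
            elif m := NAT_SIDE_RE.match(line):
                current["nat"] = m.group(1)
            elif m := ACCESS_GROUP_RE.match(line):
                current["acl_in"] = m.group(1)
        elif m := STATIC_NAT_RE.match(line):
            cfg["static_nat"].append(m.groups())  # inside ip, port, outside ip, port
        elif m := DEFAULT_ROUTE_RE.match(line):
            cfg["default_routes"][m.group(1)] = m.group(2)  # next-hop -> track id
        elif m := PBR_HOP_RE.match(line):
            cfg["pbr_hops"][m.group(1)] = m.group(2)  # next-hop -> track id
        elif m := ACL_DEF_RE.match(line):
            cfg["acls"].add(m.group(1))
    return cfg


def audit(cfg):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    by_ip = {d["ip"]: name for name, d in cfg["interfaces"].items() if d["ip"]}
    exposed = defaultdict(list)
    # 1. Every static NAT must sit on an 'ip nat outside' interface that filters inbound.
    for inside_ip, port, outside_ip, _ in cfg["static_nat"]:
        iface = by_ip.get(outside_ip)
        data = cfg["interfaces"].get(iface)
        if data is None or data["nat"] != "outside":
            findings.append(f"static NAT {outside_ip}:{port} -> {inside_ip}:{port} "
                            "is not on an 'ip nat outside' interface")
        elif data["acl_in"] is None:
            exposed[iface].append(f"{inside_ip}:{port}")
    for iface in sorted(exposed):
        findings.append(f"{iface} has static NAT to {', '.join(exposed[iface])} "
                        "but no inbound access-group")
    # 2. A PBR next-hop and the default route through it must share one track object,
    #    otherwise failover can disagree between policy-routed and normally-routed traffic.
    for hop, track in cfg["pbr_hops"].items():
        route_track = cfg["default_routes"].get(hop)
        if route_track != track:
            findings.append(f"PBR next-hop {hop} is tracked by {track} "
                            f"but its default route by {route_track}")
    # 3. An ACL that nothing references is usually a filter someone forgot to apply.
    for acl in sorted(cfg["acls"]):
        refs = [ln for ln in cfg["lines"] if acl in ln and not ACL_DEF_RE.match(ln)]
        if not refs:
            findings.append(f"ACL {acl} is defined but never applied or referenced")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Feed it the output of `show running-config` saved to a file in place of `SAMPLE_CONFIG`; the third check is deliberately a plain substring search so it also catches references from `match ip address` and `ip access-group` lines without needing a parser for every feature that can name an ACL.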
02-15-2012 02:58 PM
02-16-2012 06:16 AM
Thanks Marwanshawi, but I had already looked over that doc.
Actually, after looking over everything again and again and not seeing an error, it finally hit me. It had nothing to do with the router or firewall; it was an Exchange and DNS issue. I needed to add a new DNS record and adjust the Exchange send connector. Now that I have done that, the mail flow goes on uninterrupted.