09-04-2014 08:11 PM - edited 03-04-2019 11:41 PM
Hi,
I need incoming connections to port 3389 to come in via ISP1, and incoming connections to port 5800 to come in via ISP2. I configured the following config, but it is not working. Could you help me?
And I need another config: IP SLA to control outbound traffic from inside to any destination (except ports 3389 and 5800). ISP1 is the primary link; when this link is down, ISP2 stays active for outbound traffic.
interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map internet
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 2.2.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 3.3.3.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip nat inside source list nat-isp1 interface GigabitEthernet0/1 overload
ip nat inside source list nat-isp2 interface GigabitEthernet0/2 overload
ip access-list extended nat-isp1
permit ip any any
ip access-list extended nat-isp2
permit ip any any
ip nat inside source static tcp 1.1.1.3 5800 3.3.3.2 5800 extendable
ip nat inside source static tcp 1.1.1.3 3389 2.2.2.2 3389 extendable
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip route 0.0.0.0 0.0.0.0 3.3.3.1
ip access-list extended pbr-isp1
permit tcp any any eq 3389
ip access-list extended pbr-isp2
permit tcp any any eq 5800
route-map internet permit 20
match ip address pbr-isp1
set ip next-hop 2.2.2.1
set interface GigabitEthernet0/1
!
route-map internet permit 30
match ip address pbr-isp2
set ip next-hop 3.3.3.1
set interface GigabitEthernet0/2
!
09-05-2014 02:59 AM
Hello,
You do have to configure two route-maps for the NAT translation:
route-map ISP1 permit 10
match interface GigabitEthernet0/1
match ip address nat-isp1
route-map ISP2 permit 10
match interface GigabitEthernet0/2
match ip address nat-isp1 (you can reuse the same ACL if there is no need for different entries)
ip nat inside source route-map ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/2 overload
The "set interface xy" statements in the 'internet' route-map are not necessary. However, you have to configure a permit 40 sequence (route-map internet permit 40) without any statements to ensure that all other traffic is handled by the normal routing table.
kind regards
Lukasz
EDIT:
The pbr-isp1 and pbr-isp2 ACLs are wrong, too:
The TCP ports 3389 and 5800 are, in that case, the source ports, not the destination ports. The ACLs should look like:
ip access-list extended pbr-isp1
permit tcp any eq 3389 any
ip access-list extended pbr-isp2
permit tcp any eq 5800 any
09-09-2014 05:18 PM
Hi LukaszTJB,
Sorry for the late reply. I need help again. I've configured it this way; the IP SLA is working, but when ISP2 comes up, the NAT table doesn't clear automatically. I tried EEM but had no success.
I need another thing: suppose the active link is ISP1; I need the incoming connections from ISP2 on port 5800 to keep working.
=====================================================================
Interfaces:
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map internet
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 2.2.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 3.3.3.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
!
=============================================================
NATs:
ip nat inside source route-map ISP2 interface GigabitEthernet0/1 overload
ip nat inside source route-map ISP1 interface GigabitEthernet0/2 overload
==================================================================
Routes and IP SLA:
ip route 0.0.0.0 0.0.0.0 2.2.2.1 track 10
ip route 0.0.0.0 0.0.0.0 3.3.3.1 254
!
track 10 ip sla 1 reachability
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/2
threshold 5
frequency 5
ip sla schedule 1 life forever start-time now
ip sla responder
!
!
=======================================================
Configs to ISP1:
ip access-list extended acl-ISP1
deny tcp any eq 5800 any
permit ip any any
permit icmp any any
ip access-list extended nat-ISP1
permit ip 1.1.1.0 0.0.0.255 any
!
route-map internet permit 10
match ip address acl-ISP1
match interface GigabitEthernet0/2
set ip next-hop 2.2.2.1
route-map ISP1 permit 10
match ip address nat-ISP1
match interface GigabitEthernet0/2
!
==============================================================
Configs to ISP2:
ip nat inside source static tcp 1.1.1.3 5800 3.3.3.2 5800 extendable
ip access-list extended nat-ISP2
permit ip 1.1.1.0 0.0.0.255 any
ip access-list extended acl-ISP2
permit tcp any eq 5800 any
deny ip any any
route-map internet permit 20
match ip address acl-ISP2
match interface GigabitEthernet0/1
set ip next-hop 3.3.3.1
!
route-map ISP2 permit 10
match ip address nat-ISP2
match interface GigabitEthernet0/1
!
=============================================================
EEM :
event manager applet Clear_NAT
event track 10 state any
action 0.0 cli command "enable"
action 1.0 cli command "clear ip nat translation forced *"
action 3.0 syslog msg "WAN failover, cleared NAT"
09-10-2014 12:35 AM
Hello,
The configuration has changed here a bit. The default routes are not equal cost any more. Now you have a preferred route through ISP1, while ISP2 has a metric of 254 and only comes into play if the ISP1 SLA goes into the down state.
The IP SLA configuration doesn't make sense to me here. You want to track the state of ISP1 and the default route, but you are using gig0/2 as the source interface, which is connected to ISP2 (according to the IP addresses). I can't see a static route to 8.8.8.8 either. The SLA should never go into the up state because there is no route to the Google DNS.
You should change the source interface to gig0/0 for ip sla 1 and add a static route to the Google DNS (ip route 8.8.8.8 255.255.255.255 2.2.2.1).
With the routing table in your recent post you can configure the route-map a bit differently. Configure only TCP port 5800 to use ISP2 and let the routing table handle the rest:
route-map internet permit 10
match ip address acl-ISP2
set ip next-hop 3.3.3.1
route-map internet permit 20
The line "route-map internet permit 20" with no other statements is important to ensure that all other traffic is handled by the normal routing table and goes to ISP1.
To clear the NAT table if ISP1 goes down you can try:
EEM :
event manager applet Clear_NAT
event track 10 state down
action 0.0 cli command "enable"
action 1.0 cli command "clear interface gigabitEthernet 0/1"
action 2.0 syslog msg "WAN failover, cleared NAT"
This should clear all translations associated with gig0/1. I'm not sure if it works with a static IP configuration, but it works for dynamic IP addresses for sure.
If I misunderstood you here, please clarify your goals and post your full configuration. You can mask all security-sensitive information like password hashes, host names, IP addresses, certificates etc.
kind regards
Lukasz
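Added example, not part of the thread and not code from either poster: a small Python model of the forwarding decision discussed in the two replies above (the ACL direction for the port-5800 return traffic in the first reply, and the tracked default route plus the host route for the SLA target in the last one). The ACL lines, route-map sequences and static routes are transcribed from the posts; the client addresses, the probe source address, the track_state dictionary, the Packet/AclEntry/StaticRoute classes and the forward() function are constructed for the example, and NAT itself is not modelled. Run it to see that with "permit tcp any any eq 5800" the server's reply from source port 5800 is not matched and leaves via ISP1 (asymmetric to the static NAT on 3.3.3.2), that the corrected "permit tcp any eq 5800 any" pins it to 3.3.3.1 whether or not track 10 is up, and that the 8.8.8.8/32 host route keeps the SLA probe on ISP1 even after failover, which is what stops the probe from succeeding over ISP2 and flapping the track back up.

```python
"""Model of an IOS forwarding decision with policy routing, the routing table
and a tracked default route.  Added example for this thread, not router code:
the ACLs, route-map sequences and static routes posted above are re-created as
Python data and constructed packets are evaluated against them."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class AclEntry:
    """'permit tcp any eq 5800 any' -> AclEntry("permit", "tcp", "any", 5800, "any", None)"""
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

def _in(net, addr):
    return net == "any" or ip_address(addr) in ip_network(net)

def acl_match(acl, pkt):
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not _in(e.src, pkt.src) or not _in(e.dst, pkt.dst):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False

@dataclass(frozen=True)
class RouteMapSeq:
    acl: Optional[list]       # None: sequence with no match statement
    next_hop: Optional[str]   # None: no 'set ip next-hop'

def pbr_next_hop(route_map, pkt):
    """Next hop set by PBR, or None when the packet is left to the routing table
    (it matched a sequence without a set, or matched no sequence at all)."""
    for seq in route_map:
        if seq.acl is None or acl_match(seq.acl, pkt):
            return seq.next_hop
    return None

@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    next_hop: str
    distance: int = 1         # administrative distance
    track: Optional[int] = None

def rib_next_hop(routes, dst, track_state):
    """Longest prefix wins, then lowest administrative distance; a route tied to
    a track object is withdrawn while that object is down."""
    usable = [r for r in routes if ip_address(dst) in ip_network(r.prefix)
              and (r.track is None or track_state.get(r.track, True))]
    best = max(usable, key=lambda r: (ip_network(r.prefix).prefixlen, -r.distance), default=None)
    return best.next_hop if best else None

def forward(pkt, route_map, routes, track_state):
    """PBR on the inside interface runs first; the routing table handles the rest."""
    return pbr_next_hop(route_map, pkt) or rib_next_hop(routes, pkt.dst, track_state)

# pbr-isp2 as first posted ('permit tcp any any eq 5800': port in the destination slot)
PBR_ISP2_WRONG = [AclEntry("permit", "tcp", "any", None, "any", 5800)]
# pbr-isp2 as corrected in the reply ('permit tcp any eq 5800 any': port in the source slot)
PBR_ISP2_FIXED = [AclEntry("permit", "tcp", "any", 5800, "any", None)]

def route_map_internet(acl):
    """Sequence 10 steers ACL matches to ISP2; the empty sequence 20 lets the
    rest fall back to the routing table."""
    return [RouteMapSeq(acl, "3.3.3.1"), RouteMapSeq(None, None)]

ROUTES = [
    StaticRoute("0.0.0.0/0", "2.2.2.1", 1, track=10),  # ISP1, withdrawn while track 10 is down
    StaticRoute("0.0.0.0/0", "3.3.3.1", 254),           # ISP2, floating backup
    StaticRoute("8.8.8.8/32", "2.2.2.1"),               # host route for the SLA probe target
]

# Constructed packets; the client addresses are documentation ranges, not from the thread.
REPLY_5800 = Packet("1.1.1.3", 5800, "198.51.100.7", 51234)   # server answering a port-5800 client
OUTBOUND = Packet("1.1.1.10", 40000, "203.0.113.5", 443)       # ordinary inside-to-internet flow
SLA_PROBE = Packet("1.1.1.1", 0, "8.8.8.8", 0, proto="icmp")  # icmp-echo from ip sla 1, sourced on gig0/0

if __name__ == "__main__":  # quick demonstration
    print(forward(REPLY_5800, route_map_internet(PBR_ISP2_WRONG), ROUTES, {10: True}))  # 2.2.2.1: wrong ISP
    print(forward(REPLY_5800, route_map_internet(PBR_ISP2_FIXED), ROUTES, {10: True}))  # 3.3.3.1
    print(forward(OUTBOUND, route_map_internet(PBR_ISP2_FIXED), ROUTES, {10: False}))   # 3.3.3.1: failover
    print(forward(SLA_PROBE, route_map_internet(PBR_ISP2_FIXED), ROUTES, {10: False}))  # 2.2.2.1: host route
```

The model deliberately treats a route-map with no matching sequence and an empty permit sequence the same way (fall back to the routing table); what it does show is that the port position in the ACL is what decides whether the static-NAT return traffic ever reaches the "set ip next-hop 3.3.3.1" line at all.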