PBR & Dual WAN Connections & Cisco Client VPN and Site-to-site VPN

drstokes76
Level 1

I have been trying, with some success, to set up a Cisco 1841 router with 2 internet connections.

I have one SDSL (connected to F0/1) and an ADSL connection (Dialer0).

I want priority business traffic to use the SDSL.

Normal web browsing should use the ADSL.

Site-to-site VPN traffic should go over the SDSL, as well as client connections.

We also have a number of servers in the DMZ which use IPs on the SDSL line.

I had managed to setup most of what I needed but I keep hitting some problems when I come to testing things like client VPNs (where the return traffic is going out the wrong interface).

I have NAT statements using route-maps to NAT with the interface IP using the overload command.

I'd put in static routes for accessing our servers in another DC over the S2S VPN.

The default route is set as Dialer0 (ADSL).

I thought I'd get away without using Policy Based Routing, but I think I'm going to have to use it, and I keep running up against problems.

A simpler config, I guess, would be to have all traffic go out the SDSL except for web browsing, Messenger traffic, and guest network traffic. Could someone advise how I can use PBR to do this? I've seen some examples saying to use the same route-map for the PBR and for NAT, and others that say to use separate ones and in the NAT route-maps also match on interface, although this never seems to work.

I also have a problem where some internal addresses are being NAT'd to the external IP of the router and then this IP is being NAT'd again to a different port. I think this may be because I have multiple NAT statements, although I can't see one that would NAT the external address again.

I do have a config, but it's fairly large and probably needs to have a lot of IPs taken out of it before I can submit it here.

1 Reply

drstokes76
Level 1

I guess it may be easier if I break down my issues.

The first is that I can ping a website by name without problem, but I cannot browse to it.

If I do a show ip nat translations, I can see NAT translations for the client's local IP to that of the router.

But then I see a further translation for the router's IP to another port. I had this previously when I had more than 1 IP NAT statement, but I only have the 1 for this interface (dialer0) now.

tcp 213.120.5.9:60853 172.17.1.1:60853      173.194.37.104:80     173.194.37.104:80

tcp 213.120.5.9:1084  213.120.5.9:60853 173.194.37.104:80     173.194.37.104:80

I have the following NAT statements:
ip nat inside source route-map RMAP-AsteriskNAT pool AsteriskNAT
ip nat inside source route-map RMAP-NAT-ADSL interface Dialer0 overload  ------- only this one should get used (213.120.5.9 is the IP on the interface)
ip nat inside source route-map RMAP-SDSL interface FastEthernet0/1 overload
!
interface FastEthernet0/0.110
description $ETH-LAN$$FW_INSIDE$
encapsulation dot1Q 110
ip address 172.17.1.254 255.255.255.0
ip access-group ACL-in-LiveClients in
ip inspect CCP_MEDIUM in
ip nat inside
ip virtual-reassembly
ip policy route-map RMAP-PBR
!
interface FastEthernet0/1
description $FW_OUTSIDE$$ETH-WAN$
ip address 87.xx.xx.109 255.255.255.240
ip access-group ACL-in-Outside in
ip verify unicast reverse-path
ip nbar protocol-discovery
ip inspect CCP_MEDIUM out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
snmp trap ip verify drop-rate
crypto map VPN-xxxx-Office
!
interface Dialer0
ip address negotiated
ip access-group ACL-in-Outside in
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxx
!
sh route-map RMAP-PBR
route-map RMAP-PBR, deny, sequence 5
  Match clauses:
    ip address (access-lists): ACL-Internal-to-Internal
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map RMAP-PBR, permit, sequence 10
  Match clauses:
    ip address (access-lists): ACL-Internal-to-SDSL
  Set clauses:
    ip next-hop 87.86.xx.xx
  Policy routing matches: 0 packets, 0 bytes
route-map RMAP-PBR, permit, sequence 20
  Match clauses:
    ip address (access-lists): ACL-Internal-to-ADSL
  Set clauses:
    interface Dialer0
  Policy routing matches: 806 packets, 84389 bytes
!
Extended IP access list ACL-Internal-to-ADSL
    5 permit icmp object-group Network-LiveClients any (2421 matches)
    10 permit ip object-group Network-LiveClients any (6483 matches)
    20 permit ip object-group Network-Guest any
    30 deny ip any any log (244 matches)
!
Network object group Network-Guest
192.168.254.0 255.255.255.0
!
Network object group Network-LiveClients
172.17.1.0 255.255.255.0
Hope someone can help.
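As an added illustration of the dual-ISP NAT pattern the post asks about (this is not the poster's configuration and has not been confirmed as the fix for this case): each NAT statement's route-map matches both the inside source ACL and the egress interface, so a packet can only be translated by the statement for the interface it actually leaves on, and the ACL excludes the site-to-site VPN destination so that traffic is not translated before encryption. ACL-NAT-LAN and the 10.10.0.0/24 remote network are assumed placeholders; the interface and route-map names are taken from the post.

```cisco
! Added example, not the original poster's configuration.
! ACL-NAT-LAN is an assumed name; 10.10.0.0/24 is a placeholder for the
! remote site-to-site VPN LAN (substitute the real network).
ip access-list extended ACL-NAT-LAN
 remark Do not translate traffic bound for the S2S VPN peer LAN (deny = no NAT)
 deny   ip 172.17.1.0 0.0.0.255 10.10.0.0 0.0.0.255
 permit ip 172.17.1.0 0.0.0.255 any
 permit ip 192.168.254.0 0.0.0.255 any
!
! One route-map per WAN. Match clauses of different types are ANDed, so
! "match interface" ties the translation to the egress interface chosen by
! routing or PBR and only one NAT statement can match a given packet.
route-map RMAP-NAT-ADSL permit 10
 match ip address ACL-NAT-LAN
 match interface Dialer0
!
route-map RMAP-SDSL permit 10
 match ip address ACL-NAT-LAN
 match interface FastEthernet0/1
!
ip nat inside source route-map RMAP-NAT-ADSL interface Dialer0 overload
ip nat inside source route-map RMAP-SDSL interface FastEthernet0/1 overload
!
! After changing NAT rules, clear the existing entries so stale translations
! are not reused, then check which dynamic mapping is being hit:
! clear ip nat translation *
! show ip nat statistics
```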