PBR Portforwarding not working on Dual ISP

AndersBramsen
Level 1

Hi there... finally got this thing almost working.

But I'm not able to point it to my secondary ISP (my other public IP).

What am I missing? Can anyone point me in the right direction?

Example... if I would like my SMTP to work on ISP number 2, it should be something like this, right?

ip nat inside source static tcp 10.10.10.2 25 interface Gigabit 0 25

But that's not working, only when I point it to my Cel 0 interface.

I should perhaps mention:

ADSL is Gigabit 0

3G is Cel 0

Since there is a data plan, I'd like to (move) some of the traffic to the slower ADSL, which has a flat rate... unlimited data.

ASA outside 10.10.10.2

Router Vlan1 10.10.10.1

Network inside 192.168.0.10

And the ASA is doing NAT, I think, and VPN.

Here is the running config:

no aaa new-model
no ip source-route
ip cef
!
no ip bootp server
ip domain timeout 1
no ip domain lookup
ip domain name it-kon.dk
ip name-server 192.168.0.2
ip name-server 208.67.222.222
no ipv6 cef
!
!
multilink bundle-name authenticated
chat-script gsm "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
license udi pid C819HG+7-K9 sn FCZ1606C0BY
!
!
!
controller Cellular 0
 gsm sim primary slot 1
 gsm failovertimer 7
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh version 2
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
no crypto ipsec nat-transparency udp-encapsulation
!
interface Cellular0
 description To ISP 1 (3G)$FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 load-interval 60
 dialer in-band
 dialer idle-timeout 900
 dialer string gsm
 dialer-group 2
 async mode interactive
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 description Wan port to ADSL
 ip address dhcp client-id GigabitEthernet0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Serial0
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map reroute10traffic
!
interface Dialer0
 ip address negotiated
 encapsulation slip
 dialer pool 2
 dialer idle-timeout 0
 dialer string gsm
 dialer persistent
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip dns view default
 domain timeout 1
 no dns forwarding
!
ip nat inside source static tcp 10.10.10.2 50 interface Cellular0 50
ip nat inside source static tcp 10.10.10.2 51 interface Cellular0 51
ip nat inside source static udp 10.10.10.2 500 interface Cellular0 500
ip nat inside source static udp 10.10.10.2 4500 interface Cellular0 4500
ip nat inside source static tcp 10.10.10.2 25 interface Cellular0 25
ip nat inside source static tcp 10.10.10.2 443 interface Cellular0 443
ip nat inside source static tcp 10.10.10.2 5567 interface Cellular0 5567
ip nat inside source static udp 10.10.10.2 5881 interface Cellular0 5881
!
ip nat inside source route-map nat_isp1 interface Cellular0 overload
ip nat inside source route-map nat_isp2 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
!
ip access-list extended nat_isp1
 permit tcp 10.10.10.0 0.0.0.255 any
ip access-list extended nat_isp2
 permit ip 10.10.10.0 0.0.0.255 any
!
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.3
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit any
access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq www
access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 443
access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq smtp
access-list 101 permit udp 10.10.10.0 0.0.0.255 any eq domain
access-list 101 permit udp 10.10.10.0 0.0.0.255 any eq 5881
access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 5567
!
dialer-list 1 protocol ip list 1
dialer-list 2 protocol ip permit
!
route-map reroute10traffic permit 10
 match ip address 101
 match interface GigabitEthernet0
 set ip next-hop 95.166.108.1
!
route-map nat_isp2 permit 10
 match ip address nat_isp2
 match interface GigabitEthernet0
 set ip next-hop 95.166.108.1
!
route-map nat_isp1 permit 10
 match ip address nat_isp1
 match interface Cellular0
!
!
control-plane
!
!
banner login ^Access for authorized personal only!!!^
!
line con 0
 no modem enable
line aux 0
line 3
 exec-timeout 0 0
 script dialer gsm
 login
 modem InOut
 no exec
 transport input all
 rxspeed 21600000
 txspeed 5760000
line vty 0 4
 access-class 23 in
 privilege level 15
 logging synchronous
 login local
 transport input ssh
!
scheduler allocate 20000 1000
!
end

cadet alain
VIP Alumni

Hi,

Provided you want outgoing SMTP as well as the other traffic referenced in ACL 101 to go through the ADSL link, you should do this:

route-map nat_isp2 permit 10
 no set ip next-hop 95.166.108.1

route-map reroute10traffic permit 10
 no match interface GigabitEthernet0

Regards.

Alain

Don't forget to rate helpful posts.

AndersBramsen
Level 1

Hi Alain, thx for the help... but the problem is not from inside and out... it's the other way:
Outside to inside

Sent from Cisco Technical Support iPhone App

Hi,

The PBR config you have done is for outgoing traffic, not incoming traffic. Inbound traffic engineering can be done with BGP, but not on a per-traffic-type basis; it can also be done with PfR, but I've never tried this yet so I'm not aware of the restrictions.

Regards.

Alain

Don't forget to rate helpful posts.

Abzal
Level 7

Hi,

I'm not sure, but it seems to me that the problem is that when you put static NAT on both outside interfaces, return traffic fails to come back. That's why it is working fine only with one static NAT entry. It's just my theory. I can be wrong.

Here an author had the same (not exactly) problem and a solution was found. You may try it.

https://supportforums.cisco.com/message/3299022#3299022

I think this link will also be helpful for anyone to understand in what order packets get processed:

http://book.soundonair.ru/cisco/ch24lev1sec1.html#ch24table01

Hope it will help.

Best regards,
Abzal
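Added example (not from the thread and not Cisco code): a small Python model of the exit-interface decision in the posted config, built from the thread's own ACL 101, the reroute10traffic next hop and the single default route. It shows the point Alain and Abzal are making from two sides: the reply of an inbound SMTP session never matches ACL 101 (which tests the destination port), so it follows the Cellular0 default route whichever ISP the client came in on. The client address 203.0.113.10 and the ephemeral ports are constructed.

```python
# Constructed model (not from the thread) of how the poster's router chooses the exit
# interface for packets arriving from the inside network. It keeps only the pieces that
# decide the SMTP case: the policy route-map on Vlan1 (ACL 101) and the default route.
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.10.10.0/24")   # 10.10.10.0 0.0.0.255 in ACL 101
# access-list 101 from the posted config: inside source to these DESTINATION ports
ACL_101 = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53), ("udp", 5881), ("tcp", 5567)}
PBR_EXIT = "GigabitEthernet0"   # set ip next-hop 95.166.108.1 reaches the ADSL gateway
DEFAULT_EXIT = "Cellular0"      # ip route 0.0.0.0 0.0.0.0 Cellular0

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def matches_acl_101(pkt: Packet) -> bool:
    """Extended ACL: source inside 10.10.10.0/24 and the destination port listed."""
    return ipaddress.ip_address(pkt.src_ip) in INSIDE and (pkt.proto, pkt.dst_port) in ACL_101

def egress_interface(pkt: Packet) -> str:
    """Policy routing on the inbound Vlan1 interface wins; otherwise the routing table."""
    return PBR_EXIT if matches_acl_101(pkt) else DEFAULT_EXIT

def reply_is_symmetric(arrival_if: str, reply: Packet) -> bool:
    """A forwarded session only survives if the server's reply leaves on the ISP it came in on."""
    return egress_interface(reply) == arrival_if

# Outbound mail from the ASA to a remote MX (203.0.113.10 is a constructed test address).
OUTBOUND_SMTP = Packet("tcp", "10.10.10.2", 40000, "203.0.113.10", 25)
# Reply of an INBOUND session: the server answers from port 25 to the client's ephemeral
# port, so the destination port is not 25 and ACL 101 never matches it.
INBOUND_SMTP_REPLY = Packet("tcp", "10.10.10.2", 25, "203.0.113.10", 51515)

if __name__ == "__main__":
    print("outbound SMTP leaves via", egress_interface(OUTBOUND_SMTP))               # GigabitEthernet0
    print("inbound-session reply leaves via", egress_interface(INBOUND_SMTP_REPLY))  # Cellular0
    for isp in (DEFAULT_EXIT, PBR_EXIT):
        print(f"forward on {isp}: symmetric={reply_is_symmetric(isp, INBOUND_SMTP_REPLY)}")
```

Running it shows the asymmetry: forwarding port 25 on Cellular0 is symmetric, forwarding it on GigabitEthernet0 is not, which matches what the poster observes.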