Possible Asymmetric routing problem

BluePho982
Level 1

Hello everybody. I have a Cisco 2801 with dual ADSL WAN.
I can reach only one of the two WAN IPs at a time: I can ping one but not the other, and so I can reach 192.168.1.101 only sometimes.

I think it's an asymmetric routing problem, right? How can I solve it?

This is my config:

ip dhcp pool LAN_1
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
!
ip cef
no ip domain lookup
multilink bundle-name authenticated

interface FastEthernet0/0
 description -> SWITCH
 ip address 192.168.1.1 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/3/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/3/0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface Dialer0
 ip address x.x.x.x 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ...
 no cdp enable
!
interface Dialer1
 ip address y.y.y.y 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 2
 ppp authentication chap callin
 ...
 no cdp enable
!
ip forward-protocol nd
!
!
ip http server

ip nat inside source static tcp 192.168.1.101 80 interface Dialer1 80
ip nat inside source route-map lan-wan-pri interface Dialer0 overload
ip nat inside source route-map lan-wan-sec interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
logging esm config
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
route-map lan-wan-sec permit 10
 match ip address 110
 match interface Dialer1
!
route-map lan-wan-pri permit 10
 match ip address 110
 match interface Dialer0
!
!

12 Replies

trfinkenstadt
Level 1

Hi,

When you say you can only reach 192.168.1.101 some of the time, you really mean you can only reach y.y.y.y:80 during that time? It looks like you are doing load-balancing NAT outbound from your site. You can solve this by doing policy-based routing based on the source IP:port coming in Fast0/0 to force it out through Dialer1:

ip access-list extended PBR-WEB-ACL
 permit tcp host 192.168.1.101 eq 80 any
!
route-map PBR-WEB-RM permit 10
 match ip address PBR-WEB-ACL
 set ip next-hop y.y.y.y
!
int fast0/0
 ip policy route-map PBR-WEB-RM

HTH,

tim

Even if I get the following result, I can't reach 192.168.1.101...

For example:

Pro Inside global         Inside local          Outside local         Outside global
tcp y.y.y.y:80      192.168.1.101:80      79.25.112.38:56132    79.25.112.38:56132
tcp y.y.y.y:80      192.168.1.101:80      79.25.112.38:56133    79.25.112.38:56133
tcp y.y.y.y:80      192.168.1.101:80      79.25.112.38:56134    79.25.112.38:56134
tcp y.y.y.y:80      192.168.1.101:80      79.25.112.38:56135    79.25.112.38:56135
tcp y.y.y.y:80      192.168.1.101:80      79.25.112.38:56136    79.25.112.38:56136
tcp y.y.y.y:80      192.168.1.101:80      79.25.112.38:56137    79.25.112.38:56137
tcp y.y.y.y:80      192.168.1.101:80      151.19.34.161:56999   151.19.34.161:56999
tcp y.y.y.y:80      192.168.1.101:80      ---                   ---

Extended IP access list 110
    10 permit ip 192.168.1.0 0.0.0.255 any
Extended IP access list 112
    10 permit tcp host 192.168.1.101 eq www any (183 matches)
    20 permit udp host 192.168.1.101 range 0 65535 any (48 matches)

Those outputs show inbound connections but do not confirm two-way traffic. You should go with a PBR setup like trfinkenstadt mentioned.

I tried a PBR config like this, but it doesn't work:

interface FastEthernet0/0
 description -> SWITCH
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map webcam-routing-patch
 duplex auto
 speed auto

.......

ip http server
ip nat inside source static tcp 192.168.1.101 80 interface Dialer1 80
ip nat inside source route-map lan-wan-pri interface Dialer0 overload
ip nat inside source route-map lan-wan-sec interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer0
!        
logging esm config
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 deny   ip host 192.168.1.101 any
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 112 permit tcp host 192.168.1.101 eq www any
access-list 112 permit udp host 192.168.1.101 range 0 65535 any


route-map webcam-routing-patch permit 10
 match ip address 112
 set ip next-hop y.y.y.y
!        
route-map lan-wan-sec permit 10
 match ip address 110
 match interface Dialer1
!        
route-map lan-wan-pri permit 10
 match ip address 111
 match interface Dialer0
!        
!        
!       

When you add "next-hop y.y.y.y", are you putting the default gateway as y.y.y.y or the actual interface IP of Dialer1? The next-hop IP should be the gateway IP that Dialer1 uses.

y.y.y.y is the public IP related to Dialer 1

Change that part of the route-map to the IP of the gateway that Dialer1 uses, then try it again. The public IP for Dialer1 isn't the next hop.

There are only 3 IP addresses configured in the router: one for the LAN and two for the WANs. What do you mean by "the IP of the gateway that dialer1 uses"?

The situation is this:

95.x.x.x -> public IP of Dialer 0

79.y.y.y -> public IP of Dialer 1

192.168.1.1 -> IP of Fa0/0 (gateway of the LAN)

What Jason means is you can't set the next hop to the router's own IP; you set it to the IP of the next L3 device your router connects to on that interface.

If you don't know that then in your PBR configuration change -

"set ip next-hop y.y.y.y"

to

"set interface Dialer1"

Jon

The problem still remains. I've tried the following config too, but I can't reach the two public IPs at the same time: I can ping the "95.x.x.x" or the "79.y.y.y" alternately and randomly. So the same problem remains if I try to reach the 192.168.1.101 machine within the LAN: sometimes I can reach it, sometimes I can't.

boot-start-marker
boot system flash:c2801-entbase-mz.151-3.T.bin
boot-end-marker
!
!
logging buffered 4096 informational
logging monitor informational
!
no aaa new-model
ip source-route
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.100
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.101
!
ip dhcp pool LAN_1
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
!
ip cef
no ip domain lookup
multilink bundle-name authenticated
!

interface FastEthernet0/0
 description -> SWITCH
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/3/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/3/0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface Dialer0
 ip address 95.x.x.x 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip policy route-map avoid-asymm-95-IN-79-OUT
 dialer pool 1
 ...
 no cdp enable
!
interface Dialer1
 ip address 79.y.y.y 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip policy route-map avoid-asymm-79-IN-95-OUT
 dialer pool 2
 ...
 no cdp enable
!
ip forward-protocol nd
!
!
ip http server
ip nat inside source static tcp 192.168.1.101 80 interface Dialer1 80
ip nat inside source route-map lan-wan-pri interface Dialer0 overload
ip nat inside source route-map lan-wan-sec interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer0
!
logging esm config
access-list 110 permit ip 192.168.1.0 0.0.0.255 any

access-list 113 permit tcp any host 79.y.y.y
access-list 113 permit icmp any host 79.y.y.y
access-list 114 permit tcp any host 95.x.x.x
access-list 114 permit icmp any host 95.x.x.x

route-map avoid-asymm-79-IN-95-OUT permit 10
 match ip address 113
 set tag 1
!
route-map avoid-asymm-79-IN-95-OUT permit 20
 match tag 2
 set interface dialer0
!
route-map avoid-asymm-95-IN-79-OUT permit 10
 match ip address 114
 set tag 2
!
route-map avoid-asymm-95-IN-79-OUT permit 20
 match tag 1
 set interface dialer1

route-map lan-wan-sec permit 10
 match ip address 111
 match interface Dialer1
!
route-map lan-wan-pri permit 10
 match ip address 110
 match interface Dialer0
!
end

If the only address that needs special treatment is the .101 address then try this:

===============================================

ip access-list standard NATLIST
 permit 192.168.1.0 0.0.0.255

ip nat inside source static tcp 192.168.1.101 80 interface Dialer1 80
ip nat inside source list NATLIST interface Dialer0 overload
ip nat inside source list NATLIST interface Dialer1 overload

ip access-list extended SERVER
 permit tcp host 192.168.1.101 eq www any

route-map SERVER_PBR permit 10
 match ip address SERVER
 set interface Dialer1

interface FastEthernet0/0
 ip policy route-map SERVER_PBR

===============================================

Go ahead and remove that load balancing policy stuff. Also make sure your CEF load sharing is default, which should be based on destination address.
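To make the failure mode in this thread concrete, here is a small Python model added by the editor (it is not IOS code and not any participant's configuration): two equal-cost default routes, the static NAT bound to Dialer1, a stand-in for per-destination load sharing, and the PBR rule proposed in the replies. The octet-sum hash and the "reply only completes if it leaves via Dialer1" rule are assumptions of the model; the client addresses come from the NAT table posted earlier in the thread.

```python
"""Constructed model of the dual-WAN return-path problem in this thread.
Not IOS code: it imitates two equal-cost default routes, the static NAT
bound to Dialer1, per-destination load sharing, and the PBR fix the
replies suggest ('permit tcp host 192.168.1.101 eq www any' -> Dialer1)."""

SERVER = "192.168.1.101"                   # web server behind the static NAT
NAT_OUTSIDE_IF = "Dialer1"                 # interface named in the static NAT line
DEFAULT_ROUTES = ["Dialer0", "Dialer1"]    # both 'ip route 0.0.0.0 0.0.0.0 Dialer<n>'

def octet_sum(ip):
    return sum(int(o) for o in ip.split("."))

def cef_pick(src, dst):
    """Assumed stand-in for per-destination CEF load sharing: the link depends
    only on the (src, dst) pair, so a given client is consistently fine or
    consistently broken, which matches the 'sometimes works' symptom."""
    return DEFAULT_ROUTES[(octet_sum(src) + octet_sum(dst)) % len(DEFAULT_ROUTES)]

def pbr_match(pkt):
    """Route-map applied on Fa0/0: pin the server's HTTP replies to Dialer1."""
    if pkt["proto"] == "tcp" and pkt["src"] == SERVER and pkt["sport"] == 80:
        return NAT_OUTSIDE_IF
    return None

def egress(pkt, pbr_enabled):
    """Forwarding decision for a packet arriving on Fa0/0: PBR first, then
    the routing table (two equal default routes -> load sharing)."""
    if pbr_enabled:
        pinned = pbr_match(pkt)
        if pinned:
            return pinned
    return cef_pick(pkt["src"], pkt["dst"])

def reply_reaches_client(client_ip, pbr_enabled):
    """The client connected to the Dialer1 public address. Model assumption:
    the reply only completes the exchange if it leaves through Dialer1 as
    well; leaving through Dialer0 is the asymmetric path the thread is about."""
    reply = {"proto": "tcp", "src": SERVER, "sport": 80, "dst": client_ip, "dport": 56132}
    return egress(reply, pbr_enabled) == NAT_OUTSIDE_IF

if __name__ == "__main__":
    # Client addresses taken from the 'show ip nat translations' output above.
    for client in ("79.25.112.38", "151.19.34.161"):
        for pbr in (False, True):
            print(f"client {client:15} pbr={pbr!s:5} "
                  f"reply reaches client: {reply_reaches_client(client, pbr)}")
```

Without PBR one of the two sample clients lands on Dialer0 and never gets its reply; with the route-map applied on Fa0/0 both clients are served, while ordinary LAN hosts still follow the load-shared default routes.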

I've tried this config, but it doesn't work: same problem, sometimes I can reach the machine, sometimes I can't.
