03-13-2008 08:51 AM - edited 03-03-2019 09:07 PM
Hi,
I have one 1841 router with 2 internet providers (ADSL routers connected to the 1841 FE interfaces).
One of those is primary and the other serves as a backup connection. The default route is 192.168.1.1 and the secondary is 192.168.2.1.
I want to route all traffic from specific local hosts to the secondary ISP, while maintaining all the rest through the primary ISP. I used route-map based ip policy.
My problem is that policy seems to work OK for all traffic except POP3 and some IM applications.
Any clue about where may be the problem? My configuration follows:
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface Vlan1
description LAN$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip policy route-map ALPI
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 123
ip route 0.0.0.0 0.0.0.0 192.168.2.1 250
!
access-list 109 permit ip host 192.168.0.66 any
!
route-map ALPI permit 10
match ip address 109
set ip next-hop 192.168.2.1
!
Thanks in advance for your help,
Albert Moran
03-13-2008 10:09 AM
Albert
Your policy based routing selects traffic from a specific host (192.168.0.66) and redirects it. From your description I would have assumed that you were looking for certain traffic types rather than looking at a specific host. If some POP3 is not being policy routed it is because that POP3 traffic was not sourced from 192.168.0.66.
HTH
Rick
03-14-2008 06:26 AM
Thanks for your indications. I tried policy routing all POP3 traffic (from all hosts) through the secondary ISP, but it still does not work.
Also, I found that some mail accounts are able to connect and some others (different providers) do not. I will check the clients configuration, just in case.
Anyway, any other advice will be welcome.
Albert
03-14-2008 08:48 AM
Albert
Perhaps you can post the changed configs. If you do that and especially if you can provide any more detail about what is not working as expected then we might be able to identify the problem.
HTH
Rick
03-14-2008 12:33 PM
Albert,
I would suggest you take a look at 'sh ip nat trans' output during a POP3 connection attempt. As long as you have an entry to the correct outside IP address (as per your NAT config vs. the secondary outgoing interface), you have proved your policy routing and NAT. Having proved this, your next move is to check your firewall config, ensuring correct rules for POP3 from both outside interface IP addresses (primary & secondary).
Have a look at http://www.cisco.com/warp/public/556/5.html for the order of packet operations, to create troubleshooting steps based on packet operation; the zone-based FW policy is the old CBAC as mentioned on the page.
Without seeing a more complete config, it's hard to predict where the issue may be. But based on the above config, with the access-list being focused on a POP3 client (as per the other post), I would suggest there is no configuration error in the output you have shown.
04-03-2008 03:23 AM
Hi,
Sorry about my lack of answers, but I've been ill for a couple of weeks.
Now I am back at work. I have checked the NAT translations and they look correct: it translates the host IP and port 110 to the secondary outgoing interface IP address.
I think the firewall config is also correct. Both outside interfaces are in the same zone and have the same FW policies. When going through the primary interface, all works OK.
I made another test: disabled policy routing, disconnected the primary ISP line (FE0/0) and checked. When all traffic goes through the secondary ISP interface (FE0/1), POP3 works OK. It is only when policy routing is enabled that the host is unable to make POP3 connections.
Also, 'debug ip policy' output shows what looks like duplicated policy routing for POP3 packets, one to an interface and the other to an IP address:
s=192.168.0.65 (Vlan1), d=62.42.230.11 (FastEthernet0/1), len 52, policy routed
s=192.168.0.65 (Vlan1), d=62.42.230.11, g=192.168.2.1, len 52, FIB policy routed
What is this 'FIB policy' about? Any other suggestion?
Thanks in advance,
Albert
04-05-2008 11:09 AM
Albert,
The FIB is the CEF table which IOS uses to look up the next hop for a packet. What you have shown with the debug you pasted is correct; it does actually show the same interface (g0/1 and 192.168.2.1 are the same).
A question about your ISP service. You say your ISP has provided two routers which are connected to the router we are focused on here... Are the ADSL primary and secondary ccts and routers provided by the same ISP, and is it a primary and backup service you have purchased? What I am getting at is... your ISP may be routing all traffic back to your site via the primary unless the primary fails... maybe worthwhile checking with them to find out.
Regards,
Simon
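Simon's reading of the two debug lines can be turned into a routine check. As an added example (not code from the thread or from Cisco), this Python script parses both `debug ip policy` line shapes, pairs them per flow, and flags any flow where the egress interface and the FIB next hop do not describe the same path or do not match the intent of route-map ALPI; the interface-to-gateway mapping is assumed from the first post's config, and the 198.51.100.7 flow in the sample is constructed.

```python
import re
from collections import defaultdict

# "debug ip policy" prints two lines per packet (formats as quoted in the thread):
#   s=SRC (IN_IF), d=DST (OUT_IF), len N, policy routed        <- egress interface
#   s=SRC (IN_IF), d=DST, g=GATEWAY, len N, FIB policy routed  <- CEF next hop
PBR_LINE = re.compile(
    r"s=(?P<src>[\d.]+) \((?P<in_if>[^)]+)\), d=(?P<dst>[\d.]+)"
    r"(?: \((?P<out_if>[^)]+)\))?(?:, g=(?P<gw>[\d.]+))?"
    r", len (?P<length>\d+), (?P<how>FIB policy routed|policy routed)$"
)
# Assumed intent from the first post's config: ALPI only sets 192.168.2.1, reached via Fa0/1.
NEXT_HOP_OF = {"FastEthernet0/1": "192.168.2.1", "FastEthernet0/0": "192.168.1.1"}
PBR_NEXT_HOP = "192.168.2.1"

def parse_debug(lines):
    """Group parsed debug records per (src, dst) flow."""
    flows = defaultdict(list)
    for line in lines:
        if m := PBR_LINE.search(line.strip()):
            rec = m.groupdict()
            flows[(rec["src"], rec["dst"])].append(rec)
    return flows

def audit_flows(lines, pbr_next_hop=PBR_NEXT_HOP, next_hop_of=NEXT_HOP_OF):
    """Return {(src, dst): [problems]}; an empty list means the interface line and
    the FIB line describe the same path and that path is the route-map's intent."""
    report = {}
    for flow, recs in parse_debug(lines).items():
        problems = []
        out_ifs = {r["out_if"] for r in recs if r["out_if"]}
        gws = {r["gw"] for r in recs if r["gw"]}
        if not out_ifs or not gws:
            problems.append("only one of the two debug lines seen")
        problems += [f"FIB next hop {gw} != route-map next hop {pbr_next_hop}"
                     for gw in gws if gw != pbr_next_hop]
        problems += [f"egress {i} does not lead to next hop(s) {sorted(gws)}"
                     for i in out_ifs if gws and next_hop_of.get(i) not in gws]
        report[flow] = problems
    return report

# Constructed sample: the two lines quoted in the thread, plus a made-up flow
# whose FIB line points at the primary ISP gateway instead of 192.168.2.1.
SAMPLE = [
    "s=192.168.0.65 (Vlan1), d=62.42.230.11 (FastEthernet0/1), len 52, policy routed",
    "s=192.168.0.65 (Vlan1), d=62.42.230.11, g=192.168.2.1, len 52, FIB policy routed",
    "s=192.168.0.66 (Vlan1), d=198.51.100.7 (FastEthernet0/1), len 60, policy routed",
    "s=192.168.0.66 (Vlan1), d=198.51.100.7, g=192.168.1.1, len 60, FIB policy routed",
]
```

Feed it the captured debug buffer (e.g. `audit_flows(open("debug.txt"))`); flows reported with an empty list are the ones where the "duplicated" lines are in fact consistent.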
04-06-2008 11:38 PM
Hi,
Sorry, maybe I didn't make it clear in my first post. I have 2 different ISPs. I have two ADSL routers connected to my Cisco 1841, but they belong to independent providers.
Albert
04-08-2008 01:08 AM
Can you post a sh ver?
04-17-2008 04:46 AM
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(9)T1,
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 30-Aug-06 15:13 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
TR13 uptime is 2 weeks, 1 hour, 50 minutes
System returned to ROM by power-on
System image file is "flash:c1841-advipservicesk9-mz.124-9.T1.bin"
Cisco 1841 (revision 6.0) with 235520K/26624K bytes of memory.
Processor board ID FCZ110973AS
6 FastEthernet interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102