Routing problems with the cisco 1841

Here at our office we're using a Cisco 1841 with both an SDSL connection and an ADSL connection. This is all working great actually: the ADSL connection provides our LAN with internet, and the SDSL connection is completely separate and hosts our webserver with its own IP (so no LAN configured for that connection). Obviously, the ADSL connection has NAT enabled and the SDSL connection has NAT completely disabled. Our problem was like this: from our LAN we couldn't connect to our website (so basically we couldn't connect to the IP range of the SDSL connection). Now we discovered where the problem lies. In the Cisco router there are 2 ACL rules defined: Rule #150 has 2 subrules, which are

1) Permit, source=any, destination=IP range from SDSL connection.

2) Permit, source=IP range from SDSL connection, destination=any

Now, when we delete the second rule we can connect from our LAN to the SDSL IPs, but the rest of the world can't connect to them anymore. When we have both these rules enabled, the rest of the world can connect to the SDSL IPs but we can't connect from our LAN. Also I should mention that when we look with tcpdump we see packets arriving at the SDSL IPs and the replies are there as well, but the route back to the LAN seems to be disabled. There is no firewall installed whatsoever, btw. Please give us any information you can think of, because we are totally stunned at how this can happen.

1 Accepted Solution


Maarten

I agree with Peter that your problem is that the Policy Based Routing that is configured is matching responses which should go back to your LAN and sending them out the dialer interface. I would suggest that you need to modify access-list 150 to deny traffic to your LAN before you permit other traffic. I would suggest that you paste this into your router:

no access-list 150
!
access-list 150 remark SDM_ACL Category=1
access-list 150 deny ip 192.168.0.0 0.0.0.255 80.127.207.192 0.0.0.15
access-list 150 deny ip 80.127.207.192 0.0.0.15 192.168.0.0 0.0.0.255
access-list 150 permit ip any 80.127.207.192 0.0.0.15
access-list 150 permit ip 80.127.207.192 0.0.0.15 any

Give this a try and let us know if it fixes your problem.

HTH

Rick
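To see why the two extra deny lines matter, here is a small Python simulation (added here, not code from the thread or from Cisco IOS) of first-match ACL evaluation with Cisco wildcard masks. It assumes, as Peter and Rick describe, that the route-map sets the dialer as egress whenever ACL 150 permits a packet, and that a deny falls through to normal routing; the ACL contents are taken from the posts above.

```python
import ipaddress

# ACL 150 as the thread describes it before the fix (reconstructed from the post).
ORIGINAL_ACL = [
    "access-list 150 permit ip any 80.127.207.192 0.0.0.15",
    "access-list 150 permit ip 80.127.207.192 0.0.0.15 any",
]

# Rick's corrected ACL 150: deny LAN<->SDSL traffic before the permits.
FIXED_ACL = [
    "access-list 150 remark SDM_ACL Category=1",
    "access-list 150 deny ip 192.168.0.0 0.0.0.255 80.127.207.192 0.0.0.15",
    "access-list 150 deny ip 80.127.207.192 0.0.0.15 192.168.0.0 0.0.0.255",
    "access-list 150 permit ip any 80.127.207.192 0.0.0.15",
    "access-list 150 permit ip 80.127.207.192 0.0.0.15 any",
]


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_addr(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD) from the token list."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def acl_action(acl, src, dst):
    """First-match evaluation of 'access-list N permit|deny ip SRC DST' lines, implicit deny at the end."""
    for line in acl:
        tokens = line.split()
        if len(tokens) < 4 or tokens[2] not in ("permit", "deny"):
            continue  # remarks and other non-ACE lines are not entries
        s, rest = _take_addr(tokens[4:])
        d, _ = _take_addr(rest)
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return tokens[2]
    return "deny"


def pbr_egress(acl, src, dst):
    """Assumed route-map behaviour: an ACL permit forces the dialer, a deny falls through to normal routing."""
    return "Dialer" if acl_action(acl, src, dst) == "permit" else "normal-routing"
```

With the original ACL a webserver reply from 80.127.207.195 to 192.168.0.10 is permitted and so policy-routed out the dialer; with the fixed ACL the same reply hits the deny first and takes the normal route back to the LAN, while internet traffic to and from the SDSL range is still policy-routed.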


7 Replies

a.shaik

Could you please add the configuration of this router. A network diagram is also welcome.

From your description, I don't know where ACL 150 is applied.

Regards

Shaik ASSANA

I have attached the running configuration of the router. I do not have a network diagram readily available, but I'll try my ASCII art on it:

        SDSL          ADSL
          |             |
          |             |
          |             |
      --------------------------
      |       Cisco 1841       |
      --------------------------
          |             |
          |             LAN with NAT enabled
          |
      Completely separated SDSL IPs

EDIT: the forum fubars my little drawing, but the diagram can be derived from my description, I think.

If I understand it correctly, access list 150 is used in route-map sdsl to set the outgoing interface to the DSL port. But that ACL matches 80.127.bla both as source and as destination address, so it will also send return traffic (from the DSL interface) back into the DSL interface, basically blackholing the traffic that way. Seems to me that this may be one of the reasons why it won't work.

If this is the case, if you turn on debugging on the interface you would see encapsulation errors and so on.

Okay, that makes sense. Where can I configure that "route-map sdsl"? I have looked everywhere but I can't find it anywhere.

I'm pretty sure now that the policy routing on FastEth 0/1 is the source of your problems. Best way to proceed would be to clearly redefine how you want the routing policy to be (which flows from where to where), and then decide where you will enforce it (applying policies to interfaces). In any event, you will need two policies instead of one, to route traffic to/from the LAN and to/from the Internet.

By the way: the route-map is all the way down in the config, and the ip policy route-map is applied on FastEth0/1.


Alright, this works beautifully. Thank you so much for your solution, it really is awesome!
