03-01-2012 10:12 PM - edited 03-04-2019 03:30 PM
I have hooked up a T1 on Serial and a cable modem on GigEth0/1 to the Cisco 2821 router, and I want to split outbound traffic so that all regular users use the G0/1 interface for web traffic and the rest of the traffic stays on the T1. I am having an issue where the users on the network are not able to use the internet with the following config:
!
interface GigabitEthernet0/0.10
description Data
encapsulation dot1Q 50
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map policymap
!
interface GigabitEthernet0/0.20
description Voice
encapsulation dot1Q 60
ip address 172.20.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map policymap
!
interface Service-Engine0/0
ip unnumbered GigabitEthernet0/0.20
ip nat inside
ip virtual-reassembly
service-module ip address 172.20.10.2 255.255.255.0
service-module ip default-gateway 172.20.10.1
!
interface GigabitEthernet0/1
ip address 98.191.xx.xx 255.255.255.224 (ip address of new line)
ip access-group 111 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
access-list 111 permit tcp any any eq www
access-list 111 permit udp any any eq domain
!
route-map outside-nat permit 10
match ip address 100
match interface Serial0/0/0.501
!
route-map policymap permit 10
match ip address 111
set ip default next-hop 98.191.xx.xx (gateway to ip from g0/1)
--------
Please lend any assistance or ask any questions. Thank you.
03-02-2012 04:01 AM
Can you post your nat configuration? Also, I notice that the acl on g0/1 is the same acl that your route-map policymap references. This may be because of your nat config....
03-02-2012 06:52 AM
!
ip nat inside source static tcp 172.20.10.2 80 interface Serial0/0/0.501 8080
ip nat inside source route-map outside-nat interface Serial0/0/0.501 overload
!!!! below is for smtp servers and outside data required server
ip nat inside source static 192.168.1.5 209.156.xx.xxx route-map outside-nat
ip nat inside source static 192.168.1.4 209.156.xx.xxx route-map outside-nat
03-02-2012 07:19 AM
Can you post your 100 acl?
03-02-2012 07:28 AM
Here is the complete acl:
access-list 10 permit 172.20.0.0 0.0.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 deny ip 172.20.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 deny ip 172.20.0.0 0.0.255.255 172.20.0.0 0.0.255.255
access-list 100 permit ip 172.20.0.0 0.0.255.255 any
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 111 permit tcp any any eq www
access-list 111 permit udp any any eq domain
access-list 150 remark L2L IPSec Rule
access-list 150 permit ip 192.168.0.0 0.0.15.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 172.20.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 190 remark Client IPSec Rule
access-list 190 permit ip 192.168.0.0 0.0.15.255 192.168.10.0 0.0.0.255
access-list 190 permit ip 172.20.0.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 199 permit esp any any
access-list 199 permit udp any host 209.156.xxx.xxx eq isakmp
access-list 199 permit udp any host 209.156.xxx.xxx eq non500-isakmp
access-list 199 permit tcp any host 209.156.xxx.xxx eq 22
access-list 199 permit tcp any host 209.156.xxx.xxx eq telnet
access-list 199 permit tcp any host 209.156.xxx.xxx eq 8080
access-list 199 permit tcp any host 209.156.xxx.xxx ack
access-list 199 permit tcp any host 209.156.xxx.xxx established
access-list 199 permit udp any eq domain host 209.156.xxx.xxx
access-list 199 permit tcp any host 209.156.xxx.xxx eq smtp
access-list 199 permit tcp any host 209.156.xxx.xxx eq 3389
access-list 199 permit tcp any host 209.156.xxx.xxx eq 443
access-list 199 permit tcp any host 209.156.xxx.xxx eq 143
access-list 199 permit tcp any host 209.156.xxx.xxx eq 3389
access-list 199 permit icmp any any
access-list 199 deny ip any any log
03-02-2012 09:29 AM
Based on your acl inbound, you're allowing traffic in on the interface that you're pushing your users through. Can you remove the acl to see if that fixes your issue? Otherwise, try putting this in your acl:
permit tcp any any established
I don't see a good reason for the acl to be applied inbound on your cable interface. All of your static natting points to your T1. I'd remove the acl completely from G0/1.
I also don't see you natting to the G0/1 interface in your nat statement, so try this:
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www
route-map WWWOnly permit 10
match ip address 101
ip nat inside source route-map WWWOnly interface g0/1 overload
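The reply above makes the point that ACL 111, applied inbound on G0/1, only permits packets whose destination port is 80 or 53, so the replies to the users' own web requests never match it. As an added illustration (not code from the thread or the router), this Python evaluator parses the ACL entries exactly as written and checks constructed packets against them; 198.51.100.2 stands in for the cable modem's public address and 203.0.113.10 for a web server, both assumed placeholders.

```python
import ipaddress

# Added illustration (not the router's or any poster's code): a minimal evaluator for
# IOS numbered extended ACLs, used to show what ACL 111 does when applied inbound on G0/1.
PORTS = {"www": 80, "domain": 53}

def _addr(tok):  # any | host A | A WILDCARD  ->  (base, wildcard)
    t = tok.pop(0)
    if t == "any": return "0.0.0.0", "255.255.255.255"
    if t == "host": return tok.pop(0), "0.0.0.0"
    return t, tok.pop(0)

def _eq(tok):  # optional 'eq PORT' qualifier
    if tok and tok[0] == "eq":
        tok.pop(0); p = tok.pop(0)
        return PORTS.get(p) or int(p)
    return None

def parse_ace(line):
    """access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]"""
    tok = line.split()
    ace, rest = {"action": tok[2], "proto": tok[3]}, tok[4:]
    ace["src"], ace["sport"] = _addr(rest), _eq(rest)
    ace["dst"], ace["dport"] = _addr(rest), _eq(rest)
    ace["established"] = "established" in rest
    return ace

def _in_range(addr, spec):  # IOS wildcard mask: a 1 bit means "don't care"
    base, wild = (int(ipaddress.ip_address(x)) for x in spec)
    return (int(ipaddress.ip_address(addr)) | wild) == (base | wild)

def evaluate(acl, pkt):
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", pkt["proto"]): continue
        if not (_in_range(pkt["src"], ace["src"]) and _in_range(pkt["dst"], ace["dst"])): continue
        if ace["sport"] not in (None, pkt["sport"]) or ace["dport"] not in (None, pkt["dport"]): continue
        if ace["established"] and not pkt.get("ack"): continue  # established = ACK or RST set
        return ace["action"]
    return "deny"

# The thread's ACL 111, and the same list plus the suggested 'established' entry.
ACL_111 = ["access-list 111 permit tcp any any eq www",
           "access-list 111 permit udp any any eq domain"]
ACL_111_FIXED = ACL_111 + ["access-list 111 permit tcp any any established"]

# Constructed packets arriving inbound on G0/1: 198.51.100.2 stands in for the cable
# modem's public address, 203.0.113.10 for a web server; 68.105.28.16 is the page's DNS server.
WEB_REPLY = {"proto": "tcp", "src": "203.0.113.10", "sport": 80, "dst": "198.51.100.2", "dport": 51514, "ack": True}
DNS_REPLY = {"proto": "udp", "src": "68.105.28.16", "sport": 53, "dst": "198.51.100.2", "dport": 40123}
UNSOLICITED = {"proto": "tcp", "src": "203.0.113.10", "sport": 4444, "dst": "198.51.100.2", "dport": 80}
```

With the `established` entry added, the web reply passes but the UDP DNS reply still does not, since `established` only applies to TCP. Note also that the first entry admits unsolicited connections to port 80 on the outside address while blocking the return traffic the users actually need.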
03-02-2012 09:36 AM
When you say removing the ACL are you referring to just the 111? Thank you
03-02-2012 09:39 AM
Yes...this line:
interface GigabitEthernet0/1
ip address 98.191.xx.xx 255.255.255.224 (ip address of new line)
ip access-group 111 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
03-02-2012 04:16 PM
So the web traffic works with one major caveat: DNS is not working, which is sort of a big issue. All the systems use the main server (192.168.1.5) for DNS traffic, and here is the DNS in the IOS:
!
ip dhcp pool data
network 172.20.0.0 255.255.255.0
dns-server 66.155.216.122 207.59.153.242 66.251.35.130 68.105.29.16 68.105.28.16
domain-name *.com
default-router 172.20.0.1
!
!
ip domain name *.com
ip name-server 66.155.216.122
ip name-server 207.59.153.242
ip name-server 66.251.35.130
ip name-server 68.105.28.16
ip name-server 68.105.29.16
!!!! where the dns servers for the cable modem are the 68.xxx numbers and the rest are for the t1 circuit
Is this issue server related or something on the router? I can ping on the router both through the T1 circuit (g0/0.10) and through the cable modem circuit (g0/1). Again, thank you for your help.
03-02-2012 05:04 PM
David,
If you need to allow outbound dns, you'll want to also nat that traffic over the wan like you did for web traffic. You'll probably need to add:
access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq 53
John
Please rate all helpful posts
03-02-2012 05:17 PM
Worked like a charm and everything is up and running, thank you.
03-02-2012 06:04 PM
You're very welcome...glad to hear it, and thanks for the ratings!