01-17-2014 09:46 AM - edited 03-07-2019 05:38 PM
I have a Cisco 3945; it has two DS3 lines on it which I'd like to treat independently of each other.
I can ping both Serial interfaces from the internet, and I can ping only GIG 0/0 from the internet, but since the router is configured with one static route, GIG 0/1 can't be pinged from the outside.
Any help would be greatly appreciated
This is my current config:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MOVLABT3-CA-ES
!
boot-start-marker
boot-end-marker
!
!
card type t3 1
card type t3 2
enable secret 4 oMCBqgRTCeX5XeEW3HsBW6zI763Fibuq/UrLhF/91Rs
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1015775704
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1015775704
revocation-check none
rsakeypair TP-self-signed-1015775704
!
!
crypto pki certificate chain TP-self-signed-1015775704
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303135 37373537 3034301E 170D3132 30393237 31383132
32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30313537
37353730 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
810097B2 EE9BF6EF F19DDD93 71CA6D5B D672A749 6997BB7E 81256BFA A2BE8B0F
E8EC5D36 F8618878 88C7016D D8998B95 293DE6F3 C0BB5CFE F2356AFD 26645A29
F3BB69C9 46B6959B 98F35193 9729499A 8C9097FE BD0A80A4 727C87F8 963200CE
E852DD3E 1F9F3B97 1DA1902D 7B352FAE 4FA08D32 95362373 887C6D02 6209152F
73850203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14BCCEA0 AF8EBDF2 05F01968 14CAE720 A41AE8FE EA301D06
03551D0E 04160414 BCCEA0AF 8EBDF205 F0196814 CAE720A4 1AE8FEEA 300D0609
2A864886 F70D0101 05050003 81810066 18505A9D 0D3C4C8F 0C90108D F0606014
0EAE4129 2908928E D4DA7FDC 17D2A21A 4B2689F3 AF6CA062 82A5E7EF 1A0EDA37
297AE79B 65F7182E ED4A57D7 081EC729 A85F2AFB 5A46136A F0F91853 46C89FA7
A1D9F67F 83961EFF E92D7363 D2862517 D1214501 84D675A0 8561891F 4E791F32
6E67990A 9A7B49F9 8D1A8CA0 51AAF2
quit
license udi pid C3900-SPE150/K9 sn FOC16313DE8
hw-module sm 1
!
hw-module sm 2
!
!
!
!
!
controller T3 1/0
cablelength 75
!
controller T3 2/0
cablelength 75
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 207.168.4.49 255.255.255.240
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 206.135.120.114 255.255.255.240
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
ip address 206.135.100.202 255.255.255.252
ip nat outside
ip virtual-reassembly in
dsu bandwidth 44210
!
interface Serial2/0
ip address 205.214.40.6 255.255.255.252
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dsu bandwidth 44210
!
no ip classless
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 206.135.100.201
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
!
snmp-server community RO-N1mS0ft RO
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end
01-17-2014 09:56 AM
So what do you want to do ie. send traffic from gi0/1 via the other link ?
If so -
ip local policy route-map PBR
access-list 101 permit ip host 206.135.120.114 any
route-map PBR permit 10
match ip address 101
set ip next-hop 205.214.40.5
but I am not sure this is exactly what you want. Can you clarify?
Jon
01-17-2014 09:58 AM
I'd like to keep
gig 0/0 route to serial 1/0
gig 0/1 route to serial 2/0
01-17-2014 10:05 AM
Yes, but do you mean traffic coming into gi0/0 and gi0/1 from internal LAN clients?
The configuration I supplied only applies to traffic generated by the router, i.e. your ping goes to the gi0/1 interface and then the router sends a response.
But for traffic through the router, i.e. from clients inside the gi0/0 and gi0/1 interfaces, the configuration does nothing. Usually PBR is used for traffic passing through the router, not traffic generated by the router itself.
One further point. You have public IPs on your gi0/0 and gi0/1 interfaces. Is this really what you want? If so, why do you have "ip nat inside" configured on them, i.e. there is no need to NAT because they are public IPs anyway. That said, you have no NAT statements so nothing is being translated anyway.
So can you clarify exactly what you want to achieve in terms of traffic and explain the NAT setup then we should be able to give you a solution.
Jon
01-17-2014 10:22 AM
NAT I took away; I just forgot to remove it from the independent interfaces.
To answer the question:
internet traffic coming into or going out of gi0/0 to internal LAN clients through an independent path;
internet traffic coming into or going out of gi0/1 to internal LAN clients through an independent path.
Since each has its own bank of public addresses, the NAT is going away; there is no need to have it there, and I won't be doing any NATing.
01-17-2014 10:31 AM
The following configuration replaces the one I sent before -
int gi0/1
ip policy route-map PBR
access-list 101 permit ip 206.135.120.112 0.0.0.15 any
route-map PBR permit 10
match ip address 101
set ip next-hop 205.214.40.5
the above will send all traffic entering gi0/1 out via s2/0
If you also want to be able to ping the gi0/1 from the internet just add this line
ip local policy route-map PBR
you only need PBR for the gi0/1 interface, all other traffic will be sent using the default route. Note that there is no checking if the next hop is up either with the default route or the PBR next hop. If you want failover then you would need to add IP SLA config to achieve this.
Jon
01-17-2014 11:12 AM
This is what it looks like now, and I still can't ping gig 0/1 from the internet
interface GigabitEthernet0/0
ip address 207.168.4.49 255.255.255.240
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 206.135.120.114 255.255.255.240
ip virtual-reassembly in
ip policy route-map PBR
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
ip address 206.135.100.202 255.255.255.252
ip virtual-reassembly in
dsu bandwidth 44210
!
interface Serial2/0
ip address 205.214.40.6 255.255.255.252
ip virtual-reassembly in
encapsulation ppp
dsu bandwidth 44210
!
ip local policy route-map PBR
no ip classless
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 206.135.100.201
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 permit ip 206.135.120.112 0.0.0.15 any
!
route-map PBR permit 10
match ip address 101
set ip next-hop 205.214.40.5
!
!
snmp-server community RO-N1mS0ft RO
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end
01-17-2014 11:25 AM
I have just done a traceroute to the gi0/1 IP address and it never gets to your router, i.e. there is a routing loop within one of the ISPs.
Are you sure the subnet associated with gi0/1 is being routed to the s2/0 interface by the ISP who owns that block ?
Jon
01-17-2014 11:28 AM
Yes I am sure
01-17-2014 11:30 AM
01-17-2014 11:46 AM
I just called the supplier and verified the IP addresses
GW 206.135.120.113
usable 114-126
114 is being used on Int gig 0/1
There is only one static route which is seen by Ser 1/0
ip route 0.0.0.0 0.0.0.0 206.135.100.201
but Ser 2/0 which is attached to gig 0/1 is not being seen from the outside
01-17-2014 11:55 AM
I just called the supplier and verified the IP addresses
GW 206.135.120.113
usable 114-126
What do you mean by the bit in bold? Does the supplier know that this IP block is sitting behind a serial interface with a different IP address?
I think your supplier is using the address in bold as their end of the connection. But that won't work because you have used this IP block on your internal gi0/1 interface.
Is the link via s2/0 provided by the same supplier who owns the above subnet? If so they need to be sending any traffic for that subnet to the s2/0 interface. They are obviously not, because of the traceroute I posted.
If the s2/0 link is provided by the same supplier as the gi0/1 IP address block, you need to talk to them and tell them what your setup is.
If the s2/0 link is owned by a different supplier then can you please explain exactly who owns what.
The basic problem is that the gi0/1 subnet is not being sent to your router from the internet. There is nothing you can do on the router until you get that sorted out.
Jon
01-17-2014 01:34 PM
While I wait for the provider I'll provide a show ip command
Gateway of last resort is 206.135.100.201 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 206.135.100.201
205.214.40.0/24 is variably subnetted, 3 subnets, 2 masks
C 205.214.40.4/30 is directly connected, Serial2/0
C 205.214.40.5/32 is directly connected, Serial2/0
L 205.214.40.6/32 is directly connected, Serial2/0
206.135.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 206.135.100.200/30 is directly connected, Serial1/0
L 206.135.100.202/32 is directly connected, Serial1/0
206.135.120.0/24 is variably subnetted, 2 subnets, 2 masks
C 206.135.120.112/28 is directly connected, GigabitEthernet0/1
L 206.135.120.114/32 is directly connected, GigabitEthernet0/1
207.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
C 207.168.4.48/28 is directly connected, GigabitEthernet0/0
L 207.168.4.49/32 is directly connected, GigabitEthernet0/0
Also a sh route-map
route-map PBR, permit, sequence 10
Match clauses:
ip address (access-lists): 101
Set clauses:
ip next-hop 205.214.40.5
Policy routing matches: 1 packets, 44 bytes
01-17-2014 01:38 PM
My question would be how to resolve the issue of having
Gateway of last resort is 206.135.100.201 to network 0.0.0.0
Do the route map on both interfaces instead of having a static route on just one interface and not the other?
Just trying to understand more what I am doing or what's going on.
01-17-2014 01:41 PM
It doesn't matter what you do on the router; until that network is routed to your s2/0 interface there is nothing you can do to get this working.
Using PBR for both links would make no difference and would just complicate the configuration.
Jon
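To make the forwarding behaviour Jon describes concrete (the route-map on gi0/1 matching ACL 101, `ip local policy` for the router's own replies, the absence of any next-hop check unless IP SLA tracking is added, and why policy-routing gi0/0 as well would change nothing), here is an added Python model of the router's next-hop selection. It is not Cisco code and is not part of this thread: the addresses, ACL and routing table are the ones posted above, while the function names, the `tracked` flag standing in for `set ip next-hop verify-availability ... track`, and the remote host 198.51.100.10 are assumptions made for the illustration.

```python
"""Model of how the 3945 in this thread picks a next hop: the route-map
applied to the ingress interface (or `ip local policy` for packets the
router itself generates) is consulted first; only packets it does not
policy-route fall through to the routing table, whose only non-connected
entry is the default route via Serial1/0.  Added illustration, not Cisco
IOS code; addresses, ACL and routing table are those posted in the thread,
the functions and the `tracked` flag are assumptions made here."""
import ipaddress

# Routing table from the `show ip route` output in the thread:
# (prefix, next hop or None when directly connected, egress interface).
ROUTING_TABLE = [
    ("0.0.0.0/0", "206.135.100.201", "Serial1/0"),
    ("205.214.40.4/30", None, "Serial2/0"),
    ("206.135.100.200/30", None, "Serial1/0"),
    ("206.135.120.112/28", None, "GigabitEthernet0/1"),
    ("207.168.4.48/28", None, "GigabitEthernet0/0"),
]

# access-list 101 permit ip 206.135.120.112 0.0.0.15 any
# Entries are (src base, src wildcard, dst base, dst wildcard); IOS wildcard
# bits set to 1 mean "don't care", so 0.0.0.15 covers the whole /28 block.
ACL_101 = [("206.135.120.112", "0.0.0.15", "0.0.0.0", "255.255.255.255")]

# route-map PBR permit 10 / match ip address 101 / set ip next-hop 205.214.40.5
ROUTE_MAP_PBR = [{"acl": ACL_101, "next_hop": "205.214.40.5",
                  "iface": "Serial2/0", "tracked": False}]
# Assumed variant with `set ip next-hop verify-availability ... track` (IP SLA):
# the entry is skipped when the tracked next hop is down.
ROUTE_MAP_PBR_TRACKED = [dict(ROUTE_MAP_PBR[0], tracked=True)]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask comparison: compare only the bits the mask leaves at 0."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)


def acl_permits(acl, src, dst):
    return any(wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)
               for sb, sw, db, dw in acl)


def route_map_lookup(route_map, src, dst, next_hop_up):
    """First permit entry whose ACL matches wins; returns (next_hop, iface) or None."""
    for entry in route_map:
        if not acl_permits(entry["acl"], src, dst):
            continue
        if entry["tracked"] and not next_hop_up(entry["next_hop"]):
            continue  # tracked next hop is down: fall through to the routing table
        return entry["next_hop"], entry["iface"]
    return None


def rib_lookup(dst):
    """Longest-prefix match; a connected route hands the packet straight to dst."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface in ROUTING_TABLE:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh or dst, iface)
    return None if best is None else (best[1], best[2])


def forward(src, dst, ingress=None, route_map=ROUTE_MAP_PBR,
            local_policy=True, next_hop_up=lambda nh: True):
    """ingress=None models a packet the router generated itself (the echo reply
    when someone pings gi0/1), which PBR only sees when `ip local policy
    route-map` is configured.  The route-map is applied to gi0/1 only, as in
    Jon's configuration; gi0/0 traffic always uses the routing table."""
    if ingress is None:
        policy = route_map if local_policy else None
    else:
        policy = route_map if ingress == "GigabitEthernet0/1" else None
    if policy:
        hit = route_map_lookup(policy, src, dst, next_hop_up)
        if hit:
            return hit
    return rib_lookup(dst)


if __name__ == "__main__":
    REMOTE = "198.51.100.10"  # constructed internet host
    # LAN client behind gi0/1 -> policy-routed out Serial2/0
    print(forward("206.135.120.120", REMOTE, "GigabitEthernet0/1"))
    # LAN client behind gi0/0 -> default route out Serial1/0
    print(forward("207.168.4.50", REMOTE, "GigabitEthernet0/0"))
    # Reply sourced from gi0/1's own address: symmetric only with `ip local policy`
    print(forward("206.135.120.114", REMOTE, local_policy=False))
    print(forward("206.135.120.114", REMOTE))
    # Tracked next hop down -> falls back to the default route
    print(forward("206.135.120.120", REMOTE, "GigabitEthernet0/1",
                  route_map=ROUTE_MAP_PBR_TRACKED, next_hop_up=lambda nh: False))
```

The third printed case is the asymmetry Jon pointed out: without `ip local policy`, an echo reply sourced from 206.135.120.114 leaves via the default route on Serial1/0 rather than via Serial2/0. The second case shows why adding a route-map for gi0/0 with next hop 206.135.100.201 would change nothing, since the default route already gives that answer. What the model cannot reproduce is the actual fault in the thread: a packet for the gi0/1 block that the upstream ISP never delivers to Serial2/0 is never seen by any of this logic.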