Cisco 6506 with 2 ISP connections

WolfraiderNW
Level 1
Level 1

I know this is a simple question but for some reason I cannot get it to work.

 

We have 2 ISP connections to our 6506 that we are using as a router. We also have a fwsm installed. ISP A has given us a public ip range of 10.10.10.0/23 and the second has given us several public IP ranges. We want the ability to route most of our NAT networks through ISP 2 with a few out ISP 1. We are not looking at ISP failover or anything at this time. We have tried creating a static route and route-maps.

 

All NATing works through ISP2 with the default gateway. How do we route all the 10.10.10.0 traffic to use ISP1 only. I have created a test vlan with the public ip address of 10.10.10.1 and while I can ping inside the network, I cannot ping outside. I am missing something really simple I know.

28 Replies

I have verified that pings (I used 8.8.8.8 to ping) from the 6500 are actually hitting the route-map when sent from the 802 vlan, using traceroute. If the route-map is disabled I can see the traffic going through Springnet, but with it enabled the traffic goes through Telecom. I have applied the following changes but still cannot route out of the fwsm. traceroute shows "Request timed out".

fwsm

no mtu Telecom 1500
no icmp permit any Telecom
no global (Telecom) 210 69.x.x.5-69.x.x.254 netmask 255.255.254.0
no static (nvctest,Telecom) 192.168.102.0  access-list nvctest_nat_static2 
no access-group Telecom_access_in in interface Telecom
no int vlan802

global (outside) 210 69.x.x.5-69.x.x.254 netmask 255.255.254.0
static (nvctest,outside) 192.168.102.0  access-list nvctest_nat_static2 

6500 - removed vlan 802 from the fwsm

firewall vlan-group 1  10,21-26,30-34,39,99,200,201,701-703,801,900-902

If you ping using the vlan 802 SVI as the source then I'm not sure how PBR is being used, as it should only apply to traffic going through the 6500, not from it.

However, that aside, in your static command can you reference the other acl, i.e.

static (nvctest,outside) 192.168.102.0 access-list nvctest_nat_static

and try again.

You may need to clear the xlate entry for the host you are testing from.

Jon

Our Telecom ISP is directly on Te2/1 and is on a different ip subnet from vlan802. I believe the route-map still applies since it is applied to the 802 vlan. I also have it applied to the 801 vlan, which is the outside vlan from the fwsm.

 

Still the same issue; I cleared xlate.

Okay can you post the latest configuration of both the 6500 and the FWSM as you did before.

Also, is it right to say that a traceroute from a vlan 701 host works correctly, i.e. it is not the FWSM configuration blocking the ICMP?

Jon

Yes, traceroute works fine from 701.

6500

firewall multiple-vlan-interfaces
firewall module 1 vlan-group 1
firewall vlan-group 1  10,21-26,30-34,39,99,200,201,701-703,801,900-902
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
diagnostic bootup level minimal
access-list 10 permit 69.x.x.0 0.0.1.255
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
vlan 701
 name Test-Office
!
vlan 702
 name nvctest
!
vlan 801
 name FWSM-Outside
!
vlan 802
 name Telcom
interface Null0
 no ip unreachables
!
interface TenGigabitEthernet2/1
 description MoTeleCom ISP
 ip address 69.x.x.229 255.255.255.254
 ip nat outside
 ip flow ingress
interface GigabitEthernet4/1
 description Internal VLANs
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
interface GigabitEthernet4/3
 description Springnet ISP
 ip address 66.x.x.74 255.255.255.252
 ip nat outside
 ip flow ingress
interface Vlan701
 no ip address
!
interface Vlan702
 no ip address
!
interface Vlan801
 description FWSM Outside Network
 ip address 64.x.x.1 255.255.255.0
 ip policy route-map TelecomCommunity
!
interface Vlan802
 ip address 69.x.x.1 255.255.254.0
 ip policy route-map TelecomCommunity
ip nat translation timeout 1800
ip classless
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 66.x.x.73
ip route 64.x.x.0 255.255.255.0 64.x.x.2
ip route 76.x.x.0 255.255.252.0 76.x.x.2
route-map TelecomCommunity permit 10
 match ip address 10
 set ip next-hop x.x.148.228

 

fwsm

names
name 64.x.x.128 core
dns-guard
!
interface Vlan701
 nameif inside
 security-level 100
 ip address 192.168.101.1 255.255.255.0 
!
interface Vlan702
 nameif nvctest
 security-level 10
 ip address 192.168.102.1 255.255.255.0 
!
interface Vlan801
 nameif outside
 security-level 0
 ip address 64.x.x.2 255.255.255.0 
!

access-list optimization enable

access-list outside extended permit icmp any any 
access-list outside_access_in remark Permit ICMP Anywhere
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in remark Allow Core Servers Unrestricted Access
access-list outside_access_in extended permit ip core 255.255.255.224 any 
access-list outside_access_in remark Port ranges that are never allowed to connect
access-list outside_access_in extended deny object-group Blocked-Services any any 
access-list outside_access_in remark Allow access to ports on all public pool IPs
access-list outside_access_in extended permit ip any object-group Public-IP-Ranges 
access-list inside_nat_static extended permit ip 192.168.101.0 255.255.255.0 core 255.255.255.224 
access-list inside_access_in extended permit ip any any 
access-list nvctest_nat_static extended permit ip 192.168.102.0 255.255.255.0 core 255.255.255.224 
access-list nvctest_access_in extended permit ip any any 
access-list nvctest_nat_static2 extended permit ip 192.168.102.0 255.255.255.0 any 
no pager
logging enable
logging buffer-size 65535
logging buffered debugging
logging asdm informational
mtu nvctest 1500
mtu inside 1500
mtu outside 1500
no failover
icmp permit any nvctest
icmp permit any inside
icmp permit any outside
asdm history enable
arp timeout 14400
nat-control
global (outside) 110 76.x.x.1-76.x.x.253
global (outside) 1 interface
global (outside) 210 69.x.x.5-69.x.x.254 netmask 255.255.254.0
nat (nvctest) 210 192.168.102.0 255.255.255.0
nat (inside) 110 192.168.101.0 255.255.255.0
static (inside,outside) 192.168.101.0  access-list inside_nat_static norandomseq 
static (nvctest,outside) 192.168.102.0  access-list nvctest_nat_static2 
access-group nvctest_access_in in interface nvctest
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.22.236.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:10:00
timeout mgcp-pat 0:10:00 sip 0:30:00 sip_media 0:10:00
timeout sip-invite 0:10:00 sip-disconnect 0:10:00
timeout pptp-gre 0:02:00
timeout uauth 0:10:00 absolute
dhcprelay enable nvctest
dhcprelay enable inside

On the FWSM you are still referencing the wrong acl with your static NAT statement, i.e.

you are referencing "nvctest_nat_static2", which has a destination of any, whereas you should be referencing "nvctest_nat_static", which has a destination of the core subnet only.

Basically as far as I can tell you are telling the FWSM to not do NAT on the 192.168.102.x IPs going to any destination at the moment.

Can you update that static statement to reference the correct acl and retest.

Jon

Same thing, no response.

static (nvctest,outside) 192.168.102.0  access-list nvctest_nat_static

I also tried

static (nvctest,outside) 192.168.102.0 69.x.x.0 netmask 255.255.254.0

Okay, can you remove the SVI for vlan 802 on the 6500, as it is not doing anything.

Can you also say where the traceroute is failing, i.e. do you see it get to the FWSM from a client in the nvctest vlan, do you see it getting to the 6500 vlan 801 interface, etc.

Jon

 

I have removed it. I am running tracert from a client computer on the 702 vlan, and for some reason traceroute times out completely. I ran a ping to 8.8.8.8 and got the following responses.

 

nat (nvctest) 210 192.168.102.0 255.255.255.0

Request timed out

 

nat (nvctest) 110 192.168.102.0 255.255.255.0

reply from 8.8.8.8

 

Did you see my last post about adding a route to the 6500?

Jon

That was it, thank you very much.

No problem, glad we got there in the end :-)

Jon

Me too, figured I missed something simple.

Can you add this to the 6500 -

"ip route 69.x.x.0 255.255.254.0 64.x.x.2"

Jon
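The fix in this thread is easy to miss because the outbound leg (PBR on Vlan801) was already working while the return leg had no route back to the FWSM. The following is an added example, not code from the thread or from Cisco: a small Python model of the 6500's forwarding decision with the posted routes and route-map, before and after Jon's "ip route 69.x.x.0 255.255.254.0 64.x.x.2". All masked "x" octets are replaced with constructed stand-in values.

```python
# Added example, not from the thread or from Cisco: a model of the 6500's
# forwarding decision for the Telecom NAT pool, showing why return traffic
# never reached the FWSM until the static route Jon suggested was added.
# All masked "x" octets from the thread are replaced with constructed values.
import ipaddress

TELECOM_POOL = ipaddress.ip_network("69.0.0.0/23")  # stands in for 69.x.x.0/23
FWSM_OUTSIDE = "64.0.0.2"                            # stands in for 64.x.x.2
SPRINGNET_GW = "66.0.0.73"                           # stands in for 66.x.x.73
TELECOM_PEER = "69.0.148.228"                        # stands in for x.x.148.228
CONNECTED_802 = "connected via Vlan802 (ARP for host, nobody answers)"

# 6500 RIB as posted (constructed octets): default to Springnet, 64.x.x.0/24 to FWSM.
RIB_POSTED = [
    (ipaddress.ip_network("0.0.0.0/0"), SPRINGNET_GW),
    (ipaddress.ip_network("64.0.0.0/24"), FWSM_OUTSIDE),
]
# While the Vlan802 SVI existed, 69.x.x.0/23 was a connected route on the 6500.
RIB_WITH_SVI = RIB_POSTED + [(TELECOM_POOL, CONNECTED_802)]
# After Jon's "ip route 69.x.x.0 255.255.254.0 64.x.x.2".
RIB_FIXED = RIB_POSTED + [(TELECOM_POOL, FWSM_OUTSIDE)]


def lookup(rib, dst):
    """Longest-prefix match over the RIB; returns the next hop."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in rib if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def forward(rib, ingress, src, dst):
    """PBR (route-map TelecomCommunity, ACL 10 = source 69.x.x.0/23) is
    applied on Vlan801 ingress and wins over the RIB; all else is routed."""
    if ingress == "Vlan801" and ipaddress.ip_address(src) in TELECOM_POOL:
        return TELECOM_PEER
    return lookup(rib, dst)


if __name__ == "__main__":
    # Outbound: an nvctest host NATed into the 210 pool leaving the FWSM.
    print("out:", forward(RIB_FIXED, "Vlan801", "69.0.0.5", "8.8.8.8"))
    # Return packet from 8.8.8.8 arriving on Te2/1, under each RIB variant.
    for name, rib in (("svi", RIB_WITH_SVI), ("posted", RIB_POSTED), ("fixed", RIB_FIXED)):
        print(f"back({name}):", forward(rib, "Te2/1", "8.8.8.8", "69.0.0.5"))
```

With the posted RIB the reply to a 69.x.x.x pool address follows the default route back out to Springnet and never reaches the FWSM, which is exactly the "Request timed out" seen with nat 210 while nat 110 kept working.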
