NAT PBR HSRP and 'connection rejected'

Hi there.

Doing a lab to play with a combination of features.

Having trouble with connections between 2 VLANs.

I am doing NAT, Policy Based Routing (PBR) and HSRP on two routers.

The routers are cisco 1921 running (C1900-UNIVERSALK9-M), Version 15.3(2)T

From vlan 25, I can ping to NATed external address for hosts on vlan 26.

From vlan 26, I can ping to NATed external address for hosts on vlan 25.

But, I can ***NOT*** SSH from vlan 25 to ANY host (the external NAT address) on vlan 26 or vice versa....

I can't SSH from vlan25 hosts to the inside address of vlan26 hosts as PBR forces all connections to the outside router

I tried completely removing all ACLs, removing PBR, you name it. Nothing works.

All hosts are CentOS 6.4.

The truly odd thing is, when I run 'tcpdump' on the target system to look for packets, even though the PING works, I see no packets on the target system.

This tells me the echo-reply is NOT coming from the target systems but rather the Router.

network description:

On Gi0/0 I have 2 vlans (25 and 26) - 192.168.25.0/25 and 192.168.26.0/24

On Gi0/1 I have 2 vlans (1025 and 1026) 10.10.10.174/28 and 10.10.10.190/28

I have PBR to force packets from vlan 25 out via vlan 1025 and packets from vlan 26 out via vlan 1026.

Access rules allow select connections by filtering **outbound** traffic on the Gi0/0 inside subinterfaces.

Any help would be really appreciated.

-----------------------

Current configuration : 21440 bytes
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
ip cef
!
vtp mode transparent
!
track 1 interface GigabitEthernet0/1 line-protocol
!
track 2 interface GigabitEthernet0/0 line-protocol
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.25
 description NET-INT-VLAN-25-NET25
 encapsulation dot1Q 25
 ip address 192.168.25.2 255.255.255.0
 ip access-group ACL_RULES_VLAN-25-NET25 out
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map RMAP_VLAN-25-NET25
 standby version 2
 standby 25 ip 192.168.25.1
 standby 25 timers msec 300 1
 standby 25 priority 150
 standby 25 preempt delay minimum 30
 standby 25 name HSRP-25
 standby 25 track 1 decrement 50
!
interface GigabitEthernet0/0.26
 description NET-INT-VLAN-26-NET26
 encapsulation dot1Q 26
 ip address 192.168.26.2 255.255.255.0
 ip access-group ACL_RULES_VLAN-26-NET26 out
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map RMAP_VLAN-26-NET26
 standby version 2
 standby 26 ip 192.168.26.1
 standby 26 timers msec 300 1
 standby 26 priority 150
 standby 26 preempt delay minimum 30
 standby 26 name HSRP-26
 standby 26 track 1 decrement 50
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1025
 description NET-EXT-VLAN-1025-NET25
 encapsulation dot1Q 1025
 ip address 10.10.10.189 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 standby version 2
 standby 1025 ip 10.10.10.190
 standby 1025 timers msec 300 1
 standby 1025 priority 150
 standby 1025 preempt delay minimum 30
 standby 1025 name HSRP-1025
 standby 1025 track 2 decrement 50
!
interface GigabitEthernet0/1.1026
 description NET-EXT-VLAN-1026-NET26
 encapsulation dot1Q 1026
 ip address 10.10.10.173 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 standby version 2
 standby 1026 ip 10.10.10.174
 standby 1026 timers msec 300 1
 standby 1026 priority 150
 standby 1026 preempt delay minimum 30
 standby 1026 name HSRP-1026
 standby 1026 track 2 decrement 50
!
interface GigabitEthernet0/0/0
 no ip address
!
interface GigabitEthernet0/0/1
 no ip address
!
interface GigabitEthernet0/0/2
 no ip address
!
interface GigabitEthernet0/0/3
 no ip address
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool NAT_POOL_VLAN-25-NET25 10.10.10.190 10.10.10.190 prefix-length 28
ip nat pool NAT_POOL_VLAN-26-NET26 10.10.10.174 10.10.10.174 prefix-length 28
ip nat inside source route-map PAT_RMAP_VLAN-25-NET25 pool NAT_POOL_VLAN-25-NET25 overload
ip nat inside source route-map PAT_RMAP_VLAN-26-NET26 pool NAT_POOL_VLAN-26-NET26 overload
ip nat inside source static 192.168.26.10 10.10.10.165
ip nat inside source static 192.168.26.11 10.10.10.166
ip nat inside source static 192.168.25.10 10.10.10.180
ip nat inside source static 192.168.25.11 10.10.10.181
!
ip access-list extended ACL_RULES_VLAN-25-NET25
 remark Allow established TCP connections to NET25
 permit tcp any 192.168.25.0 0.0.0.255 established
 permit tcp any host 192.168.25.10 eq 2222
 permit tcp any host 192.168.25.11 eq 2222
 permit udp any host 192.168.25.10 eq domain
 permit udp any host 192.168.25.11 eq domain
 permit icmp any host 192.168.25.10 echo-reply
 permit icmp any host 192.168.25.10 echo
 permit icmp any host 192.168.25.11 echo-reply
 permit icmp any host 192.168.25.11 echo
 permit udp any eq domain host 192.168.25.10
 permit udp any eq domain host 192.168.25.11
 deny   ip any any log
ip access-list extended ACL_RULES_VLAN-26-NET26
 remark Allow established TCP connections to NET26
 permit tcp any 192.168.26.0 0.0.0.255 established
 permit tcp any host 192.168.26.10 eq 2222
 permit tcp any host 192.168.26.11 eq 2222
 permit udp any host 192.168.26.10 eq domain
 permit udp any host 192.168.26.11 eq domain
 permit icmp any host 192.168.26.10 echo-reply
 permit icmp any host 192.168.26.10 echo
 permit icmp any host 192.168.26.11 echo-reply
 permit icmp any host 192.168.26.11 echo
 permit udp any eq domain host 192.168.26.10
 permit udp any eq domain host 192.168.26.11
 deny   ip any any log
!
route-map RMAP_VLAN-25-NET25 permit 10
 set ip next-hop 10.10.10.177
!
route-map PAT_RMAP_VLAN-25-NET25 permit 10
 match interface GigabitEthernet0/1.1025
!
route-map RMAP_VLAN-26-NET26 permit 10
 set ip next-hop 10.10.10.161
!
route-map PAT_RMAP_VLAN-26-NET26 permit 10
 match interface GigabitEthernet0/1.1026
!
!
!
control-plane
!
!
!
line con 0
 length 50
 width 150
 stopbits 1
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login local
 rotary 1
 length 50
 width 150
 transport input ssh
!
scheduler allocate 20000 1000
!
end

rtr-acc-1#
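Added example (editor's addition, not part of the post above and not Cisco code): an offline evaluator for the subset of IOS extended-ACL syntax the posted ACLs use, run against ACL_RULES_VLAN-26-NET26 as it appears in the running-config. The point is to answer, before touching the router, which entry a given flow lands on when the outbound ACL on the inside subinterface sees it. The sample flows are constructed; the source addresses are arbitrary because every entry in the posted ACL matches source `any`. Assumptions: `established` is modelled as "TCP segment with ACK or RST set" (the IOS meaning), only `eq` port operators and named ports in a small table are supported, and packets are evaluated in isolation (no NAT translation is applied first).

```python
"""Evaluate a Cisco IOS extended ACL against sample flows (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Copied verbatim from the posted running-config.
ACL_VLAN26 = """
remark Allow established TCP connections to NET26
permit tcp any 192.168.26.0 0.0.0.255 established
permit tcp any host 192.168.26.10 eq 2222
permit tcp any host 192.168.26.11 eq 2222
permit udp any host 192.168.26.10 eq domain
permit udp any host 192.168.26.11 eq domain
permit icmp any host 192.168.26.10 echo-reply
permit icmp any host 192.168.26.10 echo
permit icmp any host 192.168.26.11 echo-reply
permit icmp any host 192.168.26.11 echo
permit udp any eq domain host 192.168.26.10
permit udp any eq domain host 192.168.26.11
deny   ip any any log
"""

# Small table of IOS port names (assumption: only the names needed here).
WELL_KNOWN_PORTS = {"domain": 53, "ssh": 22, "www": 80, "bootps": 67, "bootpc": 68, "ntp": 123}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False   # TCP segment with ACK or RST set
    icmp_type: Optional[int] = None


@dataclass
class Entry:
    action: str
    proto: str
    src: tuple                  # (address, wildcard) as integers
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]
    established: bool
    icmp_type: Optional[int]
    text: str                   # normalised entry text, for reporting


def _parse_addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' into ((addr, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(IPv4Address(tok[i + 1])), 0), i + 2
    return (int(IPv4Address(tok[i])), int(IPv4Address(tok[i + 1]))), i + 2


def _parse_port(tok, i):
    """Parse an optional 'eq PORT' into (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        port = WELL_KNOWN_PORTS.get(name)
        if port is None:
            port = int(name)    # raises ValueError on an unknown port name
        return port, i + 2
    return None, i


def parse_acl(text):
    """Parse ACL lines (remark lines are skipped) into Entry objects, in order."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto = tok[0], tok[1]
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        established, icmp_type = False, None
        for t in tok[i:]:
            if t == "established":
                established = True
            elif t in ICMP_TYPES:
                icmp_type = ICMP_TYPES[t]
            elif t != "log":     # 'log' changes logging only, not matching
                raise ValueError(f"unsupported keyword {t!r} in: {raw}")
        entries.append(Entry(action, proto, src, sport, dst, dport,
                             established, icmp_type, " ".join(tok)))
    return entries


def _addr_match(spec, ip):
    """Cisco wildcard semantics: bits set in the wildcard are don't-care."""
    addr, wild = spec
    return (int(IPv4Address(ip)) | wild) == (addr | wild)


def evaluate(entries, pkt):
    """Return (action, entry text) of the first match, else the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst)):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.established and not pkt.established:
            continue
        if e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
            continue
        return e.action, e.text
    return "deny", "implicit deny"


# Constructed sample flows; the source address is arbitrary here.
SAMPLE_FLOWS = {
    "tcp SYN to 192.168.26.10 port 22": Packet("tcp", "192.168.25.10", "192.168.26.10", 40000, 22),
    "tcp SYN to 192.168.26.10 port 2222": Packet("tcp", "192.168.25.10", "192.168.26.10", 40000, 2222),
    "tcp ACK to 192.168.26.10 port 22 (established)":
        Packet("tcp", "192.168.25.10", "192.168.26.10", 40000, 22, established=True),
    "icmp echo to 192.168.26.10": Packet("icmp", "192.168.25.10", "192.168.26.10", icmp_type=8),
    "icmp echo to 192.168.26.20": Packet("icmp", "192.168.25.10", "192.168.26.20", icmp_type=8),
    "dns reply (sport 53) to 192.168.26.10": Packet("udp", "192.168.25.1", "192.168.26.10", 53, 50000),
}


def check_flows(acl_text=ACL_VLAN26, flows=SAMPLE_FLOWS):
    """Map each flow name to the (action, entry) it hits under the ACL."""
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, (action, hit) in check_flows().items():
        print(f"{action:6} {name:48} <- {hit}")
```

Running it shows the policy the posted ACL actually expresses: a new TCP connection to port 22 on 192.168.26.10 reaches `deny ip any any log`, while the same SYN to port 2222, an established segment, an ICMP echo to a listed host, and a DNS reply from source port 53 each hit a permit line. A `deny ... log` entry also means every rejected flow should leave a log message, which is the first thing to read when a connection is refused on a box carrying ACLs like these.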
