12-20-2013 01:25 PM - edited 03-07-2019 05:12 PM
I'm quite new to the whole Cisco thing here. I am very hesitant to make changes, as I'm not 200% certain I won't bring down the whole network. (We are a very small company.)
We have a Cisco 1811 router (yes, I know it's old).
Now we have a route map and I am trying to understand it to make it work the way we want. Basically we have a few servers, and we don't want certain servers to use our cable internet connection; we want them to use our T1. Our T1 is using an ASA 5505 as a router. I don't know why; I know it's not best practice, but I was just hired and that's all I need to say about that. I'm trying to make do. Web traffic currently goes out our cable interface; everything else, including transfer speed on speedtest.net, goes out our T1. This makes for bad, bad VoIP phone calls. We also have a tunnel punched in the T1 from our other office, as well as our Exchange 2010 server using the T1. If our cable goes down, everything goes to the T1 (by design).
We have an extended access-list defined that our route-map uses for IP matching. I want to change the access-list to not allow local network IPs. I know if I put in allow ip any any it will break our network and NOTHING goes out the T1 line, and no one can get to our email server anymore. So I was thinking of adding a few statements in, but was wondering if anyone could help me with the logic so I know if I'll break the network. I'd hate to have to pull out the rolled cable and use the console. (I really need to get a USB-to-serial interface.) Now that you understand a little bit about my situation, here are all the numbers, etc.
Internal networks: 90.0.0.0/24, 192.168.0.0/24, 192.168.30.0/24, 172.20.0.0/16 (we only use 40 addresses; why they chose a /16 is beyond me, stupid really).
PTP VPN: 192.168.116.0/24 comes in and goes out our T1.
1811 Router: 90.0.0.254/192.168.30.254/192.168.0.254
ASA: 90.0.0.50
!
track 40 ip sla 40 reachability
delay down 90 up 60
!
interface Vlan1
description ***LAN INTERFACE 90.0.0.x Network***$FW_INSIDE$
ip address 90.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip policy route-map WEBPBR
!
interface Vlan10
description ****LAN INTERFACE 192.168.0.x NET*****$FW_INSIDE$
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip helper-address 90.0.0.2
ip virtual-reassembly
ip policy route-map WEBPBR
!
! Static Routes
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 90.0.0.50 track 20
ip route 0.0.0.0 0.0.0.0 197.164.245.109 200
ip route 8.8.8.8 255.255.255.255 197.164.245.109 permanent
ip route 10.250.10.0 255.255.255.0 90.0.0.50 permanent
ip route 172.20.0.0 255.255.0.0 90.0.0.50 permanent
ip route 208.67.220.220 255.255.255.255 197.164.245.109 permanent
ip access-list extended WEBTRAFFIC
deny ip any host 208.67.222.222
deny ip any 172.20.0.0 0.0.255.255
deny tcp host 90.0.0.2 any eq www
deny tcp host 90.0.0.14 any eq www
deny tcp host 90.0.0.235 any eq www
deny ip host 192.168.0.40 any
deny ip any host 192.168.0.40
deny ip host 192.168.0.41 any
deny ip any host 192.168.0.41
deny ip any host 192.168.0.221
deny ip host 192.168.0.221 any
deny ip host 192.168.0.225 any
deny tcp host 90.0.0.10 any eq www
deny ip any host 192.168.0.225
deny tcp host 90.0.0.11 any eq www
deny tcp host 90.0.0.9 any eq www
deny tcp host 90.0.0.8 any eq www
deny tcp host 90.0.0.7 any eq www
deny tcp host 90.0.0.6 any eq www
deny tcp host 90.0.0.1 any eq www
deny tcp host 90.0.0.13 any eq www
deny tcp host 90.0.0.200 any eq www
permit tcp any any eq www
permit ip host 192.168.0.131 any
permit ip host 192.168.0.130 any
permit ip host 192.168.0.132 any
permit ip host 192.168.0.133 any
permit ip host 192.168.0.134 any
permit ip host 192.168.0.135 any
permit ip host 192.168.0.136 any
permit ip host 192.168.0.137 any
permit ip host 192.168.0.138 any
permit ip host 192.168.0.139 any
permit ip host 192.168.0.140 any
permit ip host 192.168.0.141 any
permit ip host 192.168.0.142 any
permit ip host 192.168.0.143 any
permit ip host 192.168.0.144 any
permit ip host 192.168.0.145 any
permit ip host 192.168.0.146 any
permit ip host 192.168.0.147 any
permit ip host 192.168.0.148 any
permit ip host 192.168.0.149 any
permit ip host 192.168.0.150 any
permit ip host 90.0.0.80 any
permit ip host 90.0.0.81 any
permit ip host 90.0.0.82 any
permit ip host 90.0.0.83 any
permit ip host 90.0.0.84 any
permit ip host 90.0.0.85 any
permit ip host 90.0.0.86 any
permit ip host 90.0.0.87 any
permit ip host 90.0.0.88 any
permit ip host 90.0.0.89 any
permit ip host 90.0.0.90 any
permit ip host 90.0.0.91 any
permit ip host 90.0.0.92 any
permit ip host 90.0.0.93 any
permit ip host 90.0.0.94 any
permit ip host 90.0.0.95 any
deny tcp host 90.0.0.3 any eq www
ip sla 40
icmp-echo 208.67.220.220 source-interface Vlan1
timeout 6000
frequency 20
ip sla schedule 40 life forever start-time now
route-map WEBPBR permit 2
match ip address WEBTRAFFIC
set ip next-hop verify-availability 197.164.245.109 1 track 40
This is how we have it set up right now. If I were to put a few lines at the top of WEBTRAFFIC with:
deny ip any 192.168.0.0 0.0.0.255
deny ip any 90.0.0.0 0.0.0.255
deny ip any 192.168.116.0 0.0.0.255
! Etc with all internal networks
And then put at the bottom:
permit ip any any
Will that break EVERYTHING so we can't communicate with anything? Or is that what I actually have to do so we get internal routing, etc.? Also, I assume that I would put in the 15 IP addresses that are coming in on the ASA as well? (We have 14 public IP addresses, plus one for the T1 gateway.) Would those go in as well? I don't want to try putting those in at the top and make it so no one can do anything. I hope I made it clear what I'm trying to do...
Message was edited by: Ryan Young
12-21-2013 10:24 AM
Hi,
deny ip any 192.168.0.0 0.0.0.255
deny ip any 90.0.0.0 0.0.0.255
deny ip any 192.168.116.0 0.0.0.255
You don't want these subnets to be policy routed, you want them to use the path from the routing table ?
If so, then as PBR is an ingress feature and those subnets will never be the destination of packets entering the interfaces where PBR is configured, you should reverse your ACL like this:
deny ip 192.168.0.0 0.0.0.255 any
deny ip 90.0.0.0 0.0.0.255 any
deny ip 192.168.116.0 0.0.0.255 any
! Etc with all internal networks
**And then put at the bottom:
permit ip any any

The permit ip any any will force all traffic from any source to any destination to be policy-based routed; I suppose this is not what you want.
Could you be more precise and tell us exactly
which traffic shouldn't be policy routed and which should
Regards
Alain
Don't forget to rate helpful posts.
12-22-2013 04:05 PM
Basically, we want to policy-route everything but a few servers through the cable modem interface fa0; everything else will go through our T1 router, which is our 90.0.0.50.
If we choose permit ip any any, everything goes out via the policy routing. The way it is currently set up up top, only WWW (and the static IPs, which are phones) goes out our cable. EVERYTHING else goes out our T1. We want to reserve the T1 for our servers and site-to-site VPN tunnels (and client VPN). I think I am going to put our phones on a different subnet so we can QoS our data better. Right now the only quality of service is our manual policy-based routing. (Remember, I'm new to being a CCNA, and to this company.)
So what I'm trying to do currently is to stop internal networks from being policy-routed (else everything goes out our FA0), and to stop certain servers from using the policy routing, to force them to go out our T1. So, if I understand what we are currently doing, if I change the top WEBTRAFFIC from what it is to the following, will it do what I'm wanting right now? In the future I will create a new VLAN for the phone traffic and QoS that VLAN above everyone else. But since our VoIP phones use 8x8 instead of internal VoIP, I can't really automate the process.
This is what I'm thinking of doing with the access-list WEBTRAFFIC:
ip access-list extended WEBTRAFFIC
deny ip any host 208.67.222.222
deny ip any 172.20.0.0 0.0.255.255
deny ip any 90.0.0.0 0.0.0.255
deny ip any 192.168.0.0 0.0.0.255
deny ip any 192.168.30.0 0.0.0.255
deny ip any 192.168.116.0 0.0.0.255
deny ip any ! T1 line IP subnet
deny ip host 90.0.0.2 any
deny ip host 90.0.0.14 any
deny ip host 90.0.0.235 any
deny ip host 192.168.0.40 any
deny ip host 192.168.0.41 any
deny ip host 192.168.0.225 any
deny ip host 90.0.0.10 any
deny ip host 90.0.0.11 any
deny ip host 90.0.0.9 any
deny ip host 90.0.0.8 any
deny ip host 90.0.0.7 any
deny ip host 90.0.0.6 any
deny ip host 90.0.0.1 any
deny ip host 90.0.0.13 any
deny ip host 90.0.0.200 any
deny ip host 90.0.0.3 any
permit ip any any
Now, if my thinking is correct, the access-list goes in order from the top to the bottom; if it equals something at the top, then the permit does not apply, correct?
Message was edited by: Ryan Young
12-22-2013 06:38 PM
I have not read this thread thoroughly enough to be able to speak to the subtleties of whether this access list will fully do what you want. But I can answer the specific question that you ask. Yes, the access list is processed top down, and if some line higher in the access list does match, then the processing for that packet will not get to the permit at the bottom of the access list.
HTH
Rick
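The ordering question that runs through this thread (the original post's "deny the internal subnets, then permit ip any any" idea, the revised WEBTRAFFIC list, and Rick's top-down answer) can be checked offline before touching the 1811. The following is an added example, not code from the thread, from Cisco, or from any of the posters: a small Python model of IOS extended-ACL evaluation (top down, first match wins, implicit deny at the end) plus the egress decision route-map WEBPBR makes, assuming that a permit match sends the packet to the cable next-hop 197.164.245.109 and that anything else falls through to the routing table, whose tracked default route via the ASA/T1 at 90.0.0.50 is modelled as up. The list excerpts keep the posted line order; the incomplete placeholder `deny ip any ! T1 line IP subnet` is left out, and the sample flows and public addresses are constructed for illustration.

```python
"""Added example, not from the thread: first-match evaluation of the WEBTRAFFIC
ACL and the egress decision route-map WEBPBR makes on the 1811.  Assumes IOS
semantics (top down, first match wins, implicit deny) and that PBR sends a packet
to the cable next-hop only on a permit match, else the routing table is used."""
import ipaddress

CABLE, T1 = "197.164.245.109", "90.0.0.50"
PORT_NAMES = {"www": 80}
# Static and connected routes from the posted config, tracked default route up.
ROUTES = [("0.0.0.0/0", T1), ("8.8.8.8/32", CABLE), ("208.67.220.220/32", CABLE),
          ("10.250.10.0/24", T1), ("172.20.0.0/16", T1), ("90.0.0.0/24", "connected Vlan1"),
          ("192.168.0.0/24", "connected Vlan10"), ("192.168.30.0/24", "connected")]

def _addr(tok):
    """Consume 'any' | 'host A' | 'A wildcard' from tok; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    mask = ~int(ipaddress.ip_address(tok[1])) & 0xFFFFFFFF        # wildcard -> netmask
    return ipaddress.ip_network(f"{tok[0]}/{bin(mask).count('1')}", strict=False), tok[2:]

def parse_acl(text):
    """Parse permit/deny lines (ip/tcp/udp, optional 'eq <dport>') in list order."""
    entries = []
    for line in text.splitlines():
        tok = line.split("!")[0].split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue                                    # header or comment line
        src, rest = _addr(tok[2:])
        dst, rest = _addr(rest)
        dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        entries.append((tok[0], tok[1], src, dst, dport, " ".join(tok)))
    return entries

def first_match(entries, proto, src, dst, dport=None):
    """Return (action, line) of the first entry that matches, or the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, edst, edport, line in entries:
        if eproto in ("ip", proto) and s in esrc and d in edst and edport in (None, dport):
            return action, line
    return "deny", "implicit deny"

def route_lookup(dst):
    """Longest-prefix match over ROUTES."""
    d = ipaddress.ip_address(dst)
    return max((ipaddress.ip_network(p).prefixlen, nh) for p, nh in ROUTES
               if d in ipaddress.ip_network(p))[1]

def forward(entries, proto, src, dst, dport=None, cable_up=True):
    """Cable next-hop on a permit match while track 40 is up; routing table otherwise."""
    action, _ = first_match(entries, proto, src, dst, dport)
    return CABLE if action == "permit" and cable_up else route_lookup(dst)

# Excerpt of the current WEBTRAFFIC list, in the posted order.
CURRENT = parse_acl("""
deny ip any 172.20.0.0 0.0.255.255
deny tcp host 90.0.0.2 any eq www
deny ip host 192.168.0.40 any
permit tcp any any eq www
permit ip host 192.168.0.131 any
deny tcp host 90.0.0.3 any eq www
""")
# Excerpt of the proposed list; the placeholder 'deny ip any ! T1 line IP subnet' is left out.
PROPOSED = parse_acl("""
deny ip any 172.20.0.0 0.0.255.255
deny ip any 90.0.0.0 0.0.0.255
deny ip any 192.168.0.0 0.0.0.255
deny ip any 192.168.116.0 0.0.0.255
deny ip host 90.0.0.2 any
deny ip host 90.0.0.3 any
permit ip any any
""")
PERMIT_ALL = parse_acl("permit ip any any")   # the feared variant with no internal denies

# Constructed sample flows: (label, proto, src, dst, dport); public addresses are documentation ranges.
FLOWS = [("PC web", "tcp", "90.0.0.100", "203.0.113.10", 80),
         ("PC speedtest/https", "tcp", "90.0.0.100", "203.0.113.10", 443),
         ("Exchange SMTP", "tcp", "90.0.0.2", "203.0.113.10", 25),
         ("90.0.0.3 web", "tcp", "90.0.0.3", "203.0.113.10", 80),
         ("inter-VLAN SMB", "tcp", "192.168.0.50", "90.0.0.2", 445),
         ("to VPN peer", "tcp", "90.0.0.100", "192.168.116.20", 445),
         ("phone", "udp", "192.168.0.131", "198.51.100.5", 5060)]

if __name__ == "__main__":
    for name, acl in (("current", CURRENT), ("proposed", PROPOSED), ("permit-all", PERMIT_ALL)):
        for label, *pkt in FLOWS:
            print(f"{name:10s} {label:20s} -> {forward(acl, *pkt):16s} via {first_match(acl, *pkt)[1]}")
```

Running it shows three things the thread argues about. With the bare `permit ip any any` variant, the inter-VLAN flow 192.168.0.50 to 90.0.0.2 and the flow to the 192.168.116.0/24 VPN peer are both handed to the cable next-hop, which is the "breaks everything" outcome; with the internal-subnet denies in front, those flows fall through to the routing table (connected VLAN and T1 respectively) while ordinary workstation traffic on any port, not just port 80, leaves via the cable. The model also makes the first-match rule visible in the current list: web traffic from 90.0.0.3 is matched by `permit tcp any any eq www` before the `deny tcp host 90.0.0.3 any eq www` entry at the bottom is ever consulted, so that deny never fires where it sits. This is only a model of the posted lines; after changing the list on the router, confirm the result with the match counters in `show ip access-lists WEBTRAFFIC` and the policy-routed counters in `show route-map WEBPBR`, ideally in a window when the console cable is within reach.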