Routing problem with multihomed router.

Discussion in 'Cisco' started by Agustin, Sep 5, 2006.

  1. Agustin

    Agustin Guest

    Hi everyone,
    I am having a little bit of a problem trying to configure a router with
    two ISPs connected to it.
    The problem is this:
    I have ISP1 and ISP2, each one with their particular gateway. After I
    configured everything (dyn nat, static nat, vpn, etc) everything works
    fine, except for the routing. I want to use ISP1 for vpn routing (which
    I do with static routes) and ISP2 for every other traffic (so I just
    create a last resort gw 0.0.0.0 0.0.0.0 ISP2), but I would also
    like to access the other interface from the open internet, which I can't
    do now because the router doesn't know how to route the packet and
    instead it tries to send it through the last resort gw (LSG). I've tried
    to put two LSGs but it seems to be picking ISP1, probably because in
    the routing table I have 4 routes with ISP1 and only 1 with the other
    one, so probably it believes that it can "save" more routes using this
    one. The problem is that this way all the dynamic NAT map is built
    upon the interface that I don't want to use. Is there a way to tell the
    router that if it receives a packet on interface 2 it replies through
    that one? Should I use route maps? And if I do, how?
    Although the best thing to accomplish is forcing the router to pick as
    LSG the interface that I want, because now this is the case:
    ip route 0.0.0.0 0.0.0.0 ISP 1
    ip route 0.0.0.0 0.0.0.0 ISP 2
    ip route X.X.X.X 255.255.255.255 ISP 1
    ip route 172.16.0.0 255.255.240.0 ISP 1
    ip route 192.168.0.0 255.255.128.0 ISP 1
    ip route X.X.X.X 255.255.255.224 ISP 1

    Having those routes in my config it picks the LSG with ISP 1 as the
    default one, but I want it to be the other way around.
    How should I do this?
    Thanks everyone in advance.
    Agustin, Sep 5, 2006
    #1

  2. Agustin wrote:
    > Hi everyone,
    > I am having a little bit of a problem trying to configure a router with
    > two ISPs connected to it.
    > The problem is this:
    > I have ISP1 and ISP2, each one with their particular gateway. After I
    > configured everything (dyn nat, static nat, vpn, etc) everything works
    > fine, except for the routing. I want to use ISP1 for vpn routing (which
    > I do with static routes) and ISP2 for every other traffic (so I just
    > create a last resort gw 0.0.0.0 0.0.0.0 ISP2), but I would also
    > like to access the other interface from the open internet, which I can't
    > do now because the router doesn't know how to route the packet and
    > instead it tries to send it through the last resort gw (LSG). I've tried
    > to put two LSGs but it seems to be picking ISP1, probably because in
    > the routing table I have 4 routes with ISP1 and only 1 with the other
    > one, so probably it believes that it can "save" more routes using this
    > one. The problem is that this way all the dynamic NAT map is built
    > upon the interface that I don't want to use. Is there a way to tell the
    > router that if it receives a packet on interface 2 it replies through
    > that one? Should I use route maps? And if I do, how?
    > Although the best thing to accomplish is forcing the router to pick as
    > LSG the interface that I want, because now this is the case:
    > ip route 0.0.0.0 0.0.0.0 ISP 1
    > ip route 0.0.0.0 0.0.0.0 ISP 2
    > ip route X.X.X.X 255.255.255.255 ISP 1
    > ip route 172.16.0.0 255.255.240.0 ISP 1
    > ip route 192.168.0.0 255.255.128.0 ISP 1
    > ip route X.X.X.X 255.255.255.224 ISP 1
    >
    > Having those routes in my config it picks the LSG with ISP 1 as the
    > default one, but I want it to be the other way around.
    > How should I do this?
    > Thanks everyone in advance.


    If you are routing only VPN traffic through ISP1, why do you have a
    default route?
    christian koch, Sep 5, 2006
    #2

  3. christian koch wrote:
    > Agustin wrote:
    > > Hi everyone,
    > > I am having a little bit of a problem trying to configure a router with
    > > two ISPs connected to it.
    > > The problem is this:
    > > I have ISP1 and ISP2, each one with their particular gateway. After I
    > > configured everything (dyn nat, static nat, vpn, etc) everything works
    > > fine, except for the routing. I want to use ISP1 for vpn routing (which
    > > I do with static routes) and ISP2 for every other traffic (so I just
    > > create a last resort gw 0.0.0.0 0.0.0.0 ISP2), but I would also
    > > like to access the other interface from the open internet, which I can't
    > > do now because the router doesn't know how to route the packet and
    > > instead it tries to send it through the last resort gw (LSG). I've tried
    > > to put two LSGs but it seems to be picking ISP1, probably because in
    > > the routing table I have 4 routes with ISP1 and only 1 with the other
    > > one, so probably it believes that it can "save" more routes using this
    > > one. The problem is that this way all the dynamic NAT map is built
    > > upon the interface that I don't want to use. Is there a way to tell the
    > > router that if it receives a packet on interface 2 it replies through
    > > that one? Should I use route maps? And if I do, how?
    > > Although the best thing to accomplish is forcing the router to pick as
    > > LSG the interface that I want, because now this is the case:
    > > ip route 0.0.0.0 0.0.0.0 ISP 1
    > > ip route 0.0.0.0 0.0.0.0 ISP 2
    > > ip route X.X.X.X 255.255.255.255 ISP 1
    > > ip route 172.16.0.0 255.255.240.0 ISP 1
    > > ip route 192.168.0.0 255.255.128.0 ISP 1
    > > ip route X.X.X.X 255.255.255.224 ISP 1
    > >
    > > Having those routes in my config it picks the LSG with ISP 1 as the
    > > default one, but I want it to be the other way around.
    > > How should I do this?
    > > Thanks everyone in advance.

    >
    > If you are routing only VPN traffic through ISP1, why do you have a
    > default route?

    Also please post your config; please don't include password information.
    christian koch, Sep 5, 2006
    #3
  4. Agustin

    Agustin Guest

    This is the config without the things that can be omitted and the
    ones that have to be.
    I want to have a default route also to VLAN7 to enable it to be contacted
    for roaming VPN from anywhere.
    Thanks.

    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    boot-start-marker
    boot-end-marker
    !
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    aaa new-model
    !
    !
    aaa authentication login userauthen local
    aaa authentication login radiusauth group radius local
    aaa authorization exec default local
    aaa authorization exec radiusexec local group radius
    aaa authorization network groupauthor local
    aaa authorization network radiusgroup local group radius
    aaa session-id common
    ip subnet-zero
    no ip source-route
    no ip gratuitous-arps
    ip cef
    !
    !
    ip inspect max-incomplete high 3000
    ip inspect max-incomplete low 2900
    ip inspect one-minute high 3000
    ip inspect one-minute low 2900
    ip inspect udp idle-time 300
    ip inspect dns-timeout 15
    ip inspect tcp synwait-time 20
    ip inspect tcp max-incomplete host 50 block-time 1
    ip inspect name firewall cuseeme
    ip inspect name firewall ftp
    ip inspect name firewall http
    ip inspect name firewall rcmd
    ip inspect name firewall realaudio
    ip inspect name firewall smtp
    ip inspect name firewall sqlnet
    ip inspect name firewall streamworks
    ip inspect name firewall tcp
    ip inspect name firewall tftp
    ip inspect name firewall udp
    ip inspect name firewall vdolive
    no ip dhcp conflict logging
    !
    ip dhcp class C
    !
    ip ips po max-events 100
    no ip bootp server
    no ip domain lookup
    no ftp-server write-enable
    !
    !
    class-map match-any SDMScave-FastEthernet0/1
     match protocol napster
     match protocol fasttrack
     match protocol gnutella
    class-map match-any SDMTrans-FastEthernet0/1
     match protocol citrix
     match protocol finger
     match protocol notes
     match protocol novadigm
     match protocol pcanywhere
     match protocol secure-telnet
     match protocol sqlnet
     match protocol sqlserver
     match protocol ssh
     match protocol telnet
     match protocol xwindows
    class-map match-any SDMVoice-FastEthernet0/1
     match protocol rtp audio
    class-map match-any SDMSVideo-FastEthernet0/1
     match protocol cuseeme
     match protocol netshow
     match protocol rtsp
     match protocol streamwork
     match protocol vdolive
    class-map match-any SDMIVideo-FastEthernet0/1
     match protocol rtp video
    class-map match-any SDMManage-FastEthernet0/1
     match protocol dhcp
     match protocol dns
     match protocol imap
     match protocol kerberos
     match protocol ldap
     match protocol secure-imap
     match protocol secure-ldap
     match protocol snmp
     match protocol socks
     match protocol syslog
    class-map match-any SDMRout-FastEthernet0/1
     match protocol bgp
     match protocol egp
     match protocol eigrp
     match protocol ospf
     match protocol rip
     match protocol rsvp
    class-map match-any SDMSignal-FastEthernet0/1
     match protocol h323
     match protocol rtcp
    class-map match-any SDMBulk-FastEthernet0/1
     match protocol exchange
     match protocol ftp
     match protocol irc
     match protocol nntp
     match protocol pop3
     match protocol printer
     match protocol secure-ftp
     match protocol secure-irc
     match protocol secure-nntp
     match protocol secure-pop3
     match protocol smtp
     match protocol tftp
    !
    !
    policy-map SDM-Pol-FastEthernet0/1
     class SDMManage-FastEthernet0/1
      bandwidth remaining percent 5
      set dscp cs2
     class SDMVoice-FastEthernet0/1
      priority percent 68
      set dscp ef
     class SDMRout-FastEthernet0/1
      bandwidth remaining percent 5
      set dscp cs6
     class SDMTrans-FastEthernet0/1
      bandwidth remaining percent 48
      set dscp af21
     class SDMSignal-FastEthernet0/1
      bandwidth remaining percent 28
      set dscp cs3
    !
    !
    interface Null0
     no ip unreachables
    !
    interface Loopback0
     no ip address
    !
    interface FastEthernet0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip inspect firewall in
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     duplex auto
     speed auto
     no cdp enable
     no mop enabled
    !
    interface FastEthernet0/0.1
     encapsulation dot1Q 2
     ip address 192.168.132.1 255.255.255.0
     ip access-group 107 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip inspect firewall in
     ip nat inside
     ip virtual-reassembly
     no cdp enable
    !
    interface FastEthernet0/0.2
     encapsulation dot1Q 3
     ip dhcp client lease 10 0 0
     ip address 10.0.0.1 255.255.255.0
     ip access-group 103 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip inspect firewall in
     ip nat inside
     ip virtual-reassembly
     no ip route-cache same-interface
     no cdp enable
    !
    interface FastEthernet0/0.4
     encapsulation dot1Q 4
     ip address 192.168.133.1 255.255.255.0
     ip access-group 108 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip inspect firewall in
     ip nat inside
     ip virtual-reassembly
     no ip route-cache same-interface
     no cdp enable
    !
    interface FastEthernet0/1/0
     switchport access vlan 7
     no ip address
     duplex half
     speed 10
     no cdp enable
    !
    interface FastEthernet0/1/1
     switchport access vlan 8
     no ip address
     duplex half
     speed 10
     no cdp enable
    !
    interface FastEthernet0/1/2
     no ip address
     shutdown
     no cdp enable
    !
    interface FastEthernet0/1/3
     switchport trunk native vlan 7
     switchport mode trunk
     no ip address
     no cdp enable
    !
    interface Vlan1
     no ip address
    !
    interface Vlan7
     bandwidth 2048
     ip address X.X.X.X X.X.X.X
     ip access-group 102 in
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip nat outside
     ip rip send version 2
     ip virtual-reassembly
     service-policy output SDM-Pol-FastEthernet0/1
     ip route-cache flow
     no mop enabled
     crypto map VPN
    !
    interface Vlan8
     bandwidth 2048
     ip address X.X.X.X X.X.X.X
     ip access-group 114 in
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip nat outside
     ip virtual-reassembly
     service-policy output SDM-Pol-FastEthernet0/1
     ip route-cache flow
     no mop enabled
     crypto map VPN
    !
    ip local pool VPN_Pool 192.168.135.100 192.168.135.250
    ip classless
    ip route 0.0.0.0 0.0.0.0 vlan8
    ip route vpnendpoint vlan7
    ip route 172.16.0.0 255.255.240.0 vlan7
    ip route 192.168.0.0 255.255.128.0 vlan7
    ip route vlan7 network vlan7
    ip nat inside source route-map nonat interface Vlan8 overload
    ip nat inside source static 192.168.132.19 VLAN8 route-map StaticNat
    ip nat inside source static 192.168.132.6 VLAN8 route-map StaticNat
    !
    !
    access-list 1 remark SDM_ACL Category=1
    access-list 1 permit 192.168.5.10
    access-list 1 permit 192.168.132.9
    access-list 1 permit 192.168.132.27
    access-list 1 permit 192.168.133.20
    access-list 100 remark Nat rule for inside nat rules.
    access-list 100 deny ip 192.168.128.0 0.0.127.255 172.16.0.0 0.0.255.255
    access-list 100 deny ip 192.168.128.0 0.0.127.255 192.168.0.0 0.0.255.255
    access-list 100 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    access-list 100 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 100 permit ip 192.168.128.0 0.0.127.255 any
    access-list 100 permit ip 172.16.0.0 0.0.248.255 any
    access-list 100 permit ip 10.0.0.0 0.0.0.255 any
    access-list 100 deny ip any any
    access-list 101 remark ACL for allow flow traffic trought the vpn
    access-list 101 permit ip 192.168.128.0 0.0.127.255 172.16.0.0 0.0.15.255
    access-list 101 permit ip 192.168.128.0 0.0.127.255 192.168.0.0 0.0.127.255
    access-list 101 permit ip 172.16.0.0 0.0.248.255 172.16.0.0 0.0.15.255
    access-list 101 permit ip 172.16.0.0 0.0.248.255 192.168.0.0 0.0.127.255
    access-list 101 deny ip any any
    access-list 102 permit esp any host vlan7
    access-list 102 permit icmp any any
    access-list 102 permit udp host 216.244.192.3 eq ntp host vlan7
    access-list 102 permit udp any host vlan7 eq isakmp
    access-list 102 permit udp any host vlan7 eq non500-isakmp
    access-list 102 permit ahp any host vlan7
    access-list 102 deny ip any any
    access-list 103 remark ACL for the Lawyers VLAN
    access-list 103 remark Permit the DHCP traffic from
    access-list 103 remark the vlan to the router.
    access-list 103 permit udp any any eq bootps
    access-list 103 remark Deny access to our Lans
    access-list 103 deny ip any 192.168.0.0 0.0.255.255
    access-list 103 remark Deny access to the DMZ
    access-list 103 deny ip any 172.16.0.0 0.0.255.255
    access-list 103 remark Permit access to anything else
    access-list 103 permit ip 10.0.0.0 0.0.0.255 any
    access-list 103 deny ip any any
    access-list 103 remark ACL for the Lawyers VLAN
    access-list 103 remark Permit the DHCP traffic from
    access-list 103 remark the vlan to the router.
    access-list 103 remark Deny access to our Lans
    access-list 103 remark Deny access to the DMZ
    access-list 103 remark Permit access to anything else
    access-list 104 remark ACL for allow flow traffic trought the roaming vpn
    access-list 104 permit ip 172.16.0.0 0.0.63.255 192.168.135.0 0.0.0.255
    access-list 104 permit ip 192.168.128.0 0.0.127.255 192.168.135.0 0.0.0.255
    access-list 104 permit ip 192.168.0.0 0.0.127.255 192.168.135.0 0.0.0.255
    access-list 105 remark Allow management from this ips
    access-list 105 permit ip 192.168.22.0 0.0.0.255 any
    access-list 105 permit ip 192.168.133.0 0.0.0.255 any
    access-list 105 permit ip 192.168.132.0 0.0.0.31 any
    access-list 105 deny ip any any
    access-list 107 remark Recruiters VLAN ACLs
    access-list 107 remark Allow any kind of traffic to all the computers between th
    access-list 107 permit ip 192.168.132.0 0.0.0.63 any
    access-list 107 remark Traffic to NY DMZ
    access-list 107 permit ip 192.168.132.0 0.0.0.255 172.16.0.0 0.0.15.255
    access-list 107 permit ip 192.168.132.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 107 deny ip any any
    access-list 108 remark Development VLAN ACLs
    access-list 108 permit ip any any
    access-list 108 deny ip any any
    access-list 109 remark DMZ VLAN ACLs
    access-list 109 permit ip any any
    access-list 109 deny ip any any
    access-list 111 remark Static NAT ACL
    access-list 111 deny ip host 192.168.132.6 172.16.0.0 0.0.255.255
    access-list 111 deny ip host 192.168.132.6 192.168.0.0 0.0.255.255
    access-list 111 deny ip host 192.168.132.19 172.16.0.0 0.0.255.255
    access-list 111 deny ip host 192.168.132.19 192.168.0.0 0.0.255.255
    access-list 111 permit ip host 192.168.132.19 any
    access-list 111 permit ip host 192.168.132.6 any
    access-list 114 remark ACL for the external Telecom dwarf int
    access-list 114 permit esp any host vlan8
    access-list 114 permit icmp any any
    access-list 114 permit udp host 216.244.192.3 eq ntp host vlan8
    access-list 114 permit udp any host vlan8 eq isakmp
    access-list 114 permit udp any host vlan8 eq non500-isakmp
    access-list 114 permit ahp any host vlan8
    access-list 114 permit tcp any host vlan8 eq www
    access-list 114 permit ip host 62.141.42.77 host vlan8
    access-list 114 deny ip any any
    no cdp run
    route-map StaticNat permit 10
     match ip address 111
    !
    route-map nonat permit 10
     match ip address 100
    !
    !
    Agustin, Sep 5, 2006
    #4
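The thread never gets an answer, so here is an added example (editor's addition, not the poster's config and not from any reply) of the usual IOS approach to the question in post #1: keep Vlan8 as the only active default route, and use local policy routing so that packets the router itself sources from its Vlan7 address (ISAKMP/ESP replies to roaming VPN clients) go back out via ISP1 instead of following the default. The ISP1 gateway 203.0.113.1, the router's Vlan7 address 203.0.113.2 (the X.X.X.X in the config), ACL number 120 and the route-map name are placeholders chosen for the example.

```cisco
! Added example, not part of the original thread. Placeholders:
!   203.0.113.1 = ISP1's gateway on VLAN 7
!   203.0.113.2 = this router's own Vlan7 address (X.X.X.X above)
!
! 1. One active default only. The Vlan7 default becomes a floating static
!    (administrative distance 250) that is installed only if Vlan8 goes
!    down, so the two defaults no longer tie and dynamic NAT on Vlan8
!    keeps matching the interface the traffic actually leaves on.
ip route 0.0.0.0 0.0.0.0 Vlan8
ip route 0.0.0.0 0.0.0.0 Vlan7 250
!
! 2. Router-originated packets sourced from the Vlan7 address must leave
!    through ISP1 even though the default route points at Vlan8; otherwise
!    VPN replies to a roaming client go out Vlan8 with Vlan7's source
!    address (asymmetric, and likely to be dropped by ISP2's ingress filter).
access-list 120 permit ip host 203.0.113.2 any
!
route-map REPLY-VIA-ISP1 permit 10
 match ip address 120
 set ip next-hop 203.0.113.1
!
! 'ip local policy' applies the route-map to locally generated packets
! only; transit traffic from the inside VLANs still follows the normal
! routing table (and therefore the Vlan8 default plus the static routes).
ip local policy route-map REPLY-VIA-ISP1
```

Check with `show ip route 0.0.0.0` that only the Vlan8 default is installed and with `show route-map REPLY-VIA-ISP1` that the policy is actually matching packets. Because both WAN interfaces run strict uRPF (`ip verify unicast reverse-path`), also confirm in `show ip interface Vlan7` that inbound VPN packets are not being counted as verification drops once the default points only at Vlan8.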