Three ISPs, NAT and PBR problem...

Discussion in 'Cisco' started by Froggy_Zorgy, Dec 21, 2006.

    Froggy_Zorgy (Guest)

    Hello,

    Here is the issue.

    I've got 3 ISPs. The first ISP (ISP1) is used for SMTP (inbound &
    outbound) and webmail (HTTPS inbound).

    On the second ISP (ISP2) => web (HTTP, HTTPS, DNS, MSN, etc.) and
    inbound VPN.

    On the third ISP (ISP3) => inbound FTP and HTTP.

    This configuration seems to work perfectly, but what I want to do is:

    - Use the third ISP (ISP3) for inbound VPN.

    OR

    - If it's not possible, use the third ISP for outbound web protocols
    (HTTP, HTTPS, etc.)

    I have configured Policy Based Routing.

    My first attempt at inbound VPN on the third ISP was not a success. In
    fact, traffic goes through the first SA (client => router) but is not
    re-encapsulated (router => client) in the second SA. So I think that
    the default route is the problem??

    When I use the "sh ip access-list" command, I never see any change on my
    access-list for ESP traffic; ESP seems not to match this ACL
    (access-list 106).

    For the second solution (outbound web access through the third ISP),
    PBR seems to work, but I have the feeling that the router doesn't do any NAT
    on the interface (Fa 0/1)? It's really strange and I'm stuck on this!!

    Thanks a lot !

    Here is my configuration:

    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot system flash:/c1841-advsecurityk9-mz.124-6.T.bin
    boot-end-marker
    !
    logging buffered 51200 warnings
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authentication login sdm_vpn_xauth_ml_2 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    !
    aaa session-id common
    !
    resource policy
    !
    clock timezone Paris 1
    clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
    no ip cef
    !
    !
    !
    !
    ip inspect name CBAC tcp audit-trail on
    ip inspect name CBAC udp audit-trail on
    ip inspect name CBAC dns audit-trail on
    ip inspect name CBAC smtp audit-trail on
    ip inspect name CBAC pop3 audit-trail on
    ip inspect name CBAC telnet audit-trail on
    ip inspect name CBAC http audit-trail on
    ip inspect name CBAC https audit-trail on
    ip ips sdf location flash:/128MB.sdf
    ip ips fail closed
    ip ips notify SDEE
    ip ips signature 3701 0 disable
    ip domain name mydomain.com
    ip name-server 10.1.1.7
    !
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group VPN
    key xxxxxxxxxx
    dns 10.1.1.7
    domain mydomaine.com
    pool SDM_POOL_1
    acl 100
    max-users 5
    netmask 255.255.0.0
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto dynamic-map SDM_DYNMAP_1 1
    set transform-set ESP-3DES-SHA
    reverse-route
    !
    !
    crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    !
    !
    interface FastEthernet0/0
    description ISP2
    ip address 82.xxx.xxx.xxx 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    speed 100
    full-duplex
    crypto map SDM_CMAP_1
    !
    interface FastEthernet0/1
    description ISP3
    ip address 84.xxx.xxx.xxx 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map SDM_CMAP_1
    !
    interface FastEthernet0/1/0
    description DMZ
    switchport access vlan 2
    speed 100
    !
    interface FastEthernet0/1/1
    description Nordnet
    switchport access vlan 3
    !
    interface FastEthernet0/1/2
    switchport access vlan 4
    !
    interface FastEthernet0/1/3
    !
    interface Vlan1
    no ip address
    !
    interface Vlan2
    description DMZ
    ip address 10.11.1.202 255.255.0.0
    ip inspect CBAC in
    ip nat inside
    ip virtual-reassembly
    ip policy route-map PBR
    !
    interface Vlan3
    description ISP1
    ip address 10.13.1.1 255.255.0.0
    ip nat outside
    ip virtual-reassembly
    !
    interface Vlan4
    description LAN
    ip address 10.1.1.202 255.255.0.0
    ip inspect CBAC in
    ip nat inside
    ip virtual-reassembly
    ip route-cache policy
    ip policy route-map PBR
    !
    ip local policy route-map PBR
    ip local pool SDM_POOL_1 10.254.0.1 10.254.0.5
    ip route 0.0.0.0 0.0.0.0 82.233.201.254 permanent
    ip route 0.0.0.0 0.0.0.0 82.229.252.254 100
    !
    !
    ip http server
    ip http access-class 1
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 5 life 86400 requests 10000
    ip nat inside source static tcp 10.1.2.99 3389 interface
    FastEthernet0/1 3389
    ip nat inside source static tcp 10.11.1.2 80 interface
    FastEthernet0/1 80
    ip nat inside source static tcp 10.11.1.2 21 interface
    FastEthernet0/1 21
    ip nat inside source static tcp 10.11.1.2 20 interface
    FastEthernet0/1 20
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1
    overload
    ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0/0
    overload
    ip nat inside source route-map SDM_RMAP_3 interface Vlan3 overload
    ip nat inside source static tcp 10.1.1.7 25 interface Vlan3 25
    ip nat inside source static tcp 10.1.1.7 443 interface Vlan3 443
    !
    !
    ip access-list extended ISP3
    remark SDM_ACL Category=2
    deny ip 10.11.0.0 0.0.255.255 host 10.254.0.1
    deny ip 10.11.0.0 0.0.255.255 host 10.254.0.2
    deny ip 10.11.0.0 0.0.255.255 host 10.254.0.3
    deny ip 10.11.0.0 0.0.255.255 host 10.254.0.4
    deny ip 10.11.0.0 0.0.255.255 host 10.254.0.5
    deny ip 10.1.0.0 0.0.255.255 host 10.254.0.1
    deny ip 10.1.0.0 0.0.255.255 host 10.254.0.2
    deny ip 10.1.0.0 0.0.255.255 host 10.254.0.3
    deny ip 10.1.0.0 0.0.255.255 host 10.254.0.4
    deny ip 10.1.0.0 0.0.255.255 host 10.254.0.5
    permit ip 10.1.0.0 0.0.255.255 any
    permit ip 10.11.0.0 0.0.255.255 any
    !
    access-list 2 permit XXXXXXXXXXXXXXXXXXX
    access-list 2 permit 10.1.0.0 0.0.255.255
    access-list 2 permit 10.254.0.0 0.0.255.255
    access-list 102 remark SDM_ACL Category=2
    access-list 102 deny ip 10.11.0.0 0.0.255.255 host 10.254.0.1
    access-list 102 deny ip 10.11.0.0 0.0.255.255 host 10.254.0.2
    access-list 102 deny ip 10.11.0.0 0.0.255.255 host 10.254.0.3
    access-list 102 deny ip 10.11.0.0 0.0.255.255 host 10.254.0.4
    access-list 102 deny ip 10.11.0.0 0.0.255.255 host 10.254.0.5
    access-list 102 deny ip 10.1.0.0 0.0.255.255 host 10.254.0.1
    access-list 102 deny ip 10.1.0.0 0.0.255.255 host 10.254.0.2
    access-list 102 deny ip 10.1.0.0 0.0.255.255 host 10.254.0.3
    access-list 102 deny ip 10.1.0.0 0.0.255.255 host 10.254.0.4
    access-list 102 deny ip 10.1.0.0 0.0.255.255 host 10.254.0.5
    access-list 102 permit ip 10.11.0.0 0.0.255.255 any
    access-list 102 permit ip 10.1.0.0 0.0.255.255 any
    access-list 104 remark SDM_ACL Category=2
    access-list 104 deny ip 10.11.0.0 0.0.255.255 host 10.254.0.1
    access-list 104 deny ip 10.11.0.0 0.0.255.255 host 10.254.0.2
    access-list 104 deny ip 10.11.0.0 0.0.255.255 host 10.254.0.3
    access-list 104 deny ip 10.11.0.0 0.0.255.255 host 10.254.0.4
    access-list 104 deny ip 10.11.0.0 0.0.255.255 host 10.254.0.5
    access-list 104 deny ip 10.1.0.0 0.0.255.255 host 10.254.0.1
    access-list 104 deny ip 10.1.0.0 0.0.255.255 host 10.254.0.2
    access-list 104 deny ip 10.1.0.0 0.0.255.255 host 10.254.0.3
    access-list 104 deny ip 10.1.0.0 0.0.255.255 host 10.254.0.4
    access-list 104 deny ip 10.1.0.0 0.0.255.255 host 10.254.0.5
    access-list 104 permit ip 10.11.0.0 0.0.255.255 any
    access-list 104 permit ip 10.1.0.0 0.0.255.255 any
    access-list 105 permit tcp any any eq smtp
    access-list 105 permit tcp any eq 443 any
    access-list 105 permit tcp any eq smtp any
    access-list 106 permit esp any any
    access-list 106 permit udp any any eq non500-isakmp
    access-list 106 permit udp any any eq isakmp
    access-list 106 permit tcp any any eq 1723
    access-list 106 permit tcp any eq 1723 any
    access-list 106 permit gre any any
    access-list 106 permit udp any eq non500-isakmp any
    access-list 106 permit udp any eq isakmp any
    no cdp run
    !
    !
    route-map PBR permit 10
    match ip address 105
    set ip next-hop 10.13.1.3
    !
    route-map PBR permit 20
    match ip address 106
    set ip next-hop <IP-router-ISP2>
    !
    route-map SDM_RMAP_1 permit 1
    match ip address 102
    !
    route-map SDM_RMAP_2 permit 1
    match ip address ISP3
    !
    route-map SDM_RMAP_3 permit 1
    match ip address 104
    !
    !
    !
    control-plane
    !
    banner login ^CCunauthorized access are forbidden !!^C
    !
    line con 0
    line aux 0
    line vty 0 4
    access-class 2 in
    transport input telnet ssh
    transport output none
    !
    scheduler allocate 20000 1000
    !
    end
     
    Froggy_Zorgy, Dec 21, 2006
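Added illustration, not part of the original post and not IOS code: a small Python model of the first-match ACL evaluation that the posted `route-map PBR` and the `ip nat inside source route-map` rules depend on. The ACL entries, the 10.254.0.1-5 VPN pool, the 10.13.1.3 next hop and the interface names are taken from the config above; the `<IP-router-ISP2>` placeholder is kept as a literal string, and the external address 203.0.113.9 and the 84.0.0.1 stand-in for the Fa0/1 address are constructed values. The three NAT ACLs in the post (102, ISP3, 104) contain the same entries, so they are built once here. The NAT function lists every NAT rule whose ACL permits a packet instead of guessing which one IOS would apply, because that selection is not something the post shows.

```python
"""Toy model of IOS first-match ACL, PBR route-map and NAT route-map evaluation.
Constructed example built from the posted configuration; it models only address,
protocol and port matching, not CBAC, crypto, or the routing table itself."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "esp" or "gre"
    sport: int = 0
    dport: int = 0


def net(spec: str) -> ipaddress.IPv4Network:
    """Turn an IOS address spec ('any', 'host A.B.C.D', 'A.B.C.D wildcard') into a network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec[5:] + "/32")
    addr, wildcard = spec.split()
    # ipaddress accepts an IOS-style wildcard (host mask): 0.0.255.255 -> /16
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


INSIDE = ("10.1.0.0 0.0.255.255", "10.11.0.0 0.0.255.255")   # LAN and DMZ, from the post
VPN_POOL = [f"host 10.254.0.{i}" for i in range(1, 6)]        # SDM_POOL_1, from the post


def nat_acl() -> list:
    """ACLs 102, ISP3 and 104 in the post share these entries: keep LAN/DMZ -> VPN-pool
    traffic out of NAT, then permit LAN/DMZ -> anywhere else."""
    entries = [("deny", "ip", s, h, None, None) for s in INSIDE for h in VPN_POOL]
    entries += [("permit", "ip", s, "any", None, None) for s in INSIDE]
    return entries


# (action, protocol, source, destination, source-port, destination-port); None = any
ACLS = {
    "105": [("permit", "tcp", "any", "any", None, 25),     # eq smtp
            ("permit", "tcp", "any", "any", 443, None),
            ("permit", "tcp", "any", "any", 25, None)],
    "106": [("permit", "esp", "any", "any", None, None),
            ("permit", "udp", "any", "any", None, 4500),   # non500-isakmp
            ("permit", "udp", "any", "any", None, 500),    # isakmp
            ("permit", "tcp", "any", "any", None, 1723),
            ("permit", "tcp", "any", "any", 1723, None),
            ("permit", "gre", "any", "any", None, None),
            ("permit", "udp", "any", "any", 4500, None),
            ("permit", "udp", "any", "any", 500, None)],
    "102": nat_acl(), "ISP3": nat_acl(), "104": nat_acl(),
}


def acl_permits(name: str, pkt: Packet) -> bool:
    """IOS semantics: the first matching entry decides; implicit deny at the end."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, s, d, sport, dport in ACLS[name]:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src not in net(s) or dst not in net(d):
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False


# route-map PBR, sequence order matters: (seq, match ACL, set ip next-hop)
PBR = [("10", "105", "10.13.1.3"), ("20", "106", "<IP-router-ISP2>")]
# ip nat inside source route-map ... interface ...: (route-map, match ACL, interface)
NAT_RULES = [("SDM_RMAP_1", "102", "FastEthernet0/1"),
             ("SDM_RMAP_2", "ISP3", "FastEthernet0/0"),
             ("SDM_RMAP_3", "104", "Vlan3")]


def pbr_next_hop(pkt: Packet) -> Optional[str]:
    """Next hop forced by the first PBR sequence whose ACL permits the packet;
    None means the packet falls through to the routing table (the default routes)."""
    for _seq, acl, next_hop in PBR:
        if acl_permits(acl, pkt):
            return next_hop
    return None


def nat_candidates(pkt: Packet) -> List[str]:
    """Interfaces of every NAT overload rule whose route-map ACL permits the packet."""
    return [iface for _rm, acl, iface in NAT_RULES if acl_permits(acl, pkt)]


if __name__ == "__main__":
    flows = {
        "LAN mail server -> Internet SMTP": Packet("10.1.1.7", "203.0.113.9", "tcp", 40000, 25),
        "LAN host -> Internet HTTP": Packet("10.1.1.5", "203.0.113.9", "tcp", 40000, 80),
        "router-generated ESP (local policy)": Packet("84.0.0.1", "203.0.113.9", "esp"),
        "LAN host -> VPN client in pool": Packet("10.1.1.5", "10.254.0.2", "tcp", 40000, 80),
    }
    for label, pkt in flows.items():
        print(f"{label}: PBR next-hop={pbr_next_hop(pkt)!r}, NAT rules={nat_candidates(pkt)}")
```

Running it shows the two behaviours visible in the post's config: only SMTP and the 443/25 reply traffic are steered to 10.13.1.3, plain HTTP falls through to the default routes, anything matching ACL 106 (ESP, ISAKMP, GRE, PPTP) is steered to the ISP2 next hop whichever interface it relates to, and LAN-to-VPN-pool traffic is excluded from every NAT rule while ordinary Internet-bound traffic is permitted by all three identical NAT ACLs at once.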