1841 Dual WAN Question

CmptrFrk Member Posts: 30
Hey guys, first post.

I have a Cisco 1841 with an HWIC-4ESW. We have a T1 going into a 1700 and from there I would like it to go to Fe0/0 on the 1841. We will be getting a business cable connection which will be going into Fe0/1 on the 1841. I would like all of the web browsing to go out on Fe0/1 and everything else out on Fe0/0. Is this possible?

Thanks!!!

Comments

  • gojericho0 Member Posts: 1,059
    You could use policy routing. You would create an extended access-list to permit all web traffic, then match it to a route-map and set the next hop or interface to go out fe0/1.

    You would apply the route-map to the fe0/0 so it can match the incoming traffic to the access-list, then any packets heading for the web will be redirected to fe0/1. See the link below for more details.

    http://www.cisco.com/warp/public/105/36.pdf
  • mikearama Member Posts: 749
    Good to have you with us, FRK... welcome aboard.

    Jericho probably describes the "best practice" method of using access lists to do the job.

    Based on the simplicity of your network, though, I'd go with a default route...

    Assuming that you're either using static routes or a routing protocol on the network, and to the networks on the other end of the T1, all known traffic is accounted for. By using a default route, any unknown destinations (i.e., internet sites) would get pushed out the internet link.

    ip route 0.0.0.0 0.0.0.0 fastethernet0/1

    Of course, this assumes you don't currently have a default gateway pointing elsewhere.

    Just an option,
    Mike
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • CmptrFrk Member Posts: 30
    Thanks for the info and link gojericho0!

    mikearama, right now our setup is T1-1700-DMZ-WatchGuard Firebox-LAN.
    We have about 120 users, a few VPNs, and an offsite replication server. Needless to say, internet browsing is pretty sloooooow. Hopefully the cable modem handling web only will fix the issue.
  • CmptrFrk Member Posts: 30
    R1#sh run
    Building configuration...

    Current configuration : 1203 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    ip cef
    !
    !
    interface FastEthernet0/0
    ip address Cable IP and Mask
    ip route-cache policy
    ip policy route-map Web%Browsing
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address T1 IP and Mask
    duplex auto
    speed auto
    !
    interface FastEthernet0/0/0
    !
    interface FastEthernet0/0/1
    switchport access vlan 2
    !
    interface FastEthernet0/0/2
    !
    interface FastEthernet0/0/3
    !
    interface Vlan1
    no ip address
    !
    interface Vlan2
    ip address LAN IP and Mask
    !
    ip route 0.0.0.0 0.0.0.0 T1 Router IP
    !
    ip http server
    no ip http secure-server
    !
    ip access-list extended test
    !
    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq 443
    route-map Web%Browsing permit 10
    match ip address 101
    set ip next-hop Cable Modem IP
    !
    !
    control-plane
    end
  • CmptrFrk Member Posts: 30
    Changed to

    interface FastEthernet0/0
    ip address Cable IP and Mask
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address T1 IP and Mask
    ip route-cache policy
    ip policy route-map Web%Browsing
    duplex auto
    speed auto

    and still nothing, any ideas?
  • rossonieri#1 Member Posts: 799
    CmptrFrk wrote:
    ip route 0.0.0.0 0.0.0.0 T1 Router IP
    !
    ip http server

    end

    where is ip route 0/0 via cable modem?

    and - that ip http server :: turn it off if you don't need it badly.

    HTH.

    cheers.
    the More I know, that is more and More I dont know.
  • CmptrFrk Member Posts: 30
    Added cable modem route. Turned off HTTP Server.


    interface FastEthernet0/0
    ip address Cable IP and Mask
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address T1 IP and Mask
    ip route-cache policy
    ip policy route-map Web%Browsing
    duplex auto
    speed auto
    !
    interface FastEthernet0/0/0
    !
    interface FastEthernet0/0/1
    switchport access vlan 2
    !
    interface Vlan1
    no ip address
    !
    interface Vlan2
    ip address LAN IP and Mask
    !
    ip route 0.0.0.0 0.0.0.0 T1 Router IP
    ip route 0.0.0.0 0.0.0.0 Cable Modem IP
    !
    no ip http server
    no ip http secure-server
    !
    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq 443
    route-map Web%Browsing permit 10
    match ip address 101
    set interface FastEthernet0/0


    When connected to the router I can ping out from each Int, but can't ping out from the LAN.
  • rossonieri#1 Member Posts: 799
    mmm..

    any firewall in front of or inside the 1800?

    your route-map is still heading your T1 ip.

    try pinging via each interface by shutting down your t1 first - look for a reply,
    then the next one.

    NAT?? PAT?? set?? on both interface??

    HTH.

    cheers.
    the More I know, that is more and More I dont know.
  • georgemc Member Posts: 429
    CmptrFrk,
    I'm guessing your layout looks something like this. Let me know if this isn't correct

    [Diagram: simple_diagram.jpg]

    Let's try this for the router config on the 1841.


    interface FastEthernet0/0
    !***Your original post said the Cable Modem would go to FA0/1
    ip address Cable IP and Mask
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    !***Your original post said the T1 Connection would go to FA0/0
    ip address T1 IP and Mask
    ! (move next command to the LAN interface)
    ip route-cache policy
    ! (move next command to the LAN Interface)
    ip policy route-map Web%Browsing
    duplex auto
    speed auto
    !
    interface FastEthernet0/0/0
    !
    interface FastEthernet0/0/1
    switchport access vlan 2
    !
    interface Vlan1
    no ip address
    !
    interface Vlan2
    ip address LAN IP and Mask
    ip route-cache policy
    !this will apply the policy routing to all of your LAN traffic destined for the outside world
    ip policy route-map Web%Browsing
    !
    ip route 0.0.0.0 0.0.0.0 T1 Router IP
    ! (Remove this,it's not needed)ip route 0.0.0.0 0.0.0.0 Cable Modem IP
    !
    no ip http server
    no ip http secure-server
    !
    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq 443
    route-map Web%Browsing permit 10
    match ip address 101
    set interface FastEthernet0/0




    I think this is what you're attempting to do. I'm assuming that your 120 LAN users are off of VLAN 2.

    Can you ping the gateway from the LAN? How about the IP address on FA0/0 and FA0/1?

    Because of your default route you won't be able to ping (ICMP) anything beyond the other side of FA0/0. Pings should work through FA0/1 to the outside world just fine.



    George
    WGU BS: Business - Information Technology Management
    Start Date: 01 October 2012
    QFT1,PFIT in progress.
    TRANSFERRED/COMPLETED: AGC1,BBC1,LAE1,QBT1,LUT1,QLC1,QMC1,QLT1,IWC1,INC1,INT1,BVC1,CLC1,MGC1, CWV1 BNC1, LIT1,LWC1,QAT1,WFV1,EST1,EGC1,EGT1,IWT1,MKC1,MKT1,RWT1,FNT1,FNC1, BDC1,TPV1 REQUIRED:
  • CmptrFrk Member Posts: 30
    rossonieri#1, no firewall yet, but I have a WatchGuard Firebox that I will be placing between the router and LAN. I could ping out each interface until I removed the route to the cable modem. No NAT yet.


    georgemc, plus a WatchGuard Firebox between the 1841 and LAN.

    Moved policy route to Vlan 2. Removed route to cable modem, but now can't ping out of that interface.

    I can ping the default gateway (Vlan 2) and both interfaces from the LAN.
  • CmptrFrk Member Posts: 30
    Would I put IP NAT OUTSIDE on both of the WAN interfaces, and IP NAT INSIDE on the LAN interface?

    Thanks,

    Josh
  • rossonieri#1 Member Posts: 799
    well - that is what i've asked you right?

    actually for the T1 link it is not necessary to do NAT as long as you have functioning network routing.
    (the most important one is your cable, which has to have NAT/PAT :: sorry for my bad english :) ).
    but you have to make sure your firewall will pass the requested traffic for the T1 link.

    for simplicity just do PAT on both links that go to T1 and cable.

    HTH.
    the More I know, that is more and More I dont know.
  • CmptrFrk Member Posts: 30
    Thanks guys, everything is finally working.


    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    ip cef
    !
    interface FastEthernet0/0
    description Cable$Connection
    ip address Cable IP and Mask
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    description T1$Connection
    ip address T1 IP and Mask
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/0/0
    switchport access vlan 2
    !
    interface FastEthernet0/0/1
    switchport access vlan 2
    !
    interface Vlan1
    no ip address
    !
    interface Vlan2
    ip address 192.168.0.250 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip route-cache policy
    ip policy route-map Web%Browsing
    !
    ip route 0.0.0.0 0.0.0.0 T1 Router IP
    ip route 0.0.0.0 0.0.0.0 Cable Modem IP
    !
    no ip http server
    no ip http secure-server
    ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
    ip nat inside source route-map ISP2 interface FastEthernet0/1 overload
    !
    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq 443
    access-list 120 permit ip 192.168.0.0 0.0.0.255 any
    route-map Web%Browsing permit 10
    match ip address 101
    set ip next-hop Cable Modem IP
    !
    route-map ISP2 permit 10
    match ip address 120
    match interface FastEthernet0/1
    !
    route-map ISP1 permit 10
    match ip address 120
    match interface FastEthernet0/0
    !
    end
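
The three fixes the thread converged on (policy route-map on the LAN-facing interface rather than a WAN port, `ip nat inside`/`ip nat outside` set on the right sides, and `ip http server` turned off) can be checked mechanically against a saved running-config. The script below is an added example, not part of the thread: the finding names and sample config are constructed, it assumes normal IOS indentation (one leading space on sub-commands, which the forum paste lost), and it treats any interface marked `ip nat outside` as a WAN port.

```python
import re

def parse_sections(config):
    """Split a running-config into global lines and per-interface sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
        elif raw.startswith(" "):
            if current is not None:
                current.append(line)
        else:
            m = re.match(r"interface (\S+)$", line)
            current = interfaces.setdefault(m.group(1), []) if m else None
            global_lines.append(line)
    return global_lines, interfaces

def audit(config):
    global_lines, interfaces = parse_sections(config)
    findings = []
    if "ip http server" in global_lines:
        findings.append("http-server-enabled")
    for name, cmds in interfaces.items():
        # PBR acts on packets arriving on an interface, so it belongs on the LAN side.
        if "ip nat outside" in cmds and any(c.startswith("ip policy route-map ") for c in cmds):
            findings.append(f"pbr-on-wan-interface:{name}")
    all_cmds = [c for cmds in interfaces.values() for c in cmds]
    if "ip nat outside" in all_cmds and "ip nat inside" not in all_cmds:
        findings.append("nat-no-inside-interface")
    return findings

# Constructed sample shaped like the thread's early attempts (policy on a WAN port).
BROKEN = """\
interface FastEthernet0/0
 ip nat outside
!
interface FastEthernet0/1
 ip nat outside
 ip policy route-map Web%Browsing
!
interface Vlan2
!
ip http server
"""
# The same config with the thread's fixes applied: policy and NAT inside on Vlan2, HTTP off.
FIXED = (BROKEN.replace("\n ip policy route-map Web%Browsing", "")
         .replace("interface Vlan2", "interface Vlan2\n ip nat inside\n ip policy route-map Web%Browsing")
         .replace("ip http server", "no ip http server"))
print(audit(BROKEN), audit(FIXED))
```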