Need to Have both ISP to access internet/servers

ahmedahmed Member Posts: 41
I need help configuring a Cisco 2911 router. It has two ISPs, one as primary (216.140.140.0) and a secondary for backup (216.150.150.0).
I need to be able to access both ISPs using the same interface Gi0/1, without sub-interfaces.
Since we have servers that have to have a specific IP both when accessed and when accessing the internet, I used static NAT for the servers and dynamic NAT for all others.
I did the following configuration, but it does not work as I want it: if I unplug the primary ISP from the unmanaged switch, the secondary can't access the Internet or network. The secondary only works when the primary and secondary are both connected at the same time.
Even though I have been advised to use a sub-interface instead of a secondary IP address (which worked when I used it), I need to use the same interface, using an unmanaged switch to which the outside interface of the router and the two ISPs are connected.
Please let me know what I can do to make this work. When I did show ip sla statistics and show track, it showed that the SLA is not running. I tried to ping my next hop 216.140.140.1 and could not ping it, even though when I ping it from my test server 10.0.0.50 it pings successfully, and NAT is up and running successfully, as I can access server resources/internet.

Below is my configuration.

interface GigabitEthernet0/0
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 216.150.150.4 255.255.255.0 secondary
ip address 216.140.140.2 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip nat inside source route-map Primary interface GigabitEthernet0/1 overload
ip nat inside source route-map Secondary interface GigabitEthernet0/1 overload

ip nat inside source static 10.0.0.52 216.140.140.4 route-map Primary
ip nat inside source static 10.0.0.53 216.140.140.5 route-map Primary
ip nat inside source static 10.0.0.59 216.140.140.6 route-map Primary
ip nat inside source static 10.0.0.61 216.140.140.7 route-map Primary
ip nat inside source static 10.0.0.228 216.140.140.8 route-map Primary
ip nat inside source static 10.0.0.16 216.140.140.11 route-map Primary
ip nat inside source static 10.0.0.30 216.140.140.12 route-map Primary
ip nat inside source static 10.0.0.251 216.140.140.13 route-map Primary
ip nat inside source static 10.0.0.44 216.140.140.15 route-map Primary
ip nat inside source static 10.0.0.54 216.140.140.16 route-map Primary
ip nat inside source static 10.0.0.23 216.140.140.17 route-map Primary
ip nat inside source static 10.0.0.58 216.140.140.18 route-map Primary
ip nat inside source static 10.0.0.230 216.140.140.19 route-map Primary
ip nat inside source static 10.0.0.216 216.140.140.21 route-map Primary
ip nat inside source static 10.0.0.220 216.140.140.22 route-map Primary
ip nat inside source static 10.0.0.33 216.140.140.25 route-map Primary
ip nat inside source static 10.0.0.21 216.140.140.26 route-map Primary
ip nat inside source static 10.0.0.22 216.140.140.27 route-map Primary
ip nat inside source static 10.0.0.24 216.140.140.28 route-map Primary
ip nat inside source static 10.0.0.25 216.140.140.29 route-map Primary
ip nat inside source static 10.0.0.59 216.150.150.5 route-map secondary
ip nat inside source static 10.0.0.52 216.150.150.6 route-map secondary
ip nat inside source static 10.0.0.53 216.150.150.7 route-map secondary
ip nat inside source static 10.0.0.16 216.150.150.8 route-map secondary
ip nat inside source static 10.0.0.58 216.150.150.9 route-map secondary
ip nat inside source static 10.0.0.59 216.150.150.10 route-map secondary
ip nat inside source static 10.0.0.61 216.150.150.11 route-map secondary


access-list 100 permit ip 10.0.0.0 0.255.255.255 any

route-map secondary permit 10
match ip address 100
set ip next-hop 216.150.150.254
!
route-map primary permit 10
match ip address 100
set ip next-hop 216.140.140.1

ip sla 1
icmp-echo 216.140.140.1 source-ip 216.140.140.2
timeout 1000
threshold 2
frequency 3
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 216.140.140.1 track 1
ip route 0.0.0.0 0.0.0.0 216.150.50.254 10


SHOW IP SLA STATISTICS:
IPSLA operation id: 1
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 18:50:58 UTC Mon Dec 10 2012
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 51
Operation time to live: Forever


Router#show track
Track 1
IP SLA 1 reachability
Reachability is Down
1 change, last change 01:58:15
Delay up 20 secs, down 10 secs
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0

Comments

  • wave Member Posts: 342
    Hi there,

    You have the route-map "Primary" configured in your NAT statements but the route-map in the config is "primary" ...lower case p. You have a similar issue with Secondary/secondary.

    You say IP SLA 1 isn't working, can you ping 216.140.140.1 source-ip 216.140.140.2?

    Is the output you have provided from when both connections are plugged in or just one? Does the #sh ip route output show you are currently routing through your secondary connection (my guess is yes) because ip sla 1 is down?

    Does your ISP have a router at your site that is running BGP for these dual-homed internet connections? i.e. are both 216.150.150/24 and 216.140.140.2/27 being advertised out both links? If you're not advertising both subnets out both connections then your static NAT is not going to work when one of the connections goes down.

    ROUTE Passed 1 May 2012
    SWITCH Passed 25 September 2012
    TSHOOT Passed 23 October 2012
    Taking CCNA Security in April 2013 then studying for the CISSP
  • Monkerz Member Posts: 842
    Also need to change this:

    ip route 0.0.0.0 0.0.0.0 216.150.50.254 10

    to

    ip route 0.0.0.0 0.0.0.0 216.150.150.254 10
  • ahmedahmed Member Posts: 41
    I cannot ping 216.140.140.1, but I could ping it before enabling static NAT, and I can also ping it from my server attached to Gi0/0. What can I do to be able to ping it? I think this is the reason that my IP SLA is not working.

    The output I provided is for when both ISPs are connected, as the moment I unplug the primary I lose connectivity totally. And yes, you are right: show ip route shows that I am routing through the secondary (for both cases: when both are connected and when only the secondary is connected).

    I have two ISP providers completely independent of each other; the primary is through a Cisco router and the secondary is through a modem, and I have no way of knowing what configurations they have, although my secondary ISP is using a static route.
    I have also corrected the route-map issue (small p and s) and the static route.

    Please can you tell me from my configuration what I might need to do.
  • Monkerz Member Posts: 842
    Source your sla echo from gi0/0 and see what happens...

    icmp-echo 216.140.140.1 source-ip 10.0.0.254
  • wave Member Posts: 342
    I've had another look at this and none of it is going to work based on your current configuration.

    Firstly, If you want to use the same public IPs on both connections it won't work unless you are running BGP and advertise 216.150.150/24 and 216.140.140.2/27.

    You have these two NAT statements:

    ip nat inside source route-map Primary interface GigabitEthernet0/1 overload
    ip nat inside source route-map Secondary interface GigabitEthernet0/1 overload

    How do you think the router knows which to use based on which ISP is up? For one, the "overload" keyword is always going to use the primary IP to the best of my knowledge.

    Both of your route-maps reference ACL 100 and only one of them will ever be used regardless of which ISP connection is up. Based on the order of the config file you will always be setting the next hop to 216.150.150.254

    You can't do this:

    ip nat inside source static 10.0.0.52 216.140.140.4 route-map Primary

    AND

    this further down: ip nat inside source static 10.0.0.52 216.150.150.6 route-map secondary

    Your router will always choose the first NAT statement. How do you think it will know when to NAT to 216.140.140.4 or 216.150.150.6...Route tracking doesn't manage NAT too.

  • Monkerz Member Posts: 842
    I just labbed this up on my gear. The below config, though from an older version of IOS than you are running, will work for your dynamic NATing issue. My fiancee just called me for dinner, but I will look into the static NATing issue when I get back (might be in the morning).

    I apologize for the complexity; you will need to change my SLA and TRACK commands to your syntax:
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R3
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip sla monitor 1
     type echo protocol ipIcmpEcho 216.140.140.1 source-ipaddr 216.140.140.2
     timeout 1000
     threshold 2
     frequency 3
    ip sla monitor schedule 1 life forever start-time now
    ip sla monitor 2
     type echo protocol ipIcmpEcho 216.150.150.254 source-ipaddr 216.150.150.4
     timeout 1000
     threshold 2
     frequency 3
    ip sla monitor schedule 2 life forever start-time now
    !
    !
    track 1 rtr 1 reachability
    !
    track 2 rtr 2 reachability
    !
    !
    interface FastEthernet0/0
     ip address 10.0.0.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     ip policy route-map PRIVATE-INGRESS
     duplex auto
     speed auto
     no keepalive
    !
    interface FastEthernet0/1
     ip address 216.150.150.4 255.255.255.0 secondary
     ip address 216.140.140.2 255.255.255.224
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 216.140.140.1 track 1
    ip route 0.0.0.0 0.0.0.0 216.150.150.254 10
    !
    !
    no ip http server
    no ip http secure-server
    ip nat pool PRIMARY-POOL 216.140.140.2 216.140.140.2 prefix-length 27
    ip nat pool SECONDARY-POOL 216.150.150.4 216.150.150.4 prefix-length 24
    ip nat inside source route-map PRIMARY-NAT pool PRIMARY-POOL overload
    ip nat inside source route-map SECONDARY-NAT pool SECONDARY-POOL overload
    !
    ip access-list standard PRIMARY-NEXT-HOP
     permit 216.140.140.1
    ip access-list standard SECONDARY-NEXT-HOP
     permit 216.150.150.254
    ip access-list standard TO-BE-NATTED
     deny   10.0.0.24
     deny   10.0.0.25
     deny   10.0.0.30
     deny   10.0.0.16
     deny   10.0.0.22
     deny   10.0.0.23
     deny   10.0.0.21
     deny   10.0.0.44
     deny   10.0.0.58
     deny   10.0.0.59
     deny   10.0.0.61
     deny   10.0.0.54
     deny   10.0.0.52
     deny   10.0.0.53
     deny   10.0.0.216
     deny   10.0.0.220
     deny   10.0.0.230
     deny   10.0.0.228
     deny   10.0.0.251
     permit 10.0.0.0 0.255.255.255
    !
    !
    route-map SECONDARY-NAT permit 10
     match ip address TO-BE-NATTED
     match ip next-hop SECONDARY-NEXT-HOP
    !
    route-map SECONDARY-NAT deny 20
    !
    route-map PRIVATE-INGRESS permit 10
     match ip address TO-BE-NATTED
     set ip next-hop verify-availability 216.140.140.1 10 track 1
     set ip next-hop verify-availability 216.150.150.254 20 track 2
    !
    route-map PRIVATE-INGRESS permit 11
    !
    route-map PRIMARY-NAT permit 10
     match ip address TO-BE-NATTED
     match ip next-hop PRIMARY-NEXT-HOP
    !
    route-map PRIMARY-NAT deny 20
    !
    !
    control-plane
    !
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
     login
    !
    !
    end
    
  • wave Member Posts: 342
    Monkerz wrote: »
    I just labbed this up on my gear. The below config, though from an older version of IOS than you are running, will work for your dynamic NATing issue. My fiancee just called me for dinner, but I will look into the static NATing issue when I get back (might be in the morning).

    I apologize for the complexity; you will need to change my SLA and TRACK commands to your syntax:

    Good work, yes it's possible for dynamic NAT but not for static NAT unless you:

    A. Have a different public IP per connection for the servers

    Or

    B. Are allowed to advertise the subnet through both ISPs...which requires an agreement with them

  • Monkerz Member Posts: 842
    This config should work for both your dynamic and static NATing needs. I have tested it in my lab with success in all aspects I could think to test.

    Make sure you change the TRACK, SLA and INTERFACE syntax to work for your needs.

    p.s. Wave, are you speaking from experience?

    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R3
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    !
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip sla monitor 1
     type echo protocol ipIcmpEcho 216.140.140.1 source-ipaddr 216.140.140.2
     timeout 1000
     threshold 2
     frequency 3
    ip sla monitor schedule 1 life forever start-time now
    ip sla monitor 2
     type echo protocol ipIcmpEcho 216.150.150.254 source-ipaddr 216.150.150.4
     timeout 1000
     threshold 2
     frequency 3
    ip sla monitor schedule 2 life forever start-time now
    !
    !
    track 1 rtr 1 reachability
    !
    track 2 rtr 2 reachability
    !
    !
    interface FastEthernet0/0
     ip address 10.0.0.53 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     ip policy route-map PRIVATE-INGRESS
     duplex auto
     speed auto
     no keepalive
    !
    interface FastEthernet0/1
     ip address 216.150.150.4 255.255.255.0 secondary
     ip address 216.140.140.2 255.255.255.224
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 216.140.140.1 track 1
    ip route 0.0.0.0 0.0.0.0 216.150.150.254 10
    !
    !
    no ip http server
    no ip http secure-server
    ip nat pool PRIMARY-POOL 216.140.140.2 216.140.140.2 prefix-length 27
    ip nat pool SECONDARY-POOL 216.150.150.4 216.150.150.4 prefix-length 24
    ip nat inside source route-map PRIMARY-NAT pool PRIMARY-POOL overload
    ip nat inside source route-map SECONDARY-NAT pool SECONDARY-POOL overload
    ip nat inside source static 10.0.0.52 216.140.140.4 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.53 216.140.140.5 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.59 216.140.140.6 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.61 216.140.140.7 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.228 216.140.140.8 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.16 216.140.140.11 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.30 216.140.140.12 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.251 216.140.140.13 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.44 216.140.140.15 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.54 216.140.140.16 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.23 216.140.140.17 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.58 216.140.140.18 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.230 216.140.140.19 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.216 216.140.140.21 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.220 216.140.140.22 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.33 216.140.140.25 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.21 216.140.140.26 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.22 216.140.140.27 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.24 216.140.140.28 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.25 216.140.140.29 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.59 216.150.150.5 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.52 216.150.150.6 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.53 216.150.150.7 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.16 216.150.150.8 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.58 216.150.150.9 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.61 216.150.150.11 route-map STATIC-NAT-SECONDARY
    !
    ip access-list standard PRIMARY-NEXT-HOP
     permit 216.140.140.1
    ip access-list standard SECONDARY-NEXT-HOP
     permit 216.150.150.254
    ip access-list standard TO-BE-NATTED
     deny   10.0.0.24
     deny   10.0.0.25
     deny   10.0.0.30
     deny   10.0.0.16
     deny   10.0.0.22
     deny   10.0.0.23
     deny   10.0.0.21
     deny   10.0.0.44
     deny   10.0.0.58
     deny   10.0.0.59
     deny   10.0.0.61
     deny   10.0.0.54
     deny   10.0.0.52
     deny   10.0.0.53
     deny   10.0.0.216
     deny   10.0.0.220
     deny   10.0.0.230
     deny   10.0.0.228
     deny   10.0.0.251
     permit 10.0.0.0 0.255.255.255
    !
    !
    route-map STATIC-NAT-PRIMARY permit 10
     match ip next-hop PRIMARY-NEXT-HOP
    !
    route-map STATIC-NAT-PRIMARY deny 20
    !
    route-map STATIC-NAT-SECONDARY permit 10
     match ip next-hop SECONDARY-NEXT-HOP
    !
    route-map STATIC-NAT-SECONDARY deny 20
    !
    route-map SECONDARY-NAT permit 10
     match ip address TO-BE-NATTED
     match ip next-hop SECONDARY-NEXT-HOP
    !
    route-map SECONDARY-NAT deny 20
    !
    route-map PRIVATE-INGRESS permit 10
     match ip address TO-BE-NATTED
     set ip next-hop verify-availability 216.140.140.1 10 track 1
     set ip next-hop verify-availability 216.150.150.254 20 track 2
    !
    route-map PRIVATE-INGRESS permit 11
    !
    route-map PRIMARY-NAT permit 10
     match ip address TO-BE-NATTED
     match ip next-hop PRIMARY-NEXT-HOP
    !
    route-map PRIMARY-NAT deny 20
    !
    !
    control-plane
    !
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
     login
    !
    !
    end
  • wave Member Posts: 342
    Monkerz wrote: »
    This config should work for both your dynamic and static NATing needs. I have tested it in my lab with success in all aspects I could think to test.

    Make sure you change the TRACK, SLA and INTERFACE syntax to work for your needs.

    p.s. Wave, are you speaking from experience?

    Monkerz, I like your solution. But, I thought the OP was trying to use the same public IPs on both internet connections (which would require BGP).

    This made me think he wanted to use the SAME addresses
    ahmedahmed wrote: »
    Since we have servers that have to have specific IP both when accessed and when accessing the internet

    His initial statement and config conflict here. If he needs to use the same public IPs on both connections he would need to use BGP, and yes I'm speaking from experience. Different public IPs, not an issue, but using the same ones on different connections is another story.

  • ahmedahmed Member Posts: 41
    Thanks Monkerz and Wave for your much needed help. On top of this, I want to open only ports 20, 21, 25, 53, 80, 110, 143, 443 and 3389 on most of my servers from outside. Could you guys give me some idea of how I would have to set up the ACL for that?
  • wave Member Posts: 342
    ahmedahmed wrote: »
    Thanks Monkerz and Wave for your much needed help. On top of this, I want to open only ports 20, 21, 25, 53, 80, 110, 143, 443 and 3389 on most of my servers from outside. Could you guys give me some idea of how I would have to set up the ACL for that?

    ahmedahmed, can you confirm if you need to be able to use the SAME IP addresses for your servers on BOTH connections...e.g. do you need 10.0.0.59 to be accessible via 216.140.140.6 when the primary connection goes down? Or are you okay with it being accessed via 216.150.150.5 when the primary goes down?

  • ahmedahmed Member Posts: 41
    My requirement is that the server 10.0.0.59 uses 216.140.140.6 as primary (all the time),
    but in case the primary ISP goes down I want it to be accessible with the 216.150.150.5 address.
    So yes, I am OK to access it with 216.150.150.5.
    Also, please can you guide me with the scenario I would require for enabling only certain ports to be open for outside users.
  • Monkerz Member Posts: 842
    wave wrote: »
    Monkerz, I like your solution. But, I thought the OP was trying to use the same public IPs on both internet connections (which would require BGP).

    I didn't even catch that, good work. I was working with the idea of active/hot-standby connections using different IP schemes.
    ahmedahmed wrote: »
    Thanks Monkerz and Wave for your much needed help. on top of this I would want to open only ports 20,21,25,53,80,110,143,443, 3389 on most of my servers from outside ,could you guys give me some idea on how i would have to set up the ACL for that

    After you've created an ACL, post it here and we can check it for you.
  • ahmedahmed Member Posts: 41
    I applied the configuration as you gave me, with a little tweaking to suit my router.

    ip sla 1
    icmp-echo 216.140.140.1 source-ip 216.140.140.2
    timeout 1000
    threshold 2
    frequency 3
    ip sla schedule 1 life forever start-time now
    ip sla 2
    icmp-echo 216.150.150.254 source-ip 216.150.150.4
    timeout 1000
    threshold 2
    frequency 3
    ip sla schedule 2 life forever start-time now
    !
    !
    track 1 sla 1 reachability
    !
    track 2 sla 2 reachability
    !
    !
    interface gi0/0
    ip address 10.0.0.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip policy route-map PRIVATE-INGRESS
    duplex auto
    speed auto
    no keepalive
    !
    interface gi0/1
    ip address 216.150.150.4 255.255.255.0 secondary
    ip address 216.140.140.2 255.255.255.224
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto

    ip route 0.0.0.0 0.0.0.0 216.140.140.1 track 1
    ip route 0.0.0.0 0.0.0.0 216.150.150.254 10
    !
    !

    ip nat pool PRIMARY-POOL 216.140.140.2 216.140.140.2 prefix-length 27
    ip nat pool SECONDARY-POOL 216.150.150.4 216.150.150.4 prefix-length 24
    ip nat inside source route-map PRIMARY-NAT pool PRIMARY-POOL overload
    ip nat inside source route-map SECONDARY-NAT pool SECONDARY-POOL overload
    ip nat inside source static 10.0.0.52 216.140.140.4 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.53 216.140.140.5 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.59 216.140.140.6 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.61 216.140.140.7 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.228 216.140.140.8 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.16 216.140.140.11 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.30 216.140.140.12 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.251 216.140.140.13 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.44 216.140.140.15 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.54 216.140.140.16 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.23 216.140.140.17 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.58 216.140.140.18 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.230 216.140.140.19 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.216 216.140.140.21 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.220 216.140.140.22 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.33 216.140.140.25 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.21 216.140.140.26 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.22 216.140.140.27 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.24 216.140.140.28 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.25 216.140.140.29 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.59 216.150.150.5 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.52 216.150.150.6 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.53 216.150.150.7 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.16 216.150.150.8 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.58 216.150.150.9 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.61 216.150.150.11 route-map STATIC-NAT-SECONDARY
    !
    ip access-list standard PRIMARY-NEXT-HOP
    permit 216.140.140.1
    ip access-list standard SECONDARY-NEXT-HOP
    permit 216.150.150.254
    ip access-list standard TO-BE-NATTED
    deny 10.0.0.24
    deny 10.0.0.25
    deny 10.0.0.30
    deny 10.0.0.16
    deny 10.0.0.22
    deny 10.0.0.23
    deny 10.0.0.21
    deny 10.0.0.44
    deny 10.0.0.58
    deny 10.0.0.59
    deny 10.0.0.61
    deny 10.0.0.54
    deny 10.0.0.52
    deny 10.0.0.53
    deny 10.0.0.216
    deny 10.0.0.220
    deny 10.0.0.230
    deny 10.0.0.228
    deny 10.0.0.251
    permit 10.0.0.0 0.255.255.255
    !
    !
    route-map STATIC-NAT-PRIMARY permit 10
    match ip next-hop PRIMARY-NEXT-HOP
    !
    route-map STATIC-NAT-PRIMARY deny 20
    !
    route-map STATIC-NAT-SECONDARY permit 10
    match ip next-hop SECONDARY-NEXT-HOP
    !
    route-map STATIC-NAT-SECONDARY deny 20
    !
    route-map SECONDARY-NAT permit 10
    match ip address TO-BE-NATTED
    match ip next-hop SECONDARY-NEXT-HOP
    !
    route-map SECONDARY-NAT deny 20
    !
    route-map PRIVATE-INGRESS permit 10
    match ip address TO-BE-NATTED
    set ip next-hop verify-availability 216.140.140.1 10 track 1
    set ip next-hop verify-availability 216.150.150.254 20 track 2
    !
    route-map PRIVATE-INGRESS permit 11
    !
    route-map PRIMARY-NAT permit 10
    match ip address TO-BE-NATTED
    match ip next-hop PRIMARY-NEXT-HOP
    !
    route-map PRIMARY-NAT deny 20


    Now I want to use CCP to set up an advanced firewall, but I also want to give my users access to the servers through ports 20, 21, 25, 53, 80, 110, 143, 443 and 3389. Hence I need to open ports 20, 21, 25, 53, 80, 110, 143, 443 and 3389 for users to be able to access resources through the firewall from the server resources. Firstly, I am not sure if this is right or if there is a better way to go, such that the firewall does not block these ports when I apply it.
    Also, I am not sure if the destination IP should be my servers' private IP or the public IP, because if it is the public IP it means I will have a much bigger ACL.
    Please let me know whether this is right or there is a better way to do this.
    I created an access list 101 as follows:
    access-list 101 permit tcp any host 10.0.0.50 eq www
    access-list 101 permit tcp any host 10.0.0.50 range 20 21
    access-list 101 permit tcp any host 10.0.0.50 eq 25
    access-list 101 permit tcp any host 10.0.0.50 eq 53
    access-list 101 permit tcp any host 10.0.0.50 eq 110
    access-list 101 permit tcp any host 10.0.0.50 eq 143
    access-list 101 permit tcp any host 10.0.0.50 eq 443
    access-list 101 permit tcp any host 10.0.0.50 eq 3389

    access-list 101 permit tcp any host 10.0.0.52 eq www
    access-list 101 permit tcp any host 10.0.0.52 range 20 21
    access-list 101 permit tcp any host 10.0.0.52 eq 25
    access-list 101 permit tcp any host 10.0.0.52 eq 53
    access-list 101 permit udp any host 10.0.0.52 eq 53
    access-list 101 permit tcp any host 10.0.0.52 eq 110
    access-list 101 permit tcp any host 10.0.0.52 eq 143
    access-list 101 permit tcp any host 10.0.0.52 eq 443
    access-list 101 permit tcp any host 10.0.0.52 eq 3389

    access-list 101 permit tcp any host 10.0.0.23 eq www
    access-list 101 permit tcp any host 10.0.0.23 range 20 21
    access-list 101 permit tcp any host 10.0.0.23 eq 25
    access-list 101 permit tcp any host 10.0.0.23 eq 53
    access-list 101 permit udp any host 10.0.0.23 eq 53
    access-list 101 permit tcp any host 10.0.0.23 eq 110
    access-list 101 permit tcp any host 10.0.0.23 eq 143
    access-list 101 permit tcp any host 10.0.0.23 eq 443
    access-list 101 permit tcp any host 10.0.0.23 eq 3389
    access-list 101 permit tcp any host 10.0.0.23 eq 8080

    access-list 101 permit tcp any host 10.0.0.59 eq www
    access-list 101 permit tcp any host 10.0.0.59 range 20 21
    access-list 101 permit tcp any host 10.0.0.59 eq 25
    access-list 101 permit tcp any host 10.0.0.59 eq 53
    access-list 101 permit udp any host 10.0.0.59 eq 53
    access-list 101 permit tcp any host 10.0.0.59 eq 110
    access-list 101 permit tcp any host 10.0.0.59 eq 143
    access-list 101 permit tcp any host 10.0.0.59 eq 443
    access-list 101 permit tcp any host 10.0.0.59 eq 3389

    access-list 101 permit tcp any host 10.0.0.61 eq www
    access-list 101 permit tcp any host 10.0.0.61 range 20 21
    access-list 101 permit tcp any host 10.0.0.61 eq 25
    access-list 101 permit tcp any host 10.0.0.61 eq 53
    access-list 101 permit udp any host 10.0.0.61 eq 53
    access-list 101 permit tcp any host 10.0.0.61 eq 110
    access-list 101 permit tcp any host 10.0.0.61 eq 143
    access-list 101 permit tcp any host 10.0.0.61 eq 443
    access-list 101 permit tcp any host 10.0.0.61 eq 3389

    access-list 101 permit tcp any host 10.0.0.228 eq www
    access-list 101 permit tcp any host 10.0.0.228 range 20 21
    access-list 101 permit tcp any host 10.0.0.228 eq 25
    access-list 101 permit tcp any host 10.0.0.228 eq 53
    access-list 101 permit udp any host 10.0.0.228 eq 53
    access-list 101 permit tcp any host 10.0.0.228 eq 110
    access-list 101 permit tcp any host 10.0.0.228 eq 143
    access-list 101 permit tcp any host 10.0.0.228 eq 443
    access-list 101 permit tcp any host 10.0.0.228 eq 3389

    access-list 101 permit tcp any host 10.0.0.58 eq 3389
    access-list 101 permit tcp any host 10.0.0.33 eq 3389
    access-list 101 permit tcp any host 10.0.0.25 eq 3389
    access-list 101 permit tcp any host 10.0.0.44 eq 3389
    access-list 101 permit tcp any host 10.0.0.251 eq 3389
    access-list 101 permit tcp any host 10.0.0.21 eq 3389
    access-list 101 permit tcp any host 10.0.0.22 eq 3389
    access-list 101 permit tcp any host 10.0.0.24 eq 3389
    access-list 101 permit tcp any host 10.0.0.16 eq 80
    access-list 101 permit tcp any host 10.0.0.30 eq www
    access-list 101 permit tcp any host 10.0.0.30 eq 3389
    access-list 101 permit tcp any host 10.0.0.230 eq 3389

    interface gi0/1
    ip access-group 101 in
  • MonkerzMonkerz Member Posts: 842
    Since an inbound ACL is referenced before NAT, you would need to use the "Public" addressing in your ACL. You could use private addressing if you place the ACL out on Gi0/0, but I would not want to route traffic that is just going to be dropped.

    Also, you need to permit all other traffic (not just server traffic)...
  • MonkerzMonkerz Member Posts: 842
    Oh and also, if you want to shorten up the ACL substantially...look into using an object group based ACL.
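As an added example, not code from either poster: a small Python evaluator for the extended ACL syntax used in the post above, run against constructed packets arriving inbound on Gi0/1. It checks the two points in the reply: an entry with a private destination can never match before NAT, and replies to sessions the inside hosts opened need their own permit (an `established` entry is used here as the stateless option). The public address 216.140.140.4 is the static mapping of 10.0.0.52 from the posted config; the sample packets and source addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords that appear in the ACLs on this page.
PORT_NAMES = {"www": 80, "ftp-data": 20, "ftp": 21, "smtp": 25,
              "domain": 53, "pop3": 110, "imap": 143}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str            # address as seen inbound on Gi0/1, i.e. before NAT
    dport: int
    ack: bool = False   # TCP ACK/RST bit set: what 'established' matches


@dataclass(frozen=True)
class Ace:
    action: str                         # "permit" or "deny"
    proto: str                          # "ip", "tcp" or "udp"
    dst: str                            # "any" or a host address
    dports: Optional[Tuple[int, int]]   # inclusive port range, None = any
    established: bool = False


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO any (any|host X) [eq P|range A B] [established]'.
    Only the 'any' source used throughout the thread is modelled."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[4] != "any":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, i = t[2], t[3], 5
    if t[i] == "host":
        dst, i = t[i + 1], i + 2
    else:
        dst, i = "any", i + 1
    dports = None
    if i < len(t) and t[i] == "eq":
        p = _port(t[i + 1])
        dports, i = (p, p), i + 2
    elif i < len(t) and t[i] == "range":
        dports, i = (_port(t[i + 1]), _port(t[i + 2])), i + 3
    established = i < len(t) and t[i] == "established"
    return Ace(action, proto, dst, dports, established)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.dports and not ace.dports[0] <= pkt.dport <= ace.dports[1]:
        return False
    if ace.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry decides; every IOS ACL ends in an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


def load(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


# ACL as posted (one server shown): private destination, so on Gi0/1 inbound,
# which is evaluated before NAT, nothing can ever match it.
AS_POSTED = load("""
access-list 101 permit tcp any host 10.0.0.52 eq www
access-list 101 permit tcp any host 10.0.0.52 range 20 21
access-list 101 permit tcp any host 10.0.0.52 eq 3389
""")

# Corrected per the reply: the static-NAT public address of 10.0.0.52 from the
# posted config, plus a permit for replies to sessions inside hosts opened.
# 'established' covers TCP only; UDP replies such as DNS need a matching
# permit or the stateful inspect policy the CCP firewall later provides.
CORRECTED = load("""
access-list 101 permit tcp any host 216.140.140.4 eq www
access-list 101 permit tcp any host 216.140.140.4 range 20 21
access-list 101 permit tcp any host 216.140.140.4 eq 3389
access-list 101 permit tcp any any established
""")

# Constructed packets arriving on Gi0/1 (documentation prefixes as sources).
SAMPLES = {
    "web":   Packet("tcp", "198.51.100.7", "216.140.140.4", 80),
    "other": Packet("tcp", "198.51.100.7", "216.140.140.4", 22),
    "reply": Packet("tcp", "203.0.113.9", "216.140.140.2", 51234, ack=True),
}


def decisions(acl: List[Ace]) -> dict:
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    print("as posted:", decisions(AS_POSTED))    # every packet denied
    print("corrected:", decisions(CORRECTED))    # web/reply permit, other deny
```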
  • ahmedahmedahmedahmed Member Posts: 41 ■■□□□□□□□□
    Can you give me an idea of what you mean by all other traffic and how to go about it?
    Because what I intend to do now is that, since my failover is working, I want to use Cisco CCP to configure an advanced firewall, but when I apply the firewall it has an option that says "do you want to modify the firewall so that it does not affect the current NAT configuration", and if I click yes it creates a set of ACLs that completely open the NAT, which I don't want since I want to restrict the outside users to have access to only certain features like FTP, RDP, email etc.
    But if I click "do not modify", it completely blocks the whole NAT, so I am a bit confused about what to do.


    Below is the configuration that CCP puts when I allow it to modify the firewall to allow NAT.


    Configuration commands for the router: 10.0.0.254
    saved on 3-Dec-2012 3:37:02 PM
    access-list 119 remark CCP_ACL Category=0
    access-list 119 permit ip any host 10.0.0.24
    access-list 109 remark CCP_ACL Category=0
    access-list 109 permit ip any host 10.0.0.44
    access-list 118 remark CCP_ACL Category=0
    access-list 118 permit ip any host 10.0.0.22
    access-list 108 remark CCP_ACL Category=0
    access-list 108 permit ip any host 10.0.0.251
    access-list 117 remark CCP_ACL Category=0
    access-list 117 permit ip any host 10.0.0.21
    access-list 107 remark CCP_ACL Category=0
    access-list 107 permit ip any host 10.0.0.30
    access-list 116 remark CCP_ACL Category=0
    access-list 116 permit ip any host 10.0.0.33
    access-list 106 remark CCP_ACL Category=0
    access-list 106 permit ip any host 10.0.0.16
    access-list 115 remark CCP_ACL Category=0
    access-list 115 permit ip any host 10.0.0.220
    access-list 105 remark CCP_ACL Category=0
    access-list 105 permit ip any host 10.0.0.228
    access-list 114 remark CCP_ACL Category=0
    access-list 114 permit ip any host 10.0.0.216
    access-list 104 remark CCP_ACL Category=0
    access-list 104 permit ip any host 10.0.0.61
    access-list 113 remark CCP_ACL Category=0
    access-list 113 permit ip any host 10.0.0.230
    access-list 103 remark CCP_ACL Category=0
    access-list 103 permit ip any host 10.0.0.59
    access-list 112 remark CCP_ACL Category=0
    access-list 112 permit ip any host 10.0.0.58
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip any host 10.0.0.53
    access-list 111 remark CCP_ACL Category=0
    access-list 111 permit ip any host 10.0.0.23
    access-list 101 remark CCP_ACL Category=0
    access-list 101 permit ip any host 10.0.0.52
    access-list 120 remark CCP_ACL Category=0
    access-list 120 permit ip any host 10.0.0.25
    access-list 110 remark CCP_ACL Category=0
    access-list 110 permit ip any host 10.0.0.54
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 216.140.140.0 0.0.0.31 any
    ip name-server 10.0.0.1
    parameter-map type regex ccp-regex-nonascii
    pattern "[^\x00-\x80]"
    exit
    parameter-map type protocol-info yahoo-servers
    server name scs.msg.yahoo.com
    server name scsa.msg.yahoo.com
    server name scsb.msg.yahoo.com
    server name scsc.msg.yahoo.com
    server name scsd.msg.yahoo.com
    server name cs16.msg.dcn.yahoo.com
    server name cs19.msg.dcn.yahoo.com
    server name cs42.msg.dcn.yahoo.com
    server name cs53.msg.dcn.yahoo.com
    server name cs54.msg.dcn.yahoo.com
    server name ads1.vip.scd.yahoo.com
    server name radio1.launch.vip.dal.yahoo.com
    server name in1.msg.vip.re2.yahoo.com
    server name data1.my.vip.sc5.yahoo.com
    server name address1.pim.vip.mud.yahoo.com
    server name edit.messenger.yahoo.com
    server name messenger.yahoo.com
    server name http.pager.yahoo.com
    server name privacy.yahoo.com
    server name csa.yahoo.com
    server name csb.yahoo.com
    server name csc.yahoo.com
    exit
    parameter-map type protocol-info aol-servers
    server name login.oscar.aol.com
    server name toc.oscar.aol.com
    server name oam-d09a.blue.aol.com
    exit
    parameter-map type protocol-info msn-servers
    server name messenger.hotmail.com
    server name gateway.messenger.hotmail.com
    server name webmessenger.msn.com
    exit
    class-map type inspect match-any ccp-cls-protocol-im
    match protocol ymsgr yahoo-servers
    match protocol msnmsgr msn-servers
    match protocol aol aol-servers
    exit
    class-map type inspect match-any ccp-h323annexe-inspect
    match protocol h323-annexe
    exit
    class-map type inspect http match-any ccp-http-blockparam
    match request port-misuse im
    match request port-misuse p2p
    match request port-misuse tunneling
    match req-resp protocol-violation
    exit
    class-map type inspect match-all ccp-protocol-smtp
    match protocol smtp
    exit
    class-map type inspect match-all ccp-protocol-pop3
    match protocol pop3
    exit
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    exit
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    exit
    class-map type inspect match-all ccp-protocol-imap
    match protocol imap
    exit
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol dns
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol tcp
    match protocol udp
    exit
    class-map type inspect match-all sdm-nat--20
    match access-group 120
    exit
    class-map type inspect match-any ccp-h323-inspect
    match protocol h323
    exit
    class-map type inspect match-any ccp-h323nxg-inspect
    match protocol h323-nxg
    exit
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    exit
    class-map type inspect match-all sdm-nat--9
    match access-group 109
    exit
    class-map type inspect match-all sdm-nat--8
    match access-group 108
    exit
    class-map type inspect match-all sdm-nat--7
    match access-group 107
    exit
    class-map type inspect match-all sdm-nat--6
    match access-group 106
    exit
    class-map type inspect match-all sdm-nat--5
    match access-group 105
    exit
    class-map type inspect match-all sdm-nat--4
    match access-group 104
    exit
    class-map type inspect match-all sdm-nat--3
    match access-group 103
    exit
    class-map type inspect match-all sdm-nat--2
    match access-group 102
    exit
    class-map type inspect match-all sdm-nat--1
    match access-group 101
    exit
    class-map type inspect match-any ccp-h225ras-inspect
    match protocol h225ras
    exit
    class-map type inspect http match-any ccp-app-nonascii
    match req-resp header regex ccp-regex-nonascii
    exit
    class-map type inspect match-all sdm-nat--19
    match access-group 119
    exit
    class-map type inspect match-all sdm-nat--18
    match access-group 118
    exit
    class-map type inspect match-all sdm-nat--17
    match access-group 117
    exit
    class-map type inspect http match-any ccp-app-httpmethods
    match request method bcopy
    match request method bdelete
    match request method bmove
    match request method bpropfind
    match request method bproppatch
    match request method connect
    match request method copy
    match request method delete
    match request method edit
    match request method getattribute
    match request method getattributenames
    match request method getproperties
    match request method index
    match request method lock
    match request method mkcol
    match request method mkdir
    match request method move
    match request method notify
    match request method options
    match request method poll
    match request method post
    match request method propfind
    match request method proppatch
    match request method put
    match request method revadd
    match request method revlabel
    match request method revlog
    match request method revnum
    match request method save
    match request method search
    match request method setattribute
    match request method startrev
    match request method stoprev
    match request method subscribe
    match request method trace
    match request method unedit
    match request method unlock
    match request method unsubscribe
    exit
    class-map type inspect match-all sdm-nat--16
    match access-group 116
    exit
    class-map type inspect match-all sdm-nat--15
    match access-group 115
    exit
    class-map type inspect match-all sdm-nat--14
    match access-group 114
    exit
    class-map type inspect match-all sdm-nat--13
    match access-group 113
    exit
    class-map type inspect match-all sdm-nat--12
    match access-group 112
    exit
    class-map type inspect match-any ccp-skinny-inspect
    match protocol skinny
    exit
    class-map type inspect match-all ccp-protocol-im
    match class-map ccp-cls-protocol-im
    exit
    class-map type inspect match-all sdm-nat--11
    match access-group 111
    exit
    class-map type inspect match-any ccp-cls-protocol-p2p
    match protocol edonkey signature
    match protocol gnutella signature
    match protocol kazaa2 signature
    match protocol fasttrack signature
    match protocol bittorrent signature
    exit
    class-map type inspect match-all sdm-nat--10
    match access-group 110
    exit
    class-map type inspect match-any ccp-sip-inspect
    match protocol sip
    exit
    class-map type inspect match-all ccp-invalid-src
    match access-group 100
    exit
    class-map type inspect smtp match-any ccp-app-smtp
    match data-length gt 5000000
    exit
    class-map type inspect pop3 match-any ccp-app-pop3
    match invalid-command
    exit
    class-map type inspect imap match-any ccp-app-imap
    match invalid-command
    exit
    class-map type inspect match-all ccp-protocol-p2p
    match class-map ccp-cls-protocol-p2p
    exit
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    exit
    policy-map type inspect http ccp-action-app-http
    class type inspect http ccp-http-blockparam
    log
    reset
    exit
    class type inspect http ccp-app-httpmethods
    log
    reset
    exit
    class type inspect http ccp-app-nonascii
    log
    reset
    exit
    exit
    policy-map type inspect imap ccp-action-imap
    class type inspect imap ccp-app-imap
    log
    reset
    exit
    exit
    policy-map type inspect smtp ccp-action-smtp
    class type inspect smtp ccp-app-smtp
    reset
    exit
    exit
    policy-map type inspect pop3 ccp-action-pop3
    class type inspect pop3 ccp-app-pop3
    log
    reset
    exit
    exit
    policy-map type inspect sdm-pol-NATOutsideToInside-1
    class type inspect sdm-nat--1
    no drop
    inspect
    exit
    class type inspect sdm-nat--2
    no drop
    inspect
    exit
    class type inspect sdm-nat--3
    no drop
    inspect
    exit
    class type inspect sdm-nat--4
    no drop
    inspect
    exit
    class type inspect sdm-nat--5
    no drop
    inspect
    exit
    class type inspect sdm-nat--6
    no drop
    inspect
    exit
    class type inspect sdm-nat--7
    no drop
    inspect
    exit
    class type inspect sdm-nat--8
    no drop
    inspect
    exit
    class type inspect sdm-nat--9
    no drop
    inspect
    exit
    class type inspect sdm-nat--10
    no drop
    inspect
    exit
    class type inspect sdm-nat--11
    no drop
    inspect
    exit
    class type inspect sdm-nat--12
    no drop
    inspect
    exit
    class type inspect sdm-nat--13
    no drop
    inspect
    exit
    class type inspect sdm-nat--14
    no drop
    inspect
    exit
    class type inspect sdm-nat--15
    no drop
    inspect
    exit
    class type inspect sdm-nat--16
    no drop
    inspect
    exit
    class type inspect sdm-nat--17
    no drop
    inspect
    exit
    class type inspect sdm-nat--18
    no drop
    inspect
    exit
    class type inspect sdm-nat--19
    no drop
    inspect
    exit
    class type inspect sdm-nat--20
    no drop
    inspect
    exit
    exit
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
    drop log
    exit
    class type inspect ccp-protocol-http
    no drop
    inspect
    service-policy http ccp-action-app-http
    exit
    class type inspect ccp-protocol-smtp
    no drop
    inspect
    service-policy smtp ccp-action-smtp
    exit
    class type inspect ccp-protocol-imap
    no drop
    inspect
    service-policy imap ccp-action-imap
    exit
    class type inspect ccp-protocol-pop3
    no drop
    inspect
    service-policy pop3 ccp-action-pop3
    exit
    class type inspect ccp-protocol-p2p
    drop log
    exit
    class type inspect ccp-protocol-im
    drop log
    exit
    class type inspect ccp-insp-traffic
    no drop
    inspect
    exit
    class type inspect ccp-sip-inspect
    no drop
    inspect
    exit
    class type inspect ccp-h323-inspect
    no drop
    inspect
    exit
    class type inspect ccp-h323annexe-inspect
    no drop
    inspect
    exit
    class type inspect ccp-h225ras-inspect
    no drop
    inspect
    exit
    class type inspect ccp-h323nxg-inspect
    no drop
    inspect
    exit
    class type inspect ccp-skinny-inspect
    no drop
    inspect
    exit
    exit
    policy-map type inspect ccp-permit
    class class-default
    exit
    policy-map type inspect ccp-permit-icmpreply
    class type inspect ccp-icmp-access
    no drop
    inspect
    exit
    class class-default
    no drop
    pass
    exit
    exit
    zone security in-zone
    zone security out-zone
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    exit
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    exit
    zone-pair security ccp-zp-self-out source self destination out-zone
    service-policy type inspect ccp-permit-icmpreply
    exit
    zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
    service-policy type inspect sdm-pol-NATOutsideToInside-1
    exit
    interface GigabitEthernet0/1
    zone-member security out-zone
    exit
    interface GigabitEthernet0/0
    zone-member security in-zone
    exit


    Thanks
  • ahmedahmedahmedahmed Member Posts: 41 ■■□□□□□□□□
    Hello Monkerz
    Secondly, when I tested the configuration yesterday I had one issue, which was that when I failed over to the secondary ISP I could only access the 7 statically NATed addresses, but I want it such that when I fail over to the secondary ISP I can still get the statically mapped IPs, while those not mapped statically should go through the dynamic NAT (216.150.150.4). I did a little modification to the route map; please can you also check if this will satisfy my need or if there are any corrections needed.
    What I did is to create two ACLs:
    ip access-list standard TO-BE-NATTED-PRIMARY
    and
    ip access-list standard TO-BE-NATTED-SECONDARY


    Configuration:
    ip sla 1
    icmp-echo 216.140.140.1 source-ip 216.140.140.2
    timeout 1000
    threshold 2
    frequency 3
    ip sla schedule 1 life forever start-time now
    ip sla 2
    icmp-echo 216.150.150.254 source-ip 216.150.150.4
    timeout 1000
    threshold 2
    frequency 3
    ip sla schedule 2 life forever start-time now
    !
    !
    track 1 sla 1 reachability
    !
    track 2 sla 2 reachability
    !
    !
    interface gi0/0
    ip address 10.0.0.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip policy route-map PRIVATE-INGRESS
    duplex auto
    speed auto
    no keepalive
    !
    interface gi0/1
    ip address 216.150.150.4 255.255.255.0 secondary
    ip address 216.140.140.2 255.255.255.224
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto

    ip route 0.0.0.0 0.0.0.0 216.140.140.1 track 1
    ip route 0.0.0.0 0.0.0.0 216.150.150.254 10
    !
    !

    ip nat pool PRIMARY-POOL 216.140.140.2 216.140.140.2 prefix-length 27
    ip nat pool SECONDARY-POOL 216.150.150.4 216.150.150.4 prefix-length 24
    ip nat inside source route-map PRIMARY-NAT pool PRIMARY-POOL overload
    ip nat inside source route-map SECONDARY-NAT pool SECONDARY-POOL overload
    ip nat inside source static 10.0.0.52 216.140.140.4 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.53 216.140.140.5 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.59 216.140.140.6 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.61 216.140.140.7 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.228 216.140.140.8 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.16 216.140.140.11 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.30 216.140.140.12 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.251 216.140.140.13 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.44 216.140.140.15 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.54 216.140.140.16 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.23 216.140.140.17 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.58 216.140.140.18 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.230 216.140.140.19 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.216 216.140.140.21 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.220 216.140.140.22 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.33 216.140.140.25 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.21 216.140.140.26 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.22 216.140.140.27 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.24 216.140.140.28 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.25 216.140.140.29 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.59 216.150.150.5 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.52 216.150.150.6 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.53 216.150.150.7 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.16 216.150.150.8 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.58 216.150.150.9 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.61 216.150.150.11 route-map STATIC-NAT-SECONDARY

    ip access-list standard PRIMARY-NEXT-HOP
    permit 216.140.140.1
    ip access-list standard SECONDARY-NEXT-HOP
    permit 216.150.150.254
    ip access-list standard TO-BE-NATTED-PRIMARY
    deny 10.0.0.24
    deny 10.0.0.25
    deny 10.0.0.30
    deny 10.0.0.16
    deny 10.0.0.22
    deny 10.0.0.23
    deny 10.0.0.21
    deny 10.0.0.33
    deny 10.0.0.44
    deny 10.0.0.58
    deny 10.0.0.59
    deny 10.0.0.61
    deny 10.0.0.54
    deny 10.0.0.52
    deny 10.0.0.53
    deny 10.0.0.216
    deny 10.0.0.220
    deny 10.0.0.230
    deny 10.0.0.228
    deny 10.0.0.251
    permit 10.0.0.0 0.255.255.255
    ip access-list standard TO-BE-NATTED-SECONDARY
    deny 10.0.0.59
    deny 10.0.0.52
    deny 10.0.0.53
    deny 10.0.0.16
    deny 10.0.0.58
    deny 10.0.0.61
    permit 10.0.0.0 0.255.255.255
    !
    !
    route-map STATIC-NAT-PRIMARY permit 10
    match ip next-hop PRIMARY-NEXT-HOP
    !
    route-map STATIC-NAT-PRIMARY deny 20
    !
    route-map STATIC-NAT-SECONDARY permit 10
    match ip next-hop SECONDARY-NEXT-HOP
    !
    route-map STATIC-NAT-SECONDARY deny 20
    !
    route-map SECONDARY-NAT permit 10
    match ip address TO-BE-NATTED-SECONDARY
    match ip next-hop SECONDARY-NEXT-HOP
    !
    route-map SECONDARY-NAT deny 20
    !
    route-map PRIVATE-INGRESS-PRIMARY permit 10
    match ip address TO-BE-NATTED-PRIMARY
    set ip next-hop verify-availability 216.140.140.1 10 track 1
    !
    route-map PRIVATE-INGRESS-PRIMARY permit 11

    route-map PRIVATE-INGRESS-SECONDARY permit 10
    match ip address TO-BE-NATTED-SECONDARY
    set ip next-hop verify-availability 216.150.150.254 20 track 2
    !
    route-map PRIVATE-INGRESS-SECONDARY permit 11
    !
    route-map PRIMARY-NAT permit 10
    match ip address TO-BE-NATTED-PRIMARY
    match ip next-hop PRIMARY-NEXT-HOP
    !
    route-map PRIMARY-NAT deny 20
  • MonkerzMonkerz Member Posts: 842
    I am not familiar with CCP, someone else will have to chime in on that.

    From what I understand, you want your statically NAT'd servers that currently are not getting NAT'd when the primary goes down to be dynamically NAT'd to your secondary ISP? If that is what you want, try this:
    ip sla 1
    icmp-echo 216.140.140.1 source-ip 216.140.140.2
    timeout 1000
    threshold 2
    frequency 3
    ip sla schedule 1 life forever start-time now
    ip sla 2
    icmp-echo 216.150.150.254 source-ip 216.150.150.4
    timeout 1000
    threshold 2
    frequency 3
    ip sla schedule 2 life forever start-time now
    !
    !
    track 1 sla 1 reachability
    !
    track 2 sla 2 reachability
    !
    !
    interface gi0/0
    ip address 10.0.0.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip policy route-map PRIVATE-INGRESS
    duplex auto
    speed auto
    no keepalive
    !
    interface gi0/1
    ip address 216.150.150.4 255.255.255.0 secondary
    ip address 216.140.140.2 255.255.255.224
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    
    ip route 0.0.0.0 0.0.0.0 216.140.140.1 track 1
    ip route 0.0.0.0 0.0.0.0 216.150.150.254 10
    !
    !
    ip nat pool PRIMARY-POOL 216.140.140.2 216.140.140.2 prefix-length 27
    ip nat pool SECONDARY-POOL 216.150.150.4 216.150.150.4 prefix-length 24
    ip nat inside source route-map PRIMARY-NAT pool PRIMARY-POOL overload
    ip nat inside source route-map SECONDARY-NAT pool SECONDARY-POOL overload
    ip nat inside source static 10.0.0.52 216.140.140.4 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.53 216.140.140.5 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.59 216.140.140.6 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.61 216.140.140.7 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.228 216.140.140.8 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.16 216.140.140.11 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.30 216.140.140.12 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.251 216.140.140.13 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.44 216.140.140.15 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.54 216.140.140.16 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.23 216.140.140.17 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.58 216.140.140.18 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.230 216.140.140.19 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.216 216.140.140.21 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.220 216.140.140.22 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.33 216.140.140.25 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.21 216.140.140.26 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.22 216.140.140.27 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.24 216.140.140.28 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.25 216.140.140.29 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.59 216.150.150.5 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.52 216.150.150.6 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.53 216.150.150.7 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.16 216.150.150.8 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.58 216.150.150.9 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.61 216.150.150.11 route-map STATIC-NAT-SECONDARY
    !
    ip access-list standard PRIMARY-NEXT-HOP
     permit 216.140.140.1
    ip access-list standard SECONDARY-NEXT-HOP
     permit 216.150.150.254
    ip access-list standard DYNAMIC-PRIMARY
    deny 10.0.0.24
    deny 10.0.0.25
    deny 10.0.0.30
    deny 10.0.0.16
    deny 10.0.0.22
    deny 10.0.0.23
    deny 10.0.0.21
    deny 10.0.0.33
    deny 10.0.0.44
    deny 10.0.0.58
    deny 10.0.0.59
    deny 10.0.0.61
    deny 10.0.0.54
    deny 10.0.0.52
    deny 10.0.0.53
    deny 10.0.0.216
    deny 10.0.0.220
    deny 10.0.0.230
    deny 10.0.0.228
    deny 10.0.0.251
    permit 10.0.0.0 0.255.255.255
    ip access-list standard DYNAMIC-SECONDARY
    deny 10.0.0.59
    deny 10.0.0.52
    deny 10.0.0.53
    deny 10.0.0.16
    deny 10.0.0.58
    deny 10.0.0.61
    permit 10.0.0.0 0.255.255.255
    !
    !
    route-map STATIC-NAT-PRIMARY permit 10
     match ip next-hop PRIMARY-NEXT-HOP
    !
    route-map STATIC-NAT-PRIMARY deny 20
    !
    route-map STATIC-NAT-SECONDARY permit 10
     match ip next-hop SECONDARY-NEXT-HOP
    !
    route-map STATIC-NAT-SECONDARY deny 20
    !
    route-map SECONDARY-NAT permit 10
     match ip address DYNAMIC-SECONDARY
     match ip next-hop SECONDARY-NEXT-HOP
    !
    route-map SECONDARY-NAT deny 20
    !
    route-map PRIVATE-INGRESS permit 10
     set ip next-hop verify-availability 216.140.140.1 10 track 1
     set ip next-hop verify-availability 216.150.150.254 20 track 2
    !
    route-map PRIVATE-INGRESS permit 11
    !
    route-map PRIMARY-NAT permit 10
     match ip address DYNAMIC-PRIMARY
     match ip next-hop PRIMARY-NEXT-HOP
    !
    route-map PRIMARY-NAT deny 20
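As an added example, not part of Monkerz's reply: a Python model of the selection logic in the config above (tracked default route, the PRIVATE-INGRESS policy route-map and the next-hop-matched NAT rules), run for a host mapped on both ISPs, a host mapped only on the primary, and an ordinary client. It places the split DYNAMIC-PRIMARY/DYNAMIC-SECONDARY lists beside the earlier single exclusion list to show why that list left primary-only servers untranslated after failover, the symptom described two posts up. The addresses are taken from the posted config; the track states and the client 10.0.0.100 are constructed.

```python
from typing import Dict, Iterable, Optional, Set, Tuple

PRIMARY_HOP = "216.140.140.1"
SECONDARY_HOP = "216.150.150.254"
PRIMARY_POOL = "216.140.140.2"     # PRIMARY-POOL, overloaded
SECONDARY_POOL = "216.150.150.4"   # SECONDARY-POOL, overloaded

# Static translations exactly as in the posted config.
STATIC_PRIMARY: Dict[str, str] = {
    "10.0.0.52": "216.140.140.4", "10.0.0.53": "216.140.140.5",
    "10.0.0.59": "216.140.140.6", "10.0.0.61": "216.140.140.7",
    "10.0.0.228": "216.140.140.8", "10.0.0.16": "216.140.140.11",
    "10.0.0.30": "216.140.140.12", "10.0.0.251": "216.140.140.13",
    "10.0.0.44": "216.140.140.15", "10.0.0.54": "216.140.140.16",
    "10.0.0.23": "216.140.140.17", "10.0.0.58": "216.140.140.18",
    "10.0.0.230": "216.140.140.19", "10.0.0.216": "216.140.140.21",
    "10.0.0.220": "216.140.140.22", "10.0.0.33": "216.140.140.25",
    "10.0.0.21": "216.140.140.26", "10.0.0.22": "216.140.140.27",
    "10.0.0.24": "216.140.140.28", "10.0.0.25": "216.140.140.29",
}
STATIC_SECONDARY: Dict[str, str] = {
    "10.0.0.59": "216.150.150.5", "10.0.0.52": "216.150.150.6",
    "10.0.0.53": "216.150.150.7", "10.0.0.16": "216.150.150.8",
    "10.0.0.58": "216.150.150.9", "10.0.0.61": "216.150.150.11",
}

# Standard ACLs behind the dynamic NAT route-maps: listed hosts are denied
# (excluded from the overload pool), the rest of 10/8 is permitted.
DYNAMIC_PRIMARY_DENY: Set[str] = set(STATIC_PRIMARY)       # DYNAMIC-PRIMARY
DYNAMIC_SECONDARY_DENY: Set[str] = set(STATIC_SECONDARY)   # DYNAMIC-SECONDARY
# The earlier single exclusion list denied every statically mapped host for
# both pools; kept to show the failover gap it caused.
SINGLE_LIST_DENY: Set[str] = set(STATIC_PRIMARY)


def next_hop(track1_up: bool, track2_up: bool) -> str:
    """PRIVATE-INGRESS: verify-availability tries seq 10 (primary, track 1),
    then seq 20 (secondary, track 2). With neither track up the packet falls
    through to the routing table, where the tracked primary default has been
    withdrawn and only the floating static via the secondary remains."""
    if track1_up:
        return PRIMARY_HOP
    return SECONDARY_HOP  # seq 20 when track 2 is up, routing table otherwise


def translate(inside: str, hop: str,
              secondary_deny: Set[str] = DYNAMIC_SECONDARY_DENY) -> Optional[str]:
    """Outside address chosen by the next-hop-matched NAT rules, or None when
    no rule matches and the private source would leave untranslated.
    Static entries are consulted before the overload pools, as IOS does."""
    in_10 = inside.startswith("10.")
    if hop == PRIMARY_HOP:
        if inside in STATIC_PRIMARY:                       # STATIC-NAT-PRIMARY
            return STATIC_PRIMARY[inside]
        if in_10 and inside not in DYNAMIC_PRIMARY_DENY:   # PRIMARY-NAT
            return PRIMARY_POOL
        return None
    if hop == SECONDARY_HOP:
        if inside in STATIC_SECONDARY:                     # STATIC-NAT-SECONDARY
            return STATIC_SECONDARY[inside]
        if in_10 and inside not in secondary_deny:         # SECONDARY-NAT
            return SECONDARY_POOL
        return None
    return None


def failover_table(hosts: Iterable[str],
                   secondary_deny: Set[str] = DYNAMIC_SECONDARY_DENY
                   ) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """For each inside host: (translation with primary up, translation after
    track 1 fails and traffic moves to the secondary ISP)."""
    return {h: (translate(h, next_hop(True, True)),
                translate(h, next_hop(False, True), secondary_deny))
            for h in hosts}


if __name__ == "__main__":
    # 10.0.0.52 is mapped on both ISPs, 10.0.0.228 only on the primary,
    # 10.0.0.100 is a constructed ordinary client.
    hosts = ["10.0.0.52", "10.0.0.228", "10.0.0.100"]
    print("split lists :", failover_table(hosts))
    print("single list :", failover_table(hosts, SINGLE_LIST_DENY))
```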
    
  • ahmedahmedahmedahmed Member Posts: 41 ■■□□□□□□□□
    Thanks Monkerz,
    I will try this configuration tonight, but please can you advise me on how to go about the ACL, and I did not understand what you meant by "Also, you need permit all other traffic (not just server traffic)..."
    Because I want to have an ACL to block remote users from accessing my servers on all other ports except 20,21,25,53,80,110,143,443, 3389 as a security measure.
    Please, I need your assistance on this one.
  • ahmedahmedahmedahmed Member Posts: 41 ■■□□□□□□□□
    Hello Monkerz,
    I just tested the configuration on my router for the primary and secondary ISPs. Although the primary worked just fine, for the secondary the dynamic NAT was working as required but the static part only worked for the 10.0.0.16 address. I suspect I might need to reboot the router to properly translate my NAT, or do you have any ideas as to what might be happening?
  • ahmedahmedahmedahmed Member Posts: 41 ■■□□□□□□□□
    Please guys, I have modified my ACL. What I intend to achieve is that all outside users should only be able to use the selected ports, i.e. 3389,25,21,21,53,110,80, to access the server resources, but the servers can be used to have full access to the internet.
    Please can you check if my ACL will allow that on my current configuration and if it is OK.

    ! FTP control and data are a port range; IOS syntax is "range 20 21", not "eq 20:21"
    access-list 101 permit tcp any host 216.150.150.6 eq www
    access-list 101 permit tcp any host 216.150.150.6 range 20 21
    access-list 101 permit tcp any host 216.150.150.6 eq 25
    access-list 101 permit tcp any host 216.150.150.6 eq 53
    access-list 101 permit udp any host 216.150.150.6 eq 53
    access-list 101 permit tcp any host 216.150.150.6 eq 110
    access-list 101 permit tcp any host 216.150.150.6 eq 143
    access-list 101 permit tcp any host 216.150.150.6 eq 443
    access-list 101 permit tcp any host 216.150.150.6 eq 3389

    access-list 101 permit tcp any host 216.140.140.4 eq www
    access-list 101 permit tcp any host 216.140.140.4 range 20 21
    access-list 101 permit tcp any host 216.140.140.4 eq 25
    access-list 101 permit tcp any host 216.140.140.4 eq 53
    access-list 101 permit udp any host 216.140.140.4 eq 53
    access-list 101 permit tcp any host 216.140.140.4 eq 110
    access-list 101 permit tcp any host 216.140.140.4 eq 143
    access-list 101 permit tcp any host 216.140.140.4 eq 443
    access-list 101 permit tcp any host 216.140.140.4 eq 3389

    access-list 101 permit tcp any host 216.140.140.17 eq www
    access-list 101 permit tcp any host 216.140.140.17 range 20 21
    access-list 101 permit tcp any host 216.140.140.17 eq 25
    access-list 101 permit tcp any host 216.140.140.17 eq 53
    access-list 101 permit udp any host 216.140.140.17 eq 53
    access-list 101 permit tcp any host 216.140.140.17 eq 110
    access-list 101 permit tcp any host 216.140.140.17 eq 143
    access-list 101 permit tcp any host 216.140.140.17 eq 443
    access-list 101 permit tcp any host 216.140.140.17 eq 3389
    access-list 101 permit tcp any host 216.140.140.17 eq 8080

    access-list 101 permit tcp any host 216.140.140.6 eq www
    access-list 101 permit tcp any host 216.140.140.6 range 20 21
    access-list 101 permit tcp any host 216.140.140.6 eq 25
    access-list 101 permit tcp any host 216.140.140.6 eq 53
    access-list 101 permit udp any host 216.140.140.6 eq 53
    access-list 101 permit tcp any host 216.140.140.6 eq 110
    access-list 101 permit tcp any host 216.140.140.6 eq 143
    access-list 101 permit tcp any host 216.140.140.6 eq 443
    access-list 101 permit tcp any host 216.140.140.6 eq 3389

    access-list 101 permit tcp any host 216.150.150.10 eq www
    access-list 101 permit tcp any host 216.150.150.10 range 20 21
    access-list 101 permit tcp any host 216.150.150.10 eq 25
    access-list 101 permit tcp any host 216.150.150.10 eq 53
    access-list 101 permit udp any host 216.150.150.10 eq 53
    access-list 101 permit tcp any host 216.150.150.10 eq 110
    access-list 101 permit tcp any host 216.150.150.10 eq 143
    access-list 101 permit tcp any host 216.150.150.10 eq 443
    access-list 101 permit tcp any host 216.150.150.10 eq 3389

    access-list 101 permit tcp any host 216.140.140.7 eq www
    access-list 101 permit tcp any host 216.140.140.7 range 20 21
    access-list 101 permit tcp any host 216.140.140.7 eq 25
    access-list 101 permit tcp any host 216.140.140.7 eq 53
    access-list 101 permit udp any host 216.140.140.7 eq 53
    access-list 101 permit tcp any host 216.140.140.7 eq 110
    access-list 101 permit tcp any host 216.140.140.7 eq 143
    access-list 101 permit tcp any host 216.140.140.7 eq 443
    access-list 101 permit tcp any host 216.140.140.7 eq 3389

    access-list 101 permit tcp any host 216.150.150.11 eq www
    access-list 101 permit tcp any host 216.150.150.11 range 20 21
    access-list 101 permit tcp any host 216.150.150.11 eq 25
    access-list 101 permit tcp any host 216.150.150.11 eq 53
    access-list 101 permit udp any host 216.150.150.11 eq 53
    access-list 101 permit tcp any host 216.150.150.11 eq 110
    access-list 101 permit tcp any host 216.150.150.11 eq 143
    access-list 101 permit tcp any host 216.150.150.11 eq 443
    access-list 101 permit tcp any host 216.150.150.11 eq 3389

    access-list 101 permit tcp any host 216.140.140.8 eq www
    access-list 101 permit tcp any host 216.140.140.8 range 20 21
    access-list 101 permit tcp any host 216.140.140.8 eq 25
    access-list 101 permit tcp any host 216.140.140.8 eq 53
    access-list 101 permit udp any host 216.140.140.8 eq 53
    access-list 101 permit tcp any host 216.140.140.8 eq 110
    access-list 101 permit tcp any host 216.140.140.8 eq 143
    access-list 101 permit tcp any host 216.140.140.8 eq 443
    access-list 101 permit tcp any host 216.140.140.8 eq 3389
    access-list 101 permit tcp any host 216.140.140.8 eq 8080

    access-list 101 permit tcp any host 216.140.140.18 eq 3389
    access-list 101 permit tcp any host 216.140.140.25 eq 3389
    access-list 101 permit tcp any host 216.140.140.29 eq 3389
    access-list 101 permit tcp any host 216.140.140.15 eq 3389
    access-list 101 permit tcp any host 216.140.140.13 eq 3389
    access-list 101 permit tcp any host 216.140.140.26 eq 3389
    access-list 101 permit tcp any host 216.140.140.27 eq 3389
    access-list 101 permit tcp any host 216.140.140.28 eq 3389
    access-list 101 permit tcp any host 216.140.140.19 eq 3389
    access-list 101 permit tcp any host 216.140.140.11 eq 80
    access-list 101 permit tcp any host 216.150.150.8 eq 80
    access-list 101 permit tcp any host 216.140.140.12 eq www
    access-list 101 permit tcp any host 216.140.140.12 eq 3389
    access-list 101 permit ip 216.140.140.0 0.0.0.255 any
    access-list 101 permit ip 216.150.150.0 0.0.0.255 any

    interface gi0/1
    ip access-group 101 in
  • MonkerzMonkerz Member Posts: 842
    Sorry I have not answered for a while; I was refreshing for my Switch exam before I took it.

    Anyway, Ahmed I think you need to refresh a little before you deploy what you are trying to do.

    This would probably be a good place to start:

    Configuring Network Address Translation: Getting Started - Cisco Systems

    Configuring IP Access Lists - Cisco Systems

    http://www.cisco.com/en/US/prod/collateral/routers/ps9422/data_sheet_c78_462210.pdf

    I, personally, would not be comfortable implementing something I did not completely understand. As of now, if your NAT were to break, I do not think you would know how to troubleshoot the issue. And if you applied that ACL you would definitely have problems.

    Don't get me wrong, I have no problems helping someone through an issue, but I would think at some point one would ask "Why that way?" or "How does that work?" I have yet to hear this from you.

    Once you freshen up, please feel free to bounce your thoughts off of us.
  • xXErebuSxXErebuS Member Posts: 230
    Maybe this is a stupid question, but would it be possible to add another NIC on the server, or add another IP address to the existing NIC? Without BGP you're looking at a headache, especially considering most of your traffic will be inbound, and I think you will run into issues when there are no xlates in the table.
  • ahmedahmedahmedahmed Member Posts: 41 ■■□□□□□□□□
    Hi Monkerz,
    Thanks for your help. From the ACL, what I don't understand is when you said I should allow all other traffic; this will defy my objective for the incoming traffic. From my knowledge this is an access list that will only apply to incoming traffic, so with my current config only incoming traffic on the ACL ports will be allowed and all other traffic will be dropped. Why would I need to allow all other traffic?
    Even though an easier way would have been to deny all unwanted traffic and permit all others.
    Please give me your opinion.
  • MonkerzMonkerz Member Posts: 842
    Well, think about it...

    Sure allowing all traffic will defy the point of having an access list in the first place, but having the access list you created would ONLY allow in the traffic you permitted.

    An example would be: say you are an end user and your PC has an IP/port that is not specifically permitted "in" on your WAN interface. You want to surf Google's website. So you open your web browser and type in Google. That domain is translated to one of many addresses owned by Google. Your request for Google's page then leaves your PC destined for the internet. Leaving your PC, your packet looks kind of like this:

    S_IP: 10.0.0.250 D_IP: 74.125.140.100 S_PORT: 65123 D_PORT: 80

    This packet hits the WAN router and gets NAT'd. So leaving the WAN router headed to Google via Primary ISP, the packet would look like this:

    S_IP: 216.140.140.2 D_IP: 74.125.140.100 S_PORT: 65123 D_PORT: 80

    Your packet eventually hits Google's vast array of web servers, the server replies to your request and shoots the data back to you. Packet looking like this:

    S_IP: 74.125.140.100 D_IP: 216.140.140.2 S_PORT: 80 D_PORT: 65123

    The first packet of this flow hits your WAN router, guess what happens? Yup, that ACL is referenced and the info you requested is shredded because a destination of 216.140.140.2:65123 is not permitted in on your WAN interface.

    So you need to also allow traffic flows that are originating from inside your network. You can look into reflexive ACLs to accomplish this. I didn't want to just tell you what you needed, I wanted questions to be asked.

    Hope this helps.
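As an added illustration of the point above (example code written for this page, not from the thread or from Cisco), a small Python model evaluates the packets in the walk-through against a few constructed entries of ACL 101, first as a plain stateless ACL and then with the session table that stateful inspection adds. The Packet tuple, the trimmed ACL_101 list and the StatefulEdge class are constructed for the example.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport")

# Constructed sample: a few entries from the thread's ACL 101 (FTP written as
# "range 20 21", the IOS syntax for a port range).
ACL_101 = [
    "access-list 101 permit tcp any host 216.150.150.6 eq www",
    "access-list 101 permit tcp any host 216.150.150.6 range 20 21",
    "access-list 101 permit tcp any host 216.140.140.4 eq 443",
    "access-list 101 permit udp any host 216.140.140.4 eq 53",
    "access-list 101 permit tcp any host 216.140.140.12 eq 3389",
]
NAMED_PORTS = {"www": 80, "domain": 53, "smtp": 25, "ftp": 21, "pop3": 110}

def _addr(tok):
    """Consume 'any' or 'host X' (the only forms ACL 101 uses); None means any."""
    return (None, tok[1:]) if tok[0] == "any" else (tok[1], tok[2:])

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq P | range A B]'."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, rest = _addr(tok[4:])
    dst, rest = _addr(rest)
    ports = None
    if rest and rest[0] == "eq":
        port = int(NAMED_PORTS.get(rest[1], rest[1]))
        ports = (port, port)
    elif rest and rest[0] == "range":
        ports = (int(rest[1]), int(rest[2]))
    return action, proto, src, dst, ports

def acl_permits(acl, pkt):
    """First matching entry wins; no match is the IOS implicit deny."""
    for line in acl:
        action, proto, src, dst, ports = parse_ace(line)
        if (proto in ("ip", pkt.proto) and src in (None, pkt.src)
                and dst in (None, pkt.dst)
                and (ports is None or ports[0] <= pkt.dport <= ports[1])):
            return action == "permit"
    return False

class StatefulEdge:
    """Inbound ACL plus a session table filled by outbound flows: the part that
    'ip inspect' / ZBF adds on top of a plain packet filter."""

    def __init__(self, acl):
        self.acl, self.sessions = acl, set()

    def outbound(self, pkt):
        # Record the post-NAT 5-tuple so the reply can be recognised later.
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_key in self.sessions:
            return "permit (reply to an inspected session)"
        return "permit (ACL)" if acl_permits(self.acl, pkt) else "deny (ACL)"

def walkthrough():
    """Monkerz's example: the NAT'd request leaves, then Google's reply returns."""
    request = Packet("tcp", "216.140.140.2", "74.125.140.100", 65123, 80)
    reply = Packet("tcp", "74.125.140.100", "216.140.140.2", 80, 65123)
    edge = StatefulEdge(ACL_101)
    edge.outbound(request)
    # (False, "permit (reply to an inspected session)")
    return acl_permits(ACL_101, reply), edge.inbound(reply)
```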
  • ahmedahmedahmedahmed Member Posts: 41 ■■□□□□□□□□
    Thanks for the hint last time.
    You are right, my internal users would not be able to access the internet because the current ACL on gi0/1 would block replies other than what is permitted.
    So I created a second access list, 100, that permits all traffic from my internal network to the outside, and then applied stateful inspection so that temporary dynamic entries are created allowing replies/communication to the outgoing traffic to come back into the network, and applied it to the gi0/0 interface.
    I would appreciate your comments.
    Thanks again for being so helpful.



    access-list 101 permit tcp any host 216.150.150.6 eq www
    access-list 101 permit tcp any host 216.150.150.6 range 20 21
    access-list 101 permit tcp any host 216.150.150.6 eq 25
    access-list 101 permit tcp any host 216.150.150.6 eq 53
    access-list 101 permit udp any host 216.150.150.6 eq 53
    access-list 101 permit tcp any host 216.150.150.6 eq 110
    access-list 101 permit tcp any host 216.150.150.6 eq 143
    access-list 101 permit tcp any host 216.150.150.6 eq 443
    access-list 101 permit tcp any host 216.150.150.6 eq 3389

    access-list 101 permit tcp any host 216.140.140.4 eq www
    access-list 101 permit tcp any host 216.140.140.4 range 20 21
    access-list 101 permit tcp any host 216.140.140.4 eq 25
    access-list 101 permit tcp any host 216.140.140.4 eq 53
    access-list 101 permit udp any host 216.140.140.4 eq 53
    access-list 101 permit tcp any host 216.140.140.4 eq 110
    access-list 101 permit tcp any host 216.140.140.4 eq 143
    access-list 101 permit tcp any host 216.140.140.4 eq 443
    access-list 101 permit tcp any host 216.140.140.4 eq 3389

    access-list 101 permit tcp any host 216.140.140.17 eq www
    access-list 101 permit tcp any host 216.140.140.17 range 20 21
    access-list 101 permit tcp any host 216.140.140.17 eq 25
    access-list 101 permit tcp any host 216.140.140.17 eq 53
    access-list 101 permit udp any host 216.140.140.17 eq 53
    access-list 101 permit tcp any host 216.140.140.17 eq 110
    access-list 101 permit tcp any host 216.140.140.17 eq 143
    access-list 101 permit tcp any host 216.140.140.17 eq 443
    access-list 101 permit tcp any host 216.140.140.17 eq 3389
    access-list 101 permit tcp any host 216.140.140.17 eq 8080

    access-list 101 permit tcp any host 216.140.140.6 eq www
    access-list 101 permit tcp any host 216.140.140.6 range 20 21
    access-list 101 permit tcp any host 216.140.140.6 eq 25
    access-list 101 permit tcp any host 216.140.140.6 eq 53
    access-list 101 permit udp any host 216.140.140.6 eq 53
    access-list 101 permit tcp any host 216.140.140.6 eq 110
    access-list 101 permit tcp any host 216.140.140.6 eq 143
    access-list 101 permit tcp any host 216.140.140.6 eq 443
    access-list 101 permit tcp any host 216.140.140.6 eq 3389

    access-list 101 permit tcp any host 216.150.150.10 eq www
    access-list 101 permit tcp any host 216.150.150.10 range 20 21
    access-list 101 permit tcp any host 216.150.150.10 eq 25
    access-list 101 permit tcp any host 216.150.150.10 eq 53
    access-list 101 permit udp any host 216.150.150.10 eq 53
    access-list 101 permit tcp any host 216.150.150.10 eq 110
    access-list 101 permit tcp any host 216.150.150.10 eq 143
    access-list 101 permit tcp any host 216.150.150.10 eq 443
    access-list 101 permit tcp any host 216.150.150.10 eq 3389

    access-list 101 permit tcp any host 216.140.140.7 eq www
    access-list 101 permit tcp any host 216.140.140.7 range 20 21
    access-list 101 permit tcp any host 216.140.140.7 eq 25
    access-list 101 permit tcp any host 216.140.140.7 eq 53
    access-list 101 permit udp any host 216.140.140.7 eq 53
    access-list 101 permit tcp any host 216.140.140.7 eq 110
    access-list 101 permit tcp any host 216.140.140.7 eq 143
    access-list 101 permit tcp any host 216.140.140.7 eq 443
    access-list 101 permit tcp any host 216.140.140.7 eq 3389

    access-list 101 permit tcp any host 216.150.150.11 eq www
    access-list 101 permit tcp any host 216.150.150.11 range 20 21
    access-list 101 permit tcp any host 216.150.150.11 eq 25
    access-list 101 permit tcp any host 216.150.150.11 eq 53
    access-list 101 permit udp any host 216.150.150.11 eq 53
    access-list 101 permit tcp any host 216.150.150.11 eq 110
    access-list 101 permit tcp any host 216.150.150.11 eq 143
    access-list 101 permit tcp any host 216.150.150.11 eq 443
    access-list 101 permit tcp any host 216.150.150.11 eq 3389

    access-list 101 permit tcp any host 216.140.140.8 eq www
    access-list 101 permit tcp any host 216.140.140.8 range 20 21
    access-list 101 permit tcp any host 216.140.140.8 eq 25
    access-list 101 permit tcp any host 216.140.140.8 eq 53
    access-list 101 permit udp any host 216.140.140.8 eq 53
    access-list 101 permit tcp any host 216.140.140.8 eq 110
    access-list 101 permit tcp any host 216.140.140.8 eq 143
    access-list 101 permit tcp any host 216.140.140.8 eq 443
    access-list 101 permit tcp any host 216.140.140.8 eq 3389
    access-list 101 permit tcp any host 216.140.140.8 eq 8080

    access-list 101 permit tcp any host 216.140.140.18 eq 3389
    access-list 101 permit tcp any host 216.140.140.25 eq 3389
    access-list 101 permit tcp any host 216.140.140.29 eq 3389
    access-list 101 permit tcp any host 216.140.140.15 eq 3389
    access-list 101 permit tcp any host 216.140.140.13 eq 3389
    access-list 101 permit tcp any host 216.140.140.26 eq 3389
    access-list 101 permit tcp any host 216.140.140.27 eq 3389
    access-list 101 permit tcp any host 216.140.140.28 eq 3389
    access-list 101 permit tcp any host 216.140.140.19 eq 3389
    access-list 101 permit tcp any host 216.140.140.11 eq 80
    access-list 101 permit tcp any host 216.150.150.8 eq 80
    access-list 101 permit tcp any host 216.140.140.12 eq www
    access-list 101 permit tcp any host 216.140.140.12 eq 3389

    access-list 100 permit ip any any

    ip inspect name INTERNAL ip
    interface gi0/0
    ip access-group 100 in
    ip inspect INTERNAL in
  • MonkerzMonkerz Member Posts: 842
    Remove ACL 100 all together. Apply inspection outbound on the WAN interface. Keep ACL 101 inbound on WAN interface.
  • ahmedahmedahmedahmed Member Posts: 41 ■■□□□□□□□□
    OK, makes sense.
    Thanks
  • ahmedahmedahmedahmed Member Posts: 41 ■■□□□□□□□□
    Hi Monkerz,
    I have been doing a lot of research on Zone-Based Firewall using the CLI and have tried to configure my network with a Zone-Based Firewall. I tried to use a Zone-Based Firewall instead of the ACLs.
    Even though I think I am pretty much right, please can you look at my configuration and give me your view on it.
    Here is the ZBF configuration I came up with:
    zone security out-zone
    zone security in-zone
    zone security teleworker

    interface gi0/1
    zone-member security out-zone

    interface gi0/0
    zone-member security in-zone

    interface gi0/2
    zone-member security teleworker
    exit

    ip port-map user-RDP port tcp 3389

    zone-pair security OUT-IN source out-zone destination in-zone
    zone-pair security OUT-TELEWORKER source out-zone destination teleworker
    zone-pair security TELEWORKER-OUT source teleworker destination out-zone

    ip access-list extended OUTSIDE-TO-INSIDE-WEB
    permit tcp any host 10.0.0.23 eq 80
    permit tcp any host 10.0.0.59 eq 80
    permit tcp any host 10.0.0.61 eq 80
    permit tcp any host 10.0.0.228 eq 80
    permit tcp any host 10.0.0.16 eq 80
    permit tcp any host 10.0.0.30 eq 80

    class-map type inspect match-all OUTSIDE-TO-INSIDE-WEB-CLASS
    match protocol http
    match access-group name OUTSIDE-TO-INSIDE-WEB

    ! FTP control and data are a port range; IOS syntax is "range 20 21", not "eq 20:21"
    ip access-list extended OUTSIDE-TO-INSIDE-FTP
    permit tcp any host 10.0.0.52 range 20 21
    permit tcp any host 10.0.0.23 range 20 21
    permit tcp any host 10.0.0.59 range 20 21
    permit tcp any host 10.0.0.61 range 20 21
    permit tcp any host 10.0.0.228 range 20 21

    class-map type inspect match-all OUTSIDE-TO-INSIDE-FTP-CLASS
    match protocol ftp
    match access-group name OUTSIDE-TO-INSIDE-FTP

    ip access-list extended OUTSIDE-TO-INSIDE-SMTP
    permit tcp any host 10.0.0.52 eq 25
    permit tcp any host 10.0.0.23 eq 25
    permit tcp any host 10.0.0.59 eq 25
    permit tcp any host 10.0.0.61 eq 25
    permit tcp any host 10.0.0.228 eq 25

    class-map type inspect match-all OUTSIDE-TO-INSIDE-SMTP-CLASS
    match protocol smtp
    match access-group name OUTSIDE-TO-INSIDE-SMTP

    ip access-list extended OUTSIDE-TO-INSIDE-DNS
    permit tcp any host 10.0.0.23 eq 53
    permit udp any host 10.0.0.23 eq 53
    permit tcp any host 10.0.0.59 eq 53
    permit udp any host 10.0.0.59 eq 53
    permit tcp any host 10.0.0.61 eq 53
    permit udp any host 10.0.0.61 eq 53
    permit tcp any host 10.0.0.228 eq 53
    permit udp any host 10.0.0.228 eq 53

    class-map type inspect match-all OUTSIDE-TO-INSIDE-DNS-CLASS
    match protocol dns
    match access-group name OUTSIDE-TO-INSIDE-DNS

    ip access-list extended OUTSIDE-TO-INSIDE-POP
    permit tcp any host 10.0.0.52 eq 110
    permit tcp any host 10.0.0.23 eq 110
    permit tcp any host 10.0.0.59 eq 110
    permit tcp any host 10.0.0.61 eq 110
    permit tcp any host 10.0.0.228 eq 110

    class-map type inspect match-all OUTSIDE-TO-INSIDE-POP-CLASS
    match protocol pop
    match access-group name OUTSIDE-TO-INSIDE-POP

    ip access-list extended OUTSIDE-TO-INSIDE-IMAP
    permit tcp any host 10.0.0.52 eq 143
    permit tcp any host 10.0.0.23 eq 143
    permit tcp any host 10.0.0.59 eq 143
    permit tcp any host 10.0.0.61 eq 143
    permit tcp any host 10.0.0.228 eq 143

    class-map type inspect match-all OUTSIDE-TO-INSIDE-IMAP-CLASS
    match protocol imap
    match access-group name OUTSIDE-TO-INSIDE-IMAP

    ip access-list extended OUTSIDE-TO-INSIDE-HTTPS
    permit tcp any host 10.0.0.52 eq 443
    permit tcp any host 10.0.0.23 eq 443
    permit tcp any host 10.0.0.59 eq 443
    permit tcp any host 10.0.0.61 eq 443
    permit tcp any host 10.0.0.228 eq 443

    class-map type inspect match-all OUTSIDE-TO-INSIDE-HTTPS-CLASS
    match protocol https
    match access-group name OUTSIDE-TO-INSIDE-HTTPS

    ip access-list extended OUTSIDE-TO-INSIDE-RDP
    permit tcp any host 10.0.0.52 eq 3389
    permit tcp any host 10.0.0.23 eq 3389
    permit tcp any host 10.0.0.59 eq 3389
    permit tcp any host 10.0.0.61 eq 3389
    permit tcp any host 10.0.0.228 eq 3389
    permit tcp any host 10.0.0.58 eq 3389
    permit tcp any host 10.0.0.33 eq 3389
    permit tcp any host 10.0.0.25 eq 3389
    permit tcp any host 10.0.0.44 eq 3389
    permit tcp any host 10.0.0.251 eq 3389
    permit tcp any host 10.0.0.21 eq 3389
    permit tcp any host 10.0.0.22 eq 3389
    permit tcp any host 10.0.0.24 eq 3389
    permit tcp any host 10.0.0.30 eq 3389
    permit tcp any host 10.0.0.230 eq 3389

    class-map type inspect match-all OUTSIDE-TO-INSIDE-RDP-CLASS
    match protocol user-RDP
    match access-group name OUTSIDE-TO-INSIDE-RDP

    ip access-list extended TELEWORKER-TO-OUTSIDE
    permit ip host 10.0.3.254 any

    class-map type inspect match-all TELEWORKER-TO-OUTSIDE-CLASS
    match access-group name TELEWORKER-TO-OUTSIDE

    ip access-list extended OUTSIDE-TO-TELEWORKER
    permit ip any host 10.0.3.254

    class-map type inspect match-all OUTSIDE-TO-TELEWORKER-CLASS
    match access-group name OUTSIDE-TO-TELEWORKER

    policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
    class type inspect OUTSIDE-TO-INSIDE-WEB-CLASS
    inspect
    class type inspect OUTSIDE-TO-INSIDE-FTP-CLASS
    inspect
    class type inspect OUTSIDE-TO-INSIDE-SMTP-CLASS
    inspect
    class type inspect OUTSIDE-TO-INSIDE-DNS-CLASS
    inspect
    class type inspect OUTSIDE-TO-INSIDE-POP-CLASS
    inspect
    class type inspect OUTSIDE-TO-INSIDE-IMAP-CLASS
    inspect
    class type inspect OUTSIDE-TO-INSIDE-HTTPS-CLASS
    inspect
    class type inspect OUTSIDE-TO-INSIDE-RDP-CLASS
    inspect

    policy-map type inspect TELEWORKER-TO-OUTSIDE-POLICY
    class type inspect TELEWORKER-TO-OUTSIDE-CLASS
    inspect

    policy-map type inspect OUTSIDE-TO-TELEWORKER-POLICY
    class type inspect OUTSIDE-TO-TELEWORKER-CLASS
    inspect

    zone-pair security OUT-IN source out-zone destination in-zone
    service-policy type inspect OUTSIDE-TO-INSIDE-POLICY

    zone-pair security OUT-TELEWORKER source out-zone destination teleworker
    service-policy type inspect OUTSIDE-TO-TELEWORKER-POLICY

    zone-pair security TELEWORKER-OUT source teleworker destination out-zone
    service-policy type inspect TELEWORKER-TO-OUTSIDE-POLICY
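As an added review check (written for this page, not part of the post or of IOS), the Python script below parses the zone, zone-member, policy-map and zone-pair lines of a ZBF configuration and reports zone-pairs with no service-policy, policy-maps that are referenced but never defined, and zone directions that no zone-pair covers, which ZBF drops by default. ZBF_CONFIG is a constructed sample holding just the zone wiring from the configuration above; run on it, the check flags that no zone-pair covers in-zone to out-zone, so LAN-initiated internet traffic would be dropped as the policy stands.

```python
import re
from itertools import permutations

# Constructed sample: the zone, zone-member, policy-map and zone-pair lines of
# the posted configuration (class-maps omitted; only zone wiring is checked).
ZBF_CONFIG = """\
zone security out-zone
zone security in-zone
zone security teleworker
interface gi0/1
zone-member security out-zone
interface gi0/0
zone-member security in-zone
interface gi0/2
zone-member security teleworker
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
policy-map type inspect TELEWORKER-TO-OUTSIDE-POLICY
policy-map type inspect OUTSIDE-TO-TELEWORKER-POLICY
zone-pair security OUT-IN source out-zone destination in-zone
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security OUT-TELEWORKER source out-zone destination teleworker
service-policy type inspect OUTSIDE-TO-TELEWORKER-POLICY
zone-pair security TELEWORKER-OUT source teleworker destination out-zone
service-policy type inspect TELEWORKER-TO-OUTSIDE-POLICY
"""
ZONE_PAIR = re.compile(r"zone-pair security (\S+) source (\S+) destination (\S+)")

def parse_zbf(text):
    """Return (zones, members, policy_maps, pairs); pairs maps (src, dst) to the
    pair name and the service-policy attached under that zone-pair, if any."""
    zones, members, policies, pairs = set(), {}, set(), {}
    iface = pair = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"zone security (\S+)", line):
            zones.add(m[1])
        elif m := re.match(r"interface (\S+)", line):
            iface = m[1]
        elif m := re.match(r"zone-member security (\S+)", line):
            members.setdefault(m[1], []).append(iface)
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            policies.add(m[1])
        elif m := ZONE_PAIR.match(line):
            pair = (m[2], m[3])
            pairs[pair] = {"name": m[1], "policy": None}
        elif (m := re.match(r"service-policy type inspect (\S+)", line)) and pair:
            pairs[pair]["policy"] = m[1]
    return zones, members, policies, pairs

def audit(text):
    """List the zone-wiring problems a reviewer would want to see before deploying."""
    zones, members, policies, pairs = parse_zbf(text)
    findings = []
    for (src, dst), info in pairs.items():
        name = info["name"]
        for zone in (src, dst):
            if zone not in zones:
                findings.append(f"{name}: zone {zone} is never defined")
        if info["policy"] is None:
            findings.append(f"{name}: no service-policy, so the pair drops everything")
        elif info["policy"] not in policies:
            findings.append(f"{name}: policy-map {info['policy']} is never defined")
    # Between two zones, ZBF drops traffic unless a zone-pair covers that direction.
    for src, dst in permutations(sorted(members), 2):
        if (src, dst) not in pairs:
            findings.append(f"no zone-pair {src} -> {dst}: traffic from "
                            f"{members[src]} to {members[dst]} is dropped by default")
    return findings
```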