Need to Have both ISP to access internet/servers
ahmedahmed
Member Posts: 41
in CCNP
I need help configuring a Cisco 2911 router. It has two ISPs, one as primary (216.140.140.0) and a secondary for backup (216.150.150.0).
I need to be able to access both ISPs using the same interface Gi0/1, without sub-interfaces.
Since we have servers that must have specific IPs both when accessed and when accessing the internet, I used static NAT for the servers and dynamic NAT for all others.
I did the following configuration but it does not work as I want it: if I unplug the primary ISP from the unmanaged switch, the secondary can't access the Internet or network. The secondary only works when the primary and secondary are both connected at the same time.
Even though I have been advised to use a sub-interface instead of a secondary IP address (which worked when I used it), I need to use the same interface with an unmanaged switch, to which the outside interface of the router and the two ISPs are connected.
Please let me know what I can do to make this work. When I did show ip sla statistics and show track, it shows that the SLA is not running. I tried to ping my next hop 216.140.140.1 and could not ping it, even though when I ping it from my test server 10.0.0.50 it pings successfully, and NAT is up and running successfully as I can access server resources/internet.
Below is my configuration.
interface GigabitEthernet0/0
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 216.150.150.4 255.255.255.0 secondary
ip address 216.140.140.2 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip nat inside source route-map Primary interface GigabitEthernet0/1 overload
ip nat inside source route-map Secondary interface GigabitEthernet0/1 overload
ip nat inside source static 10.0.0.52 216.140.140.4 route-map Primary
ip nat inside source static 10.0.0.53 216.140.140.5 route-map Primary
ip nat inside source static 10.0.0.59 216.140.140.6 route-map Primary
ip nat inside source static 10.0.0.61 216.140.140.7 route-map Primary
ip nat inside source static 10.0.0.228 216.140.140.8 route-map Primary
ip nat inside source static 10.0.0.16 216.140.140.11 route-map Primary
ip nat inside source static 10.0.0.30 216.140.140.12 route-map Primary
ip nat inside source static 10.0.0.251 216.140.140.13 route-map Primary
ip nat inside source static 10.0.0.44 216.140.140.15 route-map Primary
ip nat inside source static 10.0.0.54 216.140.140.16 route-map Primary
ip nat inside source static 10.0.0.23 216.140.140.17 route-map Primary
ip nat inside source static 10.0.0.58 216.140.140.18 route-map Primary
ip nat inside source static 10.0.0.230 216.140.140.19 route-map Primary
ip nat inside source static 10.0.0.216 216.140.140.21 route-map Primary
ip nat inside source static 10.0.0.220 216.140.140.22 route-map Primary
ip nat inside source static 10.0.0.33 216.140.140.25 route-map Primary
ip nat inside source static 10.0.0.21 216.140.140.26 route-map Primary
ip nat inside source static 10.0.0.22 216.140.140.27 route-map Primary
ip nat inside source static 10.0.0.24 216.140.140.28 route-map Primary
ip nat inside source static 10.0.0.25 216.140.140.29 route-map Primary
ip nat inside source static 10.0.0.59 216.150.150.5 route-map secondary
ip nat inside source static 10.0.0.52 216.150.150.6 route-map secondary
ip nat inside source static 10.0.0.53 216.150.150.7 route-map secondary
ip nat inside source static 10.0.0.16 216.150.150.8 route-map secondary
ip nat inside source static 10.0.0.58 216.150.150.9 route-map secondary
ip nat inside source static 10.0.0.59 216.150.150.10 route-map secondary
ip nat inside source static 10.0.0.61 216.150.150.11 route-map secondary
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
route-map secondary permit 10
match ip address 100
set ip next-hop 216.150.150.254
!
route-map primary permit 10
match ip address 100
set ip next-hop 216.140.140.1
ip sla 1
icmp-echo 216.140.140.1 source-ip 216.140.140.2
timeout 1000
threshold 2
frequency 3
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 216.140.140.1 track 1
ip route 0.0.0.0 0.0.0.0 216.150.50.254 10
Router#show ip sla statistics
IPSLA operation id: 1
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 18:50:58 UTC Mon Dec 10 2012
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 51
Operation time to live: Forever
Router#show track
Track 1
IP SLA 1 reachability
Reachability is Down
1 change, last change 01:58:15
Delay up 20 secs, down 10 secs
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
Comments
-
wave Member Posts: 342
Hi there,
You have the route-map "Primary" configured in your NAT statements but the route-map in the config is "primary" ...lower case p. You have a similar issue with Secondary/secondary.
You say IP SLA 1 isn't working; can you ping 216.140.140.1 sourced from 216.140.140.2?
Is the output you have provided from when both connections are plugged in or just one? Does the #sh ip route output show you are currently routing through your secondary connection (my guess is yes) because ip sla 1 is down?
Does your ISP have a router at your site that is running BGP for these dual-homed internet connections? i.e. are both 216.150.150/24 and 216.140.140.2/27 being advertised out both links? If you're not advertising both subnets out both connections then your static NAT is not going to work when one of the connections goes down.
ROUTE Passed 1 May 2012
SWITCH Passed 25 September 2012
TSHOOT Passed 23 October 2012
Taking CCNA Security in April 2013 then studying for the CISSP -
Monkerz Member Posts: 842
Also need to change this:
ip route 0.0.0.0 0.0.0.0 216.150.50.254 10
to
ip route 0.0.0.0 0.0.0.0 216.150.150.254 10 -
ahmedahmed Member Posts: 41
I cannot ping 216.140.140.1, but I could ping it before enabling static NAT, and I can also ping it from my server attached to Gi0/0. What can I do to be able to ping it? I think this is the reason that my IP SLA is not working.
The output I provided is for when both ISPs are connected, as the moment I unplug the primary I lose connectivity totally. And yes, you are right, show ip route shows that I am routing through the secondary (in both cases: when both are connected and when only the secondary is connected).
I have two ISP providers completely independent of each other; the primary is through a Cisco router and the secondary is through a modem, and I have no way of knowing what configurations they have, although my secondary ISP is using a static route.
I have also corrected the route-map issue (small p and s) and the static route.
Please can you tell me from my configuration what I might need to do. -
Monkerz Member Posts: 842
Source your SLA echo from Gi0/0 and see what happens...
icmp-echo 216.140.140.1 source-ip 10.0.0.254 -
wave Member Posts: 342
I've had another look at this and none of it is going to work based on your current configuration.
Firstly, If you want to use the same public IPs on both connections it won't work unless you are running BGP and advertise 216.150.150/24 and 216.140.140.2/27.
You have these two NAT statements:
ip nat inside source route-map Primary interface GigabitEthernet0/1 overload
ip nat inside source route-map Secondary interface GigabitEthernet0/1 overload
How do you think the router knows which to use based on which ISP is up? For one, the "overload" keyword is always going to use the primary IP to the best of my knowledge.
Both of your route-maps reference ACL 100 and only one of them will ever be used regardless of which ISP connection is up. Based on the order of the config file you will always be setting the next hop to 216.150.150.254.
You can't do this:
ip nat inside source static 10.0.0.52 216.140.140.4 route-map Primary
AND
this further down: ip nat inside source static 10.0.0.52 216.150.150.6 route-map secondary
Your router will always choose the first NAT statement. How do you think it will know when to NAT to 216.140.140.4 or 216.150.150.6? Route tracking doesn't manage NAT too.
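A quick way to catch the three defects the replies above identify (the case-mismatched route-map names, the mistyped floating-route next hop, and two NAT route-maps whose match clauses cannot tell the ISPs apart) is to lint the configuration text before pasting it into the router. The script below is an added example written for this page, not code from the thread or from Cisco; CONFIG is a constructed excerpt of the first post's configuration, and the parser only understands the statement forms that excerpt contains.

```python
import ipaddress
import re

# Constructed excerpt of the configuration from the first post: only the lines the
# replies pointed at (route-map names, the NAT statements and the two default routes).
CONFIG = """\
interface GigabitEthernet0/1
 ip address 216.150.150.4 255.255.255.0 secondary
 ip address 216.140.140.2 255.255.255.224
 ip nat outside
!
ip nat inside source route-map Primary interface GigabitEthernet0/1 overload
ip nat inside source route-map Secondary interface GigabitEthernet0/1 overload
ip nat inside source static 10.0.0.52 216.140.140.4 route-map Primary
ip nat inside source static 10.0.0.59 216.150.150.5 route-map secondary
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
route-map secondary permit 10
 match ip address 100
 set ip next-hop 216.150.150.254
!
route-map primary permit 10
 match ip address 100
 set ip next-hop 216.140.140.1
ip route 0.0.0.0 0.0.0.0 216.140.140.1 track 1
ip route 0.0.0.0 0.0.0.0 216.150.50.254 10
"""


def parse(config):
    """Collect what the checks need: defined route-maps with their match clauses,
    route-map names referenced by NAT/PBR statements, connected subnets, static next hops."""
    defined, referenced, subnets, next_hops = {}, set(), [], []
    current = None  # route-map block we are inside, if any
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"route-map (\S+) (?:permit|deny) \d+$", line):
            current = m.group(1)
            defined.setdefault(current, set())
            continue
        if raw.startswith(" ") and current is not None:
            if line.startswith("match "):
                defined[current].add(line)
            continue
        current = None  # any unindented line ends the route-map block
        if line.startswith(("ip nat ", "ip policy ")) and (m := re.search(r"route-map (\S+)", line)):
            referenced.add(m.group(1))
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            subnets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif m := re.match(r"ip route \S+ \S+ (\d+(?:\.\d+){3})", line):
            next_hops.append(ipaddress.ip_address(m.group(1)))
    return defined, referenced, subnets, next_hops


def unresolved_route_maps(defined, referenced):
    """Referenced names with no route-map of exactly that spelling (IOS names are case-sensitive);
    the value lists any definition that differs only in case, which is the usual typo."""
    return {name: sorted(d for d in defined if d.lower() == name.lower())
            for name in sorted(referenced) if name not in defined}


def unreachable_next_hops(subnets, next_hops):
    """Static-route next hops that lie outside every connected subnet and so never resolve."""
    return [str(h) for h in next_hops if not any(h in s for s in subnets)]


def indistinguishable_nat_route_maps(defined):
    """Pairs of route-maps with identical match clauses and no 'match ip next-hop':
    NAT evaluates them in config order, so the first always wins whichever ISP is up."""
    names = sorted(n for n, clauses in defined.items()
                   if not any(c.startswith("match ip next-hop") for c in clauses))
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if defined[a] == defined[b]]


def lint(config):
    defined, referenced, subnets, next_hops = parse(config)
    return {
        "unresolved_route_maps": unresolved_route_maps(defined, referenced),
        "unreachable_next_hops": unreachable_next_hops(subnets, next_hops),
        "indistinguishable_nat_route_maps": indistinguishable_nat_route_maps(defined),
    }


if __name__ == "__main__":
    for check, findings in lint(CONFIG).items():
        print(f"{check}: {findings or 'ok'}")
```

Run against the excerpt it reports Primary/Secondary as unresolved (with primary/secondary as the case-only look-alikes), 216.150.50.254 as a next hop outside both connected subnets, and primary/secondary as a pair of NAT route-maps that match identically; renaming the references and fixing the next hop clears the first two findings, while the third only goes away once the route-maps match on the next hop as the later configs in this thread do.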
Monkerz Member Posts: 842
I just labbed this up on my gear. The below config, though from an older version of IOS than you are running, will work for your dynamic NATing issue. My fiancee just called me for dinner, but I will look into the static NATing issue when I get back (might be in the morning).
I apologize for the complexity; you will need to change my SLA and TRACK commands to your syntax:
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
 type echo protocol ipIcmpEcho 216.140.140.1 source-ipaddr 216.140.140.2
 timeout 1000
 threshold 2
 frequency 3
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho 216.150.150.254 source-ipaddr 216.150.150.4
 timeout 1000
 threshold 2
 frequency 3
ip sla monitor schedule 2 life forever start-time now
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
interface FastEthernet0/0
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map PRIVATE-INGRESS
 duplex auto
 speed auto
 no keepalive
!
interface FastEthernet0/1
 ip address 216.150.150.4 255.255.255.0 secondary
 ip address 216.140.140.2 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 216.140.140.1 track 1
ip route 0.0.0.0 0.0.0.0 216.150.150.254 10
!
no ip http server
no ip http secure-server
ip nat pool PRIMARY-POOL 216.140.140.2 216.140.140.2 prefix-length 27
ip nat pool SECONDARY-POOL 216.150.150.4 216.150.150.4 prefix-length 24
ip nat inside source route-map PRIMARY-NAT pool PRIMARY-POOL overload
ip nat inside source route-map SECONDARY-NAT pool SECONDARY-POOL overload
!
ip access-list standard PRIMARY-NEXT-HOP
 permit 216.140.140.1
ip access-list standard SECONDARY-NEXT-HOP
 permit 216.150.150.254
ip access-list standard TO-BE-NATTED
 deny 10.0.0.24
 deny 10.0.0.25
 deny 10.0.0.30
 deny 10.0.0.16
 deny 10.0.0.22
 deny 10.0.0.23
 deny 10.0.0.21
 deny 10.0.0.44
 deny 10.0.0.58
 deny 10.0.0.59
 deny 10.0.0.61
 deny 10.0.0.54
 deny 10.0.0.52
 deny 10.0.0.53
 deny 10.0.0.216
 deny 10.0.0.220
 deny 10.0.0.230
 deny 10.0.0.228
 deny 10.0.0.251
 permit 10.0.0.0 0.255.255.255
!
route-map SECONDARY-NAT permit 10
 match ip address TO-BE-NATTED
 match ip next-hop SECONDARY-NEXT-HOP
!
route-map SECONDARY-NAT deny 20
!
route-map PRIVATE-INGRESS permit 10
 match ip address TO-BE-NATTED
 set ip next-hop verify-availability 216.140.140.1 10 track 1
 set ip next-hop verify-availability 216.150.150.254 20 track 2
!
route-map PRIVATE-INGRESS permit 11
!
route-map PRIMARY-NAT permit 10
 match ip address TO-BE-NATTED
 match ip next-hop PRIMARY-NEXT-HOP
!
route-map PRIMARY-NAT deny 20
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end
-
wave Member Posts: 342
Monkerz wrote: » I just labbed this up on my gear. The below config, though from an older version of IOS than you are running, will work for your dynamic NATing issue.
Good work, yes it's possible for dynamic NAT but not for static NAT unless you:
A. Have a different public IP per connection for the servers
Or
B. Are allowed to advertise the subnet through both ISPs...which requires an agreement with them
Monkerz Member Posts: 842
This config should work for both your dynamic and static NATing needs. I have tested it in my lab with success in all aspects I could think to test.
Make sure you change the TRACK, SLA and INTERFACE syntax to work for your needs.
p.s. Wave, are you speaking from experience?
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
 type echo protocol ipIcmpEcho 216.140.140.1 source-ipaddr 216.140.140.2
 timeout 1000
 threshold 2
 frequency 3
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho 216.150.150.254 source-ipaddr 216.150.150.4
 timeout 1000
 threshold 2
 frequency 3
ip sla monitor schedule 2 life forever start-time now
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
interface FastEthernet0/0
 ip address 10.0.0.53 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map PRIVATE-INGRESS
 duplex auto
 speed auto
 no keepalive
!
interface FastEthernet0/1
 ip address 216.150.150.4 255.255.255.0 secondary
 ip address 216.140.140.2 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 216.140.140.1 track 1
ip route 0.0.0.0 0.0.0.0 216.150.150.254 10
!
no ip http server
no ip http secure-server
ip nat pool PRIMARY-POOL 216.140.140.2 216.140.140.2 prefix-length 27
ip nat pool SECONDARY-POOL 216.150.150.4 216.150.150.4 prefix-length 24
ip nat inside source route-map PRIMARY-NAT pool PRIMARY-POOL overload
ip nat inside source route-map SECONDARY-NAT pool SECONDARY-POOL overload
ip nat inside source static 10.0.0.52 216.140.140.4 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.53 216.140.140.5 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.59 216.140.140.6 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.61 216.140.140.7 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.228 216.140.140.8 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.16 216.140.140.11 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.30 216.140.140.12 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.251 216.140.140.13 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.44 216.140.140.15 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.54 216.140.140.16 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.23 216.140.140.17 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.58 216.140.140.18 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.230 216.140.140.19 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.216 216.140.140.21 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.220 216.140.140.22 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.33 216.140.140.25 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.21 216.140.140.26 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.22 216.140.140.27 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.24 216.140.140.28 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.25 216.140.140.29 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.59 216.150.150.5 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.52 216.150.150.6 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.53 216.150.150.7 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.16 216.150.150.8 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.58 216.150.150.9 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.61 216.150.150.11 route-map STATIC-NAT-SECONDARY
!
ip access-list standard PRIMARY-NEXT-HOP
 permit 216.140.140.1
ip access-list standard SECONDARY-NEXT-HOP
 permit 216.150.150.254
ip access-list standard TO-BE-NATTED
 deny 10.0.0.24
 deny 10.0.0.25
 deny 10.0.0.30
 deny 10.0.0.16
 deny 10.0.0.22
 deny 10.0.0.23
 deny 10.0.0.21
 deny 10.0.0.44
 deny 10.0.0.58
 deny 10.0.0.59
 deny 10.0.0.61
 deny 10.0.0.54
 deny 10.0.0.52
 deny 10.0.0.53
 deny 10.0.0.216
 deny 10.0.0.220
 deny 10.0.0.230
 deny 10.0.0.228
 deny 10.0.0.251
 permit 10.0.0.0 0.255.255.255
!
route-map STATIC-NAT-PRIMARY permit 10
 match ip next-hop PRIMARY-NEXT-HOP
!
route-map STATIC-NAT-PRIMARY deny 20
!
route-map STATIC-NAT-SECONDARY permit 10
 match ip next-hop SECONDARY-NEXT-HOP
!
route-map STATIC-NAT-SECONDARY deny 20
!
route-map SECONDARY-NAT permit 10
 match ip address TO-BE-NATTED
 match ip next-hop SECONDARY-NEXT-HOP
!
route-map SECONDARY-NAT deny 20
!
route-map PRIVATE-INGRESS permit 10
 match ip address TO-BE-NATTED
 set ip next-hop verify-availability 216.140.140.1 10 track 1
 set ip next-hop verify-availability 216.150.150.254 20 track 2
!
route-map PRIVATE-INGRESS permit 11
!
route-map PRIMARY-NAT permit 10
 match ip address TO-BE-NATTED
 match ip next-hop PRIMARY-NEXT-HOP
!
route-map PRIMARY-NAT deny 20
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end
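To see why the design above fails over, and where it still has a gap, here is an added example (Python, not IOS, and not code from the thread) that models the decision the router makes for an outbound packet: PRIVATE-INGRESS picks the next hop from the track objects, the STATIC-NAT-* and *-NAT route-maps then match on that next hop, and a static translation takes precedence over the pools. The address tables are a constructed sample of the entries in the config. Note that in the posted config only six of the twenty servers with a STATIC-NAT-PRIMARY entry have a STATIC-NAT-SECONDARY counterpart: a primary-only server that is also denied in TO-BE-NATTED (10.0.0.228 here) matches nothing on the secondary path, while a primary-only server that is not denied (10.0.0.33) silently drops to the SECONDARY-POOL address.

```python
# Constructed model of the route-map logic in the configuration above (Python, not IOS).
PRIMARY_HOP, SECONDARY_HOP = "216.140.140.1", "216.150.150.254"

# Sample of: ip nat inside source static ... route-map STATIC-NAT-PRIMARY / STATIC-NAT-SECONDARY
STATIC_PRIMARY = {"10.0.0.52": "216.140.140.4", "10.0.0.59": "216.140.140.6",
                  "10.0.0.228": "216.140.140.8", "10.0.0.33": "216.140.140.25"}
STATIC_SECONDARY = {"10.0.0.52": "216.150.150.6", "10.0.0.59": "216.150.150.5"}
# ip nat pool PRIMARY-POOL / SECONDARY-POOL, chosen by PRIMARY-NAT / SECONDARY-NAT on next hop
POOL_BY_HOP = {PRIMARY_HOP: "216.140.140.2", SECONDARY_HOP: "216.150.150.4"}
# 'deny' entries of ip access-list standard TO-BE-NATTED (10.0.0.33 is absent from that list)
DENIED_FROM_DYNAMIC = {"10.0.0.52", "10.0.0.59", "10.0.0.228"}


def pbr_next_hop(tracks):
    """route-map PRIVATE-INGRESS seq 10: first verify-availability hop whose track object is up."""
    for hop, track_id in ((PRIMARY_HOP, 1), (SECONDARY_HOP, 2)):
        if tracks.get(track_id):
            return hop
    return None  # both down: fall through to the routing table


def rib_next_hop(tracks):
    """ip route 0.0.0.0 0.0.0.0 216.140.140.1 track 1, floating static to 216.150.150.254 otherwise."""
    return PRIMARY_HOP if tracks.get(1) else SECONDARY_HOP


def translate(src, tracks):
    """Return (next_hop, translated_source) for a packet from src; None means it leaves untranslated."""
    pbr_applies = src not in DENIED_FROM_DYNAMIC  # PRIVATE-INGRESS seq 10 matches TO-BE-NATTED only
    hop = (pbr_next_hop(tracks) if pbr_applies else None) or rib_next_hop(tracks)
    statics = STATIC_PRIMARY if hop == PRIMARY_HOP else STATIC_SECONDARY
    if src in statics:
        return hop, statics[src]  # match ip next-hop PRIMARY-/SECONDARY-NEXT-HOP succeeded
    if pbr_applies:
        return hop, POOL_BY_HOP[hop]  # PRIMARY-NAT / SECONDARY-NAT overload onto the pool
    return hop, None  # excluded from dynamic NAT and no static entry for this path


def failover_gaps(hosts):
    """Hosts that lose their translation when only the secondary ISP is reachable."""
    return sorted(h for h in hosts if translate(h, {1: False, 2: True})[1] is None)


if __name__ == "__main__":
    for state, label in (({1: True, 2: True}, "primary up"), ({1: False, 2: True}, "primary down")):
        for host in ("10.0.0.59", "10.0.0.33", "10.0.0.228", "10.0.0.100"):
            print(f"{label:12} {host:12} -> {translate(host, state)}")
    print("no translation on failover:", failover_gaps(STATIC_PRIMARY))
```

The practical check this suggests is to diff the inside addresses of the STATIC-NAT-PRIMARY and STATIC-NAT-SECONDARY lists against the TO-BE-NATTED denies before declaring the failover tested: every server that must stay reachable on the secondary ISP needs an entry on both lists, and a host on neither list but denied from the pools leaves the router with its 10.0.0.x source intact.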
-
wave Member Posts: 342
Monkerz wrote: » This config should work for both your dynamic and static NATing needs. I have tested it in my lab with success in all aspects I could think to test. Make sure you change the TRACK, SLA and INTERFACE syntax to work for your needs. p.s. Wave, are you speaking from experience?
Monkerz, I like your solution. But I thought the OP was trying to use the same public IPs on both internet connections (which would require BGP).
This made me think he wanted to use the SAME addresses:
ahmedahmed wrote: » Since we have servers that have to have specific IP both when accessed and when accessing the internet
His initial statement and config conflict here. If he needs to use the same public IPs on both connections he would need to use BGP, and yes, I'm speaking from experience. Different public IPs, not an issue, but using the same ones on different connections is another story.
ahmedahmed Member Posts: 41
Thanks Monkerz and Wave for your much needed help. On top of this, I would want to open only ports 20, 21, 25, 53, 80, 110, 143, 443 and 3389 on most of my servers from outside; could you guys give me some idea on how I would have to set up the ACL for that?
-
wave Member Posts: 342
ahmedahmed wrote: » Thanks Monkerz and Wave for your much needed help. On top of this, I would want to open only ports 20, 21, 25, 53, 80, 110, 143, 443 and 3389 on most of my servers from outside; could you guys give me some idea on how I would have to set up the ACL for that?
ahmedahmed, can you confirm if you need to be able to use the SAME IP addresses for your servers on BOTH connections, e.g. do you need 10.0.0.59 to be accessible via 216.140.140.6 when the primary connection goes down? Or are you okay with it being accessed via 216.150.150.5 when the primary goes down?
ahmedahmed Member Posts: 41
My requirement is that the server 10.0.0.59 uses 216.140.140.6 as primary (all the time),
but in case the primary ISP goes down I want it to be accessible with the 216.150.150.5 address.
So yes, I am OK to access it with 216.150.150.5.
Also, please can you guide me with the scenario I would require for enabling only certain ports to be open for outside users? -
Monkerz Member Posts: 842
wave wrote: » Monkerz, I like your solution. But I thought the OP was trying to use the same public IPs on both internet connections (which would require BGP).
I didn't even catch that, good work. I was working with the idea of active/hot-standby connections using different IP schemes.
ahmedahmed wrote: » Thanks Monkerz and Wave for your much needed help. On top of this, I would want to open only ports 20, 21, 25, 53, 80, 110, 143, 443 and 3389 on most of my servers from outside; could you guys give me some idea on how I would have to set up the ACL for that?
After you've created an ACL, post it here and we can check it for you. -
ahmedahmed Member Posts: 41
I applied the configuration as you gave me, with a little tweaking to suit my router.
ip sla 1
icmp-echo 216.140.140.1 source-ip 216.140.140.2
timeout 1000
threshold 2
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 216.150.150.254 source-ip 216.150.150.4
timeout 1000
threshold 2
frequency 3
ip sla schedule 2 life forever start-time now
!
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
!
interface gi0/0
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map PRIVATE-INGRESS
duplex auto
speed auto
no keepalive
!
interface gi0/1
ip address 216.150.150.4 255.255.255.0 secondary
ip address 216.140.140.2 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 216.140.140.1 track 1
ip route 0.0.0.0 0.0.0.0 216.150.150.254 10
!
!
ip nat pool PRIMARY-POOL 216.140.140.2 216.140.140.2 prefix-length 27
ip nat pool SECONDARY-POOL 216.150.150.4 216.150.150.4 prefix-length 24
ip nat inside source route-map PRIMARY-NAT pool PRIMARY-POOL overload
ip nat inside source route-map SECONDARY-NAT pool SECONDARY-POOL overload
ip nat inside source static 10.0.0.52 216.140.140.4 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.53 216.140.140.5 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.59 216.140.140.6 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.61 216.140.140.7 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.228 216.140.140.8 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.16 216.140.140.11 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.30 216.140.140.12 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.251 216.140.140.13 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.44 216.140.140.15 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.54 216.140.140.16 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.23 216.140.140.17 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.58 216.140.140.18 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.230 216.140.140.19 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.216 216.140.140.21 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.220 216.140.140.22 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.33 216.140.140.25 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.21 216.140.140.26 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.22 216.140.140.27 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.24 216.140.140.28 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.25 216.140.140.29 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.59 216.150.150.5 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.52 216.150.150.6 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.53 216.150.150.7 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.16 216.150.150.8 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.58 216.150.150.9 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.61 216.150.150.11 route-map STATIC-NAT-SECONDARY
!
ip access-list standard PRIMARY-NEXT-HOP
permit 216.140.140.1
ip access-list standard SECONDARY-NEXT-HOP
permit 216.150.150.254
ip access-list standard TO-BE-NATTED
deny 10.0.0.24
deny 10.0.0.25
deny 10.0.0.30
deny 10.0.0.16
deny 10.0.0.22
deny 10.0.0.23
deny 10.0.0.21
deny 10.0.0.44
deny 10.0.0.58
deny 10.0.0.59
deny 10.0.0.61
deny 10.0.0.54
deny 10.0.0.52
deny 10.0.0.53
deny 10.0.0.216
deny 10.0.0.220
deny 10.0.0.230
deny 10.0.0.228
deny 10.0.0.251
permit 10.0.0.0 0.255.255.255
!
!
route-map STATIC-NAT-PRIMARY permit 10
match ip next-hop PRIMARY-NEXT-HOP
!
route-map STATIC-NAT-PRIMARY deny 20
!
route-map STATIC-NAT-SECONDARY permit 10
match ip next-hop SECONDARY-NEXT-HOP
!
route-map STATIC-NAT-SECONDARY deny 20
!
route-map SECONDARY-NAT permit 10
match ip address TO-BE-NATTED
match ip next-hop SECONDARY-NEXT-HOP
!
route-map SECONDARY-NAT deny 20
!
route-map PRIVATE-INGRESS permit 10
match ip address TO-BE-NATTED
set ip next-hop verify-availability 216.140.140.1 10 track 1
set ip next-hop verify-availability 216.150.150.254 20 track 2
!
route-map PRIVATE-INGRESS permit 11
!
route-map PRIMARY-NAT permit 10
match ip address TO-BE-NATTED
match ip next-hop PRIMARY-NEXT-HOP
!
route-map PRIMARY-NAT deny 20
Now I want to use CCP to set up an advanced firewall, but I also want to give my users access to the servers through ports 20, 21, 25, 53, 80, 110, 143, 443 and 3389. Hence I need to open ports 20, 21, 25, 53, 80, 110, 143, 443 and 3389 for users to be able to access resources through the firewall from the server resources. Firstly, I am not sure if this is right or if there is a better way to go, such that the firewall does not block these ports when I apply it.
Also, I am not sure if the destination IP should be my servers' private IP or the public IP, because if it is the public IP it means I will have a much bigger ACL.
Please let me know whether this is right or there is a better way to do this.
I created an access list 101 as follows:
access-list 101 permit tcp any host 10.0.0.50 eq www
access-list 101 permit tcp any host 10.0.0.50 range 20 21
access-list 101 permit tcp any host 10.0.0.50 eq 25
access-list 101 permit tcp any host 10.0.0.50 eq 53
access-list 101 permit tcp any host 10.0.0.50 eq 110
access-list 101 permit tcp any host 10.0.0.50 eq 143
access-list 101 permit tcp any host 10.0.0.50 eq 443
access-list 101 permit tcp any host 10.0.0.50 eq 3389
access-list 101 permit tcp any host 10.0.0.52 eq www
access-list 101 permit tcp any host 10.0.0.52 range 20 21
access-list 101 permit tcp any host 10.0.0.52 eq 25
access-list 101 permit tcp any host 10.0.0.52 eq 53
access-list 101 permit udp any host 10.0.0.52 eq 53
access-list 101 permit tcp any host 10.0.0.52 eq 110
access-list 101 permit tcp any host 10.0.0.52 eq 143
access-list 101 permit tcp any host 10.0.0.52 eq 443
access-list 101 permit tcp any host 10.0.0.52 eq 3389
access-list 101 permit tcp any host 10.0.0.23 eq www
access-list 101 permit tcp any host 10.0.0.23 range 20 21
access-list 101 permit tcp any host 10.0.0.23 eq 25
access-list 101 permit tcp any host 10.0.0.23 eq 53
access-list 101 permit udp any host 10.0.0.23 eq 53
access-list 101 permit tcp any host 10.0.0.23 eq 110
access-list 101 permit tcp any host 10.0.0.23 eq 143
access-list 101 permit tcp any host 10.0.0.23 eq 443
access-list 101 permit tcp any host 10.0.0.23 eq 3389
access-list 101 permit tcp any host 10.0.0.23 eq 8080
access-list 101 permit tcp any host 10.0.0.59 eq www
access-list 101 permit tcp any host 10.0.0.59 range 20 21
access-list 101 permit tcp any host 10.0.0.59 eq 25
access-list 101 permit tcp any host 10.0.0.59 eq 53
access-list 101 permit udp any host 10.0.0.59 eq 53
access-list 101 permit tcp any host 10.0.0.59 eq 110
access-list 101 permit tcp any host 10.0.0.59 eq 143
access-list 101 permit tcp any host 10.0.0.59 eq 443
access-list 101 permit tcp any host 10.0.0.59 eq 3389
access-list 101 permit tcp any host 10.0.0.61 eq www
access-list 101 permit tcp any host 10.0.0.61 range 20 21
access-list 101 permit tcp any host 10.0.0.61 eq 25
access-list 101 permit tcp any host 10.0.0.61 eq 53
access-list 101 permit udp any host 10.0.0.61 eq 53
access-list 101 permit tcp any host 10.0.0.61 eq 110
access-list 101 permit tcp any host 10.0.0.61 eq 143
access-list 101 permit tcp any host 10.0.0.61 eq 443
access-list 101 permit tcp any host 10.0.0.61 eq 3389
access-list 101 permit tcp any host 10.0.0.228 eq www
access-list 101 permit tcp any host 10.0.0.228 range 20 21
access-list 101 permit tcp any host 10.0.0.228 eq 25
access-list 101 permit tcp any host 10.0.0.228 eq 53
access-list 101 permit udp any host 10.0.0.228 eq 53
access-list 101 permit tcp any host 10.0.0.228 eq 110
access-list 101 permit tcp any host 10.0.0.228 eq 143
access-list 101 permit tcp any host 10.0.0.228 eq 443
access-list 101 permit tcp any host 10.0.0.228 eq 3389
access-list 101 permit tcp any host 10.0.0.58 eq 3389
access-list 101 permit tcp any host 10.0.0.33 eq 3389
access-list 101 permit tcp any host 10.0.0.25 eq 3389
access-list 101 permit tcp any host 10.0.0.44 eq 3389
access-list 101 permit tcp any host 10.0.0.251 eq 3389
access-list 101 permit tcp any host 10.0.0.21 eq 3389
access-list 101 permit tcp any host 10.0.0.22 eq 3389
access-list 101 permit tcp any host 10.0.0.24 eq 3389
access-list 101 permit tcp any host 10.0.0.16 eq 80
access-list 101 permit tcp any host 10.0.0.30 eq www
access-list 101 permit tcp any host 10.0.0.30 eq 3389
access-list 101 permit tcp any host 10.0.0.230 eq 3389
interface gi0/1
ip access-group 101 in
Monkerz Member Posts: 842
Since an inbound ACL is referenced before NAT, you would need to use the "Public" addressing in your ACL. You could use private addressing if you place the ACL out on Gi0/0, but I would not want to route traffic that is just going to be dropped.
Also, you need to permit all other traffic (not just server traffic)...
Monkerz Member Posts: 842
Oh and also, if you want to shorten up the ACL substantially...look into using an object group based ACL.
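Monkerz's object-group suggestion written out as an added example, not code from the thread: the group and ACL names are my own, the public addresses are static-NAT addresses already in the configuration above, and the echo-reply lines assume the IP SLA probes to the two next hops stay in place.

```cisco
! Added example, not from the thread. Group and ACL names are my own choice;
! the public addresses are the static-NAT addresses configured earlier.
object-group network SERVERS-PRIMARY
 description Published servers, static-NAT addresses in the primary ISP block
 host 216.140.140.4
 host 216.140.140.6
 host 216.140.140.7
 host 216.140.140.8
 host 216.140.140.17
!
object-group network SERVERS-SECONDARY
 description The same servers where a static NAT exists in the secondary ISP block
 host 216.150.150.5
 host 216.150.150.6
 host 216.150.150.11
!
object-group service SERVER-PORTS
 description Services exposed to the Internet: one list instead of nine lines per host
 tcp range 20 21
 tcp eq 25
 tcp eq 53
 udp eq 53
 tcp eq 80
 tcp eq 110
 tcp eq 143
 tcp eq 443
 tcp eq 3389
!
ip access-list extended OUTSIDE-IN
 remark The inbound ACL runs before NAT, so it matches the PUBLIC addresses
 permit object-group SERVER-PORTS any object-group SERVERS-PRIMARY
 permit object-group SERVER-PORTS any object-group SERVERS-SECONDARY
 remark A per-host exception stays a single line
 permit tcp any host 216.140.140.17 eq 8080
 remark Replies to TCP sessions the inside users opened (stateless check only)
 permit tcp any any established
 remark Echo replies for the IP SLA probes; without these the probes time out and both tracks go down
 permit icmp host 216.140.140.1 host 216.140.140.2 echo-reply
 permit icmp host 216.150.150.254 host 216.150.150.4 echo-reply
 remark Everything else is dropped and logged
 deny ip any any log
!
interface GigabitEthernet0/1
 ip access-group OUTSIDE-IN in
```

The established line only covers TCP replies; UDP replies, such as the answers to lookups forwarded by the internal DNS server, need either a reflexive ACL or the zone-based inspection that CCP generates, which is why an interface ACL and the ZBFW zone-pair policy are not normally combined.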
ahmedahmed Member Posts: 41 ■■□□□□□□□□
Can you give me an idea of what you mean by all other traffic and how to go about it?
Because what I intend to do now is that, since my failover is working, I want to use Cisco CCP to configure an advanced firewall, but when I apply the firewall it has an option that says "do you want to modify the firewall so that it does not affect the current NAT configuration", and if I click yes it creates a set of ACLs that completely open the NAT, which I don't want since I want to restrict the outside users to have access to only certain features like FTP, RDP, email etc.
But if I click "do not modify" NAT it completely blocks the whole NAT, so I am a bit confused on what to do.
Below is the configuration that CCP puts in when I allow it to modify the firewall to allow NAT.
Configuration commands for the router: 10.0.0.254
saved on 3-Dec-2012 3:37:02 PM
access-list 119 remark CCP_ACL Category=0
access-list 119 permit ip any host 10.0.0.24
access-list 109 remark CCP_ACL Category=0
access-list 109 permit ip any host 10.0.0.44
access-list 118 remark CCP_ACL Category=0
access-list 118 permit ip any host 10.0.0.22
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip any host 10.0.0.251
access-list 117 remark CCP_ACL Category=0
access-list 117 permit ip any host 10.0.0.21
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip any host 10.0.0.30
access-list 116 remark CCP_ACL Category=0
access-list 116 permit ip any host 10.0.0.33
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 10.0.0.16
access-list 115 remark CCP_ACL Category=0
access-list 115 permit ip any host 10.0.0.220
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 10.0.0.228
access-list 114 remark CCP_ACL Category=0
access-list 114 permit ip any host 10.0.0.216
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 10.0.0.61
access-list 113 remark CCP_ACL Category=0
access-list 113 permit ip any host 10.0.0.230
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 10.0.0.59
access-list 112 remark CCP_ACL Category=0
access-list 112 permit ip any host 10.0.0.58
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 10.0.0.53
access-list 111 remark CCP_ACL Category=0
access-list 111 permit ip any host 10.0.0.23
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.0.0.52
access-list 120 remark CCP_ACL Category=0
access-list 120 permit ip any host 10.0.0.25
access-list 110 remark CCP_ACL Category=0
access-list 110 permit ip any host 10.0.0.54
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 216.140.140.0 0.0.0.31 any
ip name-server 10.0.0.1
parameter-map type regex ccp-regex-nonascii
pattern "[^\x00-\x80]"
exit
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
exit
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
exit
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
exit
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
exit
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
exit
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling
match req-resp protocol-violation
exit
class-map type inspect match-all ccp-protocol-smtp
match protocol smtp
exit
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
exit
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
exit
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
exit
class-map type inspect match-all ccp-protocol-imap
match protocol imap
exit
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
exit
class-map type inspect match-all sdm-nat--20
match access-group 120
exit
class-map type inspect match-any ccp-h323-inspect
match protocol h323
exit
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
exit
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
exit
class-map type inspect match-all sdm-nat--9
match access-group 109
exit
class-map type inspect match-all sdm-nat--8
match access-group 108
exit
class-map type inspect match-all sdm-nat--7
match access-group 107
exit
class-map type inspect match-all sdm-nat--6
match access-group 106
exit
class-map type inspect match-all sdm-nat--5
match access-group 105
exit
class-map type inspect match-all sdm-nat--4
match access-group 104
exit
class-map type inspect match-all sdm-nat--3
match access-group 103
exit
class-map type inspect match-all sdm-nat--2
match access-group 102
exit
class-map type inspect match-all sdm-nat--1
match access-group 101
exit
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
exit
class-map type inspect http match-any ccp-app-nonascii
match req-resp header regex ccp-regex-nonascii
exit
class-map type inspect match-all sdm-nat--19
match access-group 119
exit
class-map type inspect match-all sdm-nat--18
match access-group 118
exit
class-map type inspect match-all sdm-nat--17
match access-group 117
exit
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method post
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
exit
class-map type inspect match-all sdm-nat--16
match access-group 116
exit
class-map type inspect match-all sdm-nat--15
match access-group 115
exit
class-map type inspect match-all sdm-nat--14
match access-group 114
exit
class-map type inspect match-all sdm-nat--13
match access-group 113
exit
class-map type inspect match-all sdm-nat--12
match access-group 112
exit
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
exit
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
exit
class-map type inspect match-all sdm-nat--11
match access-group 111
exit
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
exit
class-map type inspect match-all sdm-nat--10
match access-group 110
exit
class-map type inspect match-any ccp-sip-inspect
match protocol sip
exit
class-map type inspect match-all ccp-invalid-src
match access-group 100
exit
class-map type inspect smtp match-any ccp-app-smtp
match data-length gt 5000000
exit
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
exit
class-map type inspect imap match-any ccp-app-imap
match invalid-command
exit
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
exit
class-map type inspect match-all ccp-protocol-http
match protocol http
exit
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
exit
class type inspect http ccp-app-httpmethods
log
reset
exit
class type inspect http ccp-app-nonascii
log
reset
exit
exit
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
reset
exit
exit
policy-map type inspect smtp ccp-action-smtp
class type inspect smtp ccp-app-smtp
reset
exit
exit
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
reset
exit
exit
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat--1
no drop
inspect
exit
class type inspect sdm-nat--2
no drop
inspect
exit
class type inspect sdm-nat--3
no drop
inspect
exit
class type inspect sdm-nat--4
no drop
inspect
exit
class type inspect sdm-nat--5
no drop
inspect
exit
class type inspect sdm-nat--6
no drop
inspect
exit
class type inspect sdm-nat--7
no drop
inspect
exit
class type inspect sdm-nat--8
no drop
inspect
exit
class type inspect sdm-nat--9
no drop
inspect
exit
class type inspect sdm-nat--10
no drop
inspect
exit
class type inspect sdm-nat--11
no drop
inspect
exit
class type inspect sdm-nat--12
no drop
inspect
exit
class type inspect sdm-nat--13
no drop
inspect
exit
class type inspect sdm-nat--14
no drop
inspect
exit
class type inspect sdm-nat--15
no drop
inspect
exit
class type inspect sdm-nat--16
no drop
inspect
exit
class type inspect sdm-nat--17
no drop
inspect
exit
class type inspect sdm-nat--18
no drop
inspect
exit
class type inspect sdm-nat--19
no drop
inspect
exit
class type inspect sdm-nat--20
no drop
inspect
exit
exit
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
exit
class type inspect ccp-protocol-http
no drop
inspect
service-policy http ccp-action-app-http
exit
class type inspect ccp-protocol-smtp
no drop
inspect
service-policy smtp ccp-action-smtp
exit
class type inspect ccp-protocol-imap
no drop
inspect
service-policy imap ccp-action-imap
exit
class type inspect ccp-protocol-pop3
no drop
inspect
service-policy pop3 ccp-action-pop3
exit
class type inspect ccp-protocol-p2p
drop log
exit
class type inspect ccp-protocol-im
drop log
exit
class type inspect ccp-insp-traffic
no drop
inspect
exit
class type inspect ccp-sip-inspect
no drop
inspect
exit
class type inspect ccp-h323-inspect
no drop
inspect
exit
class type inspect ccp-h323annexe-inspect
no drop
inspect
exit
class type inspect ccp-h225ras-inspect
no drop
inspect
exit
class type inspect ccp-h323nxg-inspect
no drop
inspect
exit
class type inspect ccp-skinny-inspect
no drop
inspect
exit
exit
policy-map type inspect ccp-permit
class class-default
exit
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
no drop
inspect
exit
class class-default
no drop
pass
exit
exit
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
exit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
exit
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
exit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
exit
interface GigabitEthernet0/1
zone-member security out-zone
exit
interface GigabitEthernet0/0
zone-member security in-zone
exit
Thanks
ahmedahmed Member Posts: 41 ■■□□□□□□□□
Hello Monkerz
Secondly, when I tested the configuration yesterday I had one issue, which was that when I failed over to the secondary ISP I could only access the 7 statically NATed addresses, but I want it such that when I fail over to the secondary ISP I can statically get the mapped IPs, while those not mapped statically should go through the dynamic NAT (216.150.150.4). I did a little modification to the route map; please can you also check if this will satisfy my need or if there are any corrections needed.
What I did is to create two ACLs:
ip access-list standard TO-BE-NATTED-PRIMARY
and
ip access-list standard TO-BE-NATTED-SECONDARY
configuration:
ip sla 1
icmp-echo 216.140.140.1 source-ip 216.140.140.2
timeout 1000
threshold 2
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 216.150.150.254 source-ip 216.150.150.4
timeout 1000
threshold 2
frequency 3
ip sla schedule 2 life forever start-time now
!
!
track 1 sla 1 reachability
!
track 2 sla 2 reachability
!
!
interface gi0/0
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map PRIVATE-INGRESS
duplex auto
speed auto
no keepalive
!
interface gi0/1
ip address 216.150.150.4 255.255.255.0 secondary
ip address 216.140.140.2 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 216.140.140.1 track 1
ip route 0.0.0.0 0.0.0.0 216.150.150.254 10
!
!
ip nat pool PRIMARY-POOL 216.140.140.2 216.140.140.2 prefix-length 27
ip nat pool SECONDARY-POOL 216.150.150.4 216.150.150.4 prefix-length 24
ip nat inside source route-map PRIMARY-NAT pool PRIMARY-POOL overload
ip nat inside source route-map SECONDARY-NAT pool SECONDARY-POOL overload
ip nat inside source static 10.0.0.52 216.140.140.4 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.53 216.140.140.5 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.59 216.140.140.6 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.61 216.140.140.7 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.228 216.140.140.8 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.16 216.140.140.11 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.30 216.140.140.12 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.251 216.140.140.13 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.44 216.140.140.15 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.54 216.140.140.16 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.23 216.140.140.17 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.58 216.140.140.18 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.230 216.140.140.19 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.216 216.140.140.21 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.220 216.140.140.22 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.33 216.140.140.25 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.21 216.140.140.26 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.22 216.140.140.27 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.24 216.140.140.28 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.25 216.140.140.29 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.59 216.150.150.5 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.52 216.150.150.6 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.53 216.150.150.7 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.16 216.150.150.8 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.58 216.150.150.9 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.61 216.150.150.11 route-map STATIC-NAT-SECONDARY
ip access-list standard PRIMARY-NEXT-HOP
permit 216.140.140.1
ip access-list standard SECONDARY-NEXT-HOP
permit 216.150.150.254
ip access-list standard TO-BE-NATTED-PRIMARY
deny 10.0.0.24
deny 10.0.0.25
deny 10.0.0.30
deny 10.0.0.16
deny 10.0.0.22
deny 10.0.0.23
deny 10.0.0.21
deny 10.0.0.33
deny 10.0.0.44
deny 10.0.0.58
deny 10.0.0.59
deny 10.0.0.61
deny 10.0.0.54
deny 10.0.0.52
deny 10.0.0.53
deny 10.0.0.216
deny 10.0.0.220
deny 10.0.0.230
deny 10.0.0.228
deny 10.0.0.251
permit 10.0.0.0 0.255.255.255
ip access-list standard TO-BE-NATTED-SECONDARY
deny 10.0.0.59
deny 10.0.0.52
deny 10.0.0.53
deny 10.0.0.16
deny 10.0.0.58
deny 10.0.0.61
permit 10.0.0.0 0.255.255.255
!
!
route-map STATIC-NAT-PRIMARY permit 10
match ip next-hop PRIMARY-NEXT-HOP
!
route-map STATIC-NAT-PRIMARY deny 20
!
route-map STATIC-NAT-SECONDARY permit 10
match ip next-hop SECONDARY-NEXT-HOP
!
route-map STATIC-NAT-SECONDARY deny 20
!
route-map SECONDARY-NAT permit 10
match ip address TO-BE-NATTED-SECONDARY
match ip next-hop SECONDARY-NEXT-HOP
!
route-map SECONDARY-NAT deny 20
!
route-map PRIVATE-INGRESS-PRIMARY permit 10
match ip address TO-BE-NATTED-PRIMARY
set ip next-hop verify-availability 216.140.140.1 10 track 1
!
route-map PRIVATE-INGRESS-PRIMARY permit 11
route-map PRIVATE-INGRESS-SECONDARY permit 10
match ip address TO-BE-NATTED-SECONDARY
set ip next-hop verify-availability 216.150.150.254 20 track 2
!
route-map PRIVATE-INGRESS-SECONDARY permit 11
!
route-map PRIMARY-NAT permit 10
match ip address TO-BE-NATTED-PRIMARY
match ip next-hop PRIMARY-NEXT-HOP
!
route-map PRIMARY-NAT deny 20
Monkerz Member Posts: 842
I am not familiar with CCP, someone else will have to chime in on that.
From what I am understanding, you want your statically NAT'd servers that are currently not getting NAT'd when the primary goes down...to be dynamically NAT'd to your secondary ISP? If that is what you want, try this:
ip sla 1
icmp-echo 216.140.140.1 source-ip 216.140.140.2
timeout 1000
threshold 2
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 216.150.150.254 source-ip 216.150.150.4
timeout 1000
threshold 2
frequency 3
ip sla schedule 2 life forever start-time now
!
!
track 1 sla 1 reachability
!
track 2 sla 2 reachability
!
!
interface gi0/0
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map PRIVATE-INGRESS
duplex auto
speed auto
no keepalive
!
interface gi0/1
ip address 216.150.150.4 255.255.255.0 secondary
ip address 216.140.140.2 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 216.140.140.1 track 1
ip route 0.0.0.0 0.0.0.0 216.150.150.254 10
!
!
ip nat pool PRIMARY-POOL 216.140.140.2 216.140.140.2 prefix-length 27
ip nat pool SECONDARY-POOL 216.150.150.4 216.150.150.4 prefix-length 24
ip nat inside source route-map PRIMARY-NAT pool PRIMARY-POOL overload
ip nat inside source route-map SECONDARY-NAT pool SECONDARY-POOL overload
ip nat inside source static 10.0.0.52 216.140.140.4 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.53 216.140.140.5 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.59 216.140.140.6 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.61 216.140.140.7 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.228 216.140.140.8 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.16 216.140.140.11 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.30 216.140.140.12 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.251 216.140.140.13 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.44 216.140.140.15 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.54 216.140.140.16 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.23 216.140.140.17 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.58 216.140.140.18 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.230 216.140.140.19 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.216 216.140.140.21 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.220 216.140.140.22 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.33 216.140.140.25 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.21 216.140.140.26 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.22 216.140.140.27 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.24 216.140.140.28 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.25 216.140.140.29 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.59 216.150.150.5 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.52 216.150.150.6 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.53 216.150.150.7 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.16 216.150.150.8 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.58 216.150.150.9 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.61 216.150.150.11 route-map STATIC-NAT-SECONDARY
!
ip access-list standard PRIMARY-NEXT-HOP
permit 216.140.140.1
ip access-list standard SECONDARY-NEXT-HOP
permit 216.150.150.254
ip access-list standard DYNAMIC-PRIMARY
deny 10.0.0.24
deny 10.0.0.25
deny 10.0.0.30
deny 10.0.0.16
deny 10.0.0.22
deny 10.0.0.23
deny 10.0.0.21
deny 10.0.0.33
deny 10.0.0.44
deny 10.0.0.58
deny 10.0.0.59
deny 10.0.0.61
deny 10.0.0.54
deny 10.0.0.52
deny 10.0.0.53
deny 10.0.0.216
deny 10.0.0.220
deny 10.0.0.230
deny 10.0.0.228
deny 10.0.0.251
permit 10.0.0.0 0.255.255.255
ip access-list standard DYNAMIC-SECONDARY
deny 10.0.0.59
deny 10.0.0.52
deny 10.0.0.53
deny 10.0.0.16
deny 10.0.0.58
deny 10.0.0.61
permit 10.0.0.0 0.255.255.255
!
!
route-map STATIC-NAT-PRIMARY permit 10
match ip next-hop PRIMARY-NEXT-HOP
!
route-map STATIC-NAT-PRIMARY deny 20
!
route-map STATIC-NAT-SECONDARY permit 10
match ip next-hop SECONDARY-NEXT-HOP
!
route-map STATIC-NAT-SECONDARY deny 20
!
route-map SECONDARY-NAT permit 10
match ip address DYNAMIC-SECONDARY
match ip next-hop SECONDARY-NEXT-HOP
!
route-map SECONDARY-NAT deny 20
!
route-map PRIVATE-INGRESS permit 10
set ip next-hop verify-availability 216.140.140.1 10 track 1
set ip next-hop verify-availability 216.150.150.254 20 track 2
!
route-map PRIVATE-INGRESS permit 11
!
route-map PRIMARY-NAT permit 10
match ip address DYNAMIC-PRIMARY
match ip next-hop PRIMARY-NEXT-HOP
!
route-map PRIMARY-NAT deny 20
ahmedahmed Member Posts: 41 ■■□□□□□□□□
Thanks Monkerz,
I will try this configuration tonight, but please can you advise me on how to go about the ACL, and I did not understand what you meant by "Also, you need permit all other traffic (not just server traffic)..."
Because I want to have an ACL to block remote users from accessing my servers on all other ports except 20, 21, 25, 53, 80, 110, 143, 443 and 3389 as a security measure.
Please, I need your assistance on this one.
ahmedahmed Member Posts: 41 ■■□□□□□□□□
Hello Monkerz,
I just tested the configuration on my router for the primary and secondary ISPs. The primary worked just fine; for the secondary, the dynamic NAT was working as required but the static part only worked for the 10.0.0.16 address. I suspect I might need to reboot the router to properly translate my NAT, or do you have any ideas as to what might be happening?
ahmedahmed Member Posts: 41 ■■□□□□□□□□
Please guys, I have modified my ACL. What I intend to achieve is that all outside users should only be able to use the selected ports, i.e. 3389, 25, 21, 21, 53, 110, 80, to access the server resources, but the servers can be used to have full access to the internet.
Please can you check if my ACL will allow that on my current configuration and if it is OK.
access-list 101 permit tcp any host 216.150.150.6 eq www
access-list 101 permit tcp any host 216.150.150.6 eq 20:21
access-list 101 permit tcp any host 216.150.150.6 eq 25
access-list 101 permit tcp any host 216.150.150.6 eq 53
access-list 101 permit udp any host 216.150.150.6 eq 53
access-list 101 permit tcp any host 216.150.150.6 eq 110
access-list 101 permit tcp any host 216.150.150.6 eq 143
access-list 101 permit tcp any host 216.150.150.6 eq 443
access-list 101 permit tcp any host 216.150.150.6 eq 3389
access-list 101 permit tcp any host 216.140.140.4 eq www
access-list 101 permit tcp any host 216.140.140.4 eq 20:21
access-list 101 permit tcp any host 216.140.140.4 eq 25
access-list 101 permit tcp any host 216.140.140.4 eq 53
access-list 101 permit udp any host 216.140.140.4 eq 53
access-list 101 permit tcp any host 216.140.140.4 eq 110
access-list 101 permit tcp any host 216.140.140.4 eq 143
access-list 101 permit tcp any host 216.140.140.4 eq 443
access-list 101 permit tcp any host 216.140.140.4 eq 3389
access-list 101 permit tcp any host 216.140.140.17 eq www
access-list 101 permit tcp any host 216.140.140.17 eq 20:21
access-list 101 permit tcp any host 216.140.140.17 eq 25
access-list 101 permit tcp any host 216.140.140.17 eq 53
access-list 101 permit udp any host 216.140.140.17 eq 53
access-list 101 permit tcp any host 216.140.140.17 eq 110
access-list 101 permit tcp any host 216.140.140.17 eq 143
access-list 101 permit tcp any host 216.140.140.17 eq 443
access-list 101 permit tcp any host 216.140.140.17 eq 3389
access-list 101 permit tcp any host 216.140.140.17 eq 8080
access-list 101 permit tcp any host 216.140.140.6 eq www
access-list 101 permit tcp any host 216.140.140.6 eq 20:21
access-list 101 permit tcp any host 216.140.140.6 eq 25
access-list 101 permit tcp any host 216.140.140.6 eq 53
access-list 101 permit udp any host 216.140.140.6 eq 53
access-list 101 permit tcp any host 216.140.140.6 eq 110
access-list 101 permit tcp any host 216.140.140.6 eq 143
access-list 101 permit tcp any host 216.140.140.6 eq 443
access-list 101 permit tcp any host 216.140.140.6 eq 3389
access-list 101 permit tcp any host 216.150.150.10 eq www
access-list 101 permit tcp any host 216.150.150.10 range 20 21
access-list 101 permit tcp any host 216.150.150.10 eq 25
access-list 101 permit tcp any host 216.150.150.10 eq 53
access-list 101 permit udp any host 216.150.150.10 eq 53
access-list 101 permit tcp any host 216.150.150.10 eq 110
access-list 101 permit tcp any host 216.150.150.10 eq 143
access-list 101 permit tcp any host 216.150.150.10 eq 443
access-list 101 permit tcp any host 216.150.150.10 eq 3389
access-list 101 permit tcp any host 216.140.140.7 eq www
access-list 101 permit tcp any host 216.140.140.7 range 20 21
access-list 101 permit tcp any host 216.140.140.7 eq 25
access-list 101 permit tcp any host 216.140.140.7 eq 53
access-list 101 permit udp any host 216.140.140.7 eq 53
access-list 101 permit tcp any host 216.140.140.7 eq 110
access-list 101 permit tcp any host 216.140.140.7 eq 143
access-list 101 permit tcp any host 216.140.140.7 eq 443
access-list 101 permit tcp any host 216.140.140.7 eq 3389
access-list 101 permit tcp any host 216.150.150.11 eq www
access-list 101 permit tcp any host 216.150.150.11 range 20 21
access-list 101 permit tcp any host 216.150.150.11 eq 25
access-list 101 permit tcp any host 216.150.150.11 eq 53
access-list 101 permit udp any host 216.150.150.11 eq 53
access-list 101 permit tcp any host 216.150.150.11 eq 110
access-list 101 permit tcp any host 216.150.150.11 eq 143
access-list 101 permit tcp any host 216.150.150.11 eq 443
access-list 101 permit tcp any host 216.150.150.11 eq 3389
access-list 101 permit tcp any host 216.140.140.8 eq www
access-list 101 permit tcp any host 216.140.140.8 range 20 21
access-list 101 permit tcp any host 216.140.140.8 eq 25
access-list 101 permit tcp any host 216.140.140.8 eq 53
access-list 101 permit udp any host 216.140.140.8 eq 53
access-list 101 permit tcp any host 216.140.140.8 eq 110
access-list 101 permit tcp any host 216.140.140.8 eq 143
access-list 101 permit tcp any host 216.140.140.8 eq 443
access-list 101 permit tcp any host 216.140.140.8 eq 3389
access-list 101 permit tcp any host 216.140.140.8 eq 8080
access-list 101 permit tcp any host 216.140.140.18 eq 3389
access-list 101 permit tcp any host 216.140.140.25 eq 3389
access-list 101 permit tcp any host 216.140.140.29 eq 3389
access-list 101 permit tcp any host 216.140.140.15 eq 3389
access-list 101 permit tcp any host 216.140.140.13 eq 3389
access-list 101 permit tcp any host 216.140.140.26 eq 3389
access-list 101 permit tcp any host 216.140.140.27 eq 3389
access-list 101 permit tcp any host 216.140.140.28 eq 3389
access-list 101 permit tcp any host 216.140.140.19 eq 3389
access-list 101 permit tcp any host 216.140.140.11 eq 80
access-list 101 permit tcp any host 216.150.150.8 eq 80
access-list 101 permit tcp any host 216.140.140.12 eq www
access-list 101 permit tcp any host 216.140.140.12 eq 3389
access-list 101 permit ip 216.140.140.0 0.0.0.255 any
access-list 101 permit ip 216.150.150.0 0.0.0.255 any
interface gi0/1
ip access-group 101 in
Monkerz
Member Posts: 842
Sorry I have not answered for a while, I was refreshing for my Switch exam before I took it.
Anyway, Ahmed I think you need to refresh a little before you deploy what you are trying to do.
This would probably be a good place to start:
Configuring Network Address Translation: Getting Started - Cisco Systems
Configuring IP Access Lists - Cisco Systems
http://www.cisco.com/en/US/prod/collateral/routers/ps9422/data_sheet_c78_462210.pdf
I, personally, would not be comfortable implementing something I did not completely understand. As of now, if your NAT was to break I do not think you would know how to troubleshoot this issue. And if you applied that ACL you would definitely have problems.
Don't get me wrong, I have no problems helping someone through an issue, but I would think at some point one would ask "Why that way?" or "How does that work?" I have yet to hear this from you.
Once you freshen up, please feel free to bounce your thoughts off of us.
xXErebuS
Member Posts: 230
Maybe this is a stupid question, but would it be possible to add another NIC on the server, or add another IP address to the existing NIC? Without BGP you're looking at a headache, especially considering most of your traffic will be inbound, and I think you will run into issues when there are no xlates in the table.
ahmedahmed
Member Posts: 41
Hi Monkerz,
Thanks for your help. From the ACL, what I don't understand is when you said I should allow all other traffic; this would defy my objective for the incoming traffic. From my knowledge this is an access list that will only apply to incoming traffic, so from my current config only incoming traffic on the ACL ports will be allowed and all other traffic will be dropped. Why would I need to allow all other traffic?
Even though an easier way would have been to deny all unwanted traffic and permit all others.
Please give me your opinion.
Monkerz
Member Posts: 842
Well, think about it...
Sure, allowing all traffic will defy the point of having an access list in the first place, but having the access list you created would ONLY allow in the traffic you permitted.
An example would be: say you are an end user and your PC has an IP/port that is not specifically permitted "in" on your WAN interface. You want to surf Google's website. So you open your web browser and type in Google. That domain is translated to one of many addresses owned by Google. Your request for Google's page then leaves your PC destined for the internet. Leaving your PC, your packet looks kind of like this:
S_IP: 10.0.0.250 D_IP: 74.125.140.100 S_PORT: 65123 D_PORT: 80
This packet hits the WAN router and gets NAT'd. So leaving the WAN router headed to Google via Primary ISP, the packet would look like this:
S_IP: 216.140.140.2 D_IP: 74.125.140.100 S_PORT: 65123 D_PORT: 80
Your packet eventually hits Google's vast array of web servers, the server replies to your request and shoots the data back to you. Packet looking like this:
S_IP: 74.125.140.100 D_IP: 216.140.140.2 S_PORT: 80 D_PORT: 65123
The first packet of this flow hits your WAN router, guess what happens? Yup, that ACL is referenced and the info you requested is shredded because a destination of 216.140.140.2:65123 is not permitted in on your WAN interface.
So you need to also allow traffic flows that are originating from inside your network. You can look into reflexive ACLs to accomplish this. I didn't want to just tell you what you needed, I wanted questions to be asked.
Hope this helps.
ahmedahmed
Member Posts: 41
Thanks for the hint last time.
You are right, my internal users would not be able to access the internet because the current ACL on gi0/1 would block replies other than what is permitted.
So I created a second access list, 100, that permits all traffic from my internal network to the outside, and then applied stateful inspection so that temporary dynamic entries are created allowing replies/communication to the outgoing traffic to come back into the network, and applied it to the gi0/0 interface.
I would appreciate your comments.
Thanks again for being so helpful.
access-list 101 permit tcp any host 216.150.150.6 eq www
access-list 101 permit tcp any host 216.150.150.6 range 20 21
access-list 101 permit tcp any host 216.150.150.6 eq 25
access-list 101 permit tcp any host 216.150.150.6 eq 53
access-list 101 permit udp any host 216.150.150.6 eq 53
access-list 101 permit tcp any host 216.150.150.6 eq 110
access-list 101 permit tcp any host 216.150.150.6 eq 143
access-list 101 permit tcp any host 216.150.150.6 eq 443
access-list 101 permit tcp any host 216.150.150.6 eq 3389
access-list 101 permit tcp any host 216.140.140.4 eq www
access-list 101 permit tcp any host 216.140.140.4 range 20 21
access-list 101 permit tcp any host 216.140.140.4 eq 25
access-list 101 permit tcp any host 216.140.140.4 eq 53
access-list 101 permit udp any host 216.140.140.4 eq 53
access-list 101 permit tcp any host 216.140.140.4 eq 110
access-list 101 permit tcp any host 216.140.140.4 eq 143
access-list 101 permit tcp any host 216.140.140.4 eq 443
access-list 101 permit tcp any host 216.140.140.4 eq 3389
access-list 101 permit tcp any host 216.140.140.17 eq www
access-list 101 permit tcp any host 216.140.140.17 range 20 21
access-list 101 permit tcp any host 216.140.140.17 eq 25
access-list 101 permit tcp any host 216.140.140.17 eq 53
access-list 101 permit udp any host 216.140.140.17 eq 53
access-list 101 permit tcp any host 216.140.140.17 eq 110
access-list 101 permit tcp any host 216.140.140.17 eq 143
access-list 101 permit tcp any host 216.140.140.17 eq 443
access-list 101 permit tcp any host 216.140.140.17 eq 3389
access-list 101 permit tcp any host 216.140.140.17 eq 8080
access-list 101 permit tcp any host 216.140.140.6 eq www
access-list 101 permit tcp any host 216.140.140.6 range 20 21
access-list 101 permit tcp any host 216.140.140.6 eq 25
access-list 101 permit tcp any host 216.140.140.6 eq 53
access-list 101 permit udp any host 216.140.140.6 eq 53
access-list 101 permit tcp any host 216.140.140.6 eq 110
access-list 101 permit tcp any host 216.140.140.6 eq 143
access-list 101 permit tcp any host 216.140.140.6 eq 443
access-list 101 permit tcp any host 216.140.140.6 eq 3389
access-list 101 permit tcp any host 216.150.150.10 eq www
access-list 101 permit tcp any host 216.150.150.10 range 20 21
access-list 101 permit tcp any host 216.150.150.10 eq 25
access-list 101 permit tcp any host 216.150.150.10 eq 53
access-list 101 permit udp any host 216.150.150.10 eq 53
access-list 101 permit tcp any host 216.150.150.10 eq 110
access-list 101 permit tcp any host 216.150.150.10 eq 143
access-list 101 permit tcp any host 216.150.150.10 eq 443
access-list 101 permit tcp any host 216.150.150.10 eq 3389
access-list 101 permit tcp any host 216.140.140.7 eq www
access-list 101 permit tcp any host 216.140.140.7 range 20 21
access-list 101 permit tcp any host 216.140.140.7 eq 25
access-list 101 permit tcp any host 216.140.140.7 eq 53
access-list 101 permit udp any host 216.140.140.7 eq 53
access-list 101 permit tcp any host 216.140.140.7 eq 110
access-list 101 permit tcp any host 216.140.140.7 eq 143
access-list 101 permit tcp any host 216.140.140.7 eq 443
access-list 101 permit tcp any host 216.140.140.7 eq 3389
access-list 101 permit tcp any host 216.150.150.11 eq www
access-list 101 permit tcp any host 216.150.150.11 range 20 21
access-list 101 permit tcp any host 216.150.150.11 eq 25
access-list 101 permit tcp any host 216.150.150.11 eq 53
access-list 101 permit udp any host 216.150.150.11 eq 53
access-list 101 permit tcp any host 216.150.150.11 eq 110
access-list 101 permit tcp any host 216.150.150.11 eq 143
access-list 101 permit tcp any host 216.150.150.11 eq 443
access-list 101 permit tcp any host 216.150.150.11 eq 3389
access-list 101 permit tcp any host 216.140.140.8 eq www
access-list 101 permit tcp any host 216.140.140.8 range 20 21
access-list 101 permit tcp any host 216.140.140.8 eq 25
access-list 101 permit tcp any host 216.140.140.8 eq 53
access-list 101 permit udp any host 216.140.140.8 eq 53
access-list 101 permit tcp any host 216.140.140.8 eq 110
access-list 101 permit tcp any host 216.140.140.8 eq 143
access-list 101 permit tcp any host 216.140.140.8 eq 443
access-list 101 permit tcp any host 216.140.140.8 eq 3389
access-list 101 permit tcp any host 216.140.140.8 eq 8080
access-list 101 permit tcp any host 216.140.140.18 eq 3389
access-list 101 permit tcp any host 216.140.140.25 eq 3389
access-list 101 permit tcp any host 216.140.140.29 eq 3389
access-list 101 permit tcp any host 216.140.140.15 eq 3389
access-list 101 permit tcp any host 216.140.140.13 eq 3389
access-list 101 permit tcp any host 216.140.140.26 eq 3389
access-list 101 permit tcp any host 216.140.140.27 eq 3389
access-list 101 permit tcp any host 216.140.140.28 eq 3389
access-list 101 permit tcp any host 216.140.140.19 eq 3389
access-list 101 permit tcp any host 216.140.140.11 eq 80
access-list 101 permit tcp any host 216.150.150.8 eq 80
access-list 101 permit tcp any host 216.140.140.12 eq www
access-list 101 permit tcp any host 216.140.140.12 eq 3389
access-list 100 permit ip any any
ip inspect name INTERNAL ip
interface gi0/0
ip access-group 100 in
ip inspect INTERNAL in
Monkerz
Member Posts: 842
Remove ACL 100 altogether. Apply inspection outbound on the WAN interface. Keep ACL 101 inbound on the WAN interface.
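An added model of the packet walk-through above and of the advice to keep ACL 101 inbound while inspecting outbound on the WAN interface; this is Python written for this thread, not IOS and not any poster's configuration. It assumes a three-entry excerpt of ACL 101 (constructed), the packet addresses from the Google example, and a constructed outside host 198.51.100.9; the inspector is a deliberately simplified model of what `ip inspect` does (it records outbound flows and admits their replies ahead of the ACL).

```python
import re
from typing import NamedTuple

# Constructed excerpt in the shape of the thread's ACL 101 (three entries, not the full list).
ACL_101 = """
access-list 101 permit tcp any host 216.140.140.4 eq www
access-list 101 permit tcp any host 216.140.140.4 eq 443
access-list 101 permit tcp any host 216.140.140.17 eq 3389
""".strip().splitlines()
PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "domain": 53, "pop3": 110}
ACE_RE = re.compile(r"access-list \d+ permit (tcp|udp) any host (\S+) eq (\S+)$")

class Packet(NamedTuple):
    proto: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

def parse_acl(lines):
    """Return one (proto, dst_host, dst_port) tuple per 'permit <proto> any host X eq Y' entry."""
    aces = []
    for line in lines:
        if m := ACE_RE.match(line.strip()):
            proto, host, port = m.groups()
            aces.append((proto, host, PORT_NAMES.get(port) or int(port)))
    return aces

def acl_permits(aces, pkt):
    """Stateless check: the packet passes only if an entry matches it; the implicit deny drops the rest."""
    return any(p == pkt.proto and h == pkt.dst_ip and d == pkt.dst_port for p, h, d in aces)

class WanInspector:
    """Simplified model of 'ip inspect' outbound on the WAN interface: record each outbound flow and admit its reply before ACL 101 is consulted."""
    def __init__(self, aces):
        self.aces = aces
        self.sessions = set()
    def outbound(self, pkt):
        self.sessions.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
    def inbound_allowed(self, pkt):
        reply_of = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reply_of in self.sessions or acl_permits(self.aces, pkt)

def walk_through():
    """Replay the Google example: the post-NAT request leaves, then its reply hits the WAN interface."""
    aces = parse_acl(ACL_101)
    request = Packet("tcp", "216.140.140.2", "74.125.140.100", 65123, 80)  # after NAT, via primary ISP
    reply = Packet("tcp", "74.125.140.100", "216.140.140.2", 80, 65123)
    fw = WanInspector(aces)
    fw.outbound(request)
    return {
        "stateless_reply_permitted": acl_permits(aces, reply),  # ACL alone: 216.140.140.2:65123 is not listed
        "stateful_reply_permitted": fw.inbound_allowed(reply),  # inspection: matches the recorded session
        "unsolicited_https_to_server": fw.inbound_allowed(Packet("tcp", "198.51.100.9", "216.140.140.4", 40000, 443)),
        "unsolicited_rdp_to_web_server": fw.inbound_allowed(Packet("tcp", "198.51.100.9", "216.140.140.4", 40001, 3389)),
    }

if __name__ == "__main__":
    for check, result in walk_through().items():
        print(f"{check}: {'permit' if result else 'drop'}")
```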
ahmedahmed
Member Posts: 41
Hi Monkerz,
I have been doing a lot of research on the zone-based firewall using the CLI and have tried to configure my network with a zone-based firewall instead of the ACLs.
Even though I think I am pretty much right, please can you look at my configuration and give me your view on it.
Here is the ZBF configuration I came up with:
zone security out-zone
zone security in-zone
zone security teleworker
interface gi0/1
zone-member security out-zone
interface gi0/0
zone-member security in-zone
interface gi0/2
zone-member security teleworker
exit
ip port-map user-RDP port tcp 3389
zone-pair security OUT-IN source out-zone destination in-zone
zone-pair security OUT-TELEWORKER source out-zone destination teleworker
zone-pair security TELEWORKER-OUT source teleworker destination out-zone
ip access-list extended OUTSIDE-TO-INSIDE-WEB
permit tcp any host 10.0.0.23 eq 80
permit tcp any host 10.0.0.59 eq 80
permit tcp any host 10.0.0.61 eq 80
permit tcp any host 10.0.0.228 eq 80
permit tcp any host 10.0.0.16 eq 80
permit tcp any host 10.0.0.30 eq 80
class-map type inspect match-all OUTSIDE-TO-INSIDE-WEB-CLASS
match protocol http
match access-group name OUTSIDE-TO-INSIDE-WEB
ip access-list extended OUTSIDE-TO-INSIDE-FTP
permit tcp any host 10.0.0.52 range 20 21
permit tcp any host 10.0.0.23 range 20 21
permit tcp any host 10.0.0.59 range 20 21
permit tcp any host 10.0.0.61 range 20 21
permit tcp any host 10.0.0.228 range 20 21
class-map type inspect match-all OUTSIDE-TO-INSIDE-FTP-CLASS
match protocol ftp
match access-group name OUTSIDE-TO-INSIDE-FTP
ip access-list extended OUTSIDE-TO-INSIDE-SMTP
permit tcp any host 10.0.0.52 eq 25
permit tcp any host 10.0.0.23 eq 25
permit tcp any host 10.0.0.59 eq 25
permit tcp any host 10.0.0.61 eq 25
permit tcp any host 10.0.0.228 eq 25
class-map type inspect match-all OUTSIDE-TO-INSIDE-SMTP-CLASS
match protocol smtp
match access-group name OUTSIDE-TO-INSIDE-SMTP
ip access-list extended OUTSIDE-TO-INSIDE-DNS
permit tcp any host 10.0.0.23 eq 53
permit udp any host 10.0.0.23 eq 53
permit tcp any host 10.0.0.59 eq 53
permit udp any host 10.0.0.59 eq 53
permit tcp any host 10.0.0.61 eq 53
permit udp any host 10.0.0.61 eq 53
permit tcp any host 10.0.0.228 eq 53
permit udp any host 10.0.0.228 eq 53
class-map type inspect match-all OUTSIDE-TO-INSIDE-DNS-CLASS
match protocol dns
match access-group name OUTSIDE-TO-INSIDE-DNS
ip access-list extended OUTSIDE-TO-INSIDE-POP
permit tcp any host 10.0.0.52 eq 110
permit tcp any host 10.0.0.23 eq 110
permit tcp any host 10.0.0.59 eq 110
permit tcp any host 10.0.0.61 eq 110
permit tcp any host 10.0.0.228 eq 110
class-map type inspect match-all OUTSIDE-TO-INSIDE-POP-CLASS
match protocol pop3
match access-group name OUTSIDE-TO-INSIDE-POP
ip access-list extended OUTSIDE-TO-INSIDE-IMAP
permit tcp any host 10.0.0.52 eq 143
permit tcp any host 10.0.0.23 eq 143
permit tcp any host 10.0.0.59 eq 143
permit tcp any host 10.0.0.61 eq 143
permit tcp any host 10.0.0.228 eq 143
class-map type inspect match-all OUTSIDE-TO-INSIDE-IMAP-CLASS
match protocol imap
match access-group name OUTSIDE-TO-INSIDE-IMAP
ip access-list extended OUTSIDE-TO-INSIDE-HTTPS
permit tcp any host 10.0.0.52 eq 443
permit tcp any host 10.0.0.23 eq 443
permit tcp any host 10.0.0.59 eq 443
permit tcp any host 10.0.0.61 eq 443
permit tcp any host 10.0.0.228 eq 443
class-map type inspect match-all OUTSIDE-TO-INSIDE-HTTPS-CLASS
match protocol https
match access-group name OUTSIDE-TO-INSIDE-HTTPS
ip access-list extended OUTSIDE-TO-INSIDE-RDP
permit tcp any host 10.0.0.52 eq 3389
permit tcp any host 10.0.0.23 eq 3389
permit tcp any host 10.0.0.59 eq 3389
permit tcp any host 10.0.0.61 eq 3389
permit tcp any host 10.0.0.228 eq 3389
permit tcp any host 10.0.0.58 eq 3389
permit tcp any host 10.0.0.33 eq 3389
permit tcp any host 10.0.0.25 eq 3389
permit tcp any host 10.0.0.44 eq 3389
permit tcp any host 10.0.0.251 eq 3389
permit tcp any host 10.0.0.21 eq 3389
permit tcp any host 10.0.0.22 eq 3389
permit tcp any host 10.0.0.24 eq 3389
permit tcp any host 10.0.0.30 eq 3389
permit tcp any host 10.0.0.230 eq 3389
class-map type inspect match-all OUTSIDE-TO-INSIDE-RDP-CLASS
match protocol user-RDP
match access-group name OUTSIDE-TO-INSIDE-RDP
ip access-list extended TELEWORKER-TO-OUTSIDE
permit ip host 10.0.3.254 any
class-map type inspect match-all TELEWORKER-TO-OUTSIDE-CLASS
match access-group name TELEWORKER-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-TELEWORKER
permit ip any host 10.0.3.254
class-map type inspect match-all OUTSIDE-TO-TELEWORKER-CLASS
match access-group name OUTSIDE-TO-TELEWORKER
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-WEB-CLASS
inspect
class type inspect OUTSIDE-TO-INSIDE-FTP-CLASS
inspect
class type inspect OUTSIDE-TO-INSIDE-SMTP-CLASS
inspect
class type inspect OUTSIDE-TO-INSIDE-DNS-CLASS
inspect
class type inspect OUTSIDE-TO-INSIDE-POP-CLASS
inspect
class type inspect OUTSIDE-TO-INSIDE-IMAP-CLASS
inspect
class type inspect OUTSIDE-TO-INSIDE-HTTPS-CLASS
inspect
class type inspect OUTSIDE-TO-INSIDE-RDP-CLASS
inspect
policy-map type inspect TELEWORKER-TO-OUTSIDE-POLICY
class type inspect TELEWORKER-TO-OUTSIDE-CLASS
inspect
policy-map type inspect OUTSIDE-TO-TELEWORKER-POLICY
class type inspect OUTSIDE-TO-TELEWORKER-CLASS
inspect
zone-pair security OUT-IN source out-zone destination in-zone
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security OUT-TELEWORKER source out-zone destination teleworker
service-policy type inspect OUTSIDE-TO-TELEWORKER-POLICY
zone-pair security TELEWORKER-OUT source teleworker destination out-zone
service-policy type inspect TELEWORKER-TO-OUTSIDE-POLICY
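An added cross-reference check for a zone-based firewall configuration in the form posted above; this is Python written for this thread, not IOS and not the poster's own configuration. It runs over a constructed, trimmed config with the same zone, class-map, policy-map and zone-pair shape, in which the policy referenced by zone-pair TELEWORKER-OUT is deliberately left undefined so the check has something to report, and it also lists the zone directions for which no zone-pair exists.

```python
import re
from itertools import permutations
# Constructed, trimmed config in the shape of the zone-based firewall posted above. The policy
# referenced by zone-pair TELEWORKER-OUT is deliberately left undefined to exercise the check.
ZBF_CONFIG = """
zone security out-zone
zone security in-zone
zone security teleworker
ip access-list extended OUTSIDE-TO-INSIDE-RDP
 permit tcp any host 10.0.0.52 eq 3389
class-map type inspect match-all OUTSIDE-TO-INSIDE-RDP-CLASS
 match protocol user-RDP
 match access-group name OUTSIDE-TO-INSIDE-RDP
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-RDP-CLASS
  inspect
zone-pair security OUT-IN source out-zone destination in-zone
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security TELEWORKER-OUT source teleworker destination out-zone
 service-policy type inspect TELEWORKER-TO-OUTSIDE-POLICY
""".strip().splitlines()

def lint_zbf(lines):
    """Cross-check zone-pair -> policy-map -> class-map -> ACL references, and list the zone
    directions that have no zone-pair at all (inter-zone traffic with no zone-pair is dropped)."""
    zones, acls, class_maps, policies, pairs = set(), set(), {}, {}, {}
    ctx = None  # (kind, name) of the configuration block currently open
    for raw in lines:
        line = raw.strip()
        if m := re.match(r"zone security (\S+)$", line):
            zones.add(m[1])
        elif m := re.match(r"ip access-list extended (\S+)$", line):
            acls.add(m[1])
        elif m := re.match(r"class-map type inspect match-(?:all|any) (\S+)$", line):
            ctx, class_maps[m[1]] = ("class", m[1]), []
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            ctx, policies[m[1]] = ("policy", m[1]), []
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
            ctx, pairs[m[1]] = ("pair", m[1]), {"dir": (m[2], m[3]), "policy": None}
        elif ctx and ctx[0] == "class" and (m := re.match(r"match access-group name (\S+)$", line)):
            class_maps[ctx[1]].append(m[1])
        elif ctx and ctx[0] == "policy" and (m := re.match(r"class type inspect (\S+)$", line)):
            policies[ctx[1]].append(m[1])
        elif ctx and ctx[0] == "pair" and (m := re.match(r"service-policy type inspect (\S+)$", line)):
            pairs[ctx[1]]["policy"] = m[1]
    dangling = [f"zone-pair {n}: policy {p['policy']} undefined"
                for n, p in pairs.items() if p["policy"] not in policies]
    dangling += [f"policy-map {n}: class {c} undefined"
                 for n, classes in policies.items() for c in classes if c not in class_maps]
    dangling += [f"class-map {n}: ACL {a} undefined"
                 for n, refs in class_maps.items() for a in refs if a not in acls]
    covered = {p["dir"] for p in pairs.values()}
    return {"dangling": dangling, "uncovered": set(permutations(sorted(zones), 2)) - covered}

if __name__ == "__main__":
    report = lint_zbf(ZBF_CONFIG)
    print(*report["dangling"], sep="\n")
    for src, dst in sorted(report["uncovered"]):
        print(f"no zone-pair {src} -> {dst}: traffic in that direction is dropped")
```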