Routing problem with multihomed router.

Hi everyone, I am having a little bit of a problem trying to configure a router with two ISPs connected to it. The problem is this: I have ISP1 and ISP2, each one with their particular gateway. After I configured everything (dynamic NAT, static NAT, VPN, etc.) everything works fine, except for the routing. I want to use ISP1 for VPN routing (which I do with static routes) and ISP2 for every other traffic (so I just create a last resort gateway, 0.0.0.0 0.0.0.0 ISP2), but I would also like to access the other interface from the open internet, which I can't do now because the router doesn't know how to route the packet and instead tries to send it through the last resort gateway (LSG). I've tried to put two LSGs but it seems to be picking ISP1, probably because in the routing table I have 4 routes with ISP1 and only 1 with the other one, so probably it believes that it can "save" more routes using this one. The problem is that, this way, all the dynamic NAT map is built upon the interface that I don't want to use. Is there a way to tell the router that if it receives a packet on interface 2 it replies through that one? Should I use route maps? And if I do, how? Although the best thing to accomplish would be forcing the router to pick as LSG the interface that I want, because now this is the case:

ip route 0.0.0.0 0.0.0.0 ISP 1
ip route 0.0.0.0 0.0.0.0 ISP 2
ip route X.X.X.X 255.255.255.255 ISP 1
ip route 172.16.0.0 255.255.240.0 ISP 1
ip route 192.168.0.0 255.255.128.0 ISP 1
ip route X.X.X.X 255.255.255.224 ISP 1

Having those routes in my config it picks the LSG with ISP 1 as the default one, but I want it to be the other way around. How should I do it? Thanks everyone in advance.

Reply to
Agustin

If you are routing only VPN traffic through ISP1, why do you have a default route?

Reply to
christian koch

> Should I use route maps? And if I do, how?

Also, please post your config; please don't include password information.

Reply to
christian koch

This is the config without the things that can be omitted and the ones that have to be. I want to have a default route also to VLAN7 to enable it to be contacted for roaming VPN from anywhere. Thanks.

version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
boot-start-marker
boot-end-marker
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login userauthen local
aaa authentication login radiusauth group radius local
aaa authorization exec default local
aaa authorization exec radiusexec local group radius
aaa authorization network groupauthor local
aaa authorization network radiusgroup local group radius
aaa session-id common
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip cef
!
!
ip inspect max-incomplete high 3000
ip inspect max-incomplete low 2900
ip inspect one-minute high 3000
ip inspect one-minute low 2900
ip inspect udp idle-time 300
ip inspect dns-timeout 15
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 50 block-time 1
ip inspect name firewall cuseeme
ip inspect name firewall ftp
ip inspect name firewall http
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall smtp
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
ip inspect name firewall tcp
ip inspect name firewall tftp
ip inspect name firewall udp
ip inspect name firewall vdolive
no ip dhcp conflict logging
!
ip dhcp class C
!
ip ips po max-events 100
no ip bootp server
no ip domain lookup
no ftp-server write-enable
!
!
class-map match-any SDMScave-FastEthernet0/1
 match protocol napster
 match protocol fasttrack
 match protocol gnutella
class-map match-any SDMTrans-FastEthernet0/1
 match protocol citrix
 match protocol finger
 match protocol notes
 match protocol novadigm
 match protocol pcanywhere
 match protocol secure-telnet
 match protocol sqlnet
 match protocol sqlserver
 match protocol ssh
 match protocol telnet
 match protocol xwindows
class-map match-any SDMVoice-FastEthernet0/1
 match protocol rtp audio
class-map match-any SDMSVideo-FastEthernet0/1
 match protocol cuseeme
 match protocol netshow
 match protocol rtsp
 match protocol streamwork
 match protocol vdolive
class-map match-any SDMIVideo-FastEthernet0/1
 match protocol rtp video
class-map match-any SDMManage-FastEthernet0/1
 match protocol dhcp
 match protocol dns
 match protocol imap
 match protocol kerberos
 match protocol ldap
 match protocol secure-imap
 match protocol secure-ldap
 match protocol snmp
 match protocol socks
 match protocol syslog
class-map match-any SDMRout-FastEthernet0/1
 match protocol bgp
 match protocol egp
 match protocol eigrp
 match protocol ospf
 match protocol rip
 match protocol rsvp
class-map match-any SDMSignal-FastEthernet0/1
 match protocol h323
 match protocol rtcp
class-map match-any SDMBulk-FastEthernet0/1
 match protocol exchange
 match protocol ftp
 match protocol irc
 match protocol nntp
 match protocol pop3
 match protocol printer
 match protocol secure-ftp
 match protocol secure-irc
 match protocol secure-nntp
 match protocol secure-pop3
 match protocol smtp
 match protocol tftp
!
!
policy-map SDM-Pol-FastEthernet0/1
 class SDMManage-FastEthernet0/1
  bandwidth remaining percent 5
  set dscp cs2
 class SDMVoice-FastEthernet0/1
  priority percent 68
  set dscp ef
 class SDMRout-FastEthernet0/1
  bandwidth remaining percent 5
  set dscp cs6
 class SDMTrans-FastEthernet0/1
  bandwidth remaining percent 48
  set dscp af21
 class SDMSignal-FastEthernet0/1
  bandwidth remaining percent 28
  set dscp cs3
!
!
interface Null0
 no ip unreachables
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect firewall in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/0.1
 encapsulation dot1Q 2
 ip address 192.168.132.1 255.255.255.0
 ip access-group 107 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip inspect firewall in
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/0.2
 encapsulation dot1Q 3
 ip dhcp client lease 10 0 0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect firewall in
 ip nat inside
 ip virtual-reassembly
 no ip route-cache same-interface
 no cdp enable
!
interface FastEthernet0/0.4
 encapsulation dot1Q 4
 ip address 192.168.133.1 255.255.255.0
 ip access-group 108 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect firewall in
 ip nat inside
 ip virtual-reassembly
 no ip route-cache same-interface
 no cdp enable
!
interface FastEthernet0/1/0
 switchport access vlan 7
 no ip address
 duplex half
 speed 10
 no cdp enable
!
interface FastEthernet0/1/1
 switchport access vlan 8
 no ip address
 duplex half
 speed 10
 no cdp enable
!
interface FastEthernet0/1/2
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet0/1/3
 switchport trunk native vlan 7
 switchport mode trunk
 no ip address
 no cdp enable
!
interface Vlan1
 no ip address
!
interface Vlan7
 bandwidth 2048
 ip address X.X.X.X X.X.X.X
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip rip send version 2
 ip virtual-reassembly
 service-policy output SDM-Pol-FastEthernet0/1
 ip route-cache flow
 no mop enabled
 crypto map VPN
!
interface Vlan8
 bandwidth 2048
 ip address X.X.X.X X.X.X.X
 ip access-group 114 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 service-policy output SDM-Pol-FastEthernet0/1
 ip route-cache flow
 no mop enabled
 crypto map VPN
!
ip local pool VPN_Pool 192.168.135.100 192.168.135.250
ip classless
ip route 0.0.0.0 0.0.0.0 vlan8
ip route vpnendpoint vlan7
ip route 172.16.0.0 255.255.240.0 vlan7
ip route 192.168.0.0 255.255.128.0 vlan7
ip route vlan7 network vlan7
ip nat inside source route-map nonat interface Vlan8 overload
ip nat inside source static 192.168.132.19 VLAN8 route-map StaticNat
ip nat inside source static 192.168.132.6 VLAN8 route-map StaticNat
!
!
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.5.10
access-list 1 permit 192.168.132.9
access-list 1 permit 192.168.132.27
access-list 1 permit 192.168.133.20
access-list 100 remark Nat rule for inside nat rules.
access-list 100 deny ip 192.168.128.0 0.0.127.255 172.16.0.0 0.0.255.255
access-list 100 deny ip 192.168.128.0 0.0.127.255 192.168.0.0 0.0.255.255
access-list 100 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 100 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.128.0 0.0.127.255 any
access-list 100 permit ip 172.16.0.0 0.0.248.255 any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 deny ip any any
access-list 101 remark ACL for allow flow traffic trought the vpn
access-list 101 permit ip 192.168.128.0 0.0.127.255 172.16.0.0 0.0.15.255
access-list 101 permit ip 192.168.128.0 0.0.127.255 192.168.0.0 0.0.127.255
access-list 101 permit ip 172.16.0.0 0.0.248.255 172.16.0.0 0.0.15.255
access-list 101 permit ip 172.16.0.0 0.0.248.255 192.168.0.0 0.0.127.255
access-list 101 deny ip any any
access-list 102 permit esp any host vlan7
access-list 102 permit icmp any any
access-list 102 permit udp host 216.244.192.3 eq ntp host vlan7
access-list 102 permit udp any host vlan7 eq isakmp
access-list 102 permit udp any host vlan7 eq non500-isakmp
access-list 102 permit ahp any host vlan7
access-list 102 deny ip any any
access-list 103 remark ACL for the Lawyers VLAN
access-list 103 remark Permit the DHCP traffic from
access-list 103 remark the vlan to the router.
access-list 103 permit udp any any eq bootps
access-list 103 remark Deny access to our Lans
access-list 103 deny ip any 192.168.0.0 0.0.255.255
access-list 103 remark Deny access to the DMZ
access-list 103 deny ip any 172.16.0.0 0.0.255.255
access-list 103 remark Permit access to anything else
access-list 103 permit ip 10.0.0.0 0.0.0.255 any
access-list 103 deny ip any any
access-list 103 remark ACL for the Lawyers VLAN
access-list 103 remark Permit the DHCP traffic from
access-list 103 remark the vlan to the router.
access-list 103 remark Deny access to our Lans
access-list 103 remark Deny access to the DMZ
access-list 103 remark Permit access to anything else
access-list 104 remark ACL for allow flow traffic trought the roaming vpn
access-list 104 permit ip 172.16.0.0 0.0.63.255 192.168.135.0 0.0.0.255
access-list 104 permit ip 192.168.128.0 0.0.127.255 192.168.135.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.127.255 192.168.135.0 0.0.0.255
access-list 105 remark Allow management from this ips
access-list 105 permit ip 192.168.22.0 0.0.0.255 any
access-list 105 permit ip 192.168.133.0 0.0.0.255 any
access-list 105 permit ip 192.168.132.0 0.0.0.31 any
access-list 105 deny ip any any
access-list 107 remark Recruiters VLAN ACLs
access-list 107 remark Allow any kind of traffic to all the computers between th
access-list 107 permit ip 192.168.132.0 0.0.0.63 any
access-list 107 remark Traffic to NY DMZ
access-list 107 permit ip 192.168.132.0 0.0.0.255 172.16.0.0 0.0.15.255
access-list 107 permit ip 192.168.132.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 107 deny ip any any
access-list 108 remark Development VLAN ACLs
access-list 108 permit ip any any
access-list 108 deny ip any any
access-list 109 remark DMZ VLAN ACLs
access-list 109 permit ip any any
access-list 109 deny ip any any
access-list 111 remark Static NAT ACL
access-list 111 deny ip host 192.168.132.6 172.16.0.0 0.0.255.255
access-list 111 deny ip host 192.168.132.6 192.168.0.0 0.0.255.255
access-list 111 deny ip host 192.168.132.19 172.16.0.0 0.0.255.255
access-list 111 deny ip host 192.168.132.19 192.168.0.0 0.0.255.255
access-list 111 permit ip host 192.168.132.19 any
access-list 111 permit ip host 192.168.132.6 any
access-list 114 remark ACL for the external Telecom dwarf int
access-list 114 permit esp any host vlan8
access-list 114 permit icmp any any
access-list 114 permit udp host 216.244.192.3 eq ntp host vlan8
access-list 114 permit udp any host vlan8 eq isakmp
access-list 114 permit udp any host vlan8 eq non500-isakmp
access-list 114 permit ahp any host vlan8
access-list 114 permit tcp any host vlan8 eq www
access-list 114 permit ip host 62.141.42.77 host vlan8
access-list 114 deny ip any any
no cdp run
route-map StaticNat permit 10
 match ip address 111
!
route-map nonat permit 10
 match ip address 100
!
!
Reply to
Agustin
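As an added example (not from the thread), this is the policy-based routing approach Agustin asks about, written against the posted interface names: a local policy makes the router's own packets sourced from its Vlan7 address leave via ISP1 while the single default route stays on Vlan8, and a second route-map does the same for one inside host, which goes a step beyond the question. ISP1-GW and VLAN7-IP stand for the next-hop and address redacted as X.X.X.X in the config; 192.168.132.50 is a hypothetical host.

```cisco
! Added example, not part of the posted config.
! Placeholders: ISP1-GW = ISP1 gateway on Vlan7, VLAN7-IP = router's own Vlan7 address.
! The existing single default route (ip route 0.0.0.0 0.0.0.0 vlan8) is kept, so the
! dynamic NAT keeps being built on Vlan8 only.
!
! Packets the router itself generates from VLAN7-IP (ISAKMP/ESP for the roaming VPN,
! replies to pings or management sessions that arrived on Vlan7) follow the global
! table by default and would leave via Vlan8; a local policy overrides that.
ip access-list extended ROUTER-FROM-VLAN7
 permit ip host VLAN7-IP any
!
route-map PBR-LOCAL permit 10
 match ip address ROUTER-FROM-VLAN7
 set ip next-hop ISP1-GW
!
! Applies to router-originated traffic only; transit packets are not affected.
ip local policy route-map PBR-LOCAL
!
! Same idea for one inside host (hypothetical 192.168.132.50) whose internet traffic
! should use ISP1. Traffic to the local VLANs, the DMZ and the VPN networks is denied
! in the ACL, which means "not policy routed": it falls back to the normal table.
ip access-list extended HOST-VIA-VLAN7
 deny   ip host 192.168.132.50 10.0.0.0 0.0.0.255
 deny   ip host 192.168.132.50 172.16.0.0 0.0.255.255
 deny   ip host 192.168.132.50 192.168.0.0 0.0.255.255
 permit ip host 192.168.132.50 any
!
route-map PBR-INSIDE permit 10
 match ip address HOST-VIA-VLAN7
 set ip next-hop ISP1-GW
!
! PBR is applied on the interface where the packets enter, before NAT.
interface FastEthernet0/0.1
 ip policy route-map PBR-INSIDE
!
! Check: "show route-map PBR-LOCAL" and "show route-map PBR-INSIDE" report
! "Policy routing matches" counters that should increase while testing.
```

One thing to check alongside this: the posted config has strict `ip verify unicast reverse-path` on Vlan7 and Vlan8, and strict uRPF drops packets whose source is not best reached back through the receiving interface, which on an asymmetrically routed multihomed edge is exactly the traffic arriving on the non-default ISP. The loose form `ip verify unicast source reachable-via any` keeps a (weaker) anti-spoofing check without that effect.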

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.