Cisco 2621XM QoS/ToS settings part due 1


imagefree (IS-IT--Management), May 26, 2009
The ADSL modem is configured as such:

VPI/VCI  Con. ID  Category  Service Name  Interface Name  Protocol  IGMP      QoS       State    Status  IP Address
8/35     1        UBR       pppoa_8_35_1  ppp_8_35_1      PPPoA     Disabled  Disabled  Enabled  Up      70.20.100.184 (not actual IP address)
8/36     1        UBR       br_8_36       nas_8_36        Bridge    N/A       Disabled  Enabled  Up      -
 
Hello
Can you confirm that the conf before was working with both SSH and the PHP server? In any case please post the conf that was working with SSH. Also it would be helpful to post the traffic hits on the access-list and route-maps.

Regards
 
This config was working.

I could ssh and php remotely. The ip nat inside source list 1 interface FastEthernet0/1 overload was the active dynamic mapping.


Current configuration : 2353 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
!
ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
class-map match-any RTP
match protocol rtp audio
!
policy-map VOICE
class RTP
priority percent 75
!
interface FastEthernet0/0
description LAN to Sonicwall
ip address 200.100.49.57 255.255.255.248
ip nat inside
ip virtual-reassembly
ip policy route-map ROUTE_VOIP
speed auto
full-duplex
!
interface Serial0/0
bandwidth 1544
ip address 200.110.32.174 255.255.255.252
ip nbar protocol-discovery
service-policy output VOICE
load-interval 60
service-module t1 timeslots 1-24
!
interface FastEthernet0/1
description outside WAN
bandwidth 6000
ip address dhcp (192.168.6.2)
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
service-policy output VOICE
load-interval 60
duplex auto
speed auto
pppoe enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.6.1
ip route 0.0.0.0 0.0.0.0 200.110.32.173 5
ip route 192.168.6.0 255.255.255.0 FastEthernet0/1
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source route-map NO_NAT interface FastEthernet0/0 overload
!
access-list 1 permit 200.100.49.0 0.0.0.255
access-list 110 permit udp any any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq www any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 22 any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 443 any
access-list 120 deny tcp 200.100.49.56 0.0.0.7 eq 22 any
access-list 120 deny tcp 200.100.49.56 0.0.0.7 eq www any
access-list 120 deny tcp 200.100.49.56 0.0.0.7 eq 443 any
access-list 120 permit ip 200.100.49.56 0.0.0.7 any
!
route-map NO_NAT permit 10
match ip address 120
set interface FastEthernet0/0
!
route-map ROUTE_VOIP permit 10
match ip address 110
set interface Serial0/0 FastEthernet0/1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
!
end
 
Hits
show access-lists =>
Extended IP access list 110
10 permit udp any any (57285731 matches)
20 permit tcp 200.100.49.56 0.0.0.7 eq www any (12803 matches)
30 permit tcp 200.100.49.56 0.0.0.7 eq 22 any (97437 matches)
40 permit tcp 200.100.49.56 0.0.0.7 eq 443 any
Extended IP access list 120
10 deny tcp 200.100.49.56 0.0.0.7 eq 22 any (6 matches)
20 deny tcp 200.100.49.56 0.0.0.7 eq www any
30 deny tcp 200.100.49.56 0.0.0.7 eq 443 any
40 permit ip 200.100.49.56 0.0.0.7 any (41035 matches)
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit ip any any log

show route-map =>
route-map NO_NAT, permit, sequence 10
Match clauses:
ip address (access-lists): 120
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map ROUTE_VOIP, permit, sequence 10
Match clauses:
ip address (access-lists): 110
Set clauses:
interface Serial0/0 FastEthernet0/1
Policy routing matches: 57395962 packets, 1594055969 bytes


I'm yet to see hits to NO_NAT...
 
Hello
I think the NO_NAT route-map isn't doing its job. Go back to this line:
"ip nat inside source list 1 interface FastEthernet0/1 overload"

In troubleshooting you always keep the working conf. Here's the deal: revert back to the old conf. Being we're pros :) and don't want to keep dirty confs, we will kill the "route-map NO_NAT permit 10" and "access-list 120". If for any reason it doesn't work we will leave the conf dirty with all the former lines, and I will have to lab your setup and get back to you.
For what it's worth, it's the 2 lines that are allowing SSH and HTTP traffic through our "route-map ROUTE_VOIP" that are making things work, so we don't need "route-map NO_NAT".

Regards
 
Ok, I will go back to the working config.

If the 'dirty config' is ok with you guys, I would also like to look into some redundancy for if either WAN interface or service goes offline.
 
Hello
It would be best to clean the conf; it will make your life easier in the future, when you may have to troubleshoot again. Please try the above recommendations and let us know.
We can start working on the redundancy in any case. If I remember correctly we already made your setup redundant as far as voice and outside web go. Please state what other services you need to be redundant.

Regards
 
Hi Imagefree,

I would change ACL 1 to
access-list 1 permit 200.100.49.56 0.0.0.7
since the original one includes more than your addresses. Technically it doesn't matter in this case, just misleading.

As for redundancy, right now your outgoing connections that normally go through the T1 should be redundant, but I don't think you can make your incoming connections redundant without the help of your service provider.
For DSL outgoing traffic you'd need to use object tracking (like what I've posted earlier in the thread) to get redundancy, since your f0/1 interface would continue to be up even if the DSL line itself is down.

Regards,

t00r
 
Hi T00r
We did a redundancy test on the ADSL link as well. In the test I had him unplug the phone line and he said that the T1 was kicking in. It did seem strange to me, but I don't want to doubt him. So in this case object tracking isn't needed.
To get inbound redundancy, I was thinking of having him bridge the ADSL connection to FastEthernet0/1, so that this interface would have the public IP of the modem. But I don't know if this model will allow bridging. The second solution would be to use a WIC-1ADSL; you can find them on eBay for around 50 USD.
Regards
 
Hi Minue,

Hmm... Maybe the modem was deactivating its Ethernet interfaces when DSL connectivity was lost? If that is the case I agree there is no need for object tracking.

The problem with inbound redundancy is that the ISP has configured static routing for 200.100.49.56/29 to go to 200.110.32.174 (the T1 IP address). If the T1 is down, packets to 200.100.49.56/29 would be dropped at the ISP. The ISP needs to know that it can use the DSL line to reach 200.100.49.56/29. That is why I've suggested that Imagefree talk to his ISP if he wants inbound redundancy. Also there is a need to configure interface preferences at the ISP so incoming VoIP traffic would prefer the T1 line.

According to the modem's documentation it allows bridging so either solution would bring public IP to the router.

Regards,

t00r
 
Sorry to keep you guys out of loop. I wrote a post and forgot to hit submit post.

The config that I said was working isn't working. I can only hit my PHPs, not the SSH, and FTP isn't working.
It was when I first applied the changes to the ACLs...

Can't figure out why it has stopped working.
 
Update:
Adding 'access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 443 any' opened up the FTP port. I entered 'access-list deny tcp 200.100.49.56 0.0.0.7 eq 21 any' first and it made no difference, therefore confirming which ACL is working. Which now leaves me to wonder if something is blocking my SSH attempts internally? PHPs and FTPs both work. I'm using PuTTY, so it's clear that I am using port 22 in all my attempts.
 
The FTP access refuses to work with the ip nat inside. I am able to hit the address and enter my credentials but I can't access the actual folder location and files.
 
Hi Imagefree,

ftp actually uses 2 ports:
21 - control port
20 - data port
you need to have them both for ftp to work

just for the record:
tcp/20 - ftp data
tcp/21 - ftp control
tcp/22 - ssh
tcp/80 - http
tcp/443 - https

Could you post your current config, do clear access-list counters 110, try ssh into your server and then post acl 110 hits - show access-list 110?

Regards,

t00r
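A quick way to run the check t00r describes (clear the counters, reproduce, read them back) without eyeballing the output: the Python below, added here as an example and not part of the thread, parses show access-lists output, treats an entry that carries no "(N matches)" suffix as a zero counter, and diffs two snapshots so an entry that never fired stands out. The two snapshots are constructed, modelled on the counters posted later in this thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the "show access-lists" output posted in this
# thread. IOS prints no "(N matches)" suffix on an entry whose counter is zero.
BEFORE = """\
Standard IP access list 1
    10 permit 200.100.49.56, wildcard bits 0.0.0.7 (75 matches)
Extended IP access list 110
    10 permit tcp 200.100.49.56 0.0.0.7 eq www any (55 matches)
    20 permit tcp 200.100.49.56 0.0.0.7 eq 22 any
    30 permit tcp 200.100.49.56 0.0.0.7 eq ftp any (25 matches)
    60 permit udp any any (48229 matches)
"""

# Same router a minute later, after one HTTP fetch and one SSH attempt (constructed).
AFTER = """\
Standard IP access list 1
    10 permit 200.100.49.56, wildcard bits 0.0.0.7 (80 matches)
Extended IP access list 110
    10 permit tcp 200.100.49.56 0.0.0.7 eq www any (61 matches)
    20 permit tcp 200.100.49.56 0.0.0.7 eq 22 any
    30 permit tcp 200.100.49.56 0.0.0.7 eq ftp any (25 matches)
    60 permit udp any any (48901 matches)
"""

HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
ENTRY = re.compile(r"^\s*(\d+)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")

Counters = Dict[Tuple[str, int], Tuple[str, int]]


def parse_counters(text: str) -> Counters:
    """Map (acl name, sequence number) -> (rule text, match count)."""
    acl = None
    out: Counters = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        h = HEADER.match(line)
        if h:
            acl = h.group(2)
            continue
        m = ENTRY.match(line)
        if m and acl is not None:
            count = int(m.group(3)) if m.group(3) else 0   # missing suffix == 0
            out[(acl, int(m.group(1)))] = (m.group(2), count)
    return out


def counter_delta(before: str, after: str, acl: str) -> Dict[int, Tuple[str, int]]:
    """Per-sequence hit increase for one ACL between two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    delta: Dict[int, Tuple[str, int]] = {}
    for (name, seq), (rule, cnt) in a.items():
        if name == acl:
            delta[seq] = (rule, cnt - b.get((name, seq), (rule, 0))[1])
    return delta


def idle_entries(before: str, after: str, acl: str) -> List[int]:
    """Sequence numbers that did not fire at all during the test window."""
    return [seq for seq, (_, d) in counter_delta(before, after, acl).items() if d == 0]


if __name__ == "__main__":
    for seq, (rule, d) in counter_delta(BEFORE, AFTER, "110").items():
        print(f"{seq:>3} +{d:<6} {rule}")
    print("never matched:", idle_entries(BEFORE, AFTER, "110"))
```

The policy is applied inbound on FastEthernet0/0, so these counters only ever see packets arriving from the SonicWall side. A zero delta on the "eq 22" entry during an SSH attempt therefore means no packet with source port 22 from the /29 reached the router at all, which argues for looking at the server or the SonicWall rather than at the router's NAT or route-map.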
 
One more thing - you need to add

access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 20 any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 21 any

to enable ftp through T1 (and make sure you've removed your deny tcp 21 line).

t00r
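Added example (mine, not code from the thread or from Cisco): a small Python model of how ACL 110 steers traffic through route-map ROUTE_VOIP. The "eq" sits on the source side of every entry, so the list classifies packets leaving the LAN by their source port: replies from the web, SSH and FTP servers hit the route-map and take the T1 with their public /29 address intact, while anything that does not match falls through to the default route and is NATed out the DSL. The server and client addresses, the www entry and the traffic samples are constructed. The model also shows the caveat t00r's port list leaves open: passive-mode FTP data connections come from an ephemeral server port that no "eq 20" entry will ever match, so they leave over the DSL with a different source address than the control connection.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Ace:
    """One entry of the form: permit <proto> <src> <wildcard> [eq <src-port>] any."""
    proto: str                      # "tcp", "udp" or "ip"
    src: str
    wildcard: str
    src_port: Optional[int] = None  # 'eq' is on the SOURCE side, as in the thread

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and p.proto != self.proto:
            return False
        addr = int(ipaddress.IPv4Address(p.src))
        base = int(ipaddress.IPv4Address(self.src))
        # Cisco wildcard semantics: a 1 bit is "don't care", only 0 bits are compared.
        care = ~int(ipaddress.IPv4Address(self.wildcard)) & 0xFFFFFFFF
        if (addr & care) != (base & care):
            return False
        return self.src_port is None or p.sport == self.src_port


NAMED_PORTS = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23}


def parse_ace(line: str) -> Ace:
    """Parse the subset of IOS extended-ACL syntax used in this thread."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "permit":
        raise ValueError(line)
    proto = t[3]
    if t[4] == "any":
        src, wc, rest = "0.0.0.0", "255.255.255.255", t[5:]
    else:
        src, wc, rest = t[4], t[5], t[6:]
    port = None
    if rest and rest[0] == "eq":
        port = NAMED_PORTS.get(rest[1]) or int(rest[1])
    return Ace(proto, src, wc, port)


# ACL 110 as it stands after t00r's advice (www entry assumed; the 444 entry left out).
ACL_110: List[Ace] = [parse_ace(l) for l in """\
access-list 110 permit udp any any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq www any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 22 any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 20 any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 21 any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 443 any
""".splitlines()]

T1 = "Serial0/0 (policy-routed over the T1, public /29 source kept)"
DSL = "FastEthernet0/1 (default route over DSL, NAT overload)"


def egress(p: Packet, acl: List[Ace] = ACL_110) -> str:
    """route-map ROUTE_VOIP: any ACE hit -> set interface Serial0/0 (the first
    usable interface in the set list); no hit -> ordinary routing plus NAT."""
    return T1 if any(a.matches(p) for a in acl) else DSL


# Constructed traffic. SERVER and CLIENT addresses are assumptions, not from the thread.
SERVER = "200.100.49.60"
CLIENT = "198.51.100.7"
CASES: Dict[str, Packet] = {
    "http reply":          Packet(SERVER, 80,    CLIENT, 51000, "tcp"),
    "ssh reply":           Packet(SERVER, 22,    CLIENT, 51001, "tcp"),
    "ftp control reply":   Packet(SERVER, 21,    CLIENT, 51002, "tcp"),
    "active ftp data":     Packet(SERVER, 20,    CLIENT, 51003, "tcp"),
    "passive ftp data":    Packet(SERVER, 50123, CLIENT, 51004, "tcp"),  # ephemeral port
    "rtp from phone":      Packet("200.100.49.58", 16384, "203.0.113.5", 16384, "udp"),
    "lan client browsing": Packet("200.100.49.59", 40000, "198.51.100.9", 443, "tcp"),
}


def classify_all(cases: Dict[str, Packet] = CASES) -> Dict[str, str]:
    return {name: egress(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, path in classify_all().items():
        print(f"{name:20s} -> {path}")
```

Two things the model makes visible that the config does not say out loud: "permit udp any any" sends every UDP packet from the LAN over the T1, not only RTP, and an outbound connection from a LAN host is never matched because its source port is ephemeral, so only the servers' replies take the T1.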
 
Hey t00r,

Current config:

!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
!
ip cef
ip ips po max-events 100
no ftp-server write-enable
!
class-map match-any RTP
match protocol rtp audio
!
policy-map VOICE
class RTP
priority percent 75
!
interface FastEthernet0/0
description LAN to Sonicwall
ip address 200.100.49.57 255.255.255.248
ip nat inside
ip virtual-reassembly
ip policy route-map ROUTE_VOIP
speed auto
full-duplex
!
interface Serial0/0
bandwidth 1544
ip address 200.110.30.174 255.255.255.252
ip nbar protocol-discovery
service-policy output VOICE
encapsulation ppp
load-interval 60
service-module t1 timeslots 1-24
!
interface FastEthernet0/1
description outside WAN
bandwidth 6000
ip address dhcp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
service-policy output VOICE
load-interval 60
duplex auto
speed auto
pppoe enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.6.1
ip route 0.0.0.0 0.0.0.0 200.110.30.173 5
ip route 192.168.6.0 255.255.255.0 FastEthernet0/1
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source route-map NO_NAT interface FastEthernet0/0 overload
ip nat outside source list 1 interface FastEthernet0/1
!
access-list 1 permit 200.100.49.56 0.0.0.7
access-list 1 permit 200.100.49.0 0.0.0.255
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq www any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 22 any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq ftp any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 443 any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 444 any
access-list 110 permit udp any any
!
route-map NO_NAT permit 10
match ip address 120
!
route-map ROUTE_VOIP permit 10
match ip address 110
set interface Serial0/0 FastEthernet0/1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
!
end
 
t00r

The HTTP is working, but the FTP and the SSH still aren't working. You can see by my current config that everything is in place. Here are my access-lists after the clear counters.

Standard IP access list 1
10 permit 200.100.49.56, wildcard bits 0.0.0.7 (75 matches)
Extended IP access list 110
10 permit tcp 200.100.49.56 0.0.0.7 eq www any (55 matches)
20 permit tcp 200.100.49.56 0.0.0.7 eq 22 any
30 permit tcp 200.100.49.56 0.0.0.7 eq ftp any (25 matches)
40 permit tcp 200.100.49.56 0.0.0.7 eq 443 any
50 permit tcp 200.100.49.56 0.0.0.7 eq 444 any
60 permit udp any any (48229 matches)
70 permit tcp host 200.100.49.61 eq 22 any
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit ip any any log

No hits to the SSH, however there are hits to the FTP. But I am not given the ability to peruse files, only log in. I think the problem is getting out after getting in.
 
t00r,
ignore these lines; they have been removed, just some attempts to get it working.

ip nat inside source route-map NO_NAT interface FastEthernet0/0 overload
ip nat outside source list 1 interface FastEthernet0/1
 
For ftp you need to add tcp port 20 rule into your acl 110 like in my earlier post.

Let's try to use some debugs to find out what happens with ssh.

Could you make the following acl
access-list 160 permit tcp any eq 22 any
access-list 160 permit tcp any any eq 22


then temporarily turn off CEF
no ip cef

do debug ip packet 160 detail from exec prompt

and try to ssh into your server. You should see a bunch of messages about how your ssh packets are being processed.

Could you post at least several of them?

After that do u all (undebug all) and turn CEF back on from config mode: ip cef

BTW, what is access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 444 any for?

t00r

 
t00r,
I must be blind, I read your post and thought 20 was 21. That did the trick. The ftp is working. I will try the ssh troubleshooting later.

The 444 is for HTTPS; I saw it somewhere in the configs for an application. I don't remember what, just decided to add it.

And Thanks again.
 
Imagefree,

OK. So the only thing left is ssh.

By default HTTPS uses port 443. I would check which port your application uses and remove the redundant one.

Regards,

t00r
 