Cisco 2621XM Qos/Tos settings part due 1


imagefree

IS-IT--Management
May 26, 2009
The ADSL modem is configured as such:

VPI/VCI  Con. ID  Category  Service Name  Interface Name  Protocol  IGMP      QoS       State    Status  IP Address
8/35     1        UBR       pppoa_8_35_1  ppp_8_35_1      PPPoA     Disabled  Disabled  Enabled  Up      70.20.100.184 (not actual IP address)
8/36     1        UBR       br_8_36       nas_8_36        Bridge    N/A       Disabled  Enabled  Up
 
Here is an sh version output:

Cisco IOS Software, C2600 Software (C2600-ADVIPSERVICESK9-M), Version 12.3(8)T4,
RELEASE SOFTWARE (fc2)
Technical Support: Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Thu 02-Sep-04 22:00 by eaarmas

ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)

router uptime is 3 weeks, 5 days, 21 hours, 50 minutes
System returned to ROM by reload
System image file is "flash:c2600-advipservicesk9-mz.123-8.T4.bin"
 
You have 2 VCIs configured on your modem. Which one do you use - PPPoA or bridging?

Here is how you can do your tracking config:

1. Define your SLAs:
rtr 1
type echo protocol ipIcmpEcho <Remote-ip-address> source-ipaddr <Your-local-IP>
timeout <How-many-milliseconds-you'll-wait-for-your-ping>
frequency <How-many-seconds-between-pings>

You'll need two rtrs - one for your T1 (rtr 1) and one for DSL (rtr 2).
2. Start SLAs:
rtr schedule 1 start-time now life forever
rtr schedule 2 start-time now life forever
3. Create tracking objects
track 1 rtr 1 state
track 2 rtr 2 state
4. Create your default static routes:
ip route 0.0.0.0 0.0.0.0 s0/0 track 1
ip route 0.0.0.0 0.0.0.0 <DSL-Default-Gateway-IP> track 2
5. Modify your PBR policy-map:
route-map PBR permit 10
match ip address TRAFFIC_TO_NAT
set ip next-hop verify-availability <DSL-Default-Gateway-IP> 10 track 2
set ip next-hop verify-availability <T1-Gateway-IP> 20 track 1
route-map PBR permit 20
match ip address VOICE_TRAFFIC
set ip next-hop verify-availability <T1-Gateway-IP> 10 track 1
set ip next-hop verify-availability <DSL-Default-Gateway-IP> 20 track 2
route-map PBR permit 30
set ip next-hop verify-availability <DSL-Default-Gateway-IP> 10 track 2
set ip next-hop verify-availability <T1-Gateway-IP> 20 track 1

What verify-availability does is first try to use the next hop with the lower priority value (10). If for some reason that tracking object is marked as down (you can manually check your tracking object status with show track <Tracking-Object-Number>), it then tries to use the next hop with the higher priority value (20).

The above config will work if you have real bridging on your DSL modem - otherwise you would be checking availability of your DSL modem LAN interface.

Regards,

t00r
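The five steps above assembled into one fragment, as an added worked example (it is not from t00r's post or from any config in this thread). It keeps the thread's interface roles (Serial0/0 = T1, FastEthernet0/1 = DSL, FastEthernet0/0 = LAN), the T1 addresses and the 200.100.49.56/29 server block that appear later in the thread, and uses the "rtr" keyword that 12.3(8)T4 understands (later releases spell it "ip sla"). Assumed values, not from the page: a static DSL address 198.51.100.2 with gateway 198.51.100.1, and probe targets 203.0.113.10 and 203.0.113.20 on the far side of each ISP (their DNS servers are the usual choice). The voice entry is placed before the catch-all so voice really is steered to the T1 instead of being swallowed by the first sequence.

```cisco
! Added example: IP SLA tracking + PBR failover for a 2621XM on 12.3(8)T4.
! ASSUMED: DSL static address 198.51.100.2 / gateway 198.51.100.1,
!          probe targets 203.0.113.10 (via T1) and 203.0.113.20 (via DSL).
!
! 1. One probe per WAN link, sourced from that link's own address.
rtr 1
 type echo protocol ipIcmpEcho 203.0.113.10 source-ipaddr 200.110.30.174
 timeout 1000
 frequency 5
rtr 2
 type echo protocol ipIcmpEcho 203.0.113.20 source-ipaddr 198.51.100.2
 timeout 1000
 frequency 5
!
! 2. Run both probes indefinitely.
rtr schedule 1 life forever start-time now
rtr schedule 2 life forever start-time now
!
! Pin each probe target to its own link. Without these host routes the
! probe just follows the routing table, so the "T1" probe could leave via
! DSL and keep reporting the T1 as up while the T1 is actually down.
ip route 203.0.113.10 255.255.255.255 200.110.30.173
ip route 203.0.113.20 255.255.255.255 198.51.100.1
!
! 3. Tracking objects; the delay keeps one lost ping from flapping routes.
track 1 rtr 1 state
 delay down 10 up 20
track 2 rtr 2 state
 delay down 10 up 20
!
! 4. Default routes that are withdrawn when their probe fails. DSL carries
!    bulk traffic; the T1 route is a floating backup (admin distance 5).
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 2
ip route 0.0.0.0 0.0.0.0 200.110.30.173 5 track 1
!
! Traffic classes referenced by the route-map (server block from the thread).
ip access-list extended VOICE_TRAFFIC
 permit udp 200.100.49.56 0.0.0.7 any
ip access-list extended TRAFFIC_TO_NAT
 permit ip 200.100.49.56 0.0.0.7 any
!
! 5. PBR: voice prefers the T1, everything else prefers DSL, and each entry
!    falls back to the other link when that link's tracking object is down.
route-map PBR permit 10
 match ip address VOICE_TRAFFIC
 set ip next-hop verify-availability 200.110.30.173 10 track 1
 set ip next-hop verify-availability 198.51.100.1 20 track 2
route-map PBR permit 20
 match ip address TRAFFIC_TO_NAT
 set ip next-hop verify-availability 198.51.100.1 10 track 2
 set ip next-hop verify-availability 200.110.30.173 20 track 1
!
! Apply the policy on the LAN-facing interface.
interface FastEthernet0/0
 ip policy route-map PBR
```

Verify with show track 1, show rtr operational-state 1 and show route-map PBR (the policy-matches counter tells you which sequence is actually being hit). Two cautions that bite in practice: use set ip next-hop rather than set interface on the Ethernet side towards the DSL modem, since set interface behaves predictably only on point-to-point links such as the T1; and whatever is policy-routed out the T1 with a 200.100.49.x source must also be excluded from the overload NAT on FastEthernet0/1, which is the NO_NAT route-map the rest of this thread works through.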
 
Hello Imagefree
Sorry for bailing out on you as I did. But it was holiday time, and that meant the wife or you ;-)

I see that you haven't fully resolved your issue yet. First of all, how's the voice quality? So has the solution that "RTR" has given you helped? I have reviewed your conf and I think your problem can be solved in a few different ways. I did offer you the NO_NAT solution but you applied it incorrectly. In any case it might not have worked, because I think that the return SSH and PHP traffic was being sent to the ADSL interface, because of the route-map that only allows outbound UDP traffic. The solution is to widen the route-maps so as to allow the SSH and PHP traffic on the T1 link. Please let me know your intentions so we can finally solve this problem.

Regards
 
Hey Minue,

I understand the situation with the vacation thing, I am patiently waiting on my day...

t00r has been helping me out and giving me new ideas (very grateful). The audio quality is much better, no complaints. I have ip nat inside turned on, so the VoIP traffic is being routed through the T1. But with that on I have no remote access.

I haven't been able to attempt the cmds t00r listed yet; I have been preoccupied at work.

I plan on changing the ADSL to a static IP.
 
Hi Imagefree,

Those tracking commands would be helpful if you have static IPs, since you'd need to know your local and gateway IPs. In later versions of IOS you can do that with dynamic IPs by referencing interfaces instead of IPs.

Regards,

t00r
 
Hello
It's good to hear that the voice quality is good. As far as going static on the ADSL goes, I don't know if that will solve the problem because of how your network is designed. I would try solving the problem by allowing SSH and PHP traffic to try the T1. In any case keep us updated.

Regards
 
Minue,

Can you point out where I went wrong with the previous attempt to allow PHP and SSH traffic?



 
Hi Imagefree,

If you want your web and SSH traffic to use your T1 line, you shouldn't include that traffic in the ACL called from route-map NO_NAT (ACL 120). Your ACL should look like:

access-list 120 deny tcp 200.100.49.56 0.0.0.7 eq 22 any
access-list 120 deny tcp 200.100.49.56 0.0.0.7 eq 80 any
access-list 120 deny tcp 200.100.49.56 0.0.0.7 eq 443 any
access-list 120 permit ip 200.100.49.56 0.0.0.7 any

And you should remove the ip nat inside line that uses ACL 1:
no ip nat inside source list 1 interface FastEthernet0/1 overload

You wanted to send incoming web and SSH traffic over your DSL; that is why I suggested getting a static IP address.

Regards,

t00r
 
Hello

"Can you point out where I went wrong with the previous attempt to allow php and ssh traffic?"

In the conf you should have killed the former NAT statement "ip nat inside source list 1 interface FastEthernet0/1 overload" and only used the one below:

"ip nat inside source route-map NO_NAT interface FastEthernet0/1 overload"

I made a mistake as well; it should have been FastEthernet0/1 instead of FastEthernet0/0.

Anyway, as I said before, I don't think this will solve the problem, because it could be the policy-based routing. When you have a maintenance window, first try disabling the PBR with this command:

interface FastEthernet0/0
no ip policy route-map ROUTE_VOIP

Then test SSH and PHP. This test will let us know where the problem is. After that we can alter the conf with one of the already proposed solutions.
Don't fear we're closer than you think ;-)

Regards

 
Ah, no fear, and thanks a lot guys.

I don't have much time for testing at the moment, but I will as soon as possible.

The last testing I did was with the SonicWall's VPN client, to VPN into the site instead of SSH...

That's the direction I need to take. Using a VPN would be more secure; it would solve some security issues that I am battling with.

When I get the chance I will test and see if the PBR was the issue; if it is not, I will remove the nat overload cmd and test the ACL (22, 80, 443 & the VPN).
 
Hi Imagefree,

I think Minue is right - there is a PBR issue. You'll need to send your SSH and HTTP(S) traffic to s0/0 too, not just UDP.

ACL 110 should look like:

access-list 110 permit udp any any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 22 any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 80 any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 443 any

This way you can avoid asymmetric routing.

Regards,

t00r
 
Minue, t00r

I got an hour to look at the cmds (wasn't enough time).

First thing I did was remove the ROUTE_VOIP PBR as per Minue.
No change.

Next thing I did, with the PBR still removed, was remove the incorrect overload statement. I got "%dynamic mapping in use cannot change", so I ran these cmds:

clear ip nat translation *
ip nat inside source route-map NO_NAT interface FastEthernet0/1 overload


With the new overload cmd I didn't get any more ip nat translations and my asymmetric problem resurfaced. HTTP traffic was coming in through the T1 and exiting through the ADSL.

I then changed the NO_NAT acl 120 to
access-list 120 deny tcp 200.100.49.56 0.0.0.7 eq 22 any
access-list 120 deny tcp 200.100.49.56 0.0.0.7 eq 80 any
access-list 120 deny tcp 200.100.49.56 0.0.0.7 eq 443 any
access-list 120 permit ip 200.100.49.56 0.0.0.7 any

Which doesn't make any sense to me, seeing as though I don't have a .56 IP address. I tried using .57 after .56 didn't work, but that didn't work either.

Didn't get a chance to try the other cmds; time expired.

Any feedback would be highly appreciated; the need for external access has just been put on the table.

Thanks in advance.



 
Hi imagefree,

Could you check that you've actually got rid of your NAT ACL 1? You can do that with show ip nat statistics and look in the Dynamic mappings section of the output.

200.100.49.56 0.0.0.7 in the ACL includes all addresses from 200.100.49.56 to 200.100.49.63. It covers the whole servers subnet.

Also, you'll need to use PBR to send your HTTP and SSH traffic to the T1 instead of the DSL line if you want to avoid asymmetric routing.

Regards,
t00r

P.S.: If you want you can send me your current running-config to andrey at maecfd d0t cornell d0t edu and I'll try to modify the config and send that back to you.
 
Hey t00r,

This is the output of the current working config, not when the changes were made.

gateway.gss#sho ip nat statistics
Total active translations: 169 (0 static, 169 dynamic; 169 extended)
Outside interfaces:
FastEthernet0/1
Inside interfaces:
FastEthernet0/0
Hits: 7515672 Misses: 129653
CEF Translated packets: 7332179, CEF Punted packets: 316283
Expired translations: 130551
Dynamic mappings:
-- Inside Source
[Id: 4] access-list 1 interface FastEthernet0/1 refcount 169
[Id: 3] route-map NO_NAT interface FastEthernet0/0 refcount 0
Queued Packets: 0


Now I understand the .7
Thanks and much respect.

Sending config...
 
t00r,

After looking over the configs you sent, they started to make sense and I gave them a swing.

Voila!

I can hit my PHPs and SSH with my running config. Thanks a mil.

 
You still have acl 1 in your nat config (Id: 4 line)

You need to
clear ip nat translation *
no ip nat inside source list 1 interface FastEthernet0/1 overload


to get rid of that.

I'll work on your config when I receive one.

t00r
 
I think we've cross-posted.

Are you talking about my earlier posts? Because I didn't receive anything through email yet.

Anyway it's good to know that your problem is solved :)

P.S.: I've received your config when I was just about to post

So far I've found 3 places that I would change:
1. Get rid of
ip nat inside source list 1 interface FastEthernet0/1 overload
2. Remove set interface FastEthernet0/0 from route-map NO_NAT permit 10
3. You have match ip address 110 twice in route-map ROUTE_VOIP permit 10.

I'll send you a cleaned version of the config. Let me know if you need anything else.

Regards,

t00r
 
Hi Imagefree
If I understood correctly, you have solved the problem thanks to t00r. Please confirm.
The last post of t00r is not clear to me. Can you please post the working config so I can review it, and also for future help to others who may have a similar setup.

Regards
 
Here is my current running config.

I got the chance to clean it up. There seems to be one problem, however. With the previous configs I could SSH onto the servers remotely. Now I can hit the PHPs remotely, but not SSH.



Building configuration...

Current configuration : 2140 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxx
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
!
ip cef
ip ips po max-events 100
no ftp-server write-enable
!
class-map match-any RTP
match protocol rtp audio
!
policy-map VOICE
class RTP
priority percent 75
!
interface FastEthernet0/0
description LAN to Sonicwall
ip address 200.100.49.57 255.255.255.248
ip nat inside
ip virtual-reassembly
ip policy route-map ROUTE_VOIP
speed auto
full-duplex
!
interface Serial0/0
bandwidth 1544
ip address 200.110.30.174 255.255.255.252
ip nbar protocol-discovery
service-policy output VOICE
encapsulation ppp
load-interval 60
service-module t1 timeslots 1-24
!
interface FastEthernet0/1
description outside WAN
bandwidth 6000
ip address dhcp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
service-policy output VOICE
load-interval 60
duplex auto
speed auto
pppoe enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.6.1
ip route 0.0.0.0 0.0.0.0 200.110.30.173 5
ip route 192.168.6.0 255.255.255.0 FastEthernet0/1
!
ip http server
no ip http secure-server
ip nat inside source route-map NO_NAT interface FastEthernet0/1 overload
!
! (two ACL lines were garbled in the posted output; the port-80 entries are
!  restored from the ACLs suggested earlier in this thread)
access-list 110 permit udp any any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 80 any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 22 any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 443 any
access-list 120 deny tcp 200.100.49.56 0.0.0.7 eq 22 any
access-list 120 deny tcp 200.100.49.56 0.0.0.7 eq 80 any
access-list 120 deny tcp 200.100.49.56 0.0.0.7 eq 443 any
access-list 120 permit ip 200.100.49.56 0.0.0.7 any
!
route-map NO_NAT permit 10
match ip address 120
!
route-map ROUTE_VOIP permit 10
match ip address 110
set interface Serial0/0 FastEthernet0/1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
!
end
 