IP SLA, Tunnels, and static routes
Here's the scenario: 1 router will have a primary and secondary ISP connection. I set up an SLA to track connectivity on the primary connection. Here are the static routes:
ip route 0.0.0.0 0.0.0.0 Tunnel55 track 10
ip route 12.54.X.X 255.255.255.240 GigabitEthernet0/0 track 10
ip route 12.54.X.Y 255.255.255.255 X.15.115.X track 10
ip route 192.168.32.0 255.255.240.0 Tunnel55 track 10
ip route 192.168.48.0 255.255.252.0 Tunnel55 track 10
ip route 192.168.56.0 255.255.255.0 Tunnel55 track 10
ip route 0.0.0.0 0.0.0.0 Tunnel56 254
ip route 12.54.X.X 255.255.255.240 GigabitEthernet0/1 254
ip route 12.54.X.Y 255.255.255.255 X.15.81.X 254
ip route 192.168.32.0 255.255.240.0 Tunnel56 254
ip route 192.168.48.0 255.255.252.0 Tunnel56 254
ip route 192.168.56.0 255.255.255.0 Tunnel56 254
So I shut down the port (gi0/0) belonging to the primary port. At this point, it seemed like it worked fine. The routes shifted over to the backup routes. However, when I re-enabled the port, only two of the routes switched back. The routes pointing to Tunnels stayed on the secondary tunnel. When I browsed my static routes, I saw this:
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Tunnel56
12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S 12.x.x.16/28 is directly connected, GigabitEthernet0/0
S 12.x.y.20/32 [1/0] via x.15.115.x
S 192.168.32.0/20 is directly connected, Tunnel56
S 192.168.48.0/22 is directly connected, Tunnel56
S 192.168.56.0/24 is directly connected, Tunnel56
Is there something special I need to do for Tunnels to allow the Tunnel routes to switch back automatically?
Hello Ken,
I can see you are sending the probe packets to the same object ( using the track ID 10 )
After you bring the interface tunnel up, can you confirm if you can send traffic to that object?
Regards,
Julio
Similar Messages
-
Hi to all,
I would like to know if it is possible to create a static Port Address Translation (PAT) that would translate a routable IP address to a private address where a GRE tunnel would end.
In other words, I am trying to see if we can use a static PAT for a GRE tunnel like the one that we can used to reach a HTTP server using a private IP address via static PAT to a routable IP address.
Just trying to see if it is possible to initiate a GRE tunnel from 192.168.1.1 (R1) and used 1.1.1.1 (R2), IP address reachable via internet, as destination address, in the case where we would do a PAT translation on R2 in order to actually terminate the tunnel on R3 router. The static PAT on R2 would translate 1.1.1.1 to 172.16.1.2.
I am basically looking for an equivalent to the following static PAT but for GRE tunnel
ip nat inside source static tcp 10.10.10.5 80 192.168.2.1 80
Thanks for your help
StephaneHello Stephane,
GRE is neither TCP nor UDP, GRE has its own protocol number 47. You can allow the traffic by either by calling GRE instead of TCP or UDP or by just putting a normal IP static NAT entry.
Extended IP access list GRE
10 permit tcp any any eq 47 log <--- No Hits
15 permit tcp any any log <--- No Hits
20 permit udp any any eq 47 log <--- No Hits
25 permit udp any any log <--- No Hits
30 permit gre any any log (20 matches)
40 permit ip any any (43 matches)
*Mar 1 00:27:48.435: IP: tableid=0, s=10.10.10.2 (local), d=10.10.10.1 (Tunnel1), routed via FIB
*Mar 1 00:27:48.435: IP: s=10.10.10.2 (local), d=10.10.10.1 (Tunnel1), len 100, sending
*Mar 1 00:27:48.435: ICMP type=0, code=0
*Mar 1 00:27:48.435: IP: s=192.168.9.5 (Tunnel1), d=192.168.8.2 (FastEthernet0/0), len 124, sending, proto=47
I hope it helps great for you. Please rate if you fell this is helpfull.
Thanks,
Kasi -
ISE version 1.3 and static route not working
This command works without any issues with ISE version 1.1 and 1.2:
ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1
However, it does NOT work in ISE version 1.3. See below:
ciscoisedev/admin(config)# ip route 192.168.1.1 255.255.255.255 gateway 127.0.0.1
% Warning: Could not find outgoing interface for gateway 127.0.0.1 while trying to add the route.
% Error: Error adding static route.
ciscoisedev/admin(config)#
Any ideas anyone?So it appears that there is no option to lock down access to the shell now that the command that you used to use is no longer valid. What is worse is that there isn't an option to create an ACL in the shell that you could attach to the interface. So I would recommend that you create a defect with Cisco TAC and get this re-added or request that ACL functionality is added.
For the GUI (in case you were not already aware of this), you can restrict access from Administration > Admin Access > Settings > Access > IP Access -
Hi,
I have got two internet link from different ISP. One ISP have got the bandwidth of 1 mbps and another of 10 mbps. I want to run ospf for the first ISP as they have provided two different networks and for the second ISP I want the static route.
I only need to route certain destination networks through first ISP so the OSPF should contain only few networks only and 0.0.0.0 through 2nd ISP. How can I perform this ?
DESTINATION NETWORK EXAMPLE (from 1st ISP)
200.200.200.200/24
100.100.100.100/24
150.150.150.150/24
Thanks in advance,
Regards
MeroHi,
Thanks for your reply.
I have got the configuration as follows:
Interface 0/0
Desc ***** connected to lan ******
ip address 101.2.2.1 255.255.255.240
interface 0/1
Desc ***** Connected to ISP 1 (Primary)
ip address 101.2.3.1 255.255.255.252
interface 0/2
Desc ***** Connected ISP 2 (Secondary)
ip address 101.2.4.1 255.255.255.252
ISP1 Networks:
200.200.200.200/24
100.100.100.100/24
150.150.150.150/24
How to distribute the above networks only through ospf ?
ISP1 is advertising area 30 for my network (101.2.2.1/28, 102.2.3.1/30, 101.2.4.1/30)
Now how do I perform my above mentioned task ?
Regards,
Mero -
2911/k9 lose static routing table entry
Hi,
my cisco router 2911/k9 with release 15.2(4)m6a lose default and static routing table entry every day, and after a reload the entry came back to my routing table.
this is an extract of my config:
interface Serial0/0/0:0
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type cisco
interface Serial0/0/0:0.1 point-to-point
ip address xxxxx.1
ip access-group 100 in
ip load-sharing per-packet
ip inspect cccc in
no cdp enable
frame-relay interface-dlci 100
interface Serial0/1/0:0
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type cisco
interface Serial0/1/0:0.1 point-to-point
ip address yyyyy.1
ip access-group 100 in
ip load-sharing per-packet
ip inspect cccc in
no cdp enable
frame-relay interface-dlci 100
ip route 0.0.0.0 0.0.0.0 xxxxx.2
ip route 0.0.0.0 0.0.0.0 yyyyyy.2
and more ip route static specific
Please, Who can help me? Can be a bug ?Hi,
It could be a bug but at this point, I am not that bold to assume that. We need more information.
May it be that your Frame Relay connection flaps? Is it possible that your subinterfaces go down? Please check the logs to see if the interfaces or subinterfaces change their status (up/down).
Can you verify the logs if there are any notes of recursive routing?
When you say the router loses the static routes, do they both completely disappear from the routing table? Do they at least stay configured in your running-config?
As a last-resort measure, turn on logging of debugging messages by logging buffered 1000000 debugging and then start the debug ip routing command. This command will cause a debugging message to be recorded every time there is a change to the routing table. At least we will see what event caused the default routes to disappear. You will probably need to run this debug running overnight till the default routes disappear.
Best regards,
Peter -
Hi All
Is it possible in IOS to have for a particular subnet:
a) Two static routes?
b) Make one static route a higher priority than the other?
c) If one static router "goes down", failover to the lower priority static route?
We have a l2tp/vpdn connection to a supplier which can be accessed via two vlans/routes. I would like to make one route the preferred one but the "route" to failover if the preferred route goes down.
Again, many thanks in advance for all responses!
Thanks
JohnHi John,
Hope the below explaination will help you...
R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2
R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
If you notice the Administrative Distance for the secondary route pointing to ISP2 is increased to 10 so that it becomes the backup link.
The above configuration with just two floating static routes partially accomplishes our requirement as it will work only in the scenario where the routers interfaces connected to the WAN link are in up/down or down/down status. But in a lot of situations we see that even though the links remain up but we are not able to reach the gateway, this usually happens when the issue is at the ISP side.
In such scenarios, IP SLAs becomes an engineer's best friend. With around six additional IOS commands we can have a more reliable automatic failover environment.
Using IP SLA the Cisco IOS gets the ability to use Internet Control Message Protocol (ICMP) pings to identify when a WAN link goes down at the remote end and hence allows the initiation of a backup connection from an alternative port. The Reliable Static Routing Backup using Object Tracking feature can ensure reliable backup in the case of several catastrophic events, such as Internet circuit failure or peer device failure.
IP SLA is configured to ping a target, such as a publicly routable IP address or a target inside the corporate network or your next-hop IP on the ISP's router. The pings are routed from the primary interface only. Following a sample configuration of IP SLA to generate icmp ping targeted at the ISP1s next-hop IP.
R1(config)# ip sla 1
R1(config)# icmp-echo 2.2.2.2 source-interface FastEthernet0/0
R1(config)# timeout 1000
R1(config)# threshold 2
R1(config)# frequency 3
R1(config)# ip sla schedule 1 life forever start-time now
The above configuration defines and starts an IP SLA probe.
The ICMP Echo probe sends an ICMP Echo packet to next-hop IP 2.2.2.2 every 3 seconds, as defined by the “frequency” parameter.
Timeout sets the amount of time (in milliseconds) for which the Cisco IOS IP SLAs operation waits for a response from its request packet.
Threshold sets the rising threshold that generates a reaction event and stores history information for the Cisco IOS IP SLAs operation.
After defining the IP SLA operation our next step is to define an object that tracks the SLA probe. This can be accomplished by using the IOS Track Object as shown below:
R1(config)# track 1 ip sla 1 reachability
The above command will track the state of the IP SLA operation. If there are no ping responses from the next-hop IP the track will go down and it will come up when the ip sla operation starts receiving ping response.
To verify the track status use the use the “show track” command as shown below:
R1# show track
Track 1
IP SLA 1 reachability
Reachability is Down
1 change, last change 00:03:19
Latest operation return code: Unknown
The above output shows that the track status is down. Every IP SLAs operation maintains an operation return-code value. This return code is interpreted by the tracking process. The return code may return OK, OverThreshold, and several other return codes.
Different operations may have different return-code values, so only values common to all operation types are used. The below table shows the track states as per the IP SLA return code.
Tracking
Return Code
Track State
Reachability
OK or over threshold
(all other return codes)
Up
Down
The Last step in the IP SLA Reliable Static Route configuration is to add the “track” statement to the default routes pointing to the ISP routers as shown below:
R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1
R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
The track number keyword and argument combination specifies that the static route will be installed only if the state of the configured track object is up. Hence if the track status is down the secondary route will be used to forward all the traffic.
Please rate the helpfull posts.
Regards,
Naidu. -
IPSEC tunnel and Routing protocols Support
Hi Everyone,
I read IPSEC does not support Routing Protocols with Site to Site VPN as they both are Layer4.
Does it mean that If Site A has to reach Site B over WAN link we should use Static IP on Site A and Site B Router?
In my home Lab i config Site to Site IPSES VPN and they are working fine using OSPF does this mean that IPSEC supports Routing Protocol?
IF someone can explain me this please?
OSPF config A side
router ospf 1
router-id 3.4.4.4
log-adjacency-changes
area 10 virtual-link 10.4.4.1
passive-interface Vlan10
passive-interface Vlan20
network 3.4.4.4 0.0.0.0 area 0
network 192.168.4.0 0.0.0.255 area 10
network 192.168.5.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.98.0 0.0.0.255 area 0
network 192.168.99.0 0.0.0.255 area 0
3550SMIA#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.5.3 to network 0.0.0.0
O 192.168.12.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
100.0.0.0/32 is subnetted, 1 subnets
O 100.100.100.100 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O 3.3.3.3/32 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
C 3.4.4.0/24 is directly connected, Loopback0
C 192.168.30.0/24 is directly connected, Vlan30
64.0.0.0/32 is subnetted, 1 subnets
O E2 64.59.135.150 [110/300] via 192.168.5.3, 1d09h, FastEthernet0/11
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
C 192.168.10.0/24 is directly connected, Vlan10
172.31.0.0/24 is subnetted, 4 subnets
O E2 172.31.3.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2 172.31.2.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2 172.31.1.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2 172.31.0.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O 192.168.11.0/24 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
O 192.168.98.0/24 [110/2] via 192.168.99.1, 3d17h, FastEthernet0/8
C 192.168.99.0/24 is directly connected, FastEthernet0/8
C 192.168.20.0/24 is directly connected, Vlan20
192.168.5.0/31 is subnetted, 1 subnets
C 192.168.5.2 is directly connected, FastEthernet0/11
C 10.0.0.0/8 is directly connected, Tunnel0
192.168.6.0/31 is subnetted, 1 subnets
O 192.168.6.2 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
O 192.168.1.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 1d09h, FastEthernet0/11
B Side Config
Side A
router ospf 1
log-adjacency-changes
network 192.168.97.0 0.0.0.255 area 0
network 192.168.98.0 0.0.0.255 area 0
network 192.168.99.0 0.0.0.255 area 0
1811w# sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.99.2 to network 0.0.0.0
O 192.168.12.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
100.0.0.0/32 is subnetted, 1 subnets
O 100.100.100.100 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
3.0.0.0/32 is subnetted, 2 subnets
O 3.3.3.3 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O 3.4.4.4 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.30.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
64.0.0.0/32 is subnetted, 1 subnets
O E2 64.59.135.150 [110/300] via 192.168.99.2, 1d09h, FastEthernet0
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.10.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
172.31.0.0/24 is subnetted, 4 subnets
O E2 172.31.3.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2 172.31.2.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2 172.31.1.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2 172.31.0.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.11.0/24 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
C 192.168.98.0/24 is directly connected, BVI98
C 192.168.99.0/24 is directly connected, FastEthernet0
O 192.168.20.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
192.168.5.0/31 is subnetted, 1 subnets
O 192.168.5.2 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
192.168.6.0/31 is subnetted, 1 subnets
O 192.168.6.2 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.1.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
O*E2 0.0.0.0/0 [110/1] via 192.168.99.2, 1d09h, FastEthernet0
Thanks
MaheshHello,
I'm saying crypto maps have a lot of limitations. Tunnel Protection make way more sense
U can configure in 2 ways [ and multicast WILL work over it]
1- GRE over IPSEC
crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec profile tp
set transform-set aes
int tu1
ip address 255.255.255.252
tunnel source
tunnel destination
tunne protection ipsec profile tp
We have configured mode transport because we encrypt GRE + what ever we encapsule in GRE [ eg OSPF - telnet - http ]
Pros:
We can as well transport IPV6 or CDP
Cons:
4 bytes of overhead due to GRE
2- IP over IPSEC
crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec profile tp
set transform-set aes
int tu1
ip address 255.255.255.252
tunnel source
tunnel destination
tunnel mode ipsec ipv4
tunne protection ipsec profile tp
This config is in fact closer from a crypto map [ from encapsulation standpoint]. The transform-set then NEED to be in tunnel-mode
Pro:
4 bytes overhead less than GRE over IPSEC
Cons:
Cannot transport CDP or MPLS or IPV6. Very limiting IMHO
Cheers
Olivier -
Default static route and Null 0
Hi Everyone,
Need to clear some doubts for below setup
Switch 3550A is connected to Internet Router and has OSPF nei relationship with it.
3550A# sh run int fa0/11
Building configuration...
Current configuration : 272 bytes
interface FastEthernet0/11
description OSPF LAN Connection to 2691 Router Interface Fas 0/1
no switchport
ip address 192.168.5.2 255.255.255.254
sh ip route shows
3550A#sh ip route
Gateway of last resort is 192.168.5.3 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 20:39:56, FastEthernet0/11
3550A#
All is working fine.
For testing purposes i config below static route on 3550A
ip default-network 192.168.1.0
ip route 192.168.1.0 255.255.255.0 Null0
After above change
3550A# sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
S* 192.168.1.0/24 is directly connected, Null0
O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 20:38:38, FastEthernet0/11
Now i can not ping to internet as below
3550A#ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Success rate is 0 percent (0/5)
When we ping from Switch then source IP is always the Outside interface IP right?
So in this case Switch is using which IP as source?
Ping to internet is not working as default network is set to 192.168.1.0 and all request goes to this IP and then it goes to
Null interface right?
Extended ping works fine as below
3550A#ping
Protocol [ip]:
Target IP address: 4.2.2.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.5.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.2
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/79/80 ms
Second thing to confirm is this ping works because 192.168.5.2 is directly connected to Internet Router interface?
Regards
MAheshHi Mahesh,
When we ping from Switch then source IP is always the Outside interface IP right?
That is correct. By default it is always the outgoing interface on the device unless you specify it differently.
Ping to internet is not working as default network is set to 192.168.1.0 and all request goes to this IP and then it goes to
Null interface right?
That is correct. Null0 can't be used as next-hop.
Second thing to confirm is this ping works because 192.168.5.2 is directly connected to Internet Router interface?
No, that is because 192.168.5.0/30 is NATed. Remember 192.168.x.x address is a private segment and cannot access the Internet unless NAT is used.
HTH
Reza -
How do you Redistribution EIGRP into OSPF and maintain a distance of 250 for a static route?
Ok, I have scoured the forums long enough and have to post. The design is below. I moved a firewall to our new data center, which required adding some static routes for VPN connections and broadband backups. To minimize the amount of static routes I redistribute static into EIGRP with a route-map and prefix-list.
My problem is the next part of my network. When the data leaves my 56128's it hits an edge device connecting to our dark fiber. On this edge device I am running OSPF onto the dark fiber, then redistribute some EIGRP subnets into OSPF and again all is well.
Everything works up until the point the redistributed routes hit my RIB at my main data center where I am running IBGP. IBPG is run between our MPLS router and core for all our remote sites. When my backup route from the 56128's hits the cores, it supersedes the BGP route because the AD route O E2 [110/20] is lower than the BGP AD B [200/0]. Given the configuration below what can be done to remedy this? Oh when I redistribute I can only change the AD for the backup routes, all other routes should stay the same.
56128's where my static routes are:
ip route 192.168.101.0/24 192.168.30.77 name firewall 250
router eigrp 65100
redistribute static route-map Static-To-Eigrp
route-map Static-To-Eigrp permit 10
match ip address prefix-list Static2Eigrp
ip prefix-list Static2Eigrp seq 2 permit 192.168.101.0/24
Edge device:
router eigrp 65100
network 172.18.0.5 0.0.0.0
network 172.18.0.32 0.0.0.3
network 172.18.0.36 0.0.0.3
redistribute ospf 65100 metric 2000000 0 255 1 1500
redistribute static metric 200000 0 255 1 1500 route-map STATICS_INTO_EIGRP
passive-interface default
no passive-interface Port-channel11
no passive-interface Port-channel12
eigrp router-id 172.18.0.5
router ospf 65100
router-id 172.18.0.5
log-adjacency-changes
redistribute eigrp 65100 subnets route-map EIGRP_INTO_OSPF
passive-interface default
no passive-interface GigabitEthernet1/0/1
no passive-interface GigabitEthernet1/0/2
no passive-interface GigabitEthernet2/0/1
no passive-interface GigabitEthernet2/0/2
network 172.18.0.0 0.0.255.255 area 0
ip prefix-list EIGRP_INTO_OSPF seq 5 permit 172.18.0.0/16 le 32
ip prefix-list EIGRP_INTO_OSPF seq 10 permit 192.168.94.0/29 le 32
ip prefix-list EIGRP_INTO_OSPF seq 15 permit 192.168.26.32/29 le 32
ip prefix-list EIGRP_INTO_OSPF seq 20 permit 192.168.30.72/29 le 32
ip prefix-list EIGRP_INTO_OSPF seq 25 permit 192.168.20.128/25 le 32
ip prefix-list EIGRP_INTO_OSPF seq 26 permit 192.168.101.0/24 le 32 <- Backup Route for MPLS Remote Office
route-map EIGRP_INTO_OSPF permit 10
match ip address prefix-list EIGRP_INTO_OSPFSo in the case of a /24. If it were say broken up into /25's? From our remote sites we are using aggregate-address summary-only. Not sure how I would advertise a more specific route via BGP, sorry.
I didnt have this problem until I moved my firewalls. They plugged into the cores where IBGP was running and the static never kicked in unless the bgp route disappeared. I guess I could use my static redistribution for my VPN sites and use statics across the cores for the handful of backup links I have. -
How to do nating in isa570 and is routing to be enabled for that . I have static ip configured and pining at my office and i want to acess rdp from my home
HHow did you export? Did you use H.264? Hour and a half is going to be a big file. For your customers sake you might consider breaking it down into segments.
-
Can anyone check this for me, nat overload, static and default routes, dhcp
VA has DHCP on fa0/0 and will have last good address for the gateway and will reserve 20 IP's for admin devices.
VA fa0/1 will be using static IP addressing and will be using the last good address as the default gateway address.
Serial links will use the 50.75.120.0/30 network on all serials.
Default route set to main via VAs next hop.
VA will be using NAT overload to Main via local interface.
VA
Fa0/0= 172.16.81.254
Fa0/1=172.16.82.126
S0/0/0=50.75.120.130
Main s0/0/1= 50.75.120.129 with a clock rate of 128kbps
Building configuration...
Current configuration : 1376 bytes
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname VA
enable secret 5 $1$mERr$3nisV1NYMTmTN5PhTMBC2/
enable password insurance
ip dhcp excluded-address 172.16.81.235 172.16.81.254
ip dhcp pool VA-dhcp
network 172.16.80.0 255.255.254.0
default-router 172.16.81.254
spanning-tree mode pvst
interface FastEthernet0/0
ip address 172.16.81.254 255.255.254.0
ip nat inside
duplex auto
speed auto
interface FastEthernet0/1
ip address 172.16.82.126 255.255.255.128
ip nat inside
duplex auto
speed auto
interface Serial0/0/0
ip address 50.75.100.130 255.255.255.252
ip nat outside
interface Serial0/0/1
no ip address
shutdown
interface Vlan1
no ip address
shutdown
ip nat inside source list 1 interface Serial0/0/0 overload
ip nat inside source list 2 interface Serial0/0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
ip route 50.74.100.128 255.255.255.252 50.74.100.130
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 2 permit 172.16.0.0 0.0.255.255
banner motd ^C
Restricted access to all unauthorized users, proceed at your will. Unauthorized users will be prosecuted to the extend of the law. ^C
line con 0
password shots
login
line aux 0
line vty 0 4
password xrays
login
end
VA(config)#
A network beginner, thank you in advance :))
Sent from Cisco Technical Support iPhone AppReyna,
I can see a couple of issues
Your static routes:-
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
ip route 50.74.100.128 255.255.255.252 50.74.100.130
Ser 0/0/1 is shut and has no ip addressing.
The route to 50.74.100.128 has no way to reach the next hop 50.74.100.130
Your NAT translations are both the same therfore only one is effective.
Just tidy up a little:-
The only static route you need is a default route:-
ip route 0.0.0.0 0.0.0.0 50.75.100.129
The NAT only requires one list and trans pointing out the outside interface
ip nat inside source list 1 interface Serial0/0/1 overload
access-list 1 permit 172.16.0.0 0.0.255.255
Regards,
Alex.
Please rate useful posts. -
DMVPN will not bring up dynamic tunnel unless using static routes
I have a hub and two spokes and each spoke is bringing up a tunnel to the hub and is routing normally. My problem is that if I try to route from spoke1 (10.30.1.1) to spoke2 (10.30.3.1) it will not bring up a new tunnel but instead will route through the hub.
If I put 'ip route 10.30.3.0 255.255.255.0 tunnel 0' on spoke1, it will then bring up the tunnel to spoke2. I know this is an EIGRP issue (my misconfiguration somewhere), can someone look at the configs and point me in the right direction?
Thanks!!!Use the Debug commands that run on the hub router confirm that the correct parameters are matched for the spoke and VPN Client connections. Run these debug commands.
debug crypto isakmp-Displays messages about IKE events.
debug crypto ipsec-Displays information about IPsec events.
Here is the configuration guide with the Hub & Spoke example. http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801eafcb.shtml -
I´m doing a design for presale, where I will need a router what support PAT for 500 or a little more of users, it not need any more features only static routing and dhcp pool for 500 users, can you help me for know what router recommend?
What is your WAN speed currently and projected WAN speed in the next 3 years?
-
AnyConnect Configuration - Tunnel subnets that are on "Static Routes"
Hi!
I've been trying to setup my Cisco ASA to handle VPN connections to a couple of subnets.
So we have a LAN which we have XenServers on (Lab environment)
On these machines we have a pfSense each to get a public IP so that we can NAT services to our virtual machines.
We are currently running AnyConnect to reach the managemen network "172.20.20.0/24"
But the pfSense's have their own IP's on this management vlan. So I thought that I could setup a static route to them.
So I did setup the route, I can now ping all the subnets.
The next thing to do is to get the AnyConnect to be able to reach all of these subnets.
I'll post a image that describes our network topology:
And I think i've got everything right. But it seems that something is missing. I've run out of ideas, and im still learning.
So it could just be soemthing easy. I will attach the network sketch and the config.
Thanks!
Best Regars:
Jonathan HerlinI tried the commands you wrote.
When I do the packet-trace I get the following.
ASA5505(config)# packet-tracer input inside tcp 192.168.60.100 80 172.20.23.68$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb52a1f0, priority=1, domain=permit, deny=false
hits=65188, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.20.23.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb51d4b0, priority=13, domain=permit, deny=false
hits=453, user_data=0xc9635ee0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb52def8, priority=0, domain=inspect-ip-options, deny=true
hits=51642, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcc3fd5f8, priority=0, domain=user-statistics, deny=false
hits=51667, user_data=0xcc28aaf0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=inside
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcb52def8, priority=0, domain=inspect-ip-options, deny=true
hits=51644, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xcc3fd5f8, priority=0, domain=user-statistics, deny=false
hits=51668, user_data=0xcc28aaf0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=inside
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 52463, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
ASA5505(config)#
So it seems to work, but I can't access "172.20.20.11" which is one of the static route pfSense's. May be that the Cisco is proppertly configured, but can't work with the pfSense's.
And I can't figure out where the packet is going, cause it seems like the package reaches the pfSense without any problems?
And the pfSense is working just fine.
/ Jonathan -
ACE and host static routes?
Hi,
Does an ACE context work with host static routes?
I've been trying to set up a context to load balance LDAP where the servers have IP addresses across multiple VLANs and I'm not allowed to change the IP addresses. I've tried bridging and routing configurations. The only case that works is where the server is a member of the server-side VLAN. I noticed a comment in the Routing manual page 2-2 is says that secondary IP addresses are not supported. Is a host static route equivalent to a secondary address.
Is it possible to achieve my goal.
Thank you
CathyThe problem is most probably asymetric routing.
When the client connects to the vip, the ace module will forward the traffic to the server re-using the client ip address so that the server believes it is communicating directly with the client.
The response from the server is sent to the client.
Since there are routers inbetween, they route the traffic using the best path which is most probably not through the ACE module.
So the client receives a resposne from the server which it drops because it is expecting a response from the vip.
one easy solution is to perform client nat on the ACE blade.
interface vlan 395
nat-pool 1 128.243.253.188 128.243.253.188 netmask 255.255.255.248 pat
Then configure
policy-map multi-match L4POLICY
class L4VIPCLASS
nat dynamic 1 vlan 395
If it works after that, you'll now you had an asymetric routing issue.
You can then keep the client nat solution or investigate the asymetry.
Gilles.
Maybe you are looking for
-
Is there really no way to get a refund for iTunes match?
Apple does not any support for iTunes Match and has not been able to make it work. Why then, does Apple not issue a refund for a defective product? Macbook Pro 2.7 with 8GB ram, 10.7.3 with iTunes 10.6.1 I have created a new music library, created a
-
HT1386 Syncing iTunes with iPod issues...
When I sync my iPod touch with iTunes it does not organize my music correctly. For example under one artist only one album will be shown when actually I have three in iTunes. But when I look under the albums category they all appear. How can I fix th
-
CS5/win: line break instead of paragraph?
Hello, how can I insert just a line break and not a new paragraph? Shift-Enter as it works in **all other** programs do not work. Thanks Carlos
-
Maximum number of saved searches on home screen
Does any one know what the maximum number of saved searches that will render on the home screen is? Thanks
-
I have a client that wants the following: A website with a community events list where people can log-in and add their own events to an events list, plus sign up for an automated email newsletter they would get weekly. Events that are occurring withi