Static routes, ISDN & different remote IP addresses

Scenario:
My client has 4 sites situated around an ISP MPLS cloud. All 4 CE routers connect to ISP PE equipment via different access circuits (See attached diagram).
The central site has Cisco 2800 router with 10M LES circuit into MPLS cloud (FastEthernet i/f) and ISDN BRI i/f for incoming calls from 3 remote sites.
The 3 remote sites are Cisco 1800 routers all with ISDN dial-out i/f’s and 1 site has numbered X21 serial link into MPLS cloud, whilst other 2 sites have IP unnumbered DSL circuits.
Problem:
1. Routing on the 4 routers is by static routes only, as ISP does not permit routing protocol.
2. Central router does not know if the remote DSL & X21 circuits have gone down, as they are all access circuits into MPLS cloud.
3. Central router (2800) needs floating static routes to change so that packets route via ISDN when remote sites dial in, but these are proving problematic to configure, as both the ISDN and FastEther i/f’s show as “up” on the 2800 under normal operation. So the routes stay as the higher weighted route all the time, regardless of whether the remote has dialled in or not.
The remote routers (3) can dial in fine when their Serial or ATM interfaces go down (using backup command on i/f’s). I have tried using floating static routes on the central router using 10.1.0.0/29 addresses assigned to the 4 ISDN interfaces, but the floating static remains up all the time, as the interface on the central router stays up all the time (as expected). The ISDN static route therefore stays in the routing table all the time, even when there is no ISDN call into the central site. The config on the central router is as follows:
interface BRI0/1/0
ip address 10.1.0.1 255.255.255.248
encapsulation ppp
isdn switch-type basic-net3
ppp authentication chap
ip route 172.16.2.0 255.255.255.0 10.1.0.2
ip route 172.16.2.0 255.255.255.0 10.0.0.1 200
ip route 172.16.3.0 255.255.255.0 10.1.0.3
ip route 172.16.3.0 255.255.255.0 10.0.0.1 200
ip route 172.16.4.0 255.255.255.0 10.1.0.4
ip route 172.16.4.0 255.255.255.0 10.0.0.1 200
The only way I think I can get around this problem in a simple manner is to have floating static routes with higher weights assigned to completely different IP addresses than the local ISDN interface. In the past I have seen that async modems dialing into a PRI circuit appear as directly connected in the routing table of an AS5300 (and work), even though they may be different network addresses than the PRI Dialer i/f address. An example of the static routes on the central router would be as follows:
ip route 172.16.2.0 255.255.255.0 2.2.2.2 (Route to site 1 only when ISDN backup is invoked)
ip route 172.16.2.0 255.255.255.0 10.0.0.1 200 (Route to site 1 under normal conditions, i.e. when remote has NOT dialled central via ISDN)
ip route 172.16.3.0 255.255.255.0 3.3.3.3 (Route to site 2 only when ISDN backup is invoked)
ip route 172.16.3.0 255.255.255.0 10.0.0.1 200 (Route to site 2 under normal conditions, i.e. when remote has NOT dialled central via ISDN)
ip route 172.16.4.0 255.255.255.0 4.4.4.4 (Route to site 3 only when ISDN backup is invoked)
ip route 172.16.4.0 255.255.255.0 10.0.0.1 200 (Route to site 3 under normal conditions, i.e. when remote has NOT dialled central via ISDN)
Questions:
1. Has anyone experienced this type of problem across multiple access circuits?
2. Has anyone tried to implement different IP addresses at the remote ends of an ISDN network? (See diagram below) I want to try /32 addresses on the 4 routers, e.g. 1.1.1.1, 2.2.2.2, 3.3.3.3 and 4.4.4.4. (Don’t have time to lab test this solution)
3. Can anyone suggest a simple solution?

What you want is object tracking, which will resolve this problem.
This technology sets up an object that pings a remote address. You use a route map to force the ping out of the interface that appears to remain up, in this case the MPLS main interface.
When a link fails somewhere, the object no longer gets a response and transitions to the down state.
You can use a static route that tracks the object to become active; this will be used to activate your local ISDN.
This was described in Packet Magazine 2ndQ 2004, here:
http://www.cisco.com/web/about/ac123/ac114/downloads/packet/packet/apr04/pdfs/apr04.pdf
Read the article about Static and Policy Routing Enhancements, it's excellent and should help you out.
Another way would be to build a GRE based VPN over the existing MPLS network, have you considered that?
Andy

Similar Messages

  • Cannot add static routes wrt350n

    Router has latest firmware and was just set to default values. I cannot add a static route, says "static route invalid" no matter what address I input (keeping it simple, trying 192.168.1.XXX)
    I have never had this problem with any other router and I'm thinking it's broken. Thought I'd ask here to make sure I wasn't missing a setting before I throw this thing out the window.
    Any help would be appreciated.
    Thanks, Nick.

    Thanks for the help, it is appreciated...
    I would like to use a static IP address for my LAN multimedia server; MythTV recommends a static address for the backend server. I have also always used static IP addresses for my LAN.
    I am a little confused, and my networking is very rusty so please bear with me. Perhaps I have not provided enough information, because I do not fully understand your response. I don't understand how subnetting is relevant.
    My network is a simple home network, with one router separating my LAN from the cloud. I have one LAN, no subnetting, 192.168.1.0/255.255.255.0.
    Every home router I have used before I have set up the LAN portion like this... And it has always worked in the past...
    gateway: 192.168.1.1/24.
    static routes 192.168.1.(2-5)/24 for my stationary hosts.
    dhcp range 192.168.1.(10-15)/24 for laptops and guests.
    In response:
    1) Yes it is LAN traffic, but the hosts still need addresses, right? Not sure what you're getting at here.
    2) Not sure what you mean... example host 192.168.1.20/24, and the router 192.168.1.1/24 are both within the 192.168.1.0/24 network, right? So requests from the cloud are broadcast to all in my LAN, right? How is this relevant?
    3) I thought the gateway (on my only router) has to be part of the LAN addressing. By Linksys/Cisco default, the router LAN side gateway is 192.168.1.1/24 and it sends out dhcp addresses to 192.168.1.(100-149)/24.
    Am I severely confused or are we just on the wrong page?

  • Persistent Static Routes

    I have three Macs that need to have persistent static routes set up.  I installed RouteSplit for this purpose and it seems to work well.  After reboot, I can ping a host machine on the static route.  But if I try to mount an SMB share over that route, it fails and I find that I can't even ping the host address anymore.  If I reboot, I am back to having connectivity again, but attempting to mount the SMB share breaks it again.  Is there something in the SMB.conf file that is breaking my static route?
    By the way, even after it has been broken, I can do a netstat -rn and it shows the static route in the routing table.  I am lost.
    Bob Reed

    I can ping a host machine on the static route
    By name, or by address?
    But if I try to mount an SMB share over that route, it fails and I find that I can't even ping the host address anymore
    By name, or by address?
    You don't state how you're testing your ping, either before or after the attempt to mount the server.
    There is a 100% disconnect between SMB and your routing table - it shouldn't be possible for SMB to affect that, nor should SMB care how to get to the specified host. Therefore I'm thinking the problem lies somewhere in between, possibly in the name resolution part of the process, hence my questions.

  • ACE and host static routes?

    Hi,
    Does an ACE context work with host static routes?
    I've been trying to set up a context to load balance LDAP where the servers have IP addresses across multiple VLANs and I'm not allowed to change the IP addresses. I've tried bridging and routing configurations. The only case that works is where the server is a member of the server-side VLAN. I noticed a comment in the Routing manual, page 2-2, that says secondary IP addresses are not supported. Is a host static route equivalent to a secondary address?
    Is it possible to achieve my goal?
    Thank you
    Cathy

    The problem is most probably asymmetric routing.
    When the client connects to the vip, the ace module will forward the traffic to the server re-using the client ip address so that the server believes it is communicating directly with the client.
    The response from the server is sent to the client.
    Since there are routers in between, they route the traffic using the best path, which is most probably not through the ACE module.
    So the client receives a response from the server which it drops because it is expecting a response from the vip.
    One easy solution is to perform client nat on the ACE blade.
    interface vlan 395
    nat-pool 1 128.243.253.188 128.243.253.188 netmask 255.255.255.248 pat
    Then configure
    policy-map multi-match L4POLICY
    class L4VIPCLASS
    nat dynamic 1 vlan 395
    If it works after that, you'll know you had an asymmetric routing issue.
    You can then keep the client nat solution or investigate the asymmetry.
    Gilles.

  • Any static routing experts here?

    Have a setup involving 3 routers and various workstations as follows
    ONT Cat5 -> Actiontec wan port.  Actiontec subnet 192.168.1
    Actiontec lan port -> Netgear wndr3200 wan port (192.168.1.253).  Netgear subnet 192.168.0
    Actiontec lan port -> Dlink dir655 wan port (192.168.1.254).  Dlink subnet 192.168.3
    Have user devices on all 3 subnets and they can all talk to the internet fine.  In addition I can access the Actiontec admin from any device on the Netgear or Dlink subnets.
    Would like to be able to access the Netgear and Dlink subnets from devices on the Actiontec subnet.  I know this involves building static routes on all the routers and have done this but still can't access, so I presume either my static routes are incorrect or, more likely, there is something I have to do in the router firewalls.  I lean more to the router firewalls as I am guessing they are blocking the inbound traffic.
    Anybody have any hints as to how this is done?

    You'd generally have a static route pointed to the (WAN) address of the next router in the chain.
    Your outside router (Actiontec) would have
    static route 192.168.0.0/24 with the nexthop 192.168.1.253.
    static route 192.168.3.0/24 with the nexthop 192.168.1.254.
    Your Dlink and Netgear shouldn't need any static routes (since they are, generally speaking, default routing to the wan port). The problem you're running into is that they're also NATing the address.
    So when you receive a packet from 192.168.3.2 (connected to the DLINK) on 192.168.1.2 (connected to the ACTIONTEC) the receiving device sees src:192.168.1.254 dst:192.168.1.2 most likely. When you're sending a packet to 192.168.3.2, with a nexthop of 192.168.1.254, that natting part isn't going to work like you expect (it's expecting a packet to 192.168.1.254 with a specific port, which it will then port-forward to 192.168.3.2 on the port you tell it to, whether it's the same port or not, based on port forwarding rules built on the dlink).
    Does that help at all? Unless you can turn natting off, you need to be doing port-based stuff with port forwarding, in the setup you're describing, IMO.
    Paul

  • Routing loop when tracing to remote ip address on vpn concentrator

    When I try and ping a remote address on my vpn 3000 concentrator I get ttl exceeded. When I try and tracert from my workstation to the remote address on my vpn 3000 I see a loop.
    Tracing route to x.3.17.145
    over a maximum of 30 hops:
      1    29 ms    31 ms    28 ms  172.4.0.20
      2    32 ms    30 ms    29 ms  172.4.0.25
      3    38 ms    29 ms    31 ms  172.3.0.21
      4    33 ms    30 ms    32 ms  172.4.0.25
      5    32 ms    49 ms    27 ms  172.3.0.21
      6    35 ms    30 ms    38 ms  172.4.0.25
      7    31 ms    28 ms    28 ms  172.3.0.21
      8    28 ms    28 ms    42 ms  172.4.0.25
      9    38 ms    27 ms    32 ms  172.3.0.21
     10    35 ms    28 ms    36 ms  172.4.0.25
     11    35 ms    27 ms    28 ms  172.3.0.21
     12    30 ms    28 ms    28 ms  172.4.0.25
     13    39 ms    30 ms    43 ms  172.3.0.21
     14    48 ms    28 ms    29 ms  172.4.0.25
     15    36 ms    28 ms    34 ms  172.3.0.21
     16    39 ms    39 ms    56 ms  172.4.0.25
     17    42 ms    38 ms    47 ms  172.3.0.21
     18    35 ms    39 ms    41 ms  172.4.0.25
     19    49 ms    32 ms    29 ms  172.3.0.21
     20    32 ms    28 ms    29 ms  172.4.0.25
     21    28 ms    43 ms    30 ms  172.3.0.21
     22    37 ms    32 ms    34 ms  172.4.0.25
     23    29 ms    31 ms    32 ms  172.3.0.21
     24    29 ms    33 ms    31 ms  172.4.0.25
     25    32 ms    41 ms    43 ms  172.3.0.21
     26    43 ms    29 ms    39 ms  172.4.0.25
     27    47 ms    33 ms    31 ms  172.3.0.21
     28    37 ms    29 ms    35 ms  172.4.0.25
     29    44 ms    30 ms    91 ms  172.3.0.21
     30    31 ms    41 ms    50 ms  172.4.0.25
    172.3.0.21 is my private interface on the vpn 3000.
    172.4.0.20 is my public interface on the vpn 3000.
    172.4.0.25 is the default gateway / router interface on my router.
    interface GigabitEthernet1/1/0.1
    description connected to LAN
    encapsulation dot1Q 1 native
    ip address 10.3.0.25 255.255.255.0
    interface GigabitEthernet0/0.4
    description vpn 3000 concentratorconnection
    encapsulation dot1Q 4
    ip address 10.4.0.25 255.255.255.0
    172.3.0.21 has no default gateway on the vpn concentrator.
    172.3.0.21 has a default gateway 172.4.0.25  on the vpn concentrator.

    Hi John
    Could you clarify where you are pinging from and where you are pinging to please?
    From the LAN to a destination across a VPN tunnel?
    Or from a source across the VPN tunnel to a host on the concentrator's LAN?
    Or from a source across the VPN tunnel to a host on the Internet?
    I suppose your last line has a typo, it should be
    172.4.0.21 has a default gateway 172.4.0.25  on the vpn concentrator.
    right?
    Apart from the default gateway are there any other static routes configured on the vpn3k and the router? No dynamic routing protocol?
    tnx
    Herbert

  • Can i use same address pool for different remote access VPN tunnel groups and policy

    Hi all,
    I want to create a different remote access VPN profile on the ASA. I have one RA VPN already configured for some purpose.
    Can I use the same IP address pool used for the existing one for the new tunnel-group (to avoid adding routing on internal devices for a new pool, and it's a temporary requirement)?
    thanks in advance
    Shnail

    Thanks Karsten..
    But still I can have filtering, right? I am planning to create a new group policy and tunnel-group and use the existing pool for the new RA, and I have to do some filtering also. For the new RA I have to restrict access to a particular server; my existing RA has full access.
    So I am planning to create new local usernames for the new RA and a new group policy with a vpn-filter value access-list to apply for that user as below. This will achieve what I need, right?
    access-list 15 extended permit tcp any host 192.168.205.134 eq 80
    username test password password test
    username test attributes
    vpn-group-policy TEST
    vpn-filter value 15
    group-policy TEST internal
    group-policy TEST attributes
    dns-server value 192.168.200.16
    vpn-filter value 15
    vpn-tunnel-protocol IPSec
    address-pools value existing-pool
    tunnel-group RAVPN type ipsec-ra
    tunnel-group RAVPN general-attributes
    address-pool existing-pool
    default-group-policy TEST
    tunnel-group Payroll ipsec-attributes
    pre-shared-key xxx

  • Empty 'remote-media-address' field in CDR on IOS router

    Hello community,
    We have CISCO2911-V/K9 with c2900-universalk9_npe-mz.SPA.153-3.M.bin
    CDR file accounting is configured:
    gw-accounting file
     primary ftp 192.168.1.1/ username test password test
     acct-template callhistory-detail
     maximum fileclose-timer 65
    CDR files are regularly flushed to the FTP server. But 'remote-media-address' in SIP call records is '0.0.0.0'.
    On the other hand, 'sh call hist voice' gives correct information about remote voice gateway IP addresses.
    What can be the cause of the problem?

    Try using webvpndomain.com/myVPNGW as host

  • Configuring static routes at the network edge

    We have some Cisco 1750 routers at the edge of our network which are running RIP. We were advised to use static routes on the router, since there was only one route (across a WAN link) for traffic to go from the hub connected to the router, as RIP would only waste the limited bandwidth to the router. We posted this problem previously and got a response which stated: You could set up a default static route on your edge router, run RIP on your internal routers in order to propagate the default, but block the RIP to the outside.
    On your edge router, make a default route to your external link. Keep RIP running as before, but add the line redistribute static in your rip configuration. That will get the default route propagated.
    Now to stop the RIP on the external interface: If the link is on a different major IP network to your internal network, you can simply not include it in the network commands under rip. But if it is in the same network, then RIP will be enabled on the interface, so you will have to add passive-interface xxxxx, where xxxxx refers to the interface carrying your external link,
    Alternatively, you could define your default route using the ip default-network command. This will get propagated automatically into the RIP even without the redistribute command.
    We tried it; the problem is that the router is unreachable via the serial or Ethernet, although if connected to the router via the console port, with the configuration screen, you are able to ping external locations and are able to telnet into the router, but the PCs on the Ethernet side of the router can't see the network.
    Assistance/Advice requested.
    Attached you will find the actual reply and a copy of some info from our work file.

    Ernie
    I have looked at the config that you posted and I see several issues. The serial interface on Salvage is 172.20.2.2. Your message indicates that it is connected via serial to a 3640 which your message seems to indicate is 172.20.1.4. But that makes the 3640 on a different subnet. Connections over a serial link should be in the same subnet on both ends. (The exception to that is when you are using the ip unnumbered feature - which you are not). I suspect that part of your problem is that the routers do not see themselves on a connected subnet. When you run RIP over the link it can compensate for that to some degree. But when you stop RIP the problem has impact.
    Also I see that you have a static default route as Kevin suggested. And in RIP you have redistribute static. But there is no default metric defined. To redistribute into RIP you need a default metric. Another aspect of the problem with the default route is that the next hop for the default route is 172.20.1.4, but without RIP running I believe that Salvage has no idea how to get to that address. You can confirm this by doing show ip route 172.20.1.4 on Salvage. I suspect that you will get an error about route not in table.
    Beyond these issues I believe that there is a larger problem of misunderstanding. When I look at your original post in this thread it talks about not running RIP over the serial link. And when I read Kevin's response the first paragraph is describing not running RIP over the serial interface when it says do static default on your edge router and run RIP on your internal router. If you are not running RIP over the serial interface then I see no reason to run RIP on Salvage at all. There is one piece of this that Kevin did not address. If you do not run RIP over the serial link then how does the 3640 know about the Ethernet subnet at Salvage. I believe that the answer is that the 3640 needs to configure a static route to 172.20.27.0 with the 1750 serial interface as the next hop. And if there are other routers that the 3640 communicates with via RIP then the 3640 needs to redistribute static into RIP (remembering to have a default metric).
    If you address these issues I believe that you will have connectivity from the central network to the remote subnet on Salvage.
    HTH
    Rick

  • Is it possible in IOS to have two static routes for the same subnet, one a higher priority and "failover" between the 2?

    Hi All
    Is it possible in IOS to have for a particular subnet:
    a) Two static routes?
    b) Make one static route a higher priority than the other?
    c) If one static route "goes down", failover to the lower priority static route?
    We have a l2tp/vpdn connection to a supplier which can be accessed via two vlans/routes. I would like to make one route the preferred one but the "route" to failover if the preferred route goes down.
    Again, many thanks in advance for all responses!
    Thanks
    John

    Hi John,
    Hope the below explanation will help you...
    R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2
    R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
    If you notice the Administrative Distance for the secondary route pointing to ISP2 is increased to 10 so that it becomes the backup link.
    The above configuration with just two floating static routes partially accomplishes our requirement, as it will work only in the scenario where the router's interfaces connected to the WAN link are in up/down or down/down status. But in a lot of situations we see that even though the links remain up, we are not able to reach the gateway; this usually happens when the issue is at the ISP side.
    In such scenarios, IP SLAs becomes an engineer's best friend. With around six additional IOS commands we can have a more reliable automatic failover environment.
    Using IP SLA the Cisco IOS gets the ability to use Internet Control Message Protocol (ICMP) pings to identify when a WAN link goes down at the remote end and hence allows the initiation of a backup connection from an alternative port. The Reliable Static Routing Backup using Object Tracking feature can ensure reliable backup in the case of several catastrophic events, such as Internet circuit failure or peer device failure.
    IP SLA is configured to ping a target, such as a publicly routable IP address or a target inside the corporate network or your next-hop IP on the ISP's router. The pings are routed from the primary interface only. Following is a sample configuration of IP SLA to generate an ICMP ping targeted at ISP1's next-hop IP.
    R1(config)# ip sla 1
    R1(config)# icmp-echo 2.2.2.2 source-interface FastEthernet0/0
    R1(config)# timeout 1000
    R1(config)# threshold 2
    R1(config)# frequency 3
    R1(config)# ip sla schedule 1 life forever start-time now
    The above configuration defines and starts an IP SLA probe.
    The ICMP Echo probe sends an ICMP Echo packet to next-hop IP 2.2.2.2 every 3 seconds, as defined by the “frequency” parameter.
    Timeout sets the amount of time (in milliseconds) for which the Cisco IOS IP SLAs operation waits for a response from its request packet.
    Threshold sets the rising threshold that generates a reaction event and stores history information for the Cisco IOS IP SLAs operation.
    After defining the IP SLA operation our next step is to define an object that tracks the SLA probe. This can be accomplished by using the IOS Track Object as shown below:
    R1(config)# track 1 ip sla 1 reachability
    The above command will track the state of the IP SLA operation. If there are no ping responses from the next-hop IP the track will go down and it will come up when the ip sla operation starts receiving ping response.
    To verify the track status use the “show track” command as shown below:
    R1# show track
    Track 1
    IP SLA 1 reachability
    Reachability is Down
    1 change, last change 00:03:19
    Latest operation return code: Unknown
    The above output shows that the track status is down. Every IP SLAs operation maintains an operation return-code value. This return code is interpreted by the tracking process. The return code may return OK, OverThreshold, and several other return codes.
    Different operations may have different return-code values, so only values common to all operation types are used. The below table shows the track states as per the IP SLA return code.
    Tracking        Return Code                  Track State
    Reachability    OK or over threshold         Up
                    (all other return codes)     Down
    The last step in the IP SLA Reliable Static Route configuration is to add the “track” statement to the default routes pointing to the ISP routers as shown below:
    R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1
    R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
    The track number keyword and argument combination specifies that the static route will be installed only if the state of the configured track object is up. Hence if the track status is down the secondary route will be used to forward all the traffic.
    Please rate the helpful posts.
    Regards,
    Naidu.
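Added example, not code from the thread: a Python model of the static-route selection that the original question at the top of the page and Naidu's IP SLA walkthrough above both turn on. It uses the prefixes and next hops from the two posts; the track object numbered 2 that watches the MPLS path to site 1 is an assumption, not something either post configures.

```python
"""Model of Cisco IOS static-route selection with object tracking.

Constructed example, not code from the thread: it picks the route the RIB
installs for a prefix (lowest administrative distance among the eligible
routes) and reads track states out of 'show track' output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    prefix: str                  # "172.16.2.0/24" or "0.0.0.0/0"
    next_hop: str
    distance: int = 1            # administrative distance; IOS default is 1
    track: Optional[int] = None  # track object the route depends on, if any


def parse_show_track(output: str) -> Dict[int, bool]:
    """Return {track_id: reachable} from 'show track' text."""
    states: Dict[int, bool] = {}
    current: Optional[int] = None
    for line in output.splitlines():
        header = re.match(r"\s*Track (\d+)\s*$", line)
        if header:
            current = int(header.group(1))
            continue
        state = re.match(r"\s*Reachability is (Up|Down)", line)
        if state and current is not None:
            states[current] = state.group(1) == "Up"
    return states


def route_is_eligible(route: StaticRoute, track_state: Dict[int, bool],
                      interface_up: bool = True) -> bool:
    """A static route stays in the table while its egress interface is up;
    a tracked route additionally needs its track object to be Up."""
    if not interface_up:
        return False
    return True if route.track is None else track_state.get(route.track, False)


def select_route(prefix: str, routes: List[StaticRoute],
                 track_state: Dict[int, bool]) -> Optional[StaticRoute]:
    """Lowest administrative distance among the eligible routes wins."""
    candidates = [r for r in routes
                  if r.prefix == prefix and route_is_eligible(r, track_state)]
    return min(candidates, key=lambda r: r.distance) if candidates else None


def installed_next_hop(prefix: str, routes: List[StaticRoute],
                       show_track_output: str) -> Optional[str]:
    """Next hop the RIB would use for prefix, given a 'show track' capture."""
    chosen = select_route(prefix, routes, parse_show_track(show_track_output))
    return chosen.next_hop if chosen else None


# Original question, site 1: ISDN route at AD 1, MPLS floating at AD 200.
# BRI0/1/0 is up whether or not a call is connected, so the 10.1.0.2 route
# is never withdrawn and the MPLS route never gets installed.
ORIGINAL_ROUTES = [
    StaticRoute("172.16.2.0/24", "10.1.0.2", 1),
    StaticRoute("172.16.2.0/24", "10.0.0.1", 200),
]

# Same site with object tracking, the fix both replies describe: MPLS is the
# tracked primary, ISDN the floating backup. Track 2 is an assumed object
# (not on the page) that pings the remote site across the MPLS path.
TRACKED_ROUTES = [
    StaticRoute("172.16.2.0/24", "10.0.0.1", 1, track=2),
    StaticRoute("172.16.2.0/24", "10.1.0.2", 200),
]

# Naidu's dual-ISP default route, with track 1 on the ISP1 next hop.
ISP_ROUTES = [
    StaticRoute("0.0.0.0/0", "2.2.2.2", 1, track=1),
    StaticRoute("0.0.0.0/0", "3.3.3.3", 10),
]

# Constructed 'show track' capture: track 1 has lost the ISP1 next hop,
# track 2 still reaches the remote site.
SHOW_TRACK = """\
Track 1
  IP SLA 1 reachability
  Reachability is Down
  1 change, last change 00:03:19
Track 2
  IP SLA 2 reachability
  Reachability is Up
"""

if __name__ == "__main__":
    print("original:", installed_next_hop("172.16.2.0/24", ORIGINAL_ROUTES, ""))
    print("tracked: ", installed_next_hop("172.16.2.0/24", TRACKED_ROUTES, SHOW_TRACK))
    print("default: ", installed_next_hop("0.0.0.0/0", ISP_ROUTES, SHOW_TRACK))
```

With the original routes the ISDN next hop is chosen no matter what the track objects say, which is the behaviour the question describes; with the tracked routes the MPLS path is used until its track goes Down, and the default route falls back to ISP2 as soon as track 1 does.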

  • Default static route and Null 0

    Hi Everyone,
    I need to clear some doubts about the setup below.
    Switch 3550A is connected to the Internet Router and has an OSPF neighbor relationship with it.
    3550A#sh run int fa0/11
    Building configuration...
    Current configuration : 272 bytes
    interface FastEthernet0/11
     description OSPF LAN Connection to 2691 Router Interface Fas 0/1
     no switchport
     ip address 192.168.5.2 255.255.255.254
    sh ip route shows
    3550A#sh ip route
    Gateway of last resort is 192.168.5.3 to network 0.0.0.0
    O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 20:39:56, FastEthernet0/11
    3550A#
    All is working fine.
    For testing purposes I configured the static route below on 3550A
    ip default-network 192.168.1.0
    ip route 192.168.1.0 255.255.255.0 Null0
    After above change
    3550A#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is not set
    S*   192.168.1.0/24 is directly connected, Null0
    O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 20:38:38, FastEthernet0/11
    Now I cannot ping the internet, as below
    3550A#ping 4.2.2.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    When we ping from Switch then source IP is always the Outside interface IP right?
    So in this case which IP is the Switch using as source?
    Ping to internet is not working as default network is set to 192.168.1.0 and all request goes to this IP and then it goes to Null interface right?
    Extended ping works fine as below
    3550A#ping
    Protocol [ip]:
    Target IP address: 4.2.2.2
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 192.168.5.2
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
    Packet sent with a source address of 192.168.5.2
    Success rate is 100 percent (5/5), round-trip min/avg/max = 76/79/80 ms
    Second thing to confirm is this ping works because 192.168.5.2 is directly connected to Internet Router interface?
    Regards
    Mahesh

    Hi Mahesh,
    When we ping from Switch then source IP is always the Outside interface IP right?
    That is correct.  By default it is always the outgoing interface on the device unless you specify it differently.
    Ping to internet is not working as default network is set to 192.168.1.0 and all request goes to this IP and then it goes to Null interface right?
    That is correct. Null0 can't be used as next-hop.
    Second thing to confirm is this ping works because 192.168.5.2 is directly connected to Internet Router interface?
    No, that is because 192.168.5.0/30 is NATed. Remember 192.168.x.x address is a private segment and cannot access the Internet unless NAT is used.
    HTH
    Reza

  • Problems setting up static routing

    Hi
    I'm having a problem setting up static routing.  I keep getting the message "invalid static route".  I have an E1550 router and my firmware is up to date.  I have tried a few different gateway addresses, i.e. 192.168.1.1, 127.0.0.1 and my router's address on the net, but I keep getting the same message.  Has anyone else had this problem and been able to fix it?

    I think the E1550 router supports LAN to LAN routing provided that you have two local networks. If you only have a plain modem and the E1550, I believe you can't do Static routing on that type of setup. Found this link that might help: http://kb.linksys.com/Linksys/ukp.aspx?vw=1&docid=12a84336a124498eb5d6f0204b85191e_17589.xml&pid=80&...

  • How Can I Use two Different Public IP Addresses on my DMZ with ASA Firewall.

    How to Use Two Different Public IP Addresses on My DMZ with ASA 5520
    Posted by jorge decimo decimo on 28/Jan/2013 5:51:28
    Hi everyone out there.
    Can anyone please help me regarding this situation? I'm looking for a solution.
    My old range of public IP addresses is finished, I mean the 41.x.x.0 range.
    So now I still need to have in my DMZ another two servers that will bring some new services.
    Remember that those two servers will need to be accessible both from inside and from outside users (Internet users) as well.
    So as I said, my old range of public IP addresses is finished and we asked the ISP to give us some additional public IP addresses to address the need of the two new servers on the DMZ, and the ISP gave us the range 197.216.1.24/29.
    So my question is, in the real world (on the equipment), how can I use two different public IP addresses on the same DMZ on a Cisco ASA 5520 v8?
    What should my configuration look like?
    I was told about implementing static nat with Sub Interfaces on both Router and ASA interface
    Can someone please help me with a practical config sample? I can also be reached at [email protected]
    Attached is my network diagram for a better understanding.
    I thank everybody in advance
    Jorge

    Hi,
    So looking at your picture you have the original public IP address range configured on the OUTSIDE and it's used for NAT for different servers behind the ASA firewall.
    Now you have gotten a new public IP address range from the ISP and want to get it into use.
    How do you want to use this IP address range? You want to configure the public IP addresses directly on the servers or NAT them at the ASA and have private IP addresses on the actual servers (like it seems to be for the current server)?
    To get the routing working naturally the only thing needed between your Router and Firewall would be to have a static route for the new public network range pointing towards your ASA OUTSIDE IP address. The routing between your Router and the ISP core could either be handled with Static Routing or Dynamic Routing.
    So you dont really need to change the interface configuration between the Router and ASA at all. You just need a Static route pointing the new public IP address towards the ASA outside IP address.
    Now when the routing is handled between the ISP - ISP/Your Router - Your Firewall, you can then consider how to use those IP addresses.
    Do you want to use the public IP addresses DIRECTLY on the HOSTS behind the firewall?This would require you to either configure a new physical interface with the new public IP address range OR create a new subinterface with the new public IP addresses range AND then configure the LAN devices correspondingly to the chosen method on the firewall
    Do you want to use the public IP addresses DIRECLTY on the ASA OUTSIDE as NAT IP addresses?This would require for you to only start configuring Static NAT for the new servers between the inside/dmz and outside interface of the ASA. The format would be no different from the previous NAT configuration other than for the different IP addresses ofcourse
    Of the above ways
    The first way is good because the actual hosts will have the public IP addresses. Therefore you wont run into problems with DNS when the LAN users are trying to access the server.
    The second way is the one requiring the least amount of configurations/changes on the ASA. In this case though you might run into problem with DNS (to which I refer above) as the server actually has a private IP address but the public DNS might reply to the LAN hosts with a public IP address and therefore connections from LAN could fail. This is because LAN users cant connect to the servers OUTSIDE NAT IP address (unless you NAT the server to public IP address towards LAN also)
    Hopefully the above was helpfull. Naturally ask more specific questions and I'll answer them. Hopefully I didnt miss something. But please ask more
    I'm currently at Cisco Live! 2013 London so in the "worst case" I might be able to answer on the weekend at earliest.
    - Jouni
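    The second option in the answer above (static NAT on the ASA, one static route on the router for the whole new block) can be planned and sanity-checked before anything is typed into the boxes. The script below is an added example, my code rather than Jouni's or Cisco's: it takes the 197.216.1.24/29 block from the question, rejects mapped addresses that fall outside the block, are its network or broadcast address, or are used twice, and emits ASA 8.3+ object NAT lines plus the router route. The server names, their private addresses, the interface name "dmz" and the ASA outside address are assumptions for the sample. The `dns` keyword on the NAT statement is the ASA's DNS rewrite feature, one way around the LAN-to-server DNS problem the answer describes.

```python
"""Plan ASA static NAT for new DMZ servers drawn from a newly assigned
public block, validating the addresses before emitting any config.

Added example for the thread above; not the poster's or Cisco's code.
Syntax is ASA 8.3+ object NAT.  Server names, real IPs, the interface
name "dmz" and the ASA outside address are assumptions for the sample;
197.216.1.24/29 is the block named in the question."""
import ipaddress


def usable_mapped_addresses(assigned: str):
    """Public addresses that may be used as NAT mappings: every host address
    of the block, i.e. not its network or broadcast address."""
    return [str(h) for h in ipaddress.ip_network(assigned).hosts()]


def mapping_error(assigned, mapped_ip, already_used=()):
    """Return the reason a mapped address cannot be used, or None if it can."""
    net = ipaddress.ip_network(assigned)
    mapped = ipaddress.ip_address(mapped_ip)
    if mapped not in net:
        return f"{mapped} is not inside the assigned block {net}"
    if mapped in (net.network_address, net.broadcast_address):
        return f"{mapped} is the network or broadcast address of {net}"
    if mapped in {ipaddress.ip_address(u) for u in already_used}:
        return f"{mapped} is already mapped to another server"
    return None


def plan_static_nat(assigned, servers, asa_outside_ip, dns_doctoring=True):
    """servers: list of (object_name, real_ip, mapped_ip, real_interface).

    Returns (router_lines, asa_lines).  The router needs a single static
    route for the whole block pointing at the ASA outside address, which
    stays in the old range; the ASA gets one object NAT per server."""
    net = ipaddress.ip_network(assigned)
    used = []
    asa_lines = []
    for name, real_ip, mapped_ip, iface in servers:
        err = mapping_error(assigned, mapped_ip, used)
        if err:
            raise ValueError(err)
        used.append(mapped_ip)
        # "dns" makes the ASA rewrite A records carrying the mapped address
        # when the DNS reply crosses towards the real (inside/dmz) side.
        nat = f" nat ({iface},outside) static {mapped_ip}"
        if dns_doctoring:
            nat += " dns"
        asa_lines += [f"object network {name}", f" host {real_ip}", nat]
    router_lines = [f"ip route {net.network_address} {net.netmask} {asa_outside_ip}"]
    return router_lines, asa_lines


if __name__ == "__main__":
    # Constructed sample: two DMZ servers on assumed private addresses.
    servers = [
        ("dmz-srv1", "10.1.1.10", "197.216.1.26", "dmz"),
        ("dmz-srv2", "10.1.1.11", "197.216.1.27", "dmz"),
    ]
    router, asa = plan_static_nat("197.216.1.24/29", servers, "<asa-outside-ip>")
    print("\n".join(router + asa))
```

    The generated NAT only translates; the ASA still needs an access-list applied to the outside interface permitting the wanted ports to the real server addresses, and the router's static route is what makes the ISP-side traffic for the new block reach the ASA at all.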

  • Is there a way to add a static route in an Ipod touch ?

    I am trying to get the iPod touch to configure correctly for our wireless network.
    The wireless side does not provide DNS or DHCP directly. Rather, this is done from a different
    subnet. This assists to a small extent with our wireless security in that the attacker must also know
    the routing address and the DNS and DHCP addresses to steal web access. In Windows or Linux this can be done
    by route add (DHCP IP Address) netmask 255.255.255.255 (gateway IP address)
    and route add (DNS IP Address) netmask 255.255.255.255 (gateway IP address)
    and manually specifying the DNS and DHCP addresses. Even if I manually enter
    the IP address without a simple static route I will not get DNS services across the gateway.
    I am no Apple expert, but route add has been in use since the internet was still on 2 wheels;
    surely this can still be done?
    Thanks in advance

    hi!
    have you seen javax.swing.JMenuItem ?
    and have a look into
    http://java.sun.com/docs/books/tutorial/uiswing/components/menu.html
    :)

  • RA VPN into ASA5505 behind C871 Router with one public IP address

    Hello,
    I have a network like the one below for testing remote access VPN to an ASA5505 behind a C871 router with one public IP address.
    PC1 (with VPN client)----Internet-----Modem----C871------ASA5505------PC2
    The public IP address is assigned to the outside interface of the C871. The C871 forwards incoming traffic UDP 500, 4500, and ESP to the outside interface of the ASA, which has a private IP address. PC1 can establish a secure tunnel to the ASA. However, it is not able to ping or access PC2. PC2 is also not able to ping PC1. PC1 encrypts packets to PC2, but the ASA does not encrypt packets to PC1. Maybe a NAT problem? I understand that removing the C871 and just using the ASA makes the VPN much simpler and easier, but I would like to understand why it is not working with the current setup and learn how to troubleshoot and fix it. Here's the running config for the C871 and ASA. Thanks in advance for your help!
    C871:
    version 15.0
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    hostname router
    boot-start-marker
    boot-end-marker
    enable password 7 xxxx
    aaa new-model
    aaa session-id common
    clock timezone UTC -8
    clock summer-time PDT recurring
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 192.168.2.1
    ip dhcp excluded-address 192.168.2.2
    ip dhcp pool dhcp-vlan2
       network 192.168.2.0 255.255.255.0
       default-router 192.168.2.1
    ip cef
    ip domain name xxxx.local
    no ipv6 cef
    multilink bundle-name authenticated
    password encryption aes
    username xxxx password 7 xxxx
    ip ssh version 2
    interface FastEthernet0
    switchport mode trunk
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    description WAN Interface
    ip address 1.1.1.2 255.255.255.252
    ip access-group wan-in in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    interface Vlan1
    no ip address
    interface Vlan2
    description LAN-192.168.2
    ip address 192.168.2.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Vlan10
    description router-asa
    ip address 10.10.10.1 255.255.255.252
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list nat-pat interface FastEthernet4 overload
    ip nat inside source static 10.10.10.1 interface FastEthernet4
    ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
    ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
    ip nat inside source static esp 10.10.10.2 interface FastEthernet4
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    ip route 10.10.10.0 255.255.255.252 10.10.10.2
    ip route 192.168.2.0 255.255.255.0 10.10.10.2
    ip access-list standard ssh
    permit 0.0.0.0 255.255.255.0 log
    permit any log
    ip access-list extended nat-pat
    deny   ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
    permit ip 192.168.2.0 0.0.0.255 any
    ip access-list extended wan-in
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.255.0.0 0.0.255.255 any
    deny   ip 255.0.0.0 0.255.255.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    deny   ip host 0.0.0.0 any
    deny   icmp any any fragments log
    permit tcp any any established
    permit icmp any any net-unreachable
    permit udp any any eq isakmp
    permit udp any any eq non500-isakmp
    permit esp any any
    permit icmp any any host-unreachable
    permit icmp any any port-unreachable
    permit icmp any any packet-too-big
    permit icmp any any administratively-prohibited
    permit icmp any any source-quench
    permit icmp any any ttl-exceeded
    permit icmp any any echo-reply
    deny   ip any any log
    control-plane
    line con 0
    exec-timeout 0 0
    logging synchronous
    no modem enable
    line aux 0
    line vty 0 4
    access-class ssh in
    exec-timeout 5 0
    logging synchronous
    transport input ssh
    scheduler max-task-time 5000
    end
    ASA:
    ASA Version 9.1(2)
    hostname asa
    domain-name xxxx.local
    enable password xxxx encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd xxxx encrypted
    names
    ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
    interface Ethernet0/0
    switchport trunk allowed vlan 2,10
    switchport mode trunk
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    no nameif
    no security-level
    no ip address
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.2.2 255.255.255.0
    interface Vlan10
    nameif outside
    security-level 0
    ip address 10.10.10.2 255.255.255.252
    ftp mode passive
    clock timezone UTC -8
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name xxxx.local
    object network vlan2-mapped
    subnet 192.168.2.0 255.255.255.0
    object network vlan2-real
    subnet 192.168.2.0 255.255.255.0
    object network vpn-192.168.100.0
    subnet 192.168.100.0 255.255.255.224
    object network lan-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    access-list no-nat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list vpn-split extended permit ip 192.168.2.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
    object network vlan2-real
    nat (inside,outside) static vlan2-mapped
    route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 10.10.10.1 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.2.0 255.255.255.0 inside
    ssh 10.10.10.1 255.255.255.255 outside
    ssh timeout 20
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    anyconnect-essentials
    group-policy vpn internal
    group-policy vpn attributes
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn-split
    default-domain value xxxx.local
    username xxxx password xxxx encrypted privilege 15
    tunnel-group vpn type remote-access
    tunnel-group vpn general-attributes
    address-pool vpn-pool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    ikev1 pre-shared-key xxxx
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:40c05c90210242a42b7dbfe9bda79ce2
    : end
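    One check worth running over a router config like the C871 one above before chasing the VPN problem: on IOS, an `ip access-group` that names an access list which does not exist applies no filtering at all, so a misspelt ACL name leaves the interface open without any error. The script below is an added example, my code rather than the poster's or Cisco's; it collects every ACL the config defines and every place one is applied (`ip access-group`, `access-class`, `ip nat inside source list`) and reports the dangling references. The sample config is constructed, loosely modelled on the post, and the two undefined references in it are deliberate so the check has something to find.

```python
"""Report access lists that an IOS-style config applies but never defines.

Added example for the thread above; not the poster's or Cisco's code.
On IOS an `ip access-group` naming an undefined ACL filters nothing, so a
typo in the name silently removes the interface filter."""
import re

# Constructed sample, modelled on the C871 config in the post.  The
# mismatch "wna-in" vs "wan-in" and the missing "ssh" list are deliberate.
SAMPLE_CONFIG = """\
interface FastEthernet4
 description WAN Interface
 ip address 1.1.1.2 255.255.255.252
 ip access-group wna-in in
 ip nat outside
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
ip nat inside source list nat-pat interface FastEthernet4 overload
ip access-list extended nat-pat
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended wan-in
 deny   ip any any log
line vty 0 4
 access-class ssh in
"""

ACL_DEF = re.compile(r"^ip access-list (?:standard|extended) (\S+)\s*$")
ACL_NUMBERED = re.compile(r"^access-list (\d+)\s")
ACCESS_GROUP = re.compile(r"^\s+ip access-group (\S+)\s+(in|out)")
ACCESS_CLASS = re.compile(r"^\s+access-class (\S+)\s+(in|out)")
NAT_LIST = re.compile(r"^ip nat inside source list (\S+)\s")


def acl_references(config):
    """Return (defined, refs): the set of ACL names/numbers the config
    defines and a list of (acl, context, kind) for every place one is
    applied.  Context is the enclosing interface/line section, or "global"."""
    defined = set()
    refs = []
    section = "global"
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):          # a new top-level section
            m = ACL_DEF.match(line) or ACL_NUMBERED.match(line)
            if m:
                defined.add(m.group(1))
                section = line
                continue
            m = NAT_LIST.match(line)
            if m:
                refs.append((m.group(1), "global", "nat inside source list"))
                section = "global"
                continue
            section = line
            continue
        m = ACCESS_GROUP.match(line)
        if m:
            refs.append((m.group(1), section, f"access-group {m.group(2)}"))
            continue
        m = ACCESS_CLASS.match(line)
        if m:
            refs.append((m.group(1), section, f"access-class {m.group(2)}"))
    return defined, refs


def undefined_acl_references(config):
    """Every ACL application whose list is never defined in the config."""
    defined, refs = acl_references(config)
    return [r for r in refs if r[0] not in defined]


if __name__ == "__main__":
    for acl, where, kind in undefined_acl_references(SAMPLE_CONFIG):
        print(f"{where}: {kind} references undefined access list '{acl}'")
```

    Run against the posted config the same check flags the `wna-in` / `wan-in` mismatch on FastEthernet4; it does not explain the missing VPN return traffic, which comes from PC2's default gateway being the router rather than the ASA, but it is the kind of silent gap that should be closed before a WAN interface is trusted.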

    Hi,
    I think that you want to control all outbound traffic from the LAN to the outside with the ASA.
    I suggest some modifications as shown below.
    C871:
    interface Vlan2
    description LAN-192.168.2
    ip address 192.168.2.2 255.255.255.0
    no ip nat inside
    no ip proxy-arp
    ip virtual-reassembly
    ip access-list extended nat-pat
    no deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
    no permit ip 192.168.2.0 0.0.0.255 any
    deny ip 192.168.2.0 0.0.0.255 any
    permit ip 10.10.10.0 0.0.0.255 any
    ASA 5505:
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    Try them out and respond.
    Best regards,
    MB
