Thread: Dual ISP with NAT and ACL

#1 Question: Dual ISP with NAT and ACL

    I have a configuration as follows to allow for proper dynamic and static NATs of both my primary ISP and secondary ISP, as below, and everything is working, but the 10.0.0.52, which is my DNS server mapped to 216.140.140.4 (Primary ISP) and 216.150.150.6 (Secondary ISP), works when accessed through the Primary ISP (216.140.140.4) but not through the 216.150.150.5. I checked the NAT translations and it shows that translations are being done for the 10.0.0.52 to the 216.150.150.6, but I can access it though.
    One thing to point out, though, is that the 10.0.0.52 is my DNS server in my internal network and hosts a list of websites with the internal addresses 10.0.0.59, .61, .53,
    and I can only access the 10.0.0.61 website.
    I was thinking that maybe I might need to point to a DNS server using the ip name-server 10.0.0.52 command, but I am confused because the same address is accessible with the Primary ISP without the name-server command being there.
    Can someone please let me know what I might need to do?

    Secondly, please guys, I want to create an ACL such that all outside users should only be able to use the selected ports, i.e. 3389, 25, 21, 21, 53, 110, 80, to access the server resources, but the servers can be used to have full access to the internet.
    Please can someone check if my configuration will allow that and if it is OK.

    ip sla 1
    icmp-echo 216.140.140.1 source-ip 216.140.140.2
    timeout 1000
    threshold 2
    frequency 3
    ip sla schedule 1 life forever start-time now
    ip sla 2
    icmp-echo 216.150.150.254 source-ip 216.150.150.4
    timeout 1000
    threshold 2
    frequency 3
    ip sla schedule 2 life forever start-time now
    !
    !
    track 1 sla 1 reachability
    !
    track 2 sla 2 reachability
    !
    !
    interface gi0/0
    ip address 10.0.0.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip policy route-map PRIVATE-INGRESS
    duplex auto
    speed auto
    no keepalive
    !
    interface gi0/1
    ip address 216.150.150.4 255.255.255.0 secondary
    ip address 216.140.140.2 255.255.255.224
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto

    ip route 0.0.0.0 0.0.0.0 216.140.140.1 track 1
    ip route 0.0.0.0 0.0.0.0 216.150.150.254 10
    !
    !
    ip nat pool PRIMARY-POOL 216.140.140.2 216.140.140.2 prefix-length 27
    ip nat pool SECONDARY-POOL 216.150.150.4 216.150.150.4 prefix-length 24
    ip nat inside source route-map PRIMARY-NAT pool PRIMARY-POOL overload
    ip nat inside source route-map SECONDARY-NAT pool SECONDARY-POOL overload
    ip nat inside source static 10.0.0.52 216.140.140.4 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.53 216.140.140.5 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.59 216.140.140.6 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.61 216.140.140.7 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.228 216.140.140.8 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.16 216.140.140.11 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.30 216.140.140.12 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.251 216.140.140.13 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.44 216.140.140.15 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.54 216.140.140.16 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.23 216.140.140.17 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.58 216.140.140.18 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.230 216.140.140.19 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.216 216.140.140.21 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.220 216.140.140.22 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.33 216.140.140.25 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.21 216.140.140.26 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.22 216.140.140.27 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.24 216.140.140.28 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.25 216.140.140.29 route-map STATIC-NAT-PRIMARY
    ip nat inside source static 10.0.0.59 216.150.150.5 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.52 216.150.150.6 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.53 216.150.150.7 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.16 216.150.150.8 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.58 216.150.150.9 route-map STATIC-NAT-SECONDARY
    ip nat inside source static 10.0.0.61 216.150.150.11 route-map STATIC-NAT-SECONDARY
    !
    ip access-list standard PRIMARY-NEXT-HOP
    permit 216.140.140.1
    ip access-list standard SECONDARY-NEXT-HOP
    permit 216.150.150.254
    ip access-list standard DYNAMIC-PRIMARY
    deny 10.0.0.24
    deny 10.0.0.25
    deny 10.0.0.30
    deny 10.0.0.16
    deny 10.0.0.22
    deny 10.0.0.23
    deny 10.0.0.21
    deny 10.0.0.33
    deny 10.0.0.44
    deny 10.0.0.58
    deny 10.0.0.59
    deny 10.0.0.61
    deny 10.0.0.54
    deny 10.0.0.52
    deny 10.0.0.53
    deny 10.0.0.216
    deny 10.0.0.220
    deny 10.0.0.230
    deny 10.0.0.228
    deny 10.0.0.251
    permit 10.0.0.0 0.255.255.255
    ip access-list standard DYNAMIC-SECONDARY
    deny 10.0.0.59
    deny 10.0.0.52
    deny 10.0.0.53
    deny 10.0.0.16
    deny 10.0.0.58
    deny 10.0.0.61
    permit 10.0.0.0 0.255.255.255
    !
    !
    route-map STATIC-NAT-PRIMARY permit 10
    match ip next-hop PRIMARY-NEXT-HOP
    !
    route-map STATIC-NAT-PRIMARY deny 20
    !
    route-map STATIC-NAT-SECONDARY permit 10
    match ip next-hop SECONDARY-NEXT-HOP
    !
    route-map STATIC-NAT-SECONDARY deny 20
    !
    route-map SECONDARY-NAT permit 10
    match ip address DYNAMIC-SECONDARY
    match ip next-hop SECONDARY-NEXT-HOP
    !
    route-map SECONDARY-NAT deny 20
    !
    route-map PRIVATE-INGRESS permit 10
    set ip next-hop verify-availability 216.140.140.1 10 track 1
    set ip next-hop verify-availability 216.150.150.254 20 track 2
    !
    route-map PRIVATE-INGRESS permit 11
    !
    route-map PRIMARY-NAT permit 10
    match ip address DYNAMIC-PRIMARY
    match ip next-hop PRIMARY-NEXT-HOP
    !
    route-map PRIMARY-NAT deny 20



    access-list 101 permit tcp any host 216.150.150.6 eq www
    access-list 101 permit tcp any host 216.150.150.6 range 20 21
    access-list 101 permit tcp any host 216.150.150.6 eq 25
    access-list 101 permit tcp any host 216.150.150.6 eq 53
    access-list 101 permit udp any host 216.150.150.6 eq 53
    access-list 101 permit tcp any host 216.150.150.6 eq 110
    access-list 101 permit tcp any host 216.150.150.6 eq 143
    access-list 101 permit tcp any host 216.150.150.6 eq 443
    access-list 101 permit tcp any host 216.150.150.6 eq 3389


    access-list 101 permit tcp any host 216.140.140.4 eq www
    access-list 101 permit tcp any host 216.140.140.4 range 20 21
    access-list 101 permit tcp any host 216.140.140.4 eq 25
    access-list 101 permit tcp any host 216.140.140.4 eq 53
    access-list 101 permit udp any host 216.140.140.4 eq 53
    access-list 101 permit tcp any host 216.140.140.4 eq 110
    access-list 101 permit tcp any host 216.140.140.4 eq 143
    access-list 101 permit tcp any host 216.140.140.4 eq 443
    access-list 101 permit tcp any host 216.140.140.4 eq 3389


    access-list 101 permit tcp any host 216.140.140.17 eq www
    access-list 101 permit tcp any host 216.140.140.17 range 20 21
    access-list 101 permit tcp any host 216.140.140.17 eq 25
    access-list 101 permit tcp any host 216.140.140.17 eq 53
    access-list 101 permit udp any host 216.140.140.17 eq 53
    access-list 101 permit tcp any host 216.140.140.17 eq 110
    access-list 101 permit tcp any host 216.140.140.17 eq 143
    access-list 101 permit tcp any host 216.140.140.17 eq 443
    access-list 101 permit tcp any host 216.140.140.17 eq 3389
    access-list 101 permit tcp any host 216.140.140.17 eq 8080


    access-list 101 permit tcp any host 216.140.140.6 eq www
    access-list 101 permit tcp any host 216.140.140.6 range 20 21
    access-list 101 permit tcp any host 216.140.140.6 eq 25
    access-list 101 permit tcp any host 216.140.140.6 eq 53
    access-list 101 permit udp any host 216.140.140.6 eq 53
    access-list 101 permit tcp any host 216.140.140.6 eq 110
    access-list 101 permit tcp any host 216.140.140.6 eq 143
    access-list 101 permit tcp any host 216.140.140.6 eq 443
    access-list 101 permit tcp any host 216.140.140.6 eq 3389


    access-list 101 permit tcp any host 216.150.150.10 eq www
    access-list 101 permit tcp any host 216.150.150.10 range 20 21
    access-list 101 permit tcp any host 216.150.150.10 eq 25
    access-list 101 permit tcp any host 216.150.150.10 eq 53
    access-list 101 permit udp any host 216.150.150.10 eq 53
    access-list 101 permit tcp any host 216.150.150.10 eq 110
    access-list 101 permit tcp any host 216.150.150.10 eq 143
    access-list 101 permit tcp any host 216.150.150.10 eq 443
    access-list 101 permit tcp any host 216.150.150.10 eq 3389


    access-list 101 permit tcp any host 216.140.140.7 eq www
    access-list 101 permit tcp any host 216.140.140.7 range 20 21
    access-list 101 permit tcp any host 216.140.140.7 eq 25
    access-list 101 permit tcp any host 216.140.140.7 eq 53
    access-list 101 permit udp any host 216.140.140.7 eq 53
    access-list 101 permit tcp any host 216.140.140.7 eq 110
    access-list 101 permit tcp any host 216.140.140.7 eq 143
    access-list 101 permit tcp any host 216.140.140.7 eq 443
    access-list 101 permit tcp any host 216.140.140.7 eq 3389


    access-list 101 permit tcp any host 216.150.150.11 eq www
    access-list 101 permit tcp any host 216.150.150.11 range 20 21
    access-list 101 permit tcp any host 216.150.150.11 eq 25
    access-list 101 permit tcp any host 216.150.150.11 eq 53
    access-list 101 permit udp any host 216.150.150.11 eq 53
    access-list 101 permit tcp any host 216.150.150.11 eq 110
    access-list 101 permit tcp any host 216.150.150.11 eq 143
    access-list 101 permit tcp any host 216.150.150.11 eq 443
    access-list 101 permit tcp any host 216.150.150.11 eq 3389


    access-list 101 permit tcp any host 216.140.140.8 eq www
    access-list 101 permit tcp any host 216.140.140.8 range 20 21
    access-list 101 permit tcp any host 216.140.140.8 eq 25
    access-list 101 permit tcp any host 216.140.140.8 eq 53
    access-list 101 permit udp any host 216.140.140.8 eq 53
    access-list 101 permit tcp any host 216.140.140.8 eq 110
    access-list 101 permit tcp any host 216.140.140.8 eq 143
    access-list 101 permit tcp any host 216.140.140.8 eq 443
    access-list 101 permit tcp any host 216.140.140.8 eq 3389
    access-list 101 permit tcp any host 216.140.140.8 eq 8080


    access-list 101 permit tcp any host 216.140.140.18 eq 3389
    access-list 101 permit tcp any host 216.140.140.25 eq 3389
    access-list 101 permit tcp any host 216.140.140.29 eq 3389
    access-list 101 permit tcp any host 216.140.140.15 eq 3389
    access-list 101 permit tcp any host 216.140.140.13 eq 3389
    access-list 101 permit tcp any host 216.140.140.26 eq 3389
    access-list 101 permit tcp any host 216.140.140.27 eq 3389
    access-list 101 permit tcp any host 216.140.140.28 eq 3389
    access-list 101 permit tcp any host 216.140.140.19 eq 3389
    access-list 101 permit tcp any host 216.140.140.11 eq 80
    access-list 101 permit tcp any host 216.150.150.8 eq 80
    access-list 101 permit tcp any host 216.140.140.12 eq www
    access-list 101 permit tcp any host 216.140.140.12 eq 3389



    interface gi0/1
    ip access-group 101 in
    Last edited by ahmziahmzi; 12-26-12 at 01:52 PM.
