315 Views, 0 Helpful, 6 Replies

route-map help

pokwan (Level 1)

Hi,

I have the following defined in the router

access-list 146 permit tcp any any eq 445

interface loopback 0
 ip address 10.99.99.1 255.255.255.0

interface Vlan66
 ip address 10.10.88.1 255.255.255.0
 ip policy route-map test

route-map test permit 3
 match ip address 146
 set ip next-hop 10.99.99.2

ip route 0.0.0.0 0.0.0.0 10.1.1.2   <-- firewall outside address

A "sh route-map test" indicates that the policy has been a success: "policy routing matches: 999 packets".

However, on the firewall (interface outside 10.1.1.2), I could see the deny statement I have in place:

106023: Deny tcp src outside:10.10.31.71/4651 dst inside:10.10.109.34/445 by access-group "acl_out"

Question:

With my statement on route-map set ip next-hop 10.99.99.2 (loopback0 interface), shouldn't the packet be sent to loopback interface and dropped?

The policy routing matches kept incrementing, which suggests that the policy is executed. However, that is not the case here; instead the ip route 0.0.0.0 0.0.0.0 10.1.1.2 is executed.

What am I missing here?

TIA.

PF
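The two 106023 lines quoted in this thread are the real evidence that the packets still reach the PIX, whatever the route-map counters say. As an added example that is not part of the original post, here is a small Python parser for that message format which counts denied TCP/445 attempts per source host; if the policy routing actually discarded the traffic, these counts would stop growing. The sample lines are constructed from the two quoted in the thread plus one unrelated UDP deny, and the `%PIX-4-`/`%ASA-4-` prefix and timestamp are assumed to have been stripped by the collector.

```python
import re
from collections import Counter

# Pattern for the body of a PIX/ASA 106023 "Deny" message as quoted in the thread.
# Anchored on the message id with re.search, so any prefix (severity, timestamp)
# or trailing hex ids the firewall appends are ignored.  ICMP denies have no
# ports and deliberately do not match.
DENY_RE = re.compile(
    r"106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line):
    """Return a dict of fields for a 106023 line, or None if it does not match."""
    m = DENY_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["src_port"] = int(fields["src_port"])
    fields["dst_port"] = int(fields["dst_port"])
    return fields


def smb_denies_by_source(lines):
    """Count denied TCP/445 (SMB) connection attempts per source address."""
    counts = Counter()
    for line in lines:
        d = parse_deny(line)
        if d and d["proto"] == "tcp" and d["dst_port"] == 445:
            counts[d["src_ip"]] += 1
    return counts


# Constructed sample log: the two lines quoted in the thread, a second attempt
# from the same host on a new source port, and one unrelated UDP deny.
SAMPLE_LOG = [
    '106023: Deny tcp src outside:10.10.31.71/4651 dst inside:10.10.109.34/445 by access-group "acl_out"',
    '106023: Deny tcp src outside:10.10.30.71/4071 dst inside:10.10.80.123/445 by access-group "acl_out"',
    '106023: Deny tcp src outside:10.10.30.71/4072 dst inside:10.10.80.123/445 by access-group "acl_out"',
    '106023: Deny udp src outside:10.10.30.9/5353 dst inside:10.10.80.5/53 by access-group "acl_out"',
]

if __name__ == "__main__":
    for src, n in smb_denies_by_source(SAMPLE_LOG).most_common():
        print(f"{src}: {n} denied TCP/445 attempt(s) seen by the firewall")
```

Run it against a tail of the firewall syslog before and after changing the route-map: the per-source counts from the firewall, not the "policy routing matches" counter on the router, tell you whether the traffic was actually dropped.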

6 Replies

Endwigast (Level 1)

Hi,

What exactly are you trying to do? What IP range are you trying to route? Could you post a diagram of your network? Thanks.

:>

Hi,

I am trying to discard all packets which meet the condition on access-list 146 (any host accessing any host via port 445).

I thought sending them to the loopback interface would discard the packets.

Also, there is another interface:

int vlan 77
 description ** link to the pix
 ip address 10.1.1.1 255.255.255.0

Thanks.

PF

The major problem with your route map is that you are not doing what you say you think you are doing. You say you are sending it to the loopback but you are not. You are sending it to 10.99.99.2 which is not the loopback address, instead it is an unreachable address in the subnet of the loopback.

Here is the config from your original post:

interface loopback 0
 ip address 10.99.99.1 255.255.255.0

interface Vlan66
 ip address 10.10.88.1 255.255.255.0
 ip policy route-map test

route-map test permit 3
 match ip address 146
 set ip next-hop 10.99.99.2

If you were sending the packet to the actual loopback interface I think you would get the results that you want. But I think that what is happening is that the packet gets to the router, matches the route map (which is why the counters are increasing), the router attempts to forward as the route map indicates but cannot forward it, so it reverts to the default route, which gets it to the PIX.

Try modifying the route map to use the actual loopback address and let us know what happens.

HTH

Rick

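Rick's point is that 10.99.99.2 is a host address inside the loopback's /24 and not the loopback address itself, so nothing can ever answer for it. As an added example (not from this thread or from Cisco), the Python script below parses the IOS-style configuration quoted above and flags any "set ip next-hop" whose address sits inside one of the router's own subnets without being one of its own addresses; a loopback subnet has no other hosts, so such a next-hop is reported as unreachable. The regexes, the function names and the SAMPLE_CONFIG text are assumptions built from the original post, and the script checks only the configuration text; it does not model what IOS does with such a next-hop.

```python
import ipaddress
import re

# Constructed sample: the configuration quoted in the original post, with the
# firewall comment removed so the text is plain IOS syntax.
SAMPLE_CONFIG = """
access-list 146 permit tcp any any eq 445
interface loopback 0
 ip address 10.99.99.1 255.255.255.0
interface Vlan66
 ip address 10.10.88.1 255.255.255.0
 ip policy route-map test
route-map test permit 3
 match ip address 146
 set ip next-hop 10.99.99.2
ip route 0.0.0.0 0.0.0.0 10.1.1.2
"""

# Hypothetical minimal patterns: only the lines the check needs are parsed.
INTERFACE_RE = re.compile(r"^interface\s+(.+)$", re.I)
ROUTE_MAP_RE = re.compile(r"^route-map\s+(\S+)\s+(?:permit|deny)\s+(\d+)", re.I)
IP_ADDR_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)", re.I)
NEXT_HOP_RE = re.compile(r"^set ip next-hop\s+(\S+)", re.I)


def parse_config(text):
    """Return (interfaces, next_hops) from IOS-style configuration text.

    interfaces: {name: IPv4Interface}; next_hops: [(route-map, seq, IPv4Address)].
    """
    interfaces, next_hops = {}, []
    current_if = current_rm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := INTERFACE_RE.match(line):
            current_if, current_rm = m.group(1).strip(), None
        elif m := ROUTE_MAP_RE.match(line):
            current_rm, current_if = (m.group(1), int(m.group(2))), None
        elif (m := IP_ADDR_RE.match(line)) and current_if:
            # ipaddress accepts a dotted netmask after the slash
            interfaces[current_if] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif (m := NEXT_HOP_RE.match(line)) and current_rm:
            next_hops.append((current_rm[0], current_rm[1], ipaddress.IPv4Address(m.group(1))))
    return interfaces, next_hops


def check_next_hops(interfaces, next_hops):
    """Flag next-hops inside a local subnet that are not one of the router's own addresses.

    On a loopback subnet no other host can exist, so the next-hop can never be
    reached (the mistake discussed in the thread).  On a real connected subnet
    it may simply be a host that is not there, which is still worth a look.
    """
    local_addrs = {iface.ip for iface in interfaces.values()}
    findings = []
    for rm, seq, hop in next_hops:
        if hop in local_addrs:
            continue  # points at the router itself, e.g. the loopback address
        for name, iface in interfaces.items():
            if hop in iface.network:
                kind = "unreachable-loopback" if name.lower().startswith("loopback") else "connected-host"
                findings.append((rm, seq, str(hop), name, kind))
    return findings


def lint(text):
    """Parse and check in one call; returns the list of findings."""
    return check_next_hops(*parse_config(text))


if __name__ == "__main__":
    for rm, seq, hop, name, kind in lint(SAMPLE_CONFIG):
        print(f"route-map {rm} seq {seq}: next-hop {hop} lies in the subnet of {name} ({kind})")
```

Pasting a "show running-config" into SAMPLE_CONFIG is enough to run the check on a real box; changing the next-hop to 10.99.99.1 (the loopback address Rick suggests) makes the finding disappear, which is the quickest way to confirm the script is looking at the right thing.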

amitbatra (Level 1)

Hello,

Sending data to a loopback never discards the data. If you give me more detail of your network diagram, I can find the solution for it.

hi,

use this instead:

route-map <....>
 match ip address 146
 set interface Null0

and do a show access-list command to see if anything is matching your access-list.

:>

Hi,

I tried with your idea and it is still the same. Here is show route-map:

sh route-map test
route-map test, permit, sequence 3
  Match clauses:
    ip address (access-lists): 146
  Set clauses:
    interface Null0
  Policy routing matches: 580 packets, 77555 bytes

On the firewall, the message still appears:

106023: Deny tcp src outside:10.10.30.71/4071 dst inside:10.10.80.123/445 by access-group "acl_out"

It appears to be using the static ip route defined on the router:

ip route 0.0.0.0 0.0.0.0 10.1.1.2

Thanks.

PF
