Different route than gateway of last resort for specific network

jbarahona1
Level 1

Hello,

I have two Cisco 4351 routers for failover and two different ISPs. All the traffic is going out to ISP-1, and I have an IP Route 0.0.0.0 0.0.0.0 "ISP 1 Gateway" as the default route and gateway of last resort. I'm trying to set a route for only one of our networks, 10.1.12.0, to ISP 2, but it is not working. I created the route, the access-list and the route-map for this particular network, and it is not working. Do I have to change the default route to give the specific route for the 12 network higher priority? I need some help before I make bigger changes, thanks!!!

7 Replies

Seb Rupik
VIP Alumni

Hi there

Since you didn't mention it in your post, have you applied the policy-map to the interface which the traffic you want to re-direct is received on?


Cheers

Seb.

Hi,

Yes, I applied the policy to the interface where the traffic is coming from.


Thanks!

Probably the most common error in trying to implement Policy Based Routing is applying the policy to the wrong interface (most often applied to the outbound interface). It sounds like that is not your problem. To help us find the issue, would you post the configuration (hiding any sensitive information such as public IPs and passwords)?

HTH

Rick

Hi, here is the configuration. One more thing: if I run a tracert to GOOGLE.COM from a computer in the IP subnet I want to get out using ISP2, I get a first hop to the router and the next hop is the ISP2 gateway, but after that no response, no Internet. I changed the IPs to letters; if an IP appears more than once it has the same set of letters.

In bold is what I added to the configuration


Router#show run
Building configuration...


!
version 15.5
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
service counters max age 10
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 50000 informational
logging console critical
no logging monitor
!
aaa new-model
!
!
aaa authentication login TelnetAccess local
aaa authentication login ConsoleAccess local
aaa authentication login AuxPortAccess local
aaa authorization exec default local if-authenticated
aaa accounting exec default
 action-type start-stop
!
aaa accounting commands 15 default
 action-type start-stop
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
no ip source-route
no ip gratuitous-arps
!

no ip bootp server

no ip domain lookup
ip domain name xxxxxxxxxxx
!
login block-for 30 attempts 4 within 10
login delay 2
login on-failure log
!
subscriber templating
!
multilink bundle-name authenticated
!
license accept end user agreement
license boot level securityk9
!
spanning-tree extend system-id
!
redundancy
 mode none
!

vlan internal allocation policy ascending
!
track 10 ip sla 10 reachability
!
track 20 ip sla 20 reachability
!
ip tcp selective-ack
ip tcp timestamp
ip tcp path-mtu-discovery
!
class-map match-any STREAMING-VIDEO
 match dscp af31  af32  af33  cs5
class-map match-any INTERACTIVE-VIDEO
 match dscp cs4  af41  af42  af43
class-map match-any CRITICAL-DATA
 match dscp af11  af12  af13  cs2  af21  af22  af23
class-map match-any VOICE
 match dscp ef
class-map match-any SCAVENGER
 match dscp cs1
class-map match-any CALL-SIGNALING
 match dscp cs3
class-map match-any NET-CTRL
 match dscp cs6
!
policy-map WAN
 class INTERACTIVE-VIDEO
  bandwidth remaining percent 30
  random-detect dscp-based
  set dscp tunnel af41
 class STREAMING-VIDEO
  bandwidth remaining percent 10
  random-detect dscp-based
  set dscp tunnel af31
 class NET-CTRL
  bandwidth remaining percent 5
  set dscp tunnel cs6
 class CALL-SIGNALING
  bandwidth remaining percent 4
  set dscp tunnel af21
 class CRITICAL-DATA
  bandwidth remaining percent 25
  random-detect dscp-based
  set dscp tunnel af21
 class SCAVENGER
  bandwidth remaining percent 1
  set dscp tunnel af11
 class VOICE
  priority level 1
  police cir percent 10
  set dscp tunnel ef
 class class-default
  bandwidth remaining percent 25
  random-detect dscp-based
  fair-queue
  queue-limit 1536 packets
!
!
crypto ipsec profile dmvpn-ISP2
 set security-association lifetime seconds 1800
 set security-association replay window-size 512
 set transform-set strong
 set pfs group5
!
crypto ipsec profile dmvpn-ISP1
 set security-association lifetime seconds 1800
 set security-association replay window-size 512
 set transform-set strong
 set pfs group5
!
interface Loopback0
 description *** Main Management IP Address Loopback0 ***
 ip address a.a.a.a 255.255.255.255
 no ip redirects
 no ip unreachables
 ip verify unicast reverse-path
!
interface Tunnel0
 description *** Tunnel Connections (ISP1) to SITES WANs ***
 ip address b.b.b.b 255.255.255.0
 no ip redirects
 ip mtu 3300
 ip hold-time eigrp 2008 10
 no ip next-hop-self eigrp 2008
 no ip split-horizon eigrp 2008
 ip nhrp authentication abcd
 ip nhrp map multicast dynamic
 ip nhrp network-id 6
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 delay 1000
 keepalive 3 10
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 145
 tunnel protection ipsec profile dmvpn-ISP1 shared
  no clns route-cache
!
interface Tunnel1
 description *** Tunnel Connections (ISP2) to SITES WANs ***
 ip address c.c.c.c 255.255.255.0
 no ip redirects
 ip mtu 3300
 ip hold-time eigrp 2008 10
 no ip next-hop-self eigrp 2008
 no ip split-horizon eigrp 2008
 ip nhrp authentication abcd
 ip nhrp map multicast dynamic
 ip nhrp network-id 7
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 delay 1000
 keepalive 3 10
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel key 146
 tunnel protection ipsec profile dmvpn-ISP2 shared
  no clns route-cache
!
interface GigabitEthernet0/0/0
 description ISP1 OUTSIDE
 ip address d.d.d.d 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat outside
 ip verify unicast reverse-path
 load-interval 30
 media-type rj45
 speed 1000
 no negotiation auto
 no cdp enable
 arp timeout 3600
 service-policy output WAN
!
interface GigabitEthernet0/0/1
 description ISP2-T OUTSIDE
 ip address e.e.e.e 255.255.255.248
 no ip redirects
 no ip unreachables
 ip nat outside
 ip verify unicast reverse-path
 load-interval 30
 media-type rj45
 speed 1000
 no negotiation auto
 no cdp enable
 arp timeout 3600
 service-policy output WAN
!
interface GigabitEthernet0/0/2
 description *** HA Crosslink to Router 2 GigabitEthernet 0/0/2 ***
 ip address f.f.f.a 255.255.255.240
 ip nat inside
 standby 10 ip f.f.f.b
 standby 10 priority 105
 standby 10 preempt delay minimum 20
 ip policy route-map PublicISP2
 load-interval 30
 negotiation auto
 arp timeout 3600
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
!
router eigrp 31
 network a.a.a.a 0.0.0.0
 network f.f.f.0 0.0.0.15
 redistribute eigrp 2008
 passive-interface default
 no passive-interface GigabitEthernet0/0/2
!
!
router eigrp 2008
 network b.b.b.0 0.0.0.255
 network c.c.c.0 0.0.0.255
 redistribute eigrp 31
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Tunnel1
!
ip nat inside source route-map ISP2 interface GigabitEthernet0/0/1 overload
ip nat inside source route-map ISP1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map PublicISP2 interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip tftp source-interface GigabitEthernet0/0/2
ip route 0.0.0.0 0.0.0.0 "IP gateway ISP1" name ISP1
ip route 0.0.0.0 0.0.0.0 "IP gateway ISP2" 10 name ISP2-T
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
ip sla 10
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
 threshold 2000
 timeout 2000
 frequency 6
ip sla schedule 10 life forever start-time now
ip sla 20
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/1
 frequency 6
ip sla schedule 20 life forever start-time now
logging trap debugging
logging facility syslog
logging host h.h.d.101
access-list 1300 remark == RO SNMP ACL ==
access-list 1300 permit h.h.a.0 0.0.0.255
access-list 1300 permit h.h.b.0 0.0.0.255
access-list 1300 permit h.h.c.0 0.0.0.255
access-list 1300 permit h.h.d.0 0.0.0.255
access-list 100 remark == NAT ==
access-list 100 permit ip h.h.a.0 0.0.0.255 any
access-list 100 permit ip h.h.b.0 0.0.0.255 any
access-list 100 permit ip h.h.c.0 0.0.0.255 any
access-list 100 permit ip h.h.d.0 0.0.0.255 any
access-list 101 remark == VTY ACL ==
access-list 101 permit ip h.0.0.0 0.0.0.255 any
access-list 101 permit ip h.h.0.0 0.0.255.255 any
access-list 101 permit ip h.x.0.0 0.0.255.255 any
access-list 101 permit ip h.x.0.0 0.0.255.255 any
access-list 101 permit ip h.x.0.0 0.0.255.255 any
access-list 101 permit ip host x.x.x.x any
access-list 101 deny   ip any any log-input
access-list 102 remark == NATPublic WIFI ==
access-list 102 permit ip h.h.e.0 0.0.0.255 any
!
route-map ISP1 permit 10
 match ip address 100
 match interface GigabitEthernet0/0/0
!
route-map ISP2 permit 10
 match ip address 100
 match interface GigabitEthernet0/0/1
!
route-map PublicISP2 permit 10
 match ip address 102
 set ip default next-hop "IP gateway ISP2"
!
snmp-server community public RO 1300
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server host h.h.d.101 version 2c public

!
control-plane
!
banner exec ^C

banner motd ^C

^C
!
line con 0
 login authentication ConsoleAccess
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 session-timeout 20
 access-class 101 in vrf-also
 exec-timeout 20 0
 privilege level 15
 login authentication TelnetAccess
 transport preferred none
 transport input ssh
line vty 5 15
 session-timeout 20
 access-class 101 in vrf-also
 privilege level 0
 login authentication TelnetAccess
 no exec
 transport preferred none
 transport input ssh
!
event manager applet NAT-CLEAR
 event track 10 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat trans forced"
!
end


Thanks!


Juan Barahona

Juan


You ask us for help and then you make it much more difficult to provide help than it needs to be. In your original post you identify the subnet for which you want to apply PBR (10.1.12.0). But in the config that you post there is no interface with that subnet. And the access list used for PBR does not identify that subnet. I understand the desire to protect sensitive information. But how in the world do you classify a private network (10.1.12.0 ) as sensitive??? If you do want our help then you need to give us information that is useful.

HTH

Rick

Hi Rick,


As I wrote in the last post before the router configuration, I changed every IP to letters, and it is always the same set of letters for the same IP address. Here is the part with the 10.1.12.0 subnet:


access-list 102 remark == NATPublic WIFI ==
access-list 102 permit ip h.h.e.0 0.0.0.255 any

h.h.e.0 --> 10.1.12.0


access-list 102 remark == NATPublic WIFI ==
access-list 102 permit ip 10.1.12.0 0.0.0.255 any


Thanks for your help and understanding.


Juan Barahona

Juan


You told us that "I got a first hop to the Router and the next hop is the ISP2 gateway". That indicates that the PBR route map is working. So the problem at this point is not PBR but is something else, and I suspect that it might be address translation. I see that you added this to the config and I do not understand the logic of doing that:

ip nat inside source route-map PublicISP2 interface GigabitEthernet0/0/1 overload


something like route map ISP2 would be more appropriate. But it looks like the ACL for that route map may not include the h.h.e subnet.


HTH


Rick

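Rick's diagnosis above (PBR works, NAT is the suspect) can be checked mechanically against the posted ACL, route-map and NAT lines. The following Python checker is an added example, not from the thread or from Cisco; it uses constructed addresses for the letter placeholders (10.1.12.0 for h.h.e.0 as Juan states, 10.1.1.0 for h.h.a.0, 203.0.113.1 for the ISP2 gateway) and assumes that NAT rule selection looks only at a route-map's match clauses, never its set clauses.

```python
import ipaddress, re
def wildcard_net(addr, wild):
    # Cisco wildcard mask (contiguous, e.g. 0.0.0.255) -> network (10.1.12.0/24)
    bits = 32 - int(ipaddress.IPv4Address(wild)).bit_length()
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)

def parse(cfg):
    """Read only what NAT rule selection depends on: ACL permits, route-maps, NAT rules."""
    acls, rmaps, nat, cur = {}, {}, [], None
    for line in cfg.splitlines():
        if m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) any", line):
            acls.setdefault(m[1], []).append(wildcard_net(m[2], m[3]))
        elif m := re.match(r"route-map (\S+) permit", line):
            cur = rmaps.setdefault(m[1], {"acl": None, "iface": None, "set": False})
        elif m := re.match(r" match ip address (\d+)", line):
            cur["acl"] = m[1]
        elif m := re.match(r" match interface (\S+)", line):
            cur["iface"] = m[1]
        elif line.startswith(" set "):
            cur["set"] = True  # PBR-style clause; assumed to play no part in NAT selection
        elif m := re.match(r"ip nat inside source route-map (\S+) interface", line):
            nat.append(m[1])
    return acls, rmaps, nat

def nat_rules_for(src, egress, cfg):
    """Route-map names of NAT rules that match src leaving egress, plus config warnings."""
    acls, rmaps, nat = parse(cfg)
    src, hits, warns = ipaddress.ip_address(src), [], []
    for name in nat:
        rm = rmaps[name]
        if rm["set"]:
            warns.append(f"{name}: set clause has no meaning for NAT")
        if rm["iface"] is None:
            warns.append(f"{name}: no 'match interface', so it applies on any egress")
        if any(src in net for net in acls.get(rm["acl"], [])) and rm["iface"] in (None, egress):
            hits.append(name)
    return hits, warns
CONFIG = """\
! constructed stand-in for the posted lines: 10.1.1.0 replaces h.h.a.0, 10.1.12.0 is h.h.e.0
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 10.1.12.0 0.0.0.255 any
route-map ISP2 permit 10
 match ip address 100
 match interface GigabitEthernet0/0/1
route-map PublicISP2 permit 10
 match ip address 102
 set ip default next-hop 203.0.113.1
ip nat inside source route-map ISP2 interface GigabitEthernet0/0/1 overload
ip nat inside source route-map PublicISP2 interface GigabitEthernet0/0/1 overload
"""
```

For 10.1.12.5 leaving GigabitEthernet0/0/1 only the PublicISP2 rule matches, and both warnings fire; adding the subnet to ACL 100 makes the ISP2 rule match as well, which is what Rick's suggestion amounts to.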