Direct Internet access for IWAN not working

carl_townshend
Spotlight

Hi All

I am setting up a branch site on my IWAN.

APIC has deployed the config.

I have had to add some config for the Internet access as described in the Cisco CVD for DIA, because the outside interface sits in a front-door VRF for the VPN tunnels etc.

However, it does not appear to be working. The config I have added is below:

ip access-list extended INTERNAL-NETS
 permit ip any x.x.x.x 0.0.3.255
!
! Return traffic that matches INTERNAL-NETS is policy-routed into the global table
route-map INET-INTERNAL permit 10
 description Return routing for Local Internet Access
 match ip address INTERNAL-NETS
 set global
!
! Outside (Internet-facing) interface, in the front-door VRF, with the PBR applied inbound
interface GigabitEthernet0/0/0
 description ***wan*** int
 bandwidth 20000
 ip vrf forwarding IWAN-TRANSPORT-1
 ip address x.x.x.x 255.255.255.252
 ip nat outside
 zone-member security OUTSIDE
 ip policy route-map INET-INTERNAL
 negotiation auto
 no cdp enable
 service-policy output prm-dscp#iwan-8-id0#shape#20.0


I can see NAT happening, etc., but I cannot ping out or access the Internet.

Any ideas?

1 Reply

cbmoore_ars
Level 1

Carl,

 

It appears as though you should be denying your "INTERNAL-NETS", or be a little more specific in your ACL...

 

Maybe:

ip access-list extended INTERNAL-NETS
 deny ip any x.x.x.x 0.0.3.255
 deny ip any 10.0.0.0 0.255.255.255
 ! (deny the rest of RFC 1918 and your internal prefixes)
 permit ip any any    <- to "PBR" your default traffic

 

Also, make sure that your intended F-VRF return traffic is leaked back into your global routing table.

 

The information is provided "as is" without warranty of any kind. I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information provided.
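As an added example (not code from this thread or from the Cisco IWAN CVD), the following Python models how the two ACL variants posted above feed the `ip policy route-map INET-INTERNAL` on the outside interface. PBR on Gi0/0/0 is evaluated on packets arriving inbound on that interface, i.e. the Internet return traffic, after NAT has translated the destination back to the inside address: an ACL permit makes `route-map ... permit 10` match and the packet is looked up in the global table (`set global`), while an ACL deny or no match leaves the packet to normal forwarding in IWAN-TRANSPORT-1. The branch LAN is assumed to be 10.1.0.0/22 in place of the redacted `x.x.x.x 0.0.3.255`, the packets are constructed, and only `ip` entries (no ports or other protocols) are modelled.

```python
"""Simulate an IOS extended ACL feeding a PBR route-map with `set global`.

Added example, not from the thread or the Cisco IWAN CVD. Assumptions (not
from the original page): the branch LAN is 10.1.0.0/22 in place of the
redacted x.x.x.x 0.0.3.255, only the `ip` protocol keyword is modelled, and
port/protocol qualifiers are ignored.
"""
import ipaddress
from typing import List, Tuple

AddrSpec = Tuple[int, int]              # (address, wildcard) as 32-bit ints
Entry = Tuple[str, AddrSpec, AddrSpec]  # (action, source, destination)


def _parse_spec(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse one IOS address spec at tokens[i]: any | host A.B.C.D | A.B.C.D WILDCARD.
    Returns the spec and the index of the next unparsed token."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse the permit/deny lines of an `ip access-list extended` block."""
    entries: List[Entry] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # header line, remark, or blank line
        action, proto = tokens[0], tokens[1]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line!r}")
        src, i = _parse_spec(tokens, 2)
        dst, _ = _parse_spec(tokens, i)
        entries.append((action, src, dst))
    return entries


def _matches(spec: AddrSpec, ip: int) -> bool:
    """Wildcard-mask match: bits set in the wildcard are don't-care bits."""
    addr, wild = spec
    return (ip | wild) == (addr | wild)


def acl_lookup(entries: List[Entry], src: str, dst: str) -> str:
    """First-match evaluation with the implicit `deny ip any any` at the end."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for action, src_spec, dst_spec in entries:
        if _matches(src_spec, s) and _matches(dst_spec, d):
            return action
    return "deny"


def policy_route(entries: List[Entry], src: str, dst: str) -> str:
    """Outcome of `route-map INET-INTERNAL permit 10 / match ip address ACL /
    set global` for a packet arriving inbound on the FVRF outside interface.
    An ACL permit makes the route-map entry match, so the packet is looked up
    in the global table; an ACL deny or no match means PBR does not apply and
    the packet is forwarded normally inside the interface's VRF."""
    return "global" if acl_lookup(entries, src, dst) == "permit" else "vrf"


# The ACL as originally posted, with the constructed 10.1.0.0/22 for x.x.x.x.
ORIGINAL_ACL = parse_acl("""
ip access-list extended INTERNAL-NETS
 permit ip any 10.1.0.0 0.0.3.255
""")

# The reply's variant: deny internal and RFC 1918 destinations, permit the rest.
REPLY_ACL = parse_acl("""
ip access-list extended INTERNAL-NETS
 deny ip any 10.1.0.0 0.0.3.255
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
""")

if __name__ == "__main__":
    # Constructed packets as PBR sees them inbound on Gi0/0/0, i.e. after NAT
    # has translated the destination back to the inside address.
    packets = [("93.184.216.34", "10.1.2.3"),     # Internet reply to a LAN host
               ("93.184.216.34", "10.1.4.1"),     # reply to a host outside the /22
               ("93.184.216.34", "203.0.113.9")]  # not destined to the LAN at all
    for name, acl in (("original", ORIGINAL_ACL), ("reply", REPLY_ACL)):
        for src, dst in packets:
            print(f"{name:8} {src:>15} -> {dst:<13} routed in {policy_route(acl, src, dst)}")
```

On the router itself, the equivalent check is the match counters of `show route-map INET-INTERNAL`: if the return traffic never increments the policy-routing counter, the ACL is not selecting the packets you expect, independent of whether NAT and the global default route are in place.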