1115 Views | 0 Helpful | 11 Replies

Exclude inter local VLAN traffic from static nat

luchonat1
Level 1

Ok, here's my scenario:

I have a router with various local VLANs and a NAT statement to a host:port allowing it to be reachable from the outside (for example port 80).

 

Assuming:

w.x.y.z is a host in vlan 10

a.b.c.d is a host in vlan 11

A.B.C.D is a public IP assigned to an interface

All three of these interfaces have an ip nat enable statement. NavigationMap is a route-map calling ACLs that allow VLAN 10 and VLAN 11 IPs.

 

NAT:

ip nat source route-map NavigationMap pool PublicIP overload

ip nat source static tcp w.x.y.z 80 A.B.C.D 80 extendable

 

From the internet, everything works as expected, BUT when I access w.x.y.z from a.b.c.d, I can see traffic getting to w.x.y.z (using tcpdump) with source a.b.c.d:port -> w.x.y.z:80 and exiting w.x.y.z:80 -> a.b.c.d:port, but packets don't come back to a.b.c.d!!! It seems that as they hit the VLAN 10 interface, they get NAT'ed so the source IP address gets changed to A.B.C.D. If I issue:

show ip nat nvi translations | inc A.B.C.D I get this line:

tcp A.B.C.D:80  w.x.y.z:80    a.b.c.d:54502 a.b.c.d:54502

I think that this should be expected to happen, but I don't find a way to exclude "inter-VLAN traffic" from the static NAT statement!

 

11 Replies

Hello,

 

do you have a default static route ?

 

Post the config of your router...

Hello Georg:

 

The config is a lot more complicated, I've tried to reduce it to the minimal expression of the problem. It has PBR and static routes!

Post your config...it doesn't matter if it's complicated...;)

Here are the relevant and curated parts:


object-group network AlwaysThroughISP3
description This IP will always exit through TELECOM to the internet unless link is down
host 192.168.16.100
!
object-group network LocalNetworks
description All local networks
192.168.16.0 255.255.255.0
192.168.20.0 255.255.255.0
192.168.24.0 255.255.255.0
192.168.28.0 255.255.255.0
192.168.32.0 255.255.255.0
172.16.100.0 255.255.255.0
172.16.128.0 255.255.255.0
!
object-group network NatEnabled
description Internet Access Nat enabled networks
192.168.16.0 255.255.255.0
192.168.20.0 255.255.255.0
192.168.24.0 255.255.255.0
192.168.28.0 255.255.255.0
172.16.100.0 255.255.255.0
172.16.128.0 255.255.255.0
!
object-group network NatedThroughISP3
host 192.168.20.2
!


track 1 ip sla 1
delay down 90 up 90
!
track 2 ip sla 2
delay down 90 up 90
!
track 3 ip sla 3
delay down 90 up 90
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ISP1
ip address A.B.C.D 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description ISP2
ip address E.F.G.H 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/3
description ISP3
switchport access vlan 100
no ip address
!
interface Vlan1
ip address 192.168.16.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
ip policy route-map AlwaysISP3
!
interface Vlan10
ip address 192.168.20.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
ip policy route-map AlwaysISP3
!
interface Vlan11
ip address 192.168.24.1 255.255.255.0
ip helper-address 192.168.20.2
ip nat enable
ip virtual-reassembly in
!
interface Vlan12
ip address 192.168.28.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
!
interface Vlan13
description Cameras
ip address 192.168.32.1 255.255.255.0
ip virtual-reassembly in
!
interface Vlan20
ip address 172.16.100.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
ip policy route-map AlwaysISP3
!
interface Vlan21
ip address 172.16.128.1 255.255.255.0
ip helper-address 192.168.20.2
ip nat enable
ip virtual-reassembly in
ip policy route-map AlwaysTelecom
!
interface Vlan100
description ISP3
ip address I.J.K.L 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
ip virtual-reassembly in
!
ip local policy route-map router-local
ip forward-protocol nd
!
ip nat pool ISP1-pool A.B.C.D A.B.C.D prefix-length 24
ip nat pool ISP2-pool E.F.G.H E.F.G.H prefix-length 24
ip nat pool ISP3-pool I.J.K.L I.J.K.L prefix-length 29
ip nat source route-map ISP1-nat pool ISP1-pool overload
ip nat source route-map ISP2-nat pool ISP2-pool overload
ip nat source route-map ISP3-nat pool ISP3-pool overload
ip nat source static tcp 192.168.20.2 80 I.J.K.L 80 extendable
ip nat source static tcp 172.16.128.105 443 A.B.C.D 443 extendable
ip route 0.0.0.0 0.0.0.0 A.B.C.D 10 track 1
ip route 0.0.0.0 0.0.0.0 E.F.G.H 10 track 2
ip route 0.0.0.0 0.0.0.0 I.J.K.L 20 track 3
!
ip access-list extended ISP1_Local
permit ip host A.B.C.D any
permit icmp host A.B.C.D any
ip access-list extended ISP2_Local
permit ip host E.F.G.H any
permit icmp host E.F.G.H any
ip access-list extended ISP3_Local
permit ip host I.J.K.L any
permit icmp host I.J.K.L any
ip access-list extended LinuxServer
permit ip any host 192.168.20.2
ip access-list extended LinuxServerPorts
permit tcp any any eq www
ip access-list extended WindowsServer
permit ip any host 172.16.100.3
ip access-list extended WindowsServerPorts
permit tcp any any eq 443
ip access-list extended always-isp3-pbr
deny ip object-group AlwaysThroughISP3 object-group LocalNetworks
deny icmp object-group AlwaysThroughISP3 object-group LocalNetworks
permit ip object-group AlwaysThroughISP3 any
permit icmp object-group AlwaysThroughISP3 any
deny ip any any
deny icmp any any
ip access-list extended navigation-nat
deny ip object-group LocalNetworks object-group LocalNetworks
deny icmp object-group LocalNetworks object-group LocalNetworks
permit ip object-group NatEnabled any
permit icmp object-group NatEnabled any
deny ip any any
deny icmp any any
ip access-list extended static-nat-isp3-pbr
deny ip object-group NatedThroughISP3 object-group LocalNetworks
permit tcp object-group NatedThroughISP3 eq www any established
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
threshold 40
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
threshold 40
timeout 1000
frequency 3
ip sla schedule 2 life forever start-time now
ip sla 3
icmp-echo 8.8.8.8 source-interface Vlan100
threshold 40
timeout 1000
frequency 3
ip sla schedule 3 life forever start-time now
!
route-map ISP3-nat permit 10
match ip address navigation-nat
match interface Vlan100
!
route-map ISP1-nat permit 10
match ip address navigation-nat
match interface GigabitEthernet0/0
!
route-map router-local permit 10
match ip address ISP1_Local
set ip next-hop ISP1GW
!
route-map router-local permit 20
match ip address ISP2_Local
set ip next-hop ISP2GW
!
route-map router-local permit 30
match ip address ISP3_Local
set ip next-hop ISP3GW
!
route-map AlwaysISP3 permit 5
match ip address static-nat-isp3-pbr
set ip next-hop verify-availability ISP3GW 10 track 3
!
route-map AlwaysISP3 permit 10
match ip address always-isp3-pbr
set ip next-hop verify-availability ISP3GW 10 track 3
!
route-map ISP2-nat permit 10
match ip address navigation-nat
match interface GigabitEthernet0/1
!
!

event manager applet CLEAR_NAT_ISP1_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP1_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP2_DOWN
event track 2 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP2_UP
event track 2 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP3_DOWN
event track 3 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP3_UP
event track 3 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat nvi translation forced"
!
end
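An added example, not code from the original poster: a small Python model of the two NAT behaviours discussed in this thread. It evaluates the poster's navigation-nat ACL in order (deny LocalNetworks to LocalNetworks, then permit NatEnabled to any), which is why the dynamic overload NAT leaves inter-VLAN traffic alone, and it parses constructed show ip nat nvi translations lines to flag entries where a local source was rewritten to a global address even though the destination is itself inside LocalNetworks, which is the return-path symptom the poster describes. The object-group prefixes are copied from the posted config; the public address 198.51.100.10, the outside hosts 203.0.113.7 and 203.0.113.20, and all port numbers are constructed placeholders.

```python
"""Model of how an NVI static NAT entry catches inter-VLAN return traffic.

Added example for this thread (not the poster's code). Uses only the
standard library so it runs offline.
"""
import ipaddress
import re

# object-group network LocalNetworks, copied from the posted config.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "192.168.16.0/24", "192.168.20.0/24", "192.168.24.0/24", "192.168.28.0/24",
    "192.168.32.0/24", "172.16.100.0/24", "172.16.128.0/24")]

# object-group network NatEnabled: LocalNetworks minus the camera VLAN (Vlan13).
NAT_ENABLED = [n for n in LOCAL_NETWORKS
               if n != ipaddress.ip_network("192.168.32.0/24")]


def in_group(addr, group):
    """True if addr falls inside any prefix of the object-group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in group)


def navigation_nat_permits(src, dst):
    """Evaluate the poster's 'navigation-nat' ACL top-down, first match wins.

    This is the ACL behind the dynamic overload route-maps, so inter-VLAN
    flows never enter the overload pool. The static entry has no such ACL.
    """
    if in_group(src, LOCAL_NETWORKS) and in_group(dst, LOCAL_NETWORKS):
        return False   # deny ip object-group LocalNetworks object-group LocalNetworks
    if in_group(src, NAT_ENABLED):
        return True    # permit ip object-group NatEnabled any
    return False       # deny ip any any


# 'show ip nat nvi translations' data rows have five columns:
# Pro, Source global, Source local, Destin local, Destin global.
ENTRY_RE = re.compile(
    r"^(?P<pro>\w+)\s+(?P<sg>\S+)\s+(?P<sl>\S+)\s+(?P<dl>\S+)\s+(?P<dg>\S+)$")


def split_endpoint(ep):
    """'192.168.20.2:80' -> ('192.168.20.2', 80); '---' -> ('---', None)."""
    if ":" not in ep:
        return ep, None
    host, _, port = ep.rpartition(":")
    return host, int(port)


def parse_nvi_translations(text):
    """Parse the table into dicts; the header line does not match and is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        row = {"pro": m.group("pro")}
        for col in ("sg", "sl", "dl", "dg"):
            row[col] = split_endpoint(m.group(col))
        entries.append(row)
    return entries


def inter_local_translations(entries):
    """Entries whose local source was rewritten although the destination is
    inside LocalNetworks: the static-NAT hit on inter-VLAN return traffic."""
    flagged = []
    for e in entries:
        src_local, src_global, dst_local = e["sl"][0], e["sg"][0], e["dl"][0]
        if (in_group(src_local, LOCAL_NETWORKS)
                and in_group(dst_local, LOCAL_NETWORKS)
                and src_local != src_global):
            flagged.append(e)
    return flagged


# Constructed sample output; only the first row is the problem case.
SAMPLE_TABLE = """\
Pro Source global      Source local       Destin  local        Destin  global
tcp 198.51.100.10:80   192.168.20.2:80    192.168.24.50:54502  192.168.24.50:54502
tcp 198.51.100.10:80   192.168.20.2:80    203.0.113.7:41000    203.0.113.7:41000
tcp 198.51.100.10:1025 192.168.28.9:55000 203.0.113.20:443     203.0.113.20:443
"""

if __name__ == "__main__":
    for e in inter_local_translations(parse_nvi_translations(SAMPLE_TABLE)):
        print("inter-local translation:", e)
    print("dynamic NAT permits 192.168.24.50 -> 192.168.20.2?",
          navigation_nat_permits("192.168.24.50", "192.168.20.2"))
```

Run it against real show ip nat nvi translations output (paste it in place of SAMPLE_TABLE) to list every static-NAT hit on traffic that never left the router; the ACL function makes the contrast explicit: the same flow is denied by navigation-nat but is still rewritten by the static entry because nothing filters it.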

Hello,

 

where is your access list 'always-telecom-pbr' ? Did you omit that, and if so, can you post it ?

 

interface Vlan10
ip address 192.168.20.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
ip policy route-map AlwaysISP3

!

route-map AlwaysISP3 permit 5
match ip address static-nat-telecom-pbr
set ip next-hop verify-availability ISP3GW 10 track 3
!
route-map AlwaysISP3 permit 10
match ip address always-telecom-pbr
set ip next-hop verify-availability ISP3GW 10 track 3

Sorry, I've just edited the post, it was a misspelling!

 

route-map AlwaysISP3 permit 5
match ip address static-nat-isp3-pbr
set ip next-hop verify-availability ISP3GW 10 track 3

route-map AlwaysISP3 permit 10
match ip address always-isp3-pbr
set ip next-hop verify-availability ISP3GW 10 track 3

Hello

Confirm: are these 3 different subnets?

w.x.y.z is a host in vlan 10

a.b.c.d is a host in vlan 11

A.B.C.D is a public IP assigned to an interface

 

If so

Inter-VLAN w.x.y.z <--> a.b.c.d traffic shouldn't get NATted, why do you think it should?

However I see you are also policy routing on VLAN 10, so what are you trying to achieve with this?

Note: Any traffic not defined in a PBR statement will get routed normally. Also, the tracked next-hop address is considered reachable if the tracked object is up, so it will get PBR'd. Otherwise it will be RIB routed (normally routed).

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Yes, three different subnets.

 

Inter-VLAN w.x.y.z <--> a.b.c.d traffic shouldn't get NATted, why do you think it should?

It seems that it gets translated on the return path, because somehow it matches the ip nat source static statement! That's why I want to exclude the traffic!

 

PBR is used to set the next-hop in packets that must always be NATted through ISP 3 (overloaded) and the static NAT on the ISP 3 interface, because there's no route to ISP 3 if ISP 1 AND ISP 2 are up! (ISPs 1 and 2 have AD 10 in the routing table and 3 has AD 3, and all are tracked!)

Hello,

 

make sure your spelling is correct, as I don't see that access list either.

 

ip access-list extended always-isp3-pbr

!

always-ISP3-pbr

 

Either way, I'll try and lab this. In the meantime, I am not sure if you need an empty route-map sequence to allow local traffic, which should look like this:

 

route-map AlwaysISP3 permit 5
match ip address static-nat-telecom-pbr
set ip next-hop verify-availability ISP3GW 10 track 3
!
route-map AlwaysISP3 permit 10
match ip address always-telecom-pbr
set ip next-hop verify-availability ISP3GW 10 track 3

!

route-map AlwaysISP3 permit 15

route-map AlwaysISP3 permit 15 is not there anymore (it was there for testing... sorry for that)

always-ISP3-pbr is always-isp3-pbr

 

I've changed those names when i curated the config for posting

 

Georg, I've created a new post, where I describe the problem in more detail:
https://supportforums.cisco.com/t5/wan-routing-and-switching/problem-with-nat-nvi-in-multihomed-router/td-p/3403107