11-03-2018 02:00 PM - edited 11-03-2018 02:02 PM
Hi
I have ISR 4451-x router running zone base firewall and NAT.
Working setup
ip route 0.0.0.0 0.0.0.0 x.54.23.254
!
interface GigabitEthernet0/0/0
 description Internet
 ip address x.54.23.210 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip verify unicast reverse-path
 zone-member security OUTSIDE
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 description inside
 ip address 172.16.4.10 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip verify unicast reverse-path
 zone-member security INSIDE
 negotiation auto
 ip virtual-reassembly
During a change window we have to remove the default route for some reason, so I created a policy-based route to route traffic to int gi0/0/0:
no ip route 0.0.0.0 0.0.0.0 x.54.23.254
!
route-map internet deny 10
 match ip address PrivateNet-rfc1918
 ! send dest.address == RFC 1918 to global route table
route-map internet permit 20
 match ip address ALL-internet
 ! send internet traffic to int gi0/0/0
 set ip next-hop x.54.23.209
!
interface GigabitEthernet0/0/1
 ip policy route-map internet
Just after applying PBR on interface gi0/0/1, we lost all TCP connections but not UDP sessions:
Half-open Sessions
 Session ID 0x00667A6F (10.83.32.179:54761)=>(17.248.146.42:443) https SIS_OPENING
   Created 00:00:10, Last heard 00
   Bytes sent (initiator:responder) [0:0]
I can see the NAT was OK and UDP traffic had established sessions. So the question is what happened to ZBF when PBR ticked over to control the traffic. Is there any feature incompatibility?
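A small triage helper added here for this thread (not from the original post or from Cisco): it parses the show policy-firewall sessions layout quoted above and flags half-open sessions that have aged without a single responder byte, which is the pattern of traffic leaving through the inspected interface and never coming back. The dns session in the sample and the 5-second threshold are constructed assumptions; the https line is the one from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of "show policy-firewall sessions": the https
# session is the one quoted in the thread, the dns session is made up for contrast.
SAMPLE = """\
Established Sessions
 Session ID 0x00667A70 (10.83.32.150:50123)=>(8.8.8.8:53) dns SIS_OPEN
   Created 00:00:04, Last heard 00:00:04
   Bytes sent (initiator:responder) [62:78]
Half-open Sessions
 Session ID 0x00667A6F (10.83.32.179:54761)=>(17.248.146.42:443) https SIS_OPENING
   Created 00:00:10, Last heard 00:00:10
   Bytes sent (initiator:responder) [0:0]
"""

SESSION_RE = re.compile(r"Session ID (?P<sid>0x[0-9A-Fa-f]+) \((?P<src>[\d.]+:\d+)\)=>"
                        r"\((?P<dst>[\d.]+:\d+)\) (?P<app>\S+) (?P<state>SIS_\w+)")
CREATED_RE = re.compile(r"Created (\d+):(\d+):(\d+)")
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(\d+):(\d+)\]")

@dataclass
class Session:
    sid: str
    src: str
    dst: str
    app: str
    state: str
    age_s: int = 0          # seconds since the session was created
    init_bytes: int = 0
    resp_bytes: int = 0     # bytes seen from the responder, i.e. the return path

def parse_sessions(text):
    """Fold the three lines that describe each session into one Session record."""
    sessions = []
    for line in text.splitlines():
        if m := SESSION_RE.search(line):
            sessions.append(Session(m["sid"], m["src"], m["dst"], m["app"], m["state"]))
        elif sessions and (m := CREATED_RE.search(line)):
            h, mi, s = (int(x) for x in m.groups())
            sessions[-1].age_s = h * 3600 + mi * 60 + s
        elif sessions and (m := BYTES_RE.search(line)):
            sessions[-1].init_bytes, sessions[-1].resp_bytes = map(int, m.groups())
    return sessions

def suspect_no_return_path(sessions, min_age_s=5):
    """Half-open sessions older than min_age_s with zero responder bytes: the SYN
    went out, nothing came back through the inspected interface."""
    return [s for s in sessions
            if s.state == "SIS_OPENING" and s.resp_bytes == 0 and s.age_s >= min_age_s]
```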
11-04-2018 12:27 PM
Hello
Re-apply your default and remove the route-map stanza 10 and test again.
conf t
ip route 0.0.0.0 0.0.0.0 x.54.23.254
no route-map internet deny 10
11-04-2018 12:32 PM
Actually, as soon as I remove PBR from the interface and add the default route it works, but that is like going back to point zero.
conf t
ip route 0.0.0.0 0.0.0.0 x.54.23.254
no route-map internet deny 10
I don't understand your point. If I remove stanza 10 and add the default route, wouldn't it be the same thing both ways, i.e. sending traffic to x.54.23.254 by default gateway and by PBR?
11-04-2018 01:21 PM - edited 11-04-2018 01:23 PM
Hello
If you just want everything to go via a different next hop then you DON'T have to PBR, you only need to change the default route.
However I am assuming that you just want to PBR only specific hosts towards a different next hop address and not everything - if so then you'll need both the default route and the PBR next hop IP address.
So the route-map only needs to match on the traffic that you want PBR and all other traffic will go via the default route
11-04-2018 01:46 PM
Hi Paul
Yes, I understand your point. Actually we move the default gateway to another interface that is default-originated from the OSPF peer. I have implemented PBR many times so I have a good understanding of PBR and the default routing table.
But here my question is why ZBF shows half-open connections :( . WHY does UDP establish a connection and why is TCP half open?
I see the traffic going outside and never returning.
Again, as soon as I remove PBR all TCP connection traffic works. Strange.
11-04-2018 02:04 PM
Hello
Looking at your configuration I don't think at this time that the ZBFW is the issue; the next-hop address is in the same subnet and via the same outside interface as your previous default route - is the PBR next hop reachable?
What I do see is you're not specifying the next hop for the rest of the traffic not captured by your route-map.