10-01-2006 10:49 AM - edited 03-03-2019 02:11 PM
I have this scenario:
!
crypto ipsec transform-set VPN_PROD esp-3des esp-sha-hmac
!
crypto map VPN_PROD 1 ipsec-isakmp
description VPN_PROD
set peer 192.168.1.4
set transform-set VPN_PROD
match address ACL_VPN_PROD
!
!
!
interface FastEthernet0/1
description LAN COnnection
ip address 10.0.160.4 255.255.255.248
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
!
!
! ==== ISP_01 ===
!
interface Serial0/0.102 point-to-point
description ISP_01_PROD
ip address 192.168.150.21 255.255.255.252
frame-relay interface-dlci 102
crypto map VPN_PROD
!
! ==== ISP_02 ===
!
interface Serial0/2.19 point-to-point
description ISP_02_desa
ip address 192.168.151.21 255.255.255.252
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 19
!
!
ip route 192.168.10.4 255.255.255.255 192.168.150.22 name PROD
ip route 192.168.10.4 255.255.255.255 192.168.151.22 20 name desa
!
!
ip nat inside source static 10.0.44.50 172.20.10.64 route-map rm_desa
!
!
ip access-list extended ACL_VPN_PROD
permit ip host 10.0.44.31 host 192.168.10.4 log-input
!
!
ip access-list extended acl_desa
permit ip host 10.0.44.50 host 192.168.10.4
!
!
route-map rm_desa permit 10
match ip address acl_desa
set default interface Serial0/2.19
!
!
Hi,
I'm implementing this to get a connection through a NAT statement to a network partner using the floating route shown
as desa. This route is not in the routing table, and I have found that with policy routing and a route-map there are two
commands:
1.- set default interface "type number"
2.- set ip default next-hop "ip address"
that I can use in order to get a connection if the routing table has no explicit route for the destination network.
In this case I have 2 different ISPs and only one of them with NAT. Can anyone tell me if this can work? I tried, but I couldn't see the translation 10.0.44.50 -> 172.20.10.64 in the NAT table. Is there something wrong?
Regards,
Alex
10-02-2006 06:14 AM
Alex,
Is there a route back to 172.20.10.64 from the remote network? Also, the remote network must source *only* with IP 192.168.10.4 since that's the only route in your router at the present time.
I also recommend changing the route-map from
set default interface Serial0/2.19
to
set ip next-hop 192.168.151.22
___
Please rate helpful posts.
Thanks
10-03-2006 11:58 AM
Hi,
Thanks for your answer. I put the set default interface command because I read this is used when there is no entry in the routing table, and this is the case for the floating route pointing to the same destination but a different ISP, and also to do NAT. I'll be testing this Thursday in the morning but I'm not sure if it will work. There is another command for testing: set ip default next-hop, but I have never tested these commands, and I don't know if they will work for my case.
10-03-2006 12:27 PM
My understanding is that the set default interface command is supported only over point-to-point links, unless a route-cache entry exists using the same interface specified in the set interface command in the route map.
The set ip default next-hop will only check for default routing information. If the route is in the routing table, it will use it. Is that what you want?
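Added example, not part of the original posts: a small Python model of the forwarding decision discussed above, using the addresses and interface names from the posted configuration, to show which `set` clause sends 10.0.44.50 out the NAT-outside interface. It assumes the route-map is applied as policy routing to traffic arriving from the LAN (the posted configuration does not show that) and that Serial0/2.19 is up; the function and variable names are constructed for the illustration.

```python
import ipaddress

# Installed routes only: the floating static via 192.168.151.22 (distance 20)
# loses to the distance-1 route and never enters the table.
RIB = [("192.168.10.4/32", "Serial0/0.102")]           # via 192.168.150.22
NEXT_HOP_IF = {"192.168.151.22": "Serial0/2.19"}       # connected /30 on ISP_02
NAT_OUTSIDE = {"Serial0/2.19"}                         # only ISP_02 has "ip nat outside"
ACL_DESA = ("10.0.44.50", "192.168.10.4")              # acl_desa
STATIC_NAT = {"10.0.44.50": "172.20.10.64"}            # ip nat inside source static


def explicit_route(dst):
    """Egress of the longest non-default prefix covering dst, else None."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), ifc) for p, ifc in RIB]
    hits = [(n, ifc) for n, ifc in nets if n.prefixlen > 0 and addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def forward(src, dst, set_clause, arg):
    """Return (egress interface, source address on the wire) for one packet."""
    routed = explicit_route(dst)
    matched = (src, dst) == ACL_DESA
    if matched and set_clause == "set ip next-hop":
        egress = NEXT_HOP_IF[arg]          # policy overrides the routing table
    elif matched and routed is None and set_clause == "set ip default next-hop":
        egress = NEXT_HOP_IF[arg]          # used only without an explicit route
    elif matched and routed is None and set_clause == "set default interface":
        egress = arg                       # same condition as above
    else:
        egress = routed                    # normal destination-based routing
    if egress is None:
        return None, src                   # no route: dropped
    # The static translation is tied to rm_desa, so it needs an acl_desa match
    # and an inside-to-outside path.
    natted = matched and egress in NAT_OUTSIDE
    return egress, STATIC_NAT[src] if natted else src


if __name__ == "__main__":
    for clause, arg in [("set default interface", "Serial0/2.19"),
                        ("set ip default next-hop", "192.168.151.22"),
                        ("set ip next-hop", "192.168.151.22")]:
        print(clause, "->", forward("10.0.44.50", "192.168.10.4", clause, arg))
```

With the host route through ISP_01 installed, both "default" variants fall through to Serial0/0.102, which is not a NAT outside interface, so no translation entry for 10.0.44.50 would be created on that path.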
10-06-2006 05:51 AM
Hi Edison,
I want to use the connection through the ISP_02, the interface is configured as point-to-point, and for this connection there is a floating static route to the destination 192.168.10.4, the same for the other ISP.
! ==== ISP_02 ===
!
interface Serial0/2.19 point-to-point
description ISP_02_desa
ip address 192.168.151.21 255.255.255.252
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 19
!
10-06-2006 08:17 AM
Alex,
What about a route back?
Have you tried a traceroute to see where it dies?