Re: PBR configuration

stamil · ‎07-04-2019

Hi ,

I am new to Cisco routers and i was trying to configure PBR in Cisco router. I was facing problem in forwarding HTTP Traffic to the cache_server. Please help me to find the rules to forward the HTTP traffic.

Thanks,

Tamil

Hector Gustavo Serrano Gutierrez · ‎07-04-2019

Hi @stamil,

Could you please post the current PBR configuration for your Router?

stamil · ‎07-04-2019

Hi @Hector Gustavo Serrano Gutierrez ,

Please Take look at my config

wan --> FastEthernet2/0

LAN --> FastEthernet 1/0

Cache_iface --> FastEthernet 2/1

interface GigabitEthernet0/0
no ip address
shutdown
duplex full
speed 1000
media-type gbic
negotiation auto
!
!
interface FastEthernet1/0
ip address 192.168.50.1 255.255.255.0
ip policy route-map linux-proxy
ip nat inside
ip virtual-reassembly
duplex half
!
!
interface FastEthernet2/0
ip address 192.168.200.200 255.255.255.0
ip nat outside
ip policy route-map wan-proxy
ip virtual-reassembly
duplex auto
speed auto
!
!
interface FastEthernet2/1
ip address 192.168.56.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!

ip nat inside source list 1 interface FastEthernet2/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.200.1
!
ip access-list extended http-traffic
permit tcp any any eq www
ip access-list extended wan-traffic
permit tcp any eq www any
!
access-list 1 permit 192.168.56.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
no cdp log mismatch duplex
!
!
!
!
route-map linux-proxy permit 1
match ip address http-traffic
set ip next-hop 192.168.56.125
!
route-map wan-proxy permit 1
match ip address wan-traffic
set ip next-hop 192.168.56.125
!
!
!

This my running configuration

Dennis Mink · ‎07-04-2019

PBR config looks correct.

what exactly isnt working?

is traffic on port 80 hitting 192.168.156.125 at all?

Please remember to rate useful posts, by clicking on the stars below.

Hector Gustavo Serrano Gutierrez · ‎07-04-2019

Hi @stamil,

I tested the configuration in VIRL. It is OK.

The Cisco Router with PBR + NAT shouldn't be the problem here.

As @Dennis Mink suggested, what do you see on that linux-proxy (192.168.156.125)?. Is it actually forwarding the HTTP request traffic back to the Router?

Cheers.

stamil · ‎07-05-2019

Hi @Hector Gustavo Serrano Gutierrez ,

Thanks for your reply and i accept your point. In cache_box side, while running wireshark it shows these errors

TCP RETRANSMISSION
TCP PREVOIUS SEGMENT NOT CAPTURED
TCO DUP ACK
TCP ACKED UNSEEN SEGMENT
TCP FAST RETRANSMISSION
TCP OUT-OF-ORDER

When i google on those error the similar answer was there was multi-path between server and client

can you please help me to sort this problem, I suspect the rules are not forwarding properly.

Please provide some debug techniques to check packet flow in router level.

Hector Gustavo Serrano Gutierrez · ‎07-05-2019

Hi @stamil,

Those TCP messages can be caused by many different factors, including devices beyond this Cisco Router and linux-proxy server.

What is the issue you are facing at this moment? Is it no connectivity, constant disconnections or poor performance when attempting to pass the traffic thru your linux-proxy?

The PBR configuration should be forwarding all the traffic destined to TCP port 80 to that linux-proxy.

In reverse direction, the return traffic with TCP port 80 as source, is also being forwarded to that same linux-proxy.

This is just TCP port 80 traffic (HTTP). Not DNS, not HTTPS.

Moving forward, here is how you can take packet captures on the Cisco IOS Router:

Embedded Packet Capture for Cisco IOS and IOS-XE Configuration Example

Cisco IOS Configuration Example

Hope this helps.