06-14-2013 07:07 AM - edited 03-04-2019 08:12 PM
Hi Team,
I need to do policy-based routing on an L3 switch for SMTP traffic and require config help.
As per the diagram:
The L3 switch is connected to an ASA firewall and a router.
On the L3 switch there are many SVIs and there is a default route to the ASA.
Currently all traffic goes through the ASA, with the default route on the ASA being 0.0.0.0 0.0.0.0 x.x.x.x.
Now I need to send only SMTP traffic through the router and the rest of the traffic through the ASA. Please find the config below.
On the L3 switch:
ip access-list extended policy
permit tcp 172.16.20.0 0.0.0.255 any eq smtp
deny ip any any
route-map Policy_in permit 10
match ip address policy
set ip next-hop 192.168.200.2
int vlan 50
ip address 172.16.20.1 255.255.255.0
ip policy route-map Policy_in
int gi0/2
no switchport
ip address 192.168.200.1 255.255.255.0
On the router:
int fa0/1
ip address 192.168.200.2 255.255.255.0
int s0/1
ip address 207.191.52.1 255.255.255.0
I will NAT the 172.16.20.x traffic on this router and will add a reverse route.
06-14-2013 07:14 AM
Hello
Your PBR config looks okay. Are you saying this isn't working?
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
06-14-2013 07:26 AM
Hi,
Still haven't checked. Just want to make sure it works before implementing it live.
Another thing I need to ask you: is there any chance of asymmetrical routing in this case?
06-14-2013 07:43 AM
Hello,
I assume there would be a possibility if the destination address has multiple paths back to the source.
I also forgot to mention that it would be worth adding this to the route-map for resiliency purposes:
set ip next-hop verify-availability x.x.x.x
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
06-17-2013 01:45 AM
Hi
Please find the config below:
ip access-list extended policy
permit tcp 172.16.20.0 0.0.0.255 any eq 3389
permit icmp 172.16.20.0 0.0.0.255 any echo
permit icmp 172.16.20.0 0.0.0.255 any echo-reply
deny ip any any
route-map Policy_in permit 10
match ip address policy
set ip next-hop 192.168.222.2
int vlan 50
ip address 172.16.20.1 255.255.255.0
ip policy route-map Policy_in
int gi1/48
no switchport
ip address 192.168.222.1 255.255.255.0
no shutdown
----------------------------------------
On the router:
int fa0/0/0/1
ip address 192.168.222.2 255.255.255.0
no shutdown
ip nat inside
int fa0/0
ip address 201.x.x.x 255.255.255.0
no shutdown
ip nat outside
ip route 172.16.20.0 255.255.255.0 192.168.222.1
ip nat pool test 201.x.x.53 201.x.x.53 netmask 255.255.255.252
ip nat inside source list 103 pool test overload
ip nat inside source static tcp 172.16.20.5 3389 201.x.x.52 3389
access-list 103 permit 172.16.20.0 0.0.0.255 any
When I check the IP NAT translations, it is not displaying any outside global IP at all.
I am also not able to RDP from the outside network to the 201.x.x.52 machine, which is NATted to 172.16.20.5.
06-17-2013 03:33 AM
Hi
I cleared the xlate and it started working.
But the problem is, when I use the line
permit tcp 172.16.20.0 any eq 3389
I am not able to RDP from the outside network.
But when I use permit ip 172.16.20.0 0.0.0.255 any it works fine.
The requirement is to send only RDP traffic.
06-17-2013 03:44 AM
Hi,
Try changing it to this:
permit tcp host 172.16.20.5 eq 3389 any
Because the server listens on TCP 3389, and the client will use a random port and connect to the server socket.
Hope it will help.
Best regards,
Abzal
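To show why the port position in the ACL decides what the PBR sees, here is an added Python model of IOS extended-ACL matching (written for this thread, not code from the poster or from Cisco). It assumes the original entry was meant to carry the 0.0.0.255 wildcard, and uses constructed addresses 198.51.100.7 (outside client) and 172.16.20.10 (a LAN host).

```python
import ipaddress
from collections import namedtuple
Packet = namedtuple("Packet", "proto src sport dst dport")  # ports 0 for icmp

def _net(addr, wildcard):
    # Cisco wildcard mask: 0 bits must match, 1 bits are "don't care"
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & mask, mask

def parse_ace(line):
    """permit|deny <proto> <src-spec> [eq <port>] <dst-spec> [eq <port>],
    where a spec is '<ip> <wildcard>', 'host <ip>' or 'any'."""
    tok = line.split()
    action, proto, i, specs = tok[0], tok[1], 2, []
    for _ in range(2):  # source spec, then destination spec
        if tok[i] == "any":
            net, mask, i = 0, 0, i + 1
        elif tok[i] == "host":
            (net, mask), i = _net(tok[i + 1], "0.0.0.0"), i + 2
        else:
            (net, mask), i = _net(tok[i], tok[i + 1]), i + 2
        port = None
        if i < len(tok) and tok[i] == "eq":
            port, i = int(tok[i + 1]), i + 2
        specs.append((net, mask, port))
    return action, proto, specs

def ace_matches(ace, pkt):
    _, proto, (src, dst) = ace
    if proto not in ("ip", pkt.proto):
        return False
    for (net, mask, port), ip, pport in ((src, pkt.src, pkt.sport), (dst, pkt.dst, pkt.dport)):
        if int(ipaddress.IPv4Address(ip)) & mask != net or (port is not None and pport != port):
            return False
    return True

def acl_action(acl_lines, pkt):
    """First match wins; IOS ends every ACL with an implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"

# Constructed packets. PBR on "int vlan 50" only sees packets entering the SVI from the LAN,
# so for an RDP session initiated from outside it sees the server's reply (source port 3389):
REPLY = Packet("tcp", "172.16.20.5", 3389, "198.51.100.7", 51234)      # server -> client
OUTBOUND = Packet("tcp", "172.16.20.10", 40000, "198.51.100.7", 3389)  # LAN client -> remote RDP
ORIGINAL_ACL = ["permit tcp 172.16.20.0 0.0.0.255 any eq 3389", "deny ip any any"]
FIXED_ACL = ["permit tcp host 172.16.20.5 eq 3389 any", "deny ip any any"]
```

With the original entry the server's reply falls to the implicit deny and follows the default route to the ASA, so the session is asymmetric; with Abzal's entry the reply is policy-routed to the router, while LAN-initiated RDP to outside no longer is.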
06-17-2013 04:10 AM
Thanks a lot