Policy based on svi

prashantrecon
Level 1

Hi Team,

I need to do policy-based routing on an L3 switch for SMTP traffic. I require config help.

As per the diagram:

The L3 switch is connected to an ASA firewall and a router.

On the L3 switch there are many SVIs and there is a default route to the ASA.

Currently all traffic goes through the ASA, with the default route on the ASA being 0.0.0.0 0.0.0.0 x.x.x.x.

Now I need to send only SMTP traffic through the router and the rest of the traffic through the ASA. Please find the config below.

on L3 switch

ip access-list extended policy
 permit tcp 172.16.20.0 0.0.0.255 any eq smtp
 deny ip any any
route-map Policy_in permit 10
 match ip address policy
 set ip next-hop 192.168.200.2
int vlan 50
 ip address 172.16.20.1 255.255.255.0
 ip policy route-map Policy_in
int gi0/2
 no switchport
 ip address 192.168.200.1 255.255.255.0

on Router

int fa0/1
 ip address 192.168.200.2 255.255.255.0
int s0/1
 ip address 207.191.52.1 255.255.255.0

I will NAT the 172.16.20.x traffic on this router and will add a reverse route.


Hello

Your PBR config looks okay. Are you saying this isn't working?

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

I still haven't checked. I just want to make sure it works before implementing it live.

Another thing I need to ask you: is there any chance of asymmetrical routing in this case?

Hello,

I assume there would be a possibility if the destination address has multiple paths back to the source.

I also forgot to mention that it would be applicable to add this to the route-map for resiliency purposes:

set ip next-hop verify-availability x.x.x.x

res

Paul


Hi

Please find the config below.

ip access-list extended policy
 permit tcp 172.16.20.0 0.0.0.255 any eq 3389
 permit icmp 172.16.20.0 0.0.0.255 any echo
 permit icmp 172.16.20.0 0.0.0.255 any echo-reply
 deny ip any any
route-map Policy_in permit 10
 match ip address policy
 set ip next-hop 192.168.222.2
int vlan 50
 ip address 172.16.20.1 255.255.255.0
 ip policy route-map Policy_in
int gi1/48
 no switchport
 ip address 192.168.222.1 255.255.255.0
 no shutdown

--------------------------------------------------

on router

int fa0/0/0/1
 ip address 192.168.222.2 255.255.255.0
 no shutdown
 ip nat inside
int fa0/0
 ip address 201.x.x.x 255.255.255.0
 no shutdown
 ip nat outside
ip route 172.16.20.0 255.255.255.0 192.168.222.1
ip nat pool test 201.x.x.53 201.x.x.53 netmask 255.255.255.252
ip nat inside source list 103 pool test overload
ip nat inside source static tcp 172.16.20.5 3389 201.x.x.52 3389
access-list 103 permit 172.16.20.0 0.0.0.255 any

When I do ip nat translation it is not displaying any outside global IP at all.

Also, I am not able to RDP from the outside network to the 201.x.x.52 machine, which is NATed to 172.16.20.5.

Hi

I have cleared the xlate and it started working.

But the problem is, when I issue the command

permit tcp 172.16.20.0 any eq 3389

I am not able to RDP from the outside network.

But when I execute permit ip 172.16.20.0 0.0.0.255 any it works fine.

The requirement is to send only RDP traffic.

Hi,

Try changing it to be like this:

permit tcp host 172.16.20.5 eq 3389 any

Because the server listens on TCP 3389 and the client will use a random port to connect to the server socket.

Hope it will help.

Best regards,
Abzal

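The direction problem Abzal points out (and the SMTP case the original post started with) can be checked with a small model of extended-ACL matching and route-map next-hop selection. This is an added example, not configuration or code from the thread or from Cisco; the packets, the outside addresses in 198.51.100.0/24 and the client port numbers are constructed, and the ASA hop is only a label for "normal routing via the default route".

```python
"""Toy model of how a Cisco extended ACL referenced by a PBR route-map decides
which packets get the policy next-hop. Added example; it is not IOS code."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry. src/dst are 'any', 'host A.B.C.D' or
    'A.B.C.D W.W.W.W' (address plus wildcard). sport/dport model an
    'eq' keyword placed after the source or after the destination."""
    action: str
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec[5:]) == ipaddress.ip_address(addr)
    net, wildcard = spec.split()
    # Wildcard bits set to 1 are "don't care", so the mask is its complement.
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(net)) & mask) == (int(ipaddress.ip_address(addr)) & mask)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return True


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


ROUTER_HOP = "192.168.222.2"     # the route-map's set ip next-hop
ASA_HOP = "default-route-to-asa"  # label for normal routing (constructed)


def pbr_next_hop(acl: List[Ace], pkt: Packet) -> str:
    """A permit in the match ACL applies the set next-hop; a deny or no match
    falls through to the routing table, i.e. the default route to the ASA."""
    return ROUTER_HOP if acl_permits(acl, pkt) else ASA_HOP


# The original SMTP rule: 'eq smtp' after the destination.
ACL_SMTP = [Ace("permit", "tcp", "172.16.20.0 0.0.0.255", "any", dport=25),
            Ace("deny", "ip", "any", "any")]
# The RDP rule from the thread: 'eq 3389' after the destination.
ACL_DST_PORT = [Ace("permit", "tcp", "172.16.20.0 0.0.0.255", "any", dport=3389),
                Ace("deny", "ip", "any", "any")]
# Abzal's suggestion: 'eq 3389' after the source host.
ACL_SRC_PORT = [Ace("permit", "tcp", "host 172.16.20.5", "any", sport=3389),
                Ace("deny", "ip", "any", "any")]
# The broad rule that "worked": every IP packet from the subnet.
ACL_ALL_IP = [Ace("permit", "ip", "172.16.20.0 0.0.0.255", "any")]

# Constructed packets; 198.51.100.0/24 is documentation space, not a real peer.
RDP_REPLY = Packet("tcp", "172.16.20.5", "198.51.100.10", sport=3389, dport=52000)
SMTP_OUT = Packet("tcp", "172.16.20.7", "198.51.100.25", sport=51000, dport=25)
WEB_OUT = Packet("tcp", "172.16.20.9", "198.51.100.80", sport=51001, dport=443)

if __name__ == "__main__":
    for name, acl in (("dst-port ACL", ACL_DST_PORT), ("src-port ACL", ACL_SRC_PORT),
                      ("permit ip", ACL_ALL_IP)):
        print(f"{name:13s} RDP reply from server -> {pbr_next_hop(acl, RDP_REPLY)}")
    print(f"smtp ACL      outbound SMTP -> {pbr_next_hop(ACL_SMTP, SMTP_OUT)}")
    print(f"smtp ACL      outbound HTTPS -> {pbr_next_hop(ACL_SMTP, WEB_OUT)}")
```

Running it shows why the thread's symptoms line up: with `eq 3389` after the destination, the only packets policy-routed are those from a client inside 172.16.20.0/24 opening RDP outward. The replies from the statically NATed server carry 3389 as the source port and a random destination port, so they fall through to the default route and leave via the ASA rather than the router that received the inbound connection; that is exactly the asymmetric-routing case raised earlier in the thread. Putting `eq 3389` on the source side, or using `permit ip`, sends those replies to the router. The same check applied to the original SMTP policy shows outbound mail going to the router and other outbound traffic staying on the ASA path.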

Thanks a lot
