Policy based routing not working

jasonww04
Level 1

One router with two different ISPs. I want 3 subnets to go out one ISP and 1 subnet to go out the other. What's wrong with my config?

interface FastEthernet0/0
 ip address 172.17.35.1 255.255.255.0 secondary
 ip address 172.18.35.1 255.255.255.0
 ip nat inside
 ip policy route-map Director
!
interface FastEthernet0/0.1
 encapsulation dot1Q 2
 ip address 172.19.35.1 255.255.255.0
 ip access-group BlockLANAllowPrint in
 ip nat inside
 ip policy route-map Director
!
interface FastEthernet0/0.2
 encapsulation dot1Q 3
 ip address 172.20.35.1 255.255.255.0
 ip access-group BlockLANAllowPrint in
 ip nat inside
 ip policy route-map Director
!
interface FastEthernet0/1
 ip address 206.x.x.4 255.255.255.248
 ip nat outside
 crypto map to_vpn
!
interface FastEthernet0/1/0
 switchport access vlan 10
!
interface Vlan10
 ip address 173.x.x.3 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 206.x.x.3 9
ip route 0.0.0.0 0.0.0.0 173.x.x.4 25
ip nat inside source route-map NAT interface FastEthernet0/1 overload
ip nat inside source route-map Residents interface Vlan10 overload
!
ip access-list extended BlockLANAllowPrint
 deny   ip 172.20.35.0 0.0.0.255 172.19.35.0 0.0.0.255
 deny   ip 172.20.35.0 0.0.0.255 172.18.35.0 0.0.0.255
 deny   ip 172.20.35.0 0.0.0.255 172.17.35.0 0.0.0.255
 permit tcp 172.19.35.0 0.0.0.255 172.18.35.0 0.0.0.255 eq 9100
 permit tcp 172.19.35.0 0.0.0.255 172.18.35.0 0.0.0.255 eq lpd
 permit tcp 172.19.35.0 0.0.0.255 172.18.35.0 0.0.0.255 eq 161
 deny   ip 172.19.35.0 0.0.0.255 172.18.35.0 0.0.0.255
 deny   ip 172.19.35.0 0.0.0.255 172.17.35.0 0.0.0.255
 permit ip 172.19.35.0 0.0.0.255 any
 permit ip 172.20.35.0 0.0.0.255 any
ip access-list extended NAT
 deny   ip any 10.0.0.0 0.0.0.255
 deny   ip any 10.11.0.0 0.0.255.255
 deny   ip 172.18.35.0 0.0.0.255 172.18.136.0 0.0.0.255
 deny   ip any 10.18.0.0 0.0.0.255
 deny   ip 172.18.35.0 0.0.0.255 10.41.0.0 0.0.255.255
 deny   ip 172.18.35.0 0.0.0.255 10.52.0.0 0.0.255.255
 deny   ip 172.18.35.0 0.0.0.255 10.253.1.0 0.0.0.255
 deny   ip 172.18.35.0 0.0.0.255 10.254.1.0 0.0.0.255
 deny   ip any 10.61.0.0 0.0.255.255
 deny   ip 172.18.35.0 0.0.0.255 172.18.34.0 0.0.0.255
 deny   ip 172.18.35.0 0.0.0.255 172.18.22.0 0.0.0.255
 permit ip 172.18.35.0 0.0.0.255 any
 permit ip 172.17.35.0 0.0.0.255 any
 permit ip 172.19.35.0 0.0.0.255 any
 permit ip 172.20.35.0 0.0.0.255 any
ip access-list extended Residents-ACL
 permit ip 172.20.35.0 0.0.0.255 any
ip access-list extended TWFiber-ACL
 permit ip 172.17.35.0 0.0.0.255 any
 permit ip 172.18.35.0 0.0.0.255 any
 permit ip 172.19.35.0 0.0.0.255 any
!
route-map Director permit 10
 match ip address Residents-ACL
 set ip next-hop 173.x.x.4
!
route-map Director permit 11
 match ip address TWFiber-ACL
 set ip next-hop 206.x.x.3
!
route-map Residents permit 10
 match ip address Residents-ACL
 match interface Vlan10
 set ip next-hop 173.x.x.4
!
route-map NAT permit 10
 match ip address NAT
 match interface FastEthernet0/1
 set ip next-hop 206.x.x.3


9 Replies

p.mcgowan
Level 3

Looks like you are doing NAT on the interfaces you are trying to PBR, but the NAT address range is not being matched on the route-maps.

Marwan ALshawi
VIP Alumni

You have overlapping between the PBR policies and NAT policies.

Try to make it like this, but review it in terms of the required ACLs:

ip nat inside source route-map NAT interface FastEthernet0/1 overload
ip nat inside source route-map Residents interface Vlan10 overload
!
route-map Director permit 10
 match ip address Residents-ACL
 set ip next-hop 173.x.x.4
!
route-map Director permit 11
 match ip address TWFiber-ACL
 set ip next-hop 206.x.x.3
!
route-map Residents permit 10
 match ip address Residents-ACL
 match interface Vlan10
 set ip next-hop 173.x.x.4
!
route-map NAT permit 10
 match ip address NAT
 match interface FastEthernet0/1
 set ip next-hop 206.x.x.3

Also have a look at the below document I posted on CSC before, for understanding and improvements to your setup:

https://supportforums.cisco.com/docs/DOC-8313

Good luck.

If helpful, rate.

Still doesn't work. The 172.20.35.0/24 network cannot get to the internet, while the other three subnets have no problems.

Can you try this?

Update only the NAT route-maps as below:

access-list 10 permit any
!
route-map Residents permit 10
 match ip address 10
 match interface Vlan10
!
route-map NAT permit 10
 match ip address 10
 match interface FastEthernet0/1

Then, after you have updated, clear the NAT sessions and try it again.

Good luck.

Putting the match ip address 10 under route-map NAT crashed the router, even when I first removed the ip nat statement using the route-map. I'm at a total loss as to how this isn't working.

I even tried a simpler config and it fails as well:

interface FastEthernet0/0
 ip address 172.17.35.1 255.255.255.0 secondary
 ip address 172.18.35.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.1
 encapsulation dot1Q 2
 ip address 172.19.35.1 255.255.255.0
 ip access-group BlockLANAllowPrint in
 ip nat inside
!
interface FastEthernet0/0.2
 encapsulation dot1Q 3
 ip address 172.20.35.1 255.255.255.0
 ip access-group BlockLANAllowPrint in
 ip nat inside
 ip policy route-map Director
!
ip nat inside source route-map NAT interface FastEthernet0/1 overload
ip nat inside source route-map Residents interface Vlan10 overload
!
route-map Director permit 10
 match ip address Residents-ACL
 set ip next-hop 173.167.242.134
!
route-map Residents permit 10
 match ip address Residents-ACL
 match interface Vlan10
!
route-map NAT permit 10
 match ip address NAT
 match interface FastEthernet0/1

Looks like you have a wrong entry in the ACL NAT:

ip access-list extended NAT
 permit ip 172.20.35.0 0.0.0.255 any

With the initial configuration you have posted here, remove this entry from the ACL NAT & remove "set ip next-hop" from the route-maps "Residents" & "NAT".

route-map Residents permit 10
 match ip address Residents-ACL
 match interface Vlan10
!
route-map NAT permit 10
 match ip address NAT
 match interface FastEthernet0/1

The permit any ACL 10 suggested above should do it. Not sure why it did not work, as this ACL will be for NATing after the PBR kicked in!! (At least for testing.)

Finally got the router on a SmartNet contract. Hopefully, the issue is figured out tomorrow. I'll post results.

Here is the config that is working. It turns out I was testing it wrong: sourcing the trace from f0/0.2 was failing because traffic generated by the router itself will not be routed by PBR.

interface FastEthernet0/0.2
 encapsulation dot1Q 3
 ip address 172.20.35.1 255.255.255.0
 ip access-group BlockLANAllowPrint in
 ip nat inside
 ip policy route-map Director
!
ip route 0.0.0.0 0.0.0.0 206.169.3.33 9
!
ip nat inside source route-map NAT interface FastEthernet0/1 overload
ip nat inside source route-map Residents interface Vlan10 overload
!
route-map Director permit 10
 match ip address Residents-ACL
 set ip next-hop 173.167.242.134
!
route-map Residents permit 10
 match ip address Residents-ACL
 match interface Vlan10
!
route-map NAT permit 10
 match ip address NAT
 match interface FastEthernet0/1
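The thread turns on three IOS behaviours that are easy to get wrong when reading the config by eye: wildcard-mask ACL matching, the AND between `match ip address` and `match interface` inside one route-map entry, and the fact that interface PBR never sees router-generated packets. The following script is an added illustration, not code from this thread or from Cisco; it models the ACLs and route-maps from the original post and the corrected route-maps from the replies, and walks a few constructed packets through them. The destination 203.0.113.5 and the host addresses inside the /24s are made up for the example, the `x.x` next hops are kept as the labels the poster used, and ACL `NAT` is cut down to the entries that decide the outcome.

```python
"""Model of how IOS evaluates the PBR and NAT route-maps from this thread.

Added illustration only (not the thread's or Cisco's code). It models wildcard
matching, first-match ACL/route-map ordering, the AND between match-clause
types in one route-map entry, and the PBR bypass for router-generated traffic.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # "any" expressed as network/wildcard


def net24(prefix):
    """A /24 written as network/wildcard, the way the thread's ACLs do."""
    return (prefix, "0.0.0.255")


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(entries, src, dst):
    """Extended ACL: first matching entry wins, implicit deny at the end.
    Protocol/port matching is omitted; the ACLs that decide this case are
    plain 'ip' entries."""
    for action, (snet, swc), (dnet, dwc) in entries:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False


# ACLs copied from the original post. "NAT" keeps only the entries that matter
# here; "NAT-fixed" is the same ACL without the 172.20.35.0/24 permit that the
# thread calls the wrong entry.
ACLS = {
    "Residents-ACL": [("permit", net24("172.20.35.0"), ANY)],
    "TWFiber-ACL": [("permit", net24(p), ANY)
                    for p in ("172.17.35.0", "172.18.35.0", "172.19.35.0")],
    "NAT": [("deny", ANY, ("10.0.0.0", "0.0.0.255")),
            ("deny", ANY, ("10.11.0.0", "0.0.255.255"))]
           + [("permit", net24(p), ANY)
              for p in ("172.18.35.0", "172.17.35.0", "172.19.35.0", "172.20.35.0")],
}
ACLS["NAT-fixed"] = [e for e in ACLS["NAT"] if e[1] != net24("172.20.35.0")]

# Route-map entries in sequence order. "Director" is the PBR map; "Residents"
# and "NAT" are the corrected NAT maps (no set clause, match interface added).
ROUTE_MAPS = {
    "Director": [{"acl": "Residents-ACL", "next_hop": "173.x.x.4"},
                 {"acl": "TWFiber-ACL", "next_hop": "206.x.x.3"}],
    "Residents": [{"acl": "Residents-ACL", "interface": "Vlan10"}],
    "NAT": [{"acl": "NAT", "interface": "FastEthernet0/1"}],
    "NAT-fixed": [{"acl": "NAT-fixed", "interface": "FastEthernet0/1"}],
}

# Routing-table fallback: the static default with AD 9 beats the one with AD 25.
DEFAULT_NEXT_HOP = "206.x.x.3"


def route_map_hit(name, src, dst, egress_if=None):
    """Return the first permit entry whose clauses ALL match, else None.
    Different match types inside one entry are ANDed, as in IOS."""
    for entry in ROUTE_MAPS[name]:
        if "acl" in entry and not acl_permits(ACLS[entry["acl"]], src, dst):
            continue
        if "interface" in entry and entry["interface"] != egress_if:
            continue
        return entry
    return None


def pbr_next_hop(src, dst, router_generated=False):
    """Next hop for a packet arriving on an interface that carries
    'ip policy route-map Director'. Packets the router itself generates
    (the poster's traceroute sourced from f0/0.2) bypass interface PBR and
    use the routing table."""
    if router_generated:
        return DEFAULT_NEXT_HOP
    hit = route_map_hit("Director", src, dst)
    return hit["next_hop"] if hit else DEFAULT_NEXT_HOP


def nat_outside_interface(src, dst, egress_if, nat_map="NAT"):
    """Which 'ip nat inside source route-map ... interface X overload'
    statement claims the flow. Returns the outside interface name or None
    (None means the flow leaves untranslated, e.g. VPN traffic)."""
    for rm, outside in (("Residents", "Vlan10"), (nat_map, "FastEthernet0/1")):
        if route_map_hit(rm, src, dst, egress_if):
            return outside
    return None


if __name__ == "__main__":
    dst = "203.0.113.5"
    print("host in 172.20.35.0/24 ->", pbr_next_hop("172.20.35.10", dst))
    print("router-sourced from f0/0.2 ->",
          pbr_next_hop("172.20.35.1", dst, router_generated=True))
    print("NAT via", nat_outside_interface("172.20.35.10", dst, "Vlan10"))
```

Two results worth noticing: with the original ACL `NAT`, a 172.20.35.0/24 packet that leaves via FastEthernet0/1 for any reason (PBR next hop down, router-sourced traffic) is translated with the FastEthernet0/1 address, which is the overlap the replies point at; only the `match interface` clause keeps the two NAT statements apart. And a router-generated probe with a 172.20.35.1 source never consults `Director` at all, which is why the trace "failed" while hosts on that VLAN were fine.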