Policy based routing on Cisco 2911 ISR

andy_4578
Level 1

Hi,

I have set up a basic PBR config to route HTTP and HTTPS out of a different interface (fa0/0/0), but for some reason HTTP traffic is still going out of the Gi0/1 interface.

Is anyone able to see what's wrong?

Config attached, minus the crypto stuff, and the publics have been changed.

Thanks

17 Replies

Okay, I assume your NAT is for the VPN...?

In which case there is no internet-purposed NAT for anything coming from inside LAN gi0/0?

So I'm not sure, but what I think is happening is that your traffic is being routed down the VPN where your default route is pointing, which is fine (there is your 4mb down which isn't meant to happen, right?). But traffic going out is being sent to 192.168.200.253 with the 'set ip default next-hop 192.168.200.253'.

This should only be HTTP and 443 traffic right?

To do NAT for your LAN using overload you could do something like this:

ip nat pool NAT_TEST 192.168.200.254 192.168.200.254 prefix-length 24
!
ip nat inside source list 10 pool NAT_TEST overload
!
! your LAN that needs access to the Internet
access-list 10 permit 172.16.5.0 0.0.0.255

I'm not sure what the effect will be as you have two interfaces with the 'ip nat outside' command on them. If anything, you could do a 'reload in #'.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml (NAT)

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009448f.shtml (NAT for IPSEC)

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi,

No, the NAT overload is purely for internet access on fa0/0/0; the NAT inside interface is gi0/0.

Trouble is, until the route-map works properly I can't remove the NAT rule on gi0/1 or all the machines will lose internet access.

The VPNs are for access back to the servers in our datacenter in the UK. HTTP or HTTPS traffic shouldn't be going down the VPN at all; it should all go out locally.

The default route 0.0.0.0 0.0.0.0 94.1.1.1 is pointing to a leased line router sitting in front of the Cisco.

andy_4578
Level 1

Thanks guys, it's all working using the match interface on the NAT route-maps.

Cheers for your help :-)
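The arrangement the thread converges on, written out end to end as an added example (this is not the poster's attached config, and not the earlier reply's NAT snippet): PBR on the inside interface steers only HTTP/HTTPS from the LAN to the next hop on fa0/0/0, and there is one NAT statement per outside interface, each tied to its egress interface with `match interface` so that two `ip nat outside` interfaces translate predictably. Interface names, the 172.16.5.0/24 LAN, the 192.168.200.253 next hop and the 94.1.1.1 default route are taken from the thread; the interface addresses, ACL names and route-map names are assumptions.

```cisco
! Added example, not the poster's configuration. Interface addresses and the
! ACL / route-map names are assumed; interface names, the LAN prefix, the PBR
! next hop and the default route come from the thread.
!
! 1. Classify only what PBR should steer: HTTP/HTTPS sourced from the LAN.
!    If some web traffic must still use the VPN, add a 'deny' for that
!    destination prefix above these permits.
ip access-list extended WEB_FROM_LAN
 permit tcp 172.16.5.0 0.0.0.255 any eq www
 permit tcp 172.16.5.0 0.0.0.255 any eq 443
!
! 2. Policy route that traffic towards fa0/0/0. Everything else falls through
!    to the routing table (default route via 94.1.1.1 on gi0/1).
!    'set ip next-hop' is applied before the routing-table lookup, whereas
!    'set ip default next-hop' is only used when the table has no explicit
!    (non-default) route for the destination.
route-map PBR_WEB permit 10
 match ip address WEB_FROM_LAN
 set ip next-hop 192.168.200.253
!
! 3. NAT: one translation rule per outside interface. 'match interface' in
!    the route-map binds each rule to the egress interface chosen by routing
!    or PBR, so a flow leaving fa0/0/0 is never translated to gi0/1's address
!    and vice versa.
ip access-list standard LAN_HOSTS
 permit 172.16.5.0 0.0.0.255
!
route-map NAT_VIA_FA000 permit 10
 match ip address LAN_HOSTS
 match interface FastEthernet0/0/0
!
route-map NAT_VIA_GI01 permit 10
 match ip address LAN_HOSTS
 match interface GigabitEthernet0/1
!
ip nat inside source route-map NAT_VIA_FA000 interface FastEthernet0/0/0 overload
ip nat inside source route-map NAT_VIA_GI01 interface GigabitEthernet0/1 overload
!
! 4. Interfaces. The policy is applied on the inside (ingress) interface;
!    PBR acts on transit traffic only, not on packets the router generates.
interface GigabitEthernet0/0
 description LAN (assumed address)
 ip address 172.16.5.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR_WEB
!
interface FastEthernet0/0/0
 description Local internet breakout for HTTP/HTTPS (assumed address)
 ip address 192.168.200.254 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description Leased line towards 94.1.1.1, default route and VPN (assumed address)
 ip address 94.1.1.2 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 94.1.1.1
```

To check that the policy is actually being hit, `show route-map PBR_WEB` reports a policy-routing match counter that should increase while a LAN host browses, and `show ip nat translations` should show LAN sources mapped to 192.168.200.254 for ports 80/443 and to gi0/1's address for everything else. If the counter stays at zero, the usual cause is that the ACL does not match the traffic (wrong source prefix or port), or that the policy was applied to an outside interface instead of the inside one.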