08-09-2010 05:31 AM - edited 03-04-2019 09:21 AM
I have a 3845 with a T1 that we use for Public DNS queries and zone transfers with a ISP. The defualt route on the router points to the other side on the T1.
Recently we added a DS3 that will be used for VPN users. So, from what I understand, since I wont be able to use route-maps for VPN users because the traffic hits the router encrypted, I will have to do it for the DNS traffic.
What I want to do is make the DS3 the defualt route, have DNS traffic go through the T1, and Bob's your uncle.
This is what I have done so far:
route-map rmap_DNS_traffic permit 10
match ip address DNS_traffic
set ip next-hop 63.63.63.62
ip access-list extended DNS_traffic
permit tcp any eq domain any
permit udp any eq domain any
interface Serial1/0
description Qwest DS3 - VPN traffic
ip address 63.63.63.63 255.255.255.252
ip nat outside
ip access-group inbound_qwest_DS3 in
interface Serial0/0/0:1
description Qwest - T1 - DNS traffic
ip address 88.88.88.88 255.255.255.252
ip access-group inbound_qwest_t1 in
ip nat outside
ip virtual-reassembly
ip policy route-map rmap_DNS_traffic
no ip route 0.0.0.0 0.0.0.0 63.63.63.62 
ip route 0.0.0.0 0.0.0.0 88.88.88.87
But this is not working. Anyone see what I am doing wrong?
Thanks,
Pedro
Solved! Go to Solution.
08-09-2010 06:53 AM
pener1963 wrote:
OK Jon. Note taking. I thought the route map had to be applied to the OUTGOING interface, but if thats not so, it will go on this interface:
interface GigabitEthernet0/0.10
Description - To Edge Firewall
encapsulation dot1Q 10
172.31.1.8 255.255.255.240
ip policy route-map rmap_DNS_traffic
Question
Would it be easier to just add the ips of the servers them selves to the Access List? i.e.:
ip access-list extended DNS_traffic
permit ip host 192.168.40.11 any
permit ip host 192.168.40.12 anyroute-map rmap_DNS_traffic permit 10
match ip address DNS_traffic
set ip next-hop 63.63.63.62Instead of the source port which is what I did before:
ip access-list extended DNS_traffic
permit tcp any eq domain any
permit udp any eq domain any
It would certainly be better to use the IP's and if you want to route all traffic for these 2 ips down the T1 then yes use "ip any any". But if you only want to route the DNS traffic you will need to use the ports. Either way i would use the IPs and not "any".
Jon
08-09-2010 06:22 AM
pener1963 wrote:
I have a 3845 with a T1 that we use for Public DNS queries and zone transfers with a ISP. The defualt route on the router points to the other side on the T1.
Recently we added a DS3 that will be used for VPN users. So, from what I understand, since I wont be able to use route-maps for VPN users because the traffic hits the router encrypted, I will have to do it for the DNS traffic.
What I want to do is make the DS3 the defualt route, have DNS traffic go through the T1, and Bob's your uncle.
This is what I have done so far:
route-map rmap_DNS_traffic permit 10
match ip address DNS_traffic
set ip next-hop 63.63.63.62ip access-list extended DNS_traffic
permit tcp any eq domain any
permit udp any eq domain anyinterface Serial1/0
description Qwest DS3 - VPN traffic
ip address 63.63.63.63 255.255.255.252
ip nat outside
ip access-group inbound_qwest_DS3 ininterface Serial0/0/0:1
description Qwest - T1 - DNS traffic
ip address 88.88.88.88 255.255.255.252
ip access-group inbound_qwest_t1 in
ip nat outside
ip virtual-reassembly
ip policy route-map rmap_DNS_trafficno ip route 0.0.0.0 0.0.0.0 63.63.63.62
ip route 0.0.0.0 0.0.0.0 88.88.88.87
But this is not working. Anyone see what I am doing wrong?Thanks,
Pedro
Pedro
This is a very confusing post.
1) You say you want to use T1 for DNS traffic and yet the route-map next-hop is set to the DS3 next-hop ?
2) What is the IP address of the DNS server ?
3) where is the DNS server in location to your router ie. which interface does it come in on ?
Jon
08-09-2010 06:33 AM
Opps my bad. For obvious reasons I cant copy right from the config....but you are right, it should read:
route-map rmap_DNS_traffic permit 10
match ip address DNS_traffic
set ip next-hop 88.88.88.87
ip access-list extended DNS_traffic
permit tcp any eq domain any
permit udp any eq domain any
interface Serial1/0
description Qwest DS3 - VPN traffic
ip address 63.63.63.63 255.255.255.252
ip nat outside
ip access-group inbound_qwest_DS3 in
interface Serial0/0/0:1
description Qwest - T1 - DNS traffic
ip address 88.88.88.88 255.255.255.252
ip access-group inbound_qwest_t1 in
ip nat outside
ip virtual-reassembly
ip policy route-map rmap_DNS_traffic
no ip route 0.0.0.0 0.0.0.0 63.63.63.62
ip route 0.0.0.0 0.0.0.0 88.88.88.87
The IPs of the DNS servers are 192.168.40.11 and .12
The DNS servers are on the other side of the FW. There is a route on the 3845 for them:
ip route 192.168.40.0 255.255.255.0 172.31.1.4
Sorry about that. All this is confusing enough.
08-09-2010 06:38 AM
Pedro
The IPs of the DNS servers are 192.168.40.11 and .12
The DNS servers are on the other side of the FW. There is a route on the 3845 for them:
ip route 192.168.40.0 255.255.255.0 172.31.1.4
Sorry about that. All this is confusing enough.
You need to apply the route-map to the incoming interface for the DNS servers ie. you are trying to send the DNS servers traffic down the T1 link but you have applied the route-map to the T1 link. You need to apply it to the interface on the router that the DNS traffic comes from ie. the interface that connects to 172.31.1.4 by the looks of it.
Jon
08-09-2010 06:49 AM
OK Jon. Note taking. I thought the route map had to be applied to the OUTGOING interface, but if thats not so, it will go on this interface:
interface GigabitEthernet0/0.10
Description - To Edge Firewall
encapsulation dot1Q 10
172.31.1.8 255.255.255.240
ip policy route-map rmap_DNS_traffic
Question
Would it be easier to just add the ips of the servers them selves to the Access List? i.e.:
ip access-list extended DNS_traffic
permit ip host 192.168.40.11 any 
permit ip host 192.168.40.12 any
route-map rmap_DNS_traffic permit 10
match ip address DNS_traffic
set ip next-hop 63.63.63.62
Instead of the source port which is what I did before:
ip access-list extended DNS_traffic
permit tcp any eq domain any
permit udp any eq domain any
08-09-2010 06:53 AM
pener1963 wrote:
OK Jon. Note taking. I thought the route map had to be applied to the OUTGOING interface, but if thats not so, it will go on this interface:
interface GigabitEthernet0/0.10
Description - To Edge Firewall
encapsulation dot1Q 10
172.31.1.8 255.255.255.240
ip policy route-map rmap_DNS_traffic
Question
Would it be easier to just add the ips of the servers them selves to the Access List? i.e.:
ip access-list extended DNS_traffic
permit ip host 192.168.40.11 any
permit ip host 192.168.40.12 anyroute-map rmap_DNS_traffic permit 10
match ip address DNS_traffic
set ip next-hop 63.63.63.62Instead of the source port which is what I did before:
ip access-list extended DNS_traffic
permit tcp any eq domain any
permit udp any eq domain any
It would certainly be better to use the IP's and if you want to route all traffic for these 2 ips down the T1 then yes use "ip any any". But if you only want to route the DNS traffic you will need to use the ports. Either way i would use the IPs and not "any".
Jon
 
					
				
				
			
		
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide