Route-Map Internet Access on ISR-4331

florian.hanig1
Level 1

Hi,

I'm trying to configure a route-map to route traffic to the local Internet breakout (GigabitEthernet0/0/0).

Hardware: ISR-4331
IOS version: 17.06.05

The client IP "10.9.1.25" should have Internet access via the route-map...

This does not work.
On other, older routers (Cisco 890 series), this configuration worked.
But on the new ISR-4331 it doesn't work...

Any ideas to solve my problem?

Thank you.

Configuration:

interface GigabitEthernet0/0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 91.x.x.x 255.255.255.248
ip nat outside
ip access-group 120 in
load-interval 30
negotiation auto
crypto map VPN
service-policy output prio-pol
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.10
description *** VLAN 10 DATA ***
encapsulation dot1Q 10
ip address 10.9.1.1 255.255.255.0
ip helper-address 10.1.1.5
ip nat inside
ip access-group Netze10-40 in
ip tcp adjust-mss 1380
ip virtual-reassembly


ip nat inside source route-map nonat_coco interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 91.x.x.x 10



ip access-list extended Netze10-40
10 permit icmp any any
20 permit udp any 0.0.0.255 255.255.255.0 range bootps bootpc
270 permit ip host 10.9.1.25 any
280 permit ip any host 10.9.1.25

ip access-list extended coco_nat
10 deny ip any any
80 permit ip host 10.9.1.25 any
90 permit ip any host 10.9.1.25

route-map nonat_coco permit 10
match ip address coco_nat
match interface GigabitEthernet0/0/0

11 Replies

Hello Florian,

The issue here is the deny ip any any that blocks your traffic, in combination with two matches inside the route-map.

BR

****Kindly rate all useful posts*****

Jon Marshall
Hall of Fame

1) The ACL has a deny ip any any before the permit lines, so it will never get to the permit lines.

2) The route-map is not applied to the interface.

Jon

Hi @florian.hanig1 

I would change this part:

ip access-list extended coco_nat
80 permit ip host 10.9.1.25 any
90 permit ip any host 10.9.1.25

route-map nonat_coco permit 10
match ip address coco_nat
match interface GigabitEthernet0/0/0

route-map nonat_coco permit 20

The correct solution is this:

ip nat inside source route-map NAT_RM interface GigabitEthernet0/0/0 overload

ip access-list extended NAT_acl
permit ip 10.9.1.0 0.0.0.255 any

route-map NAT_RM permit 10
match ip address NAT_acl

****Kindly rate all useful posts*****

florian.hanig1
Level 1

@Flavio Miranda 

I already tried removing the deny line in the ACL... no change...

And what is the point of using this command?

route-map nonat_coco permit 20

@DanielP211 

I only want to give 10.9.1.25 access, not the whole network...

And in the route-map, do I have to remove the "match interface"?

@Jon Marshall 

What do you mean by "2) the route map is not applied to the interface"??

Apologies, just ignore that, I thought you were trying to do PBR.

Jon

Hello!

Then use this:

ip nat inside source route-map NAT_RM interface GigabitEthernet0/0/0 overload

ip access-list extended NAT_acl
permit ip host 10.9.1.25 any

deny ip any any

route-map NAT_RM permit 10
match ip address NAT_acl

****Kindly rate all useful posts*****

@Jon Marshall and I were confused about why he mentioned PBR.

But why?

Because we see a route-map with NATing.

If you don't use PBR, then why a route-map with NAT?

You can simply use a standard access list with NAT.

No need for a route-map matching an ACL and the egress interface.

No need.

florian.hanig1
Level 1

I have now tried everything, unfortunately without success; it does not work.

I noticed that all traffic is sent via a site-to-site connection and the route-map doesn't work.

Any ideas?

Share your last config; I will apply it to my lab and check the solution.

florian.hanig1
Level 1

Problem resolved... Thanks to @MHM Cisco World 

If I do a "deny ip any any log" in the ACL that is applied to the Internet interface, I get the following output in the log when I try to go to the Internet via the route-map:

000229: Jul 21 10:55:43.034 MESZ: %FMANFP-6-IPACCESSLOGP: F0/0: fman_fp_image: list 120 denied udp 8.8.8.8(53) -> ##EXTERNAL IP##(5591), 1 packet
000230: Jul 21 10:55:43.574 MESZ: %FMANFP-6-IPACCESSLOGP: F0/0: fman_fp_image: list 120 denied udp 8.8.8.8(53) -> ##EXTERNAL IP##(5594), 1 packet

If I add

permit ip any host ##EXTERNAL IP##

to the ACL, it works now...

But the router first tries to route the traffic over the site-to-site VPN, and only then the local breakout...

How do I fix this to only use the local breakout for certain clients?

Any ideas?

The S2S VPN crypto map has this entry:

match address VPN

and ACL VPN is:

ip access-list extended VPN
10 permit ip 10.9.0.0 0.0.255.255 any
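Added example (editor's configuration, not the thread starter's or any replier's own config). It pulls together the three pieces the thread touches on: the plain standard-ACL NAT that @MHM Cisco World suggested instead of the route-map, a crypto ACL that excludes the breakout host before the /16 permit (the crypto map uses first-match, so a deny entry means "do not protect this traffic"), and an inbound ACL on the outside interface that admits only IKE/ESP from the peer and return traffic to the PAT ports, rather than "permit ip any host <outside IP>", which also exposes every service listening on the outside address (SSH, HTTPS, IKE, ...) to the whole Internet. Addresses are placeholders: 203.0.113.2 is the router's outside IP, 198.51.100.1 the IPsec peer, 10.9.1.25 the client that should use the local breakout; the ACL name NAT_BREAKOUT is made up.

```cisco
! --- 1) NAT for the one breakout host only ---------------------------
! A standard ACL is enough; no route-map and no "match interface"
! unless you are also doing PBR.
ip access-list standard NAT_BREAKOUT
 permit host 10.9.1.25
!
ip nat inside source list NAT_BREAKOUT interface GigabitEthernet0/0/0 overload
!
! --- 2) Crypto ACL: exclude the host before the /16 permit -----------
! The crypto map selects traffic top-down, first match wins. With the
! deny first, 10.9.1.25 is never marked for encryption and falls
! through to NAT and the default route. If that host must still reach
! the remote site through the tunnel, narrow the deny to Internet-only
! destinations instead of "any".
ip access-list extended VPN
 10 deny   ip host 10.9.1.25 any
 20 permit ip 10.9.0.0 0.0.255.255 any
!
! --- 3) Inbound ACL on the Internet interface -------------------------
! Assumes the client's source ports are ephemeral (>1023). IOS PAT
! keeps the inside source port when it is free, so a client sending
! from a low port (e.g. NTP from 123) needs its own entry.
ip access-list extended 120
 10 permit udp host 198.51.100.1 host 203.0.113.2 eq isakmp
 20 permit udp host 198.51.100.1 host 203.0.113.2 eq non500-isakmp
 30 permit esp host 198.51.100.1 host 203.0.113.2
 40 permit tcp any host 203.0.113.2 gt 1023 established
 50 permit udp any host 203.0.113.2 gt 1023
 60 permit icmp any host 203.0.113.2 echo-reply
 70 permit icmp any host 203.0.113.2 unreachable
 80 permit icmp any host 203.0.113.2 time-exceeded
 90 deny   ip any any log
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group 120 in
 crypto map VPN
!
interface GigabitEthernet0/0/1.10
 encapsulation dot1Q 10
 ip address 10.9.1.1 255.255.255.0
 ip nat inside
```

To check it, generate traffic from 10.9.1.25 and look at `show ip nat translations` (a translation to 203.0.113.2 should appear), `show crypto ipsec sa` (no encaps counters should increase for that host) and `show access-lists 120` (hits on lines 40/50, none on line 90 for the reply packets). Note that `established` only checks TCP flags and the UDP line is port-based, so this is still a static filter; if you want real stateful return-traffic handling on this platform, the zone-based firewall is the feature for that.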