05-14-2018 06:20 AM - edited 03-05-2019 10:27 AM
Hello Everybody
I would like to ask someone with good knowledge of Cisco IOS etc. to help with this
I have Cisco 3945E with IOS Version 15.4(3)M7
What I want to reach is that all traffic to some specific public IP should be sent to different public IP
How it looks (please check also attached .jpg):
traffic from Cisco to y.y.y.y should be sent to x.x.x.x
traffic from Cisco to any other than IP should be routed through def gateway
I have configured dial-peers on this Cisco, and for one of these dial-peers I want to send SIP traffic through a server on which IPsec is configured to the other vendor.
I've tried simply ip route but it does not work at all; it looks like below
ip route 0.0.0.0 0.0.0.0 default gateway
ip route y.y.y.y 255.255.255.224 GigabitEthernet0/0 x.x.x.x
but when I run traceroute to y.y.y.y it does not show any hops..
Could someone help with this? I would really appreciate any advice.
05-14-2018 02:08 PM
Hello Piort,
In order to do what you want you have to configure PBR. I think you can accomplish this with this device, but this is done in software, so it is possible the CPU of your device gives up. If you do not have a big network with a big demand of traffic, you can test this without a problem.
First you have to create an ACL
access-list 100 permit ip host IPdeCisco host y.y.y.y
You can add as many ACL lines as there are sources/destinations you want to be routed to X.X.X.X in the interface
Second, create a route-map
route-map Navigation permit 10
match ip address 100
set ip next-hop x.x.x.x
and finally you have to apply this to the IN interface of the packet
ip policy route-map Navigation
When this condition (specific source IP address and specific destination IP address) does not occur, the router sends the traffic to the default route you have in the device.
----Please do not forget to rate useful posts, this motivates us to continue posting in the community.----
Regards,
05-15-2018 02:38 AM
Hello Diana
Thank you for your help
I configured as you described, now it looks like:
interface GigabitEthernet0/0
description uplink
ip address z.z.z.z 255.255.255.248
ip access-group 101 in
no ip unreachables
ip policy route-map Navigation
duplex full
speed auto
route-map Navigation permit 10
match ip address 100
set ip next-hop x.x.x.x
!
access-list 100 permit ip host z.z.z.z host y.y.y.y
But the packet is still sent to y.y.y.y instead of x.x.x.x
Maybe I configured something improperly?
I would like to add that the SIP call is coming to the Cisco and then the Cisco sends this INVITE to the destination IP of the outgoing dial-peer
05-15-2018 05:50 AM
Good morning estimated,
I think you are confused about the route-map. In ACL 100 you have to put the source and the destination IP address of the PACKET; you don't have to put the IP addresses of interfaces, so you need to know which IP addresses are the origin of your packets before applying this. If you need ALL the traffic from the Cisco interface with destination y.y.y.y to go to x.x.x.x, your ACL has to be something like this:
access-list 100 permit ip any host y.y.y.y
Please do not forget to rate useful post.
Best Regards,
05-16-2018 01:58 AM
Hi,
Yes indeed I need that ALL the traffic from the interface Cisco with destination y.y.y.y goes to x.x.x.x
This cisco handles SIP traffic with topology hiding.
All packets are directed to the Cisco, and then based on the dial-peer configured on the Cisco the packet is sent to the vendor IP - maybe this is important
With
access-list 100 permit ip any host y.y.y.y
the Cisco also does not send packets to x.x.x.x
interface GigabitEthernet0/0
description uplink
ip address z.z.z.z 255.255.255.248
ip access-group 101 in
no ip unreachables
ip policy route-map Navigation
duplex full
speed auto
route-map Navigation permit 10
match ip address 100
set ip next-hop x.x.x.x
!
access-list 100 permit ip any host y.y.y.y
sh route-map
route-map Navigation, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop x.x.x.x
Policy routing matches: 0 packets, 0 bytes
05-16-2018 06:11 AM
Good morning,
ACL 100 is not matching. This means that maybe you applied the policy on the wrong interface and the criteria are not being fulfilled. Remember you have to put the policy on the interface that receives the packet that goes to y.y.y.y. Or maybe there is something I don't know about your network? If you can send me a more specific diagram, that is better.
Please do not forget to rate useful posts, this motivates us to continue posting in the community.
Best Regards,
05-17-2018 06:03 AM - edited 05-17-2018 06:09 AM
Hi,
Please check the enclosed 2.jpg with the packet flow
I can add that Cisco has only one interface
And I can add that on interface is assigned ip access-group 101 in
access-list 101 permit udp host a.a.a.a host z.z.z.z eq 5060
access-list 101 permit udp host x.x.x.x host z.z.z.z eq 5060
access-list 101 permit udp host y.y.y.y host z.z.z.z eq 5060
access-list 101 deny udp any host z.z.z.z eq 5060
access-list 101 deny tcp any host z.z.z.z eq 5060
access-list 101 permit ip any any
!
ip forward-protocol nd
06-07-2018 07:32 AM
Hi,
Still with no success, any help really appreciated
I've tested the route map with Cisco 3945 and 3845 but packets are still not routed as expected.
looks that no packet was matched to use route map?
sh route-map
route-map Navigation, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop x.x.x.x
Policy routing matches: 0 packets, 0 bytes
>> interface has assigned
ip policy route-map Navigation
route-map Navigation permit 10
match ip address 100
set ip next-hop x.x.x.x
!
!
Access list config (there are two access lists, one for the route map, and a second assigned to the interface: ip access-group 101 in):
access-list 100 permit ip any host y.y.y.y
access-list 100 permit ip any host y.y.y.y
access-list 101 permit udp host b.b.b.b host z.z.z.z eq 5060
access-list 101 permit udp host c.c.c.c host z.z.z.z eq 5060
...
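An added example, not posted by any participant in this thread: `ip policy route-map` on an interface is evaluated only for packets received on that interface, whereas packets the router itself originates (which is how the outgoing INVITE from the dial-peer is described above) are policy-routed with the global `ip local policy route-map` command. The sketch reuses the thread's ACL 100 and route-map Navigation and assumes x.x.x.x is a directly connected next hop on the GigabitEthernet0/0 subnet.

```cisco
! ACL and route-map exactly as posted in the thread
access-list 100 permit ip any host y.y.y.y
!
route-map Navigation permit 10
 match ip address 100
 set ip next-hop x.x.x.x
!
! Transit traffic: the policy is checked only on the interface
! where the packet ARRIVES, before the routing-table lookup.
interface GigabitEthernet0/0
 ip policy route-map Navigation
!
! Router-originated traffic (for example SIP signalling generated by
! an outgoing dial-peer) never "arrives" on an interface, so the
! interface policy above is not consulted. This is a global
! configuration command, not an interface command.
ip local policy route-map Navigation
!
! Verification from exec mode:
!   show ip local policy           - confirms which route-map is bound locally
!   show route-map Navigation      - "Policy routing matches" should now increment
!   debug ip policy                - per-packet policy decisions (use with care on a busy router)
```

The inbound filter `ip access-group 101 in` is independent of either policy statement; it only decides which received packets are accepted on GigabitEthernet0/0.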