Source AND destination routing

Hi.

I need to apply source AND destination routing on my 29XX router.

In general the scenario is as follows:

- a TCP SYN comes from the Internet to a public address in the pool I own.

- I need to route this packet (and the rest of communication) to one of my internal servers based on: srcIP and port, dstIP and port.

- public dstIP of TCP SYN can be used by many external hosts

- srcIP is static (I know it before it sends any packet and it won't change)

An ideal solution would be routing based on extended ACL but as far as I know I can only route based on:

A) destination IP (classic routing)

B) source IP (policy routing)

Making a long story short: I need A + B.

Example:

     TCP SYN s=1.1.1.1.64543 d=9.9.9.9.80 ==> s=1.1.1.1.64543 d=172.16.250.1.23

     TCP SYN s=1.1.1.1.44543 d=9.9.9.9.69 ==> s=1.1.1.1.44543 d=172.16.250.100.53

     TCP SYN s=2.2.2.2.34943 d=9.9.9.9.80 ==> s=2.2.2.2.34943 d=172.16.250.200.22

where values in brown are known before connection.

Note: I tried PAT but I was not able to use '1.1.1.1' for multiple rules. I cannot invert inside and outside NAT interfaces (so Internet would be my inside) because I need to use a 'normal' NAT for other services (located on the same subnet).

Note: In the example I used well-known ports, but I mean to use the solution for different services.

Any advice would be welcomed.

Thanks.

2 Replies

Rolf Fischer
Level 9
An ideal solution would be routing based on extended ACL but as far as I know I can only route based on:

Are you familiar with the concept of policy based routing (PBR)?

You can create an (extended) ACL to define the interesting traffic and based on that you can overwrite the next-hop for the default route or for a particular route of the local routing table.

Is this what you're looking for?

Best regards

Rolf

P.S. Not sure if that works in combination with NAT, never tried that so far.

Rolf.

I already tried it - it was my initial approach.

You can apply an extended access list to policy routing but only the source part of it is processed - the destination IP address in the ACL is ignored. In addition I do not know the source TCP port :/

Regarding NAT and policy routing: it works as long as you keep in mind NAT order of operation (http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml).

Thanks for the post.

W.
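Rolf's suggestion written out, as an added example that is not configuration from the thread: an extended ACL that names source and destination (address and port), a route-map that overrides the next hop for matching packets, and `ip policy route-map` applied on the interface where the SYNs arrive. Interface names, router addresses and the next hop 172.16.250.250 are assumptions; the peer addresses and ports are the ones from the question. Two caveats that follow from the thread's own points: PBR only changes the next hop and does not rewrite the destination address or port, so the device at the next hop (or NAT) still has to do that mapping; and, going by the NAT order-of-operations document W. links, outside-to-inside NAT is applied before policy routing, so when this router itself translates 9.9.9.9 the ACL has to match the translated inside address rather than the public one.

```cisco
! Added example, not configuration from the thread. Assumed topology:
!   GigabitEthernet0/0  Internet-facing ("ip nat outside"), router address 9.9.9.1/24,
!                       public pool includes 9.9.9.9
!   GigabitEthernet0/1  inside LAN 172.16.250.0/24, router address 172.16.250.254
!   172.16.250.250      assumed inside firewall/NAT device that should receive the
!                       flows selected below (it is the next hop, not the final destination)
! Addresses 1.1.1.1, 2.2.2.2, 9.9.9.9 and the ports come from the question.

! Extended ACL used as the PBR match. Host entries and explicit ports keep the
! policy narrow; anything not matched falls through to ordinary destination routing.
ip access-list extended PBR-KNOWN-PEERS
 remark known peer 1.1.1.1 to 9.9.9.9 ports 80 and 69
 permit tcp host 1.1.1.1 host 9.9.9.9 eq 80
 permit tcp host 1.1.1.1 host 9.9.9.9 eq 69
 remark known peer 2.2.2.2 to 9.9.9.9 port 80
 permit tcp host 2.2.2.2 host 9.9.9.9 eq 80
! If this router translates 9.9.9.9 itself (static NAT/PAT), outside-to-inside NAT
! runs before policy routing, so the entries must name the translated inside
! address instead, e.g.:  permit tcp host 1.1.1.1 host 172.16.250.1 eq 23

! "set ip next-hop" is used (not "set ip default next-hop") so the policy wins
! over the routing table for matched packets; unmatched packets are routed normally
! because no other clause exists.
route-map PBR-KNOWN-PEERS permit 10
 match ip address PBR-KNOWN-PEERS
 set ip next-hop 172.16.250.250

interface GigabitEthernet0/0
 description Internet
 ip address 9.9.9.1 255.255.255.0
 ip nat outside
 ip policy route-map PBR-KNOWN-PEERS

interface GigabitEthernet0/1
 description inside LAN
 ip address 172.16.250.254 255.255.255.0
 ip nat inside

! Verification:
!   show route-map PBR-KNOWN-PEERS   - per-clause "policy routing matches" counters
!   show ip policy                   - which interface carries which route-map
!   debug ip policy                  - per-packet match and next-hop decisions (lab use)
```

The match counters in `show route-map` are the quickest way to tell whether the destination part of the ACL is being hit: if the public-address entries stay at zero while the flows clearly arrive, the packets are being evaluated after translation, and the ACL needs the inside local addresses as in the comment above.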
