How to configure BGP/static for policy route

julxu
Level 1

Hi

I need to configure a policy route such that:

if traffic is from xxx.xxx.xx.0/24 to yyy.yyy.yyy.0/24, then route it to the VPN box xxx.xxx.1.10

if traffic is from xxx.xxx.1.10 to yyy.yyy.yyy.0/24, go to the default route 0.0.0.0

I believe it is OK to achieve this using a route map, am I right? If so, could I get advice on how to set it up?

Any comments will be appreciated.

Thanks in advance

julxu

8 Replies

Cisco Freak
Level 4

Hi,

You can achieve this with the help of policy-based routing (PBR) on the router.

CF

Thanks for the reply. Please advise: what is the tip, and how do I do it?

Please share more about your configuration so I can give exact config details.

This link clearly explains the steps involved in it:

https://glennmatthys.wordpress.com/2012/04/24/policy-based-routing-example-route-one-subnet-via-isp-a-and-another-via-isp-b/

 

CF

Hi Freak

My case is:

The ASR1004 imports a default route 0.0.0.0 on int 0 from the BGP neighbour with address 10.100.100.100.

Assume internal traffic 10.10.0.0/16 comes into the ASR1004 on int 1, which has IP address 10.3.3.3.

Assume the VPN with IP address 10.10.2.2 is directly linked to ASR1004 int 2, and int 2's IP address is 10.10.2.1.

Assume the target network is 10.200.200.0/24.

I want internal traffic (10.10.0.0/16) going to the target (10.200.200.0/24) to be redirected to 10.10.2.2 (VPN) first, so I add "ip route 10.200.200.0/24 10.10.2.2" on the ASR1004.

Then, I want the VPN (10.10.2.2) to encrypt the traffic and send it to one of the IPs in the 10.200.200.0/24 range again. At this point, if I put the local policy route-map below, will it work?

ip local policy route-map vpn-out

access-list 100 permit ip 10.10.2.2 any

route-map vpn-out permit 10
  match ip address 100
  set ip next-hop 10.100.100.100

interface TenGigabitEthernet0/0/0
 description bgp to get default
 ip address 10.100.100.100 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 
!
interface TenGigabitEthernet0/1/0
 description get internaltraffic
 ip address 10.3.3.3 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 
interface GigabitEthernet0/2/1
 description vpn
 ip address 10.10.2.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 media-type rj45
 negotiation auto


ip local policy route-map vpn-out

access-list 100 permit ip 10.10.2.2 any

route-map vpn-out permit 10
  match ip address 100
  set ip next-hop 10.100.100.100


ip route 10.200.200.0 255.255.255.0 10.10.2.2

 

 

Please advise whether this is correct.

Hi,

I am sorry, I am not able to understand your network setup. :(

I see that the traffic is routed to 10.10.2.2 from the ASR. So if you want to encrypt the traffic from there, do you have the required VPN configs there?

ip local policy route-map vpn-out

access-list 100 permit ip 10.10.2.2 any

route-map vpn-out permit 10
  match ip address 100
  set ip next-hop 10.100.100.100

Also, why are you configuring the local policy map? The traffic is NOT initiated from this router, so we will NOT need a local policy map. A local policy map is applied to affect traffic initiated from the device itself.

Also, why is the next-hop set to an interface IP, 10.100.100.100, of that device itself?

 

The VPN has only one interface.

Currently it is set up as:

     if going to 10.200.200.0/24, go to 10.10.2.1

     if going to 10.10.0.0/16, go to 10.10.2.1 also.

So this leaves me no room to set up a static route.

For example: if my PC has IP 10.10.50.50 and I access 10.200.200.50, the traffic will come to the ASR1004 on int te0/10, and since I have the default route there it goes to 10.10.2.2 (ip route 10.200.200.0/24 10.10.2.2). The VPN encrypts the traffic and sends it back to the ASR1004 with the same destination; then the ASR1004 resends the traffic back to the VPN box .....

If I had another router to do the VPN in the middle, then there would be no problem, but I have only one router, not two. So I wonder whether it is possible to do PBR?

If not a local one, can I do the below:

interface TenGigabitEthernet0/1/0
 ! internal traffic
 ip policy route-map redirect-to-vpn
!
ip access-list extended to-target
 permit ip 10.10.0.0 0.0.255.255 10.200.200.0 0.0.0.255
!
route-map redirect-to-vpn permit 10
 match ip address to-target
 ! next hop is the VPN box itself, not the ASR's own Gi0/2/1 address
 set ip next-hop 10.10.2.2

If it is still not the right one, please advise what I should do to correct this issue.
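The loop described in this post, and the way an ingress-interface policy avoids it, as an added Python model that is not part of the thread or of any Cisco code. It models the ASR as a tiny forwarder (interface PBR evaluated before a longest-prefix lookup) and the VPN box as the post describes it (it encrypts and hands the packet back to the ASR with the same destination and its own address as source). Interface names, prefixes and the VPN address are the ones given in the thread; the BGP peer address 10.100.100.101 is an assumption, since the post uses 10.100.100.100 for both the interface and the neighbour.

```python
import ipaddress
from dataclasses import dataclass, field

# Addresses as posted in the thread; the upstream BGP peer address is an
# assumption (the post uses 10.100.100.100 for both the interface and the peer).
VPN_BOX = ipaddress.ip_address("10.10.2.2")
UPSTREAM = ipaddress.ip_address("10.100.100.101")   # assumed BGP neighbour on the /30
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")
TARGET_NET = ipaddress.ip_network("10.200.200.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Router:
    """Minimal forwarding model: interface PBR first, then longest-prefix match."""
    routes: list = field(default_factory=list)   # (prefix, next_hop): static and BGP routes
    pbr: dict = field(default_factory=dict)      # ingress interface -> [(src_net, dst_net, next_hop)]

    def rib_lookup(self, dst):
        matches = [(p, nh) for p, nh in self.routes if dst in p]
        if not matches:
            return None
        return max(matches, key=lambda e: e[0].prefixlen)[1]

    def forward(self, ingress, src, dst):
        # 'ip policy route-map' on an interface is evaluated before the routing
        # table, and only for packets that arrive on that interface.
        for src_net, dst_net, nh in self.pbr.get(ingress, []):
            if src in src_net and dst in dst_net:
                return nh
        return self.rib_lookup(dst)


def build_asr(static_to_vpn: bool, pbr_on_internal: bool) -> Router:
    """Build the ASR with the default from BGP plus the chosen redirection method."""
    asr = Router(routes=[(DEFAULT, UPSTREAM)])
    if static_to_vpn:
        asr.routes.append((TARGET_NET, VPN_BOX))    # ip route 10.200.200.0 255.255.255.0 10.10.2.2
    if pbr_on_internal:
        asr.pbr["Te0/1/0"] = [(INTERNAL_NET, TARGET_NET, VPN_BOX)]
    return asr


def trace(asr: Router, src: str, dst: str, max_hops: int = 6):
    """Follow one flow through the ASR. The VPN box is modelled as the OP describes:
    it encrypts and hands the packet back to the ASR on Gi0/2/1 with the same
    destination and its own address as source. Returns (path, outcome)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress, path = "Te0/1/0", []
    for _ in range(max_hops):
        nh = asr.forward(ingress, src, dst)
        path.append((ingress, str(src), str(dst), str(nh)))
        if nh is None:
            return path, "no route"
        if nh == UPSTREAM:
            return path, "upstream"
        if nh == VPN_BOX:
            if src == VPN_BOX:
                return path, "loop"      # encrypted packet handed back to the encryptor
            src, ingress = VPN_BOX, "Gi0/2/1"
    return path, "loop"


if __name__ == "__main__":
    for label, asr in (("static route only", build_asr(True, False)),
                       ("static route + PBR", build_asr(True, True)),
                       ("PBR on Te0/1/0 only", build_asr(False, True))):
        path, outcome = trace(asr, "10.10.50.50", "10.200.200.50")
        print(f"{label:22s} -> {outcome}")
        for hop in path:
            print("   ingress=%s src=%s dst=%s next-hop=%s" % hop)
```

Running it shows that the global static route loops whether or not the interface policy is also present, because the encrypted copy arriving on Gi0/2/1 hits the same /24 route. With only the ingress-interface policy, that copy matches no policy and follows the BGP default, which is the behaviour the thread is after. The model deliberately leaves out ip local policy, which applies only to packets the router itself originates, as the earlier reply notes.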

What is the VPN box? Does it have outbound connectivity towards 10.200.200.0/24, or is the only way via the ASR?

How is the VPN configured there? Who is the VPN peer at the other end?

CF

It only connects to the ASR, and it has only one interface.

I only know that the VPN does not use a routing protocol, so I guess it has static routes configured for only two directions: one to the internet and one to internal.

I think it expects me to have two routers, one as the FW for internal and one for the border.

And they expect the FW to use static routes to redirect traffic to it,

but our FW does not do routing either; it is also only a static setup. That leaves only one box (the border router) doing routing.

Or is there any other way?

 
