02-25-2015 11:10 PM - edited 03-07-2019 10:51 PM
Hi
I need to configure a policy route as follows:
if traffic is from xxx.xxx.xx.0/24 to yyy.yyy.yyy.0/24, then route it to the VPN box xxx.xxx.1.10;
if traffic is from xxx.xxx.1.10 to yyy.yyy.yyy.0/24, go to the default route 0.0.0.0.
I believe it is OK to achieve this using a route map, am I right? If so, could I get advice on how to set it up?
Any comments will be appreciated.
Thanks in advance
julxu
02-26-2015 03:00 AM
Hi,
You can achieve this with the help of policy-based routing (PBR) in the router.
CF
02-26-2015 03:02 AM
Thanks for the reply. Please advise on the tip: how do I do it?
02-26-2015 03:13 AM
Please share more about your configuration so I can give exact config details.
This link clearly explains the steps involved in it:
https://glennmatthys.wordpress.com/2012/04/24/policy-based-routing-example-route-one-subnet-via-isp-a-and-another-via-isp-b/
CF
02-26-2015 04:00 AM
Hi Freak
My case is:
The asr1004 imports a default route 0.0.0.0 on int 0 from the BGP neighbour address 10.100.100.100.
Assume internal traffic 10.10.0.0/16 comes into the asr1004 on int 1 with IP address 10.3.3.3.
Assume the VPN with IP address 10.10.2.2 is directly linked to asr1004 int 2, and the int 2 IP address is 10.10.2.1.
Assume the target network is 10.200.200.0/24.
I want internal traffic (10.10.0.0/16) going to the target (10.200.200.0/24) to be redirected to 10.10.2.2 (VPN) first, so I add "ip route 10.200.200.0/24 10.10.2.2" on the asr1004.
Then, I want the VPN (10.10.2.2) to encrypt the traffic and send it to one of the IPs in the 10.200.200.0/24 range again. At this point, if I put the local policy route-map below, will it work?
ip local policy route-map vpn-out
access-list 100 permit ip 10.10.2.2 any
route-map vpn-out permit 10
match ip address 100
set ip next-hop 10.100.100.100
interface TenGigabitEthernet0/0/0
description bgp to get default
ip address 10.100.100.100 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface TenGigabitEthernet0/1/0
description get internal traffic
ip address 10.3.3.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
interface GigabitEthernet0/2/1
description vpn
ip address 10.10.2.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
media-type rj45
negotiation auto
ip local policy route-map vpn-out
access-list 100 permit ip 10.10.2.2 any
route-map vpn-out permit 10
match ip address 100
set ip next-hop 10.100.100.100
ip route 10.200.200.0/24 10.10.2.2
Please advise if it is the correct one?
02-26-2015 04:16 AM
Hi,
I am sorry, I am not able to understand your network setup. :(
I see that the traffic is routed to 10.10.2.2 from the ASR. So if you want to encrypt the traffic from there, do you have the required VPN configs there?
ip local policy route-map vpn-out
access-list 100 permit ip 10.10.2.2 any
route-map vpn-out permit 10
match ip address 100
set ip next-hop 10.100.100.100
Also, why are you configuring the local policy-map? The traffic is NOT initiated from this router, so we will NOT need a local policy map. A local policy map is applied to affect the traffic initiated from that device itself.
Also, why is the next-hop set to an interface IP, 10.100.100.100, within that device itself?
02-26-2015 04:42 AM
02-26-2015 04:53 AM
What is the VPN box? Does it have outbound connectivity towards 10.200.200.0/24, or is the only way via the ASR?
How is the VPN configured there? Who is the other-end VPN peer?
CF
02-26-2015 05:06 AM
It only connects to the ASR, and it has only one interface.
I only know that the VPN does not use a routing protocol, so I guess it is static routes configured for only two directions: one to the internet and one to internal.
I think it expects me to have two routers, one as the FW for internal and one for the border,
and they expect the FW to use a static route to redirect traffic to it,
but our FW does not do routing either; it is also only a static setup. That leaves only one box (the border router) doing routing.
Or is there any other way?
The VPN has only one interface,
and currently it is set up as:
if going to 10.200.200.0/24, go to 10.10.2.1;
if going to 10.10.0.0/16, go to 10.10.2.1 also.
So this leaves me no room to set up a static route.
For example: if my PC has IP 10.10.50.50 and I access 10.200.200.50, the traffic will come to asr1004 int te0/10, and since I have the default route there it goes to 10.10.2.2 (ip route 10.200.200.0/24 10.10.2.2). The VPN encrypts the traffic and sends it back to the asr1004 with the same destination, then the asr1004 resends the traffic back to the VPN box .....
If I had another router to put the VPN in the middle, then there would be no problem, but I have only one router, not two. So I guess, is it possible to do PBR?
If not the local one, can I do the below:
interface TenGigabitEthernet0/1/0
 description get internal traffic
 ip policy route-map redirect-to-vpn
!
! extended ACLs take wildcard masks, not subnet masks
ip access-list extended to-target
 permit ip 10.10.0.0 0.0.255.255 10.200.200.0 0.0.0.255
!
! the route-map name must match the one applied on the interface
route-map redirect-to-vpn permit 10
 match ip address to-target
 ! next hop is the VPN box (10.10.2.2), not the ASR's own Gi0/2/1 address
 set ip next-hop 10.10.2.2
If it is still not the right one, please advise what I should do to correct this issue.
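As an added illustration (not posted by anyone in this thread), a small Python model of the ASR's forwarding decision using the addresses quoted above: it shows why the "ip route 10.200.200.0/24 10.10.2.2" static route sends the VPN box's re-encrypted packets straight back to it, and that PBR applied only on the internal ingress interface lets the VPN box's own packets follow the BGP default instead. The interface names, the PC address and the assumption that the VPN box re-sends to the same destination range are constructed from the thread.

```python
import ipaddress

# Constructed model of the ASR's forwarding decision as described in the thread
# (not a Cisco tool; addresses and interface names are the ones quoted above).
UPSTREAM = "10.100.100.100"   # BGP default next hop
VPN_BOX = "10.10.2.2"         # VPN device on Gi0/2/1
DEFAULT_ONLY = [("0.0.0.0/0", UPSTREAM)]
WITH_STATIC = [("10.200.200.0/24", VPN_BOX)] + DEFAULT_ONLY   # the 'ip route' from the thread
# Interface PBR: ingress interface -> [(source net, destination net, next hop)]
PBR_ON_INTERNAL = {"Te0/1/0": [("10.10.0.0/16", "10.200.200.0/24", VPN_BOX)]}

def route_lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop)."""
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1]

def forward(ingress, src, dst, pbr, table):
    """PBR on the ingress interface is consulted first; otherwise the routing table decides."""
    for src_net, dst_net, next_hop in pbr.get(ingress, []):
        if (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)):
            return next_hop
    return route_lookup(table, dst)

def trace(pbr, table, max_hops=4):
    """Follow the PC's packet: ASR -> VPN box -> ASR -> ... Returns (next hops, looped?)."""
    ingress, src, dst = "Te0/1/0", "10.10.50.50", "10.200.200.50"  # constructed PC flow
    hops = []
    for _ in range(max_hops):
        next_hop = forward(ingress, src, dst, pbr, table)
        hops.append(next_hop)
        if next_hop == UPSTREAM:
            return hops, False
        # The VPN box encrypts and re-sends the packet to the same destination range,
        # sourced from itself, so it arrives back on the ASR's Gi0/2/1 interface.
        ingress, src = "Gi0/2/1", VPN_BOX
    return hops, True

if __name__ == "__main__":
    print("static route only:  ", trace({}, WITH_STATIC))
    print("PBR + static route: ", trace(PBR_ON_INTERNAL, WITH_STATIC))
    print("PBR, static removed:", trace(PBR_ON_INTERNAL, DEFAULT_ONLY))
```

With the static route in place the trace never leaves the ASR/VPN pair, with or without PBR; only the PBR-without-static-route variant reaches the upstream next hop on the second pass.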