12-14-2009 08:08 PM - edited 03-06-2019 08:57 AM
ip access-list extended new
 5 permit 10.32.52.6 0.0.0.0 172.27.200.100 0.0.0.0
 6 deny 10.32.52.0 0.0.0.255 172.27.200.100 0.0.0.0
 7 permit 10.32.52.0 0.0.0.255 172.27.200.100 0.0.0.0
!
route-map newnew permit 5
 match ip address new
 set ip next-hop 10.32.254.5
!
interface fa3/1
 ip address 100.100.100.1 255.255.255.252
 ip policy route-map newnew
!
ip route 172.27.200.0 255.255.255.0 144.1.4.85
With the above config, the source 10.32.52.6 is able to ping 172.27.200.100, but 172.27.200.100 is not able to ping 10.32.52.6. If I use the command "ip route 172.27.200.0 255.255.255.0 10.32.254.5", ping works both ways. I am trying to get this two-way ping working using the route map matching the above access-list and have had no success. This config is being used on a Cisco 4006 switch. Any ideas?
12-14-2009 08:25 PM
It's hard to say without seeing the rest of the config. You don't show any info pertaining to the 10.32.54.0 network other than in the access list. Do you have a route for that network, or is it on one of your interfaces? And where is 144.1.4.85? Is that an interface IP?
Also, line 7 of your access-list is never going to be applied, as that traffic is denied by line 6. I think you meant to specify the return traffic like this:
ip access-list extended new
 5 permit 10.32.52.6 0.0.0.0 172.27.200.100 0.0.0.0
 6 deny 10.32.52.0 0.0.0.255 172.27.200.100 0.0.0.0
 7 permit 172.27.200.100 0.0.0.0 10.32.52.0 0.0.0.255
That's the best I can do without seeing the rest of your config.
12-14-2009 08:55 PM
10.32.254.5 and 144.1.4.85 are VPN routers that are part of VLAN interfaces on this 4006 switch.
172.27.200.0 is terminating on these two VPN routers for two different tunnels. 10.32.0.0/16 is behind 10.32.254.5 and 144.1.0.0/16 is behind 144.1.4.85.
12-15-2009 01:52 PM
A couple of things I see:
ip access-list extended new
 5 permit 10.32.52.6 0.0.0.0 172.27.200.100 0.0.0.0
 6 deny 10.32.52.0 0.0.0.255 172.27.200.100 0.0.0.0
 7 permit 10.32.52.0 0.0.0.255 172.27.200.100 0.0.0.0
You are denying the traffic and then permitting it. You will never get to the permit, because the ACL is read top-down and evaluation stops at the first match. So traffic from 10.32.52.0/24 to 172.27.200.100 is being denied.
You are only showing lines 5-7. What are lines 1-4, and are there any other lines after 7?
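To make the top-down, first-match point above concrete, here is a small added example (not code from the original thread, and not a Cisco tool) that evaluates Cisco-style wildcard-mask ACEs the way the ACL above is read and flags any entry that can never be reached because an earlier entry already covers its whole address space. The two ACLs are constructed from the posts in this thread; the function and constant names are this example's own.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

# ACL as posted: (seq, action, src, src-wildcard, dst, dst-wildcard)
ACL_AS_POSTED = [
    (5, "permit", "10.32.52.6", "0.0.0.0",   "172.27.200.100", "0.0.0.0"),
    (6, "deny",   "10.32.52.0", "0.0.0.255", "172.27.200.100", "0.0.0.0"),
    (7, "permit", "10.32.52.0", "0.0.0.255", "172.27.200.100", "0.0.0.0"),
]

# ACL with line 7 rewritten for the return traffic, as suggested in the reply
ACL_RETURN_PATH = [
    (5, "permit", "10.32.52.6",     "0.0.0.0",   "172.27.200.100", "0.0.0.0"),
    (6, "deny",   "10.32.52.0",     "0.0.0.255", "172.27.200.100", "0.0.0.0"),
    (7, "permit", "172.27.200.100", "0.0.0.0",   "10.32.52.0",     "0.0.0.255"),
]


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: 0 bits in the wildcard must match, 1 bits are ignored."""
    fixed = ~_ip(wildcard) & MASK32
    return (_ip(addr) & fixed) == (_ip(base) & fixed)


def evaluate(acl, src, dst):
    """Top-down, first-match evaluation. Returns (seq, action); the implicit
    deny at the end of every IOS ACL is reported as (None, 'deny')."""
    for seq, action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return seq, action
    return None, "deny"


def _covers(base1, wc1, base2, wc2):
    """True if every address matched by (base2, wc2) is also matched by (base1, wc1).
    Works for any wildcard bit pattern, not only contiguous ones."""
    w1, w2, b1, b2 = _ip(wc1), _ip(wc2), _ip(base1), _ip(base2)
    fixed1 = ~w1 & MASK32
    # every bit fixed by entry 1 must also be fixed by entry 2, to the same value
    return (w2 & fixed1) == 0 and (b2 & fixed1) == (b1 & fixed1)


def shadowed_entries(acl):
    """Return (shadowed_seq, shadowing_seq) pairs for entries that can never match
    because an earlier entry covers both their source and destination space."""
    found = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (_covers(earlier[2], earlier[3], later[2], later[3])
                    and _covers(earlier[4], earlier[5], later[4], later[5])):
                found.append((later[0], earlier[0]))
                break
    return found


if __name__ == "__main__":
    print("as posted, shadowed:", shadowed_entries(ACL_AS_POSTED))       # [(7, 6)]
    print("as posted, host .6 ->", evaluate(ACL_AS_POSTED, "10.32.52.6", "172.27.200.100"))
    print("as posted, host .7 ->", evaluate(ACL_AS_POSTED, "10.32.52.7", "172.27.200.100"))
    print("return path, shadowed:", shadowed_entries(ACL_RETURN_PATH))   # []
    print("return path, .100 -> .6:", evaluate(ACL_RETURN_PATH, "172.27.200.100", "10.32.52.6"))
```

Two things worth keeping in mind when reading the results. First, in a route-map a deny ACE does not drop the packet; it just means the packet is not matched by that clause, so it falls through to the next route-map clause or, if there is none, to ordinary destination-based routing. Second, a policy route-map only ever sees packets that arrive on the interface carrying the `ip policy` command, so an ACE for the reverse direction only does anything if the route-map is also applied where that reverse traffic enters the switch.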
12-16-2009 02:31 PM
If you want this route map to apply in both directions, then you have to apply 'ip policy route-map newnew' to the interface that is receiving the traffic from 172.27.200.100. Try that and see.