Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
556
Views
0
Helpful
3
Replies

NAT/PBR config

ScarFace P
Level 1
Level 1

‎05-23-2017 11:25 PM - edited ‎03-08-2019 10:42 AM

Hi Experts,

We have multiple branches which communicates with one of the vendor for services. Right now we are in process to have all the branches over a single MPLS line to communicate with HQ. Everything was fine until we ran into an issue. One of the branch in Australia communicates with the vendor(Few IP addresses) via a transit branch in US further US has a VPN tunnel with Vendor. So the setup is like below.

Australia =======Destination Vendor ==== > US ===VPN Tunnel ====> Vendor

When we move Australia to another circuit and US is leftover on old circuit(HQ is being transit now) it was not able to communicate with the vendor.

Australia ==== Destination Vendor ===> UK-HQ === Direct route to Vendor ==== > Vendor (Where the Australia should reach to US then over VPN tunnel to Vendor.)

Now we want to remain in old routing while Australia is on new circuit and HQ is being transit network.

Australia === Destination Vendor ===> HQ(It should not put the traffic according to its routing table.) =====> US ====> VPN tunnel ===> Vendor

I thought of below solutions but could not get them working.

> NAT the Vendor IP on US core router and have Australia to send the vendor traffic to NAT ip address of US core.
> PBR- Recursive next hop- it failed because HQ has direct route to vendor and advertising it to US and all branches.

Please help with the configuration i have attached the topology for reference.

Thanks in advance.

Labels:
Preview file
65 KB
Preview file
125 KB
Preview file
110 KB
Preview file
145 KB
0 Helpful
3 Replies 3

Jon Marshall
Hall of Fame
Hall of Fame

‎05-24-2017 03:32 AM

I'm not clear on why PBR doesn't work ie. at HQ use PBR to send the traffic to the UK Edge connecting to the US Core.

Why can't you do that ?

Jon

0 Helpful

ScarFace P
Level 1
Level 1
In response to Jon Marshall

‎05-24-2017 10:20 AM

Thanks Jon for the response.

Let me put the config which i had on my UK-Core. 

ip access-list extended AUS2Vendor

permit ip AUS/24 vendor/32 (being specific server IP-sddress)

Route map AUS2Vendor

match ip address AUS2Vendor

set ip next-hop recursive 10.30.0.2 (US-Core)

The above route map sends the traffic to UK-Edge but UK-Edge sends this traffic back to UK-Core as it has route pointing to core for vendor network. 

Only US core has route to its VPN tunnel for specific servers. Rest of the traffic will go through UK core.

So recursive next-hop will not work in this scenario. If you can recommend config that would be helpful.

Thank you

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to ScarFace P

‎05-24-2017 10:22 AM

Can you not use PBR on the UK-Edge device as well ?

Jon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card