pbr not working

AndersBramsen
Level 1

Hi all,

I have been trying for the last three nights to make PBR work on my home network.

I have 2 ISPs, one via 3G and one via ADSL.

What I want to do is, e.g., route all www via ADSL and so on.

So I have tried the following, but it doesn't seem to work:

ip access-list extended www_adsl
 permit tcp any eq 80 any
!
route-map LOCAL_POLICY 10
 match ip address www_adsl
 set ip next-hop 95.166.108.1
 set ip precedence 7
!
ip local policy route-map LOCAL_POLICY

I have also tried:

access-list 101 permit tcp any any eq 80
route-map reroute10traffic permit 10
 match ip address 101
 set ip next-hop 95.166.108.1
ip local policy route-map reroute10traffic

I don't know which is best?

None of them works for me.

My next-hop is the one on ADSL.

2 Replies

cadet alain
VIP Alumni

Hi,

First, if you want traffic from the LAN to be PBR'd, then you must apply the following command on the L3 interface where the traffic is coming in:

ip policy route-map xxx

The one you configured, ip local policy route-map xxx, is for locally generated traffic from the router.

Second, the first ACL wouldn't work because web traffic hasn't got port 80 as source port, but it has it as destination port.

Third, I suppose you're doing NAT, and if this is the case you'll have to use route-maps for NAT overload for the 2 WAN interfaces.

Post the following: sh run | s nat|route-map|access-list|policy

Regards.

Alain

Don't forget to rate helpful posts.
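To illustrate the first two points above (where PBR is applied, and which port a client's web request actually carries), here is a small Python model of how an IOS extended ACL and a route-map are evaluated against a LAN client's HTTP request versus the server's reply. This is an added example, not code from the thread or from Cisco; the packets and the 203.0.113.10 server address are constructed, and the model ignores everything not needed for the direction/ingress question (no NAT, no CEF adjacency details).

```python
# Toy model of IOS ACL/PBR matching (added example, not from the thread).
import ipaddress

NAMED_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25}  # IOS port names (subset)

def parse_ace(line):
    """Parse 'permit|deny <proto> <src> [eq P] <dst> [eq P]' with IOS wildcard masks."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    def take_addr():
        if rest[0] == "any":
            rest.pop(0)
            return ipaddress.ip_network("0.0.0.0/0")
        net, wild = rest.pop(0), rest.pop(0)
        # An IOS wildcard mask is the bitwise inverse of a netmask.
        mask = ipaddress.ip_address(~int(ipaddress.ip_address(wild)) & 0xFFFFFFFF)
        return ipaddress.ip_network(f"{net}/{mask}", strict=False)

    def take_port():
        if rest and rest[0] == "eq":
            rest.pop(0)
            tok = rest.pop(0)
            return int(tok) if tok.isdigit() else NAMED_PORTS[tok]
        return None  # no port qualifier: any port matches
    src, sport = take_addr(), take_port()  # source address, then source port
    dst, dport = take_addr(), take_port()  # destination address, then destination port
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def acl_permits(acl_lines, pkt):
    """First matching ACE wins; every ACL ends with an implicit 'deny any'."""
    for ace in map(parse_ace, acl_lines):
        if (ace["proto"] in ("ip", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ace["src"]
                and ipaddress.ip_address(pkt["dst"]) in ace["dst"]
                and ace["sport"] in (None, pkt["sport"])
                and ace["dport"] in (None, pkt["dport"])):
            return ace["action"] == "permit"
    return False

def pbr_next_hop(route_map, pkt, policy_ifaces=(), local_policy=False):
    """route_map: [(acl_lines, next_hop), ...]. Transit packets are policy routed only
    when 'ip policy route-map' is on their ingress interface (policy_ifaces);
    router-generated packets (in_if == 'local') only when 'ip local policy' is set."""
    applies = local_policy if pkt["in_if"] == "local" else pkt["in_if"] in policy_ifaces
    if not applies:
        return None
    for acl_lines, next_hop in route_map:
        if acl_permits(acl_lines, pkt):
            return next_hop
    return None  # not matched: normal routing-table lookup applies
```

With the original poster's first ACL (`permit tcp any eq 80 any`) only the server's reply matches, because the client's request has port 80 as destination, and with only `ip local policy` configured a packet arriving on Vlan1 is never policy routed at all.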

AndersBramsen
Level 1

Here is the latest running config, but it is still not working.... Anyone got a clue what's wrong?

I'm getting hits in my ACL, but if I try to do some www traffic, it's not working...

! Last configuration change at 22:14:50 UTC Thu Aug 16 2012 by abramsen
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco819
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3588425243
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3588425243
 revocation-check none
 rsakeypair TP-self-signed-3588425243
!
!
no ip source-route
ip cef
!
!
no ip bootp server
no ip domain lookup
ip domain name it-kon.dk
ip name-server 192.168.0.1
ip name-server 208.67.222.222
ip name-server 8.8.8.8
no ipv6 cef
!
!
multilink bundle-name authenticated
chat-script gsm "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
license udi pid C819HG+7-K9 sn FCZ1606C0BY
!
!
controller Cellular 0
 gsm sim primary slot 1
 gsm failovertimer 7
!
ip tcp synwait-time 10
ip ssh version 2
!
!
!
no crypto ipsec nat-transparency udp-encapsulation
!
!
interface Cellular0
 description To ISP 1 (3G)$FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 load-interval 60
 dialer in-band
 dialer idle-timeout 900
 dialer string gsm
 dialer-group 2
 async mode interactive
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 description Wan port to ADSL
 ip address dhcp client-id GigabitEthernet0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Serial0
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PBR
!
interface Dialer0
 ip address negotiated
 encapsulation slip
 dialer pool 2
 dialer idle-timeout 0
 dialer string gsm
 dialer persistent
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
ip dns view default
 domain timeout 1
 no dns forwarding
ip nat inside source route-map 3G interface Cellular0 overload
ip nat inside source route-map ADSL interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0 10
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 110
!
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq 443
access-list 101 permit ip any any
dialer-list 1 protocol ip list 1
dialer-list 2 protocol ip permit
!
route-map ADSL permit 10
 match ip address 10
 match interface GigabitEthernet0
!
route-map PBR permit 10
 match ip address 100
 set ip next-hop 95.166.108.20
 set interface GigabitEthernet0
!
route-map PBR permit 30
 match ip address 101
 set ip next-hop 95.209.150.20
!
route-map 3G permit 10
 match ip address 10
 match interface Cellular0
!
!
control-plane
!
!
!
line con 0
line aux 0
line 3
 exec-timeout 0 0
 script dialer gsm
 login
 modem InOut
 no exec
 transport input all
 rxspeed 21600000
 txspeed 5760000
line vty 0 4
 access-class 23 in
 privilege level 15
 password fuQuophuja1
 login local
 transport input ssh
!
scheduler allocate 20000 1000
!
end