Goal is to route any client from source 192.168.207.0 to the high speed internet on router 3

route map policy is apply to the interface. when i do the debug ip policy enable, I do see it route to the correct path  which is 192.168.0.6, however it cannot return 8.8.8.8 .is there something wrong with my nat. from the 2008 server when trying to ping 192.168.1.11 I do get a reply. however, ping 8.8.8.8 no response. ping  8.8.8.8 from router 192.168.0.6 is Good.

I suspect it is a NAT issue. Bear in mind that you are not doing any NAT on R1 for 192.168.207.0/24 because you are sending it across to the core switch.

So wherever you do the NAT for the high speed internet link you need to make sure you have added that subnet to make sure the IPs are translated.

Jon

so if i send over the core switch do I make f1/0 nat outside. I try both and it is not working

my config below:

interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 192.168.207.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map COX
 duplex auto
 speed auto
!
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface FastEthernet1/0 overload
!
ip access-list standard NAT
 permit 192.168.0.0 0.0.255.255
 permit 192.168.0.0 0.0.0.255
 permit 192.168.207.0 0.0.0.255
!
access-list 1 permit 192.168.207.0 0.0.0.255
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp any any eq www
no cdp log mismatch duplex
!
route-map COX permit 10
 match ip address 101 1
 set ip next-hop 192.168.0.6
!
route-map COX permit 20
 match ip address 101
 set ip next-hop 192.168.0.6
!
route-map COX permit 30
 match ip address 2
 set ip default next-hop 40.130.1.1

Where do you do the NAT for the high speed internet ? I assume it is on R3 so that is where you should do the NAT for this subnet as well.

That means both the core switch and R3 need to know about 192.168.207.0/24 and how to get to it so they need routes.

I notice also your configuration has changed but not sure why. You only need to do PBR for the 192.168.207.0/24 subnet not any of the others.

Jon

First, thanks for the response

the core switch and the R3 know about the 192.168.207.0 and can route. I can ping all the internal address. it is the outside 8.8.8.8 that I cant get a response from client

192.168.207.2.

here my R3

config

ip tcp synwait-time 5
!
!
!
!
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.0.6 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 8.8.8.8 255.255.255.255 192.168.1.1
ip route 192.168.207.0 255.255.255.0 192.168.0.2
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list standard NAT
 permit 192.168.0.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end


             ^

R3(config)#do sh run
Building configuration...

Current configuration : 1222 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.0.6 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 8.8.8.8 255.255.255.255 192.168.1.1
ip route 192.168.207.0 255.255.255.0 192.168.0.2
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list standard NAT
 permit 192.168.0.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

R3(config)# ping 8.8.8.8
             ^
% Invalid input detected at '^' marker.

R3(config)#exit
R3#ping
*Mar  1 09:38:36.085: %SYS-5-CONFIG_I: Configured from console by console
R3#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/28 ms
R3#

it works..Thanks you much..u r awesome.

No problem, glad to hear it is working.

Jon

Hi Jon,

after I applied the PBR and send internet traffic to the designated router. it works for about 2 days and I start seeing flapping connection. I had to reboot the router to get connection back. My thought is it due to congestion, what is your thought on this? where do I start to analyze this issue? I was monitoring for couple of days and noticed that if there were lots of connection coming from the match policy then it will cause the router to drop internet connection. then I have to reboot the router to make it work again.