Policy map or route-map

teymur azimov · ‎09-29-2011

Hi dears.

Core switch connect to ASA.

I configurated two subnet at core switch 3750. one of 192.168.193.0, 192.168.20.0 and second one is 10.10.1.0.

i write one ip route 0.0.0.0 0.0.0.0.0 192.168.193.222 (192.168.193.222-proxy server ip address).

and i want to 10.10.10.0 send to ASA not proxy server. ASa inside ip address 172.30.30.1 which is connected core switch.

how to send 10.10.10.0 to asa. i must be write route map but i do not know how.

please help me at this issue.

access-list 104 ip permit 10.10.10.0 0.0.0.255 any

route-map Classify permit 10

match ip address 104

set ip next-hop 172.30.30.1 ---asa inside ip.

i wrote it but it can not working.

shehinpm1 · ‎09-29-2011

Hi teymur,

1.i dont think u need to put static default to proxy server,proxy information only wil put under browser.

2.your route-map seems fine,but hv you applied this under interface.

BR,

shehin

pls rate if helpfull

cadet alain · ‎09-29-2011

Hi,

you must link this route-map with a Policy-based Routing on an interface inbound where traffic from 10.10.10.0 is coming from.

You want to do this on the 3750 switch? then you must first the sdm template to activate PBR then reload :

sdm prefer routing

then apply policy inbound with ip policy route-map Classify command on a routed port or SVI.

Regards.

Alain.

Don't forget to rate helpful posts.

Alexander Maroukian · ‎09-29-2011

Hi,

Once you write 10.10.10.0 network then 10.10.1.0? Did you check the config if the networks are the same? Have you applied the route map to the interface "ip policy route-map Classify" to the correct interface?

Can you post some sanitated config?

Best regards,

Alex

Latchum Naidu · ‎09-29-2011

Hi teymur,

It is route-map you need to configure and set ip default next-hop as your ASA inside IP.
See the below example config.

interface Vlan100
description Vlan 100 towards aaa
ip address 192.168.2.1 255.255.255.0
ip policy route-map Net-access
!

route-map Net-access1 permit 10
match ip address 11
set ip default next-hop 172.30.30..1 (hope you already have a vlan for this in your coreswitch)

access-list 11 permit ip 10.10.10.0 0.0.0.255 any

Please rate the helpful posts.
Regards,
Naidu.

teymur azimov · ‎09-29-2011

Hi Dears

thanks all of you.

i wrote the route-map at core switch and i want 10.10.10.0 subnet send to ASA.

Core swtich connect to ASA inside interface.

int vlan 8: 172.30.30.2 config at core switch and 172.30.30.1 ASA inside ip.

vlan 30: 10.10.10.1/24 configurated at core switch.

my configuration is:

access-list 104 ip permit 10.10.10.0 0.0.0.255 any

route-map Classify permit 10

match ip address 104

set ip next-hop 172.30.30.1 ---asa inside ip.

my question is where i applied this route-map??

shehinpm1 · ‎09-29-2011

Hi,

apply this in under vlan 30 interface,ls make sure you r access-list in curect format

acl 104 permit ip XXXXX

pls rate if helpfull

teymur azimov · ‎09-29-2011

thanks Shehin

i can be apply vlan 30: 10.10.10.0/24 subnet.???

thanks.

shehinpm1 · ‎09-29-2011

yes.the only requirement is the next hop has to be reachable from the switch

teymur azimov · ‎09-29-2011

the asa inside ip 172.30.30.1 connect to core switch. at core switch the this interface access vlan 8 which is (int vlan 8 172.30.30.2)

thanks

cadet alain · ‎09-29-2011

Hi,

as long as the next-hop is reachable from the switch point of view it will work.

just ping it to verify reachability and if it's ok then it will work.

Regards.

Alain.

Don't forget to rate helpful posts.

Latchum Naidu · ‎09-29-2011

Hi,

OK config like below...

And make sure the 172.30.30.1 is pingble from your Coreswitch and from vlan interface of network 10.10.10.0

int vlan 10
ip address 10.10.10.1 255.255.255.0
ip policy route-map Net-access

route-map Net-access1 permit 10
match ip address 11
set ip default next-hop 172.30.30.1

access-list 11 permit ip 10.10.10.0 0.0.0.255 any

Please rate the helpful posts.
Regards,
Naidu.

shehinpm1 · ‎09-29-2011

Hi temyur,

in your case it will be interface vlan 30.

do a extended ping with source of 10.10.10.1 with destination 172.30.30.1 (it sould be reachable but just to make sure)

BR,

shehin

pls rate if helpfull

Alexander Maroukian · ‎09-29-2011

Hi,

You must aplly "sdm prefer routing" as proposed by Alain or "sdm prefer routing-pbr" if you are going to do PBR. Have you apllied this command do you know if your switch is using SDM routing? You can check "show sdm prefer" your sdm status by this command.

Best regards,

Alex

shehinpm1 · ‎09-29-2011

Hi,

the sw will give you an error message if SDM prefer is not enabled.and also wl get error msg if any unsuppoted cmd in routemap when u apply under interface.

Thx shehin