09-25-2008 01:52 PM - edited 03-06-2019 01:36 AM
Hi,
I have one router connected to 2 ISPs. One of the ISPs is used for Internet connectivity & VPN with branch office A, and the other for VPN with branch office B. The IPsec endpoint on this side is an ASA, which is behind this router. (See the attached picture)
I don't have an AS/BGP, so I tried to use policy routing on the router to redirect traffic to ISP B for the second tunnel, and NAT to achieve symmetric routing.
router config:
! Conditional static NAT: translate the ASA only when route-map ISPB matches
ip nat inside source static 192.168.10.2 10.2.2.3 route-map ISPB extendable
route-map ISPB permit 10
 match ip address 110
! ACL 110 selects only ASA -> branch B peer traffic
access-list 110 permit ip host 192.168.10.2 host 10.20.20.2
...
! PBR: send the same traffic to the ISP B next hop
route-map ISPB_policy_route permit 10
 match ip address 110
 set ip next-hop 10.2.2.1
...
interface fastethernet 0
 ip address 10.2.2.2 255.255.255.0
interface fastethernet 1
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 ip policy route-map ISPB_policy_route
interface vlan1
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
....
ip route 0.0.0.0 0.0.0.0 10.1.1.1
Although in the output of debug ip policy I see that the policy routing is working, and on the branch B router I can see the packets coming from 10.2.2.3, the tunnel never comes up.
If I put a static route to 10.20.20.2/32 via 10.2.2.1, the tunnel comes up.
What could be the answer for this?
Thanks,
Oszkar
09-26-2008 02:04 PM
This is exactly my question. :)
Why isn't the policy routing working without a route to the 10.20.20.0 network?
If I put this static route:
ip route 10.20.20.2 255.255.255.255 10.2.2.1
everything is OK, but the policy routing becomes completely needless.
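To check which flows the route-map and ACL in the posted config actually select, here is a small added model of the router's forward (inside-to-outside) decision; it is example code written for this thread, not anything from the poster's router or from Cisco. It assumes the documented IOS order for inside-to-outside traffic (policy routing first, then NAT) and models only ACL 110, the PBR next hop, the conditional static NAT and the default route; the 203.0.113.5 address is a constructed Internet destination.

```python
import ipaddress

# Constructed from the posted config: ACL 110, route-map ISPB_policy_route,
# the conditional static NAT and the default route. Interface details and the
# elided ("...") lines are not modelled.
ACL_110 = [("permit", "192.168.10.2/32", "10.20.20.2/32")]  # implicit deny follows
STATIC_NAT = {"192.168.10.2": "10.2.2.3"}   # inside local -> inside global, gated by ACL 110
PBR_NEXT_HOP = "10.2.2.1"                    # set ip next-hop in route-map ISPB_policy_route
DEFAULT_NEXT_HOP = "10.1.1.1"                # ip route 0.0.0.0 0.0.0.0 10.1.1.1


def acl_matches(acl, src, dst):
    """First-match ACL evaluation: return True on a permit, False on deny or no match."""
    s_addr, d_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if s_addr in ipaddress.ip_network(s_net) and d_addr in ipaddress.ip_network(d_net):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def forward(src, dst):
    """Model an inside->outside packet: (next hop chosen, source address after NAT).

    Assumed IOS order for this direction: policy routing is applied on the
    'ip policy' interface first, then the NAT route-map is evaluated.
    """
    matched = acl_matches(ACL_110, src, dst)
    next_hop = PBR_NEXT_HOP if matched else DEFAULT_NEXT_HOP
    translated_src = STATIC_NAT.get(src, src) if matched else src
    return next_hop, translated_src


if __name__ == "__main__":
    # Branch B peer: policy-routed to ISP B and translated to 10.2.2.3
    print(forward("192.168.10.2", "10.20.20.2"))
    # Constructed Internet destination: default route, no translation
    print(forward("192.168.10.2", "203.0.113.5"))
```

The model only covers the outbound direction the poster already sees working in debug ip policy; it does not explain what happens to the return traffic, which is the open question in the thread.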