
policy routing & nat on the same router

oszkari
Level 1

Hi,

I have one router connected to 2 ISPs. One of the ISPs is used for Internet connectivity & VPN with branch office A and the other for VPN with branch office B. The IPsec endpoint on this side is an ASA, which is behind this router. (See the attached picture)

I don't have an AS/BGP so I tried to use policy routing on the router to redirect traffic to ISPB for the second tunnel and NAT to achieve symmetric routing.

router config:

ip nat inside source static 192.168.10.2 10.2.2.3 route-map ISPB extendable
route-map ISPB permit 10
 match ip address 110
access-list 110 permit ip host 192.168.10.2 host 10.20.20.2
...
route-map ISPB_policy_route permit 10
 match ip address 110
 set ip next-hop 10.2.2.1
...
interface fastethernet 0
 ip address 10.2.2.2 255.255.255.0
interface fastethernet 1
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 ip policy route-map ISPB_policy_route
interface vlan1
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
....
ip route 0.0.0.0 0.0.0.0 10.1.1.1

Although in the output of debug ip policy I see that the policy routing is working, and on the branch B router I can see the packets coming from 10.2.2.3, the tunnel never comes up.

If I put a static route to 10.20.20.2/32 via 10.2.2.1, the tunnel comes up.

What could be the answer for this?

Thanks,

Oszkar

15 Replies

This is exactly my question. :)

Why isn't the policy routing working without a route to the 10.20.20.0 network?

If I put this static route:

ip route 10.20.20.2 255.255.255.255 10.2.2.1

everything is OK, but the policy routing becomes completely needless.
