Problem to access http to other host on a vlan

khhhhhhhh957
Level 1

Hi,

My problem is this

I can ping hosts from another VLAN but I can't access their web interface. Do you have any idea of the problem?

Thank you very much and good day!

8 Replies

mattjones03
Level 1

Hi,

Just looking at the router configuration provided:

It would seem that your PBR is setting the next hop for http and https traffic to 217.23.30.105.

I would suggest that you place a deny statement into the "DATA" ACL, specifying the source and destination networks that you do not want the PBR to take action on.

ip access-list extended DATA

deny tcp <source network> <wildcard> <destination network> <wildcard> eq www 443
permit tcp 192.168.0.0 0.0.0.255 any eq www 443

Hello,

Thank you for your answer, but it still doesn't work. From the network 192.168.0.0, I can ping the network 192.168.20.0 but I cannot access an HTTP address on the network 192.168.20.0.

Thank you and good day

Hi,

Just to confirm, did you add both the 192.168.0.0/24 and 192.168.20.0/24 into the DATA ACL?

Hi,

This is my ACL:

ip access-list extended DATA
   permit tcp 192.168.0.0 0.0.0.255 any eq www 443
   permit tcp 192.168.20.0 0.0.0.255 any eq www 443
ip access-list extended VOIP
   permit tcp 192.168.20.0 0.0.0.255 any eq www 443
   permit tcp 192.168.0.0 0.0.0.255 any eq www 443

Hi,

Your ACL is incorrect.

It should be:

ip access-list extended DATA
deny tcp 192.168.0.0 0.0.0.255 <host> eq www
deny tcp 192.168.20.0 0.0.0.255 <host> eq www
permit tcp 192.168.0.0 0.0.0.255 any eq www 443
permit tcp 192.168.20.0 0.0.0.255 any eq www 443

* Replace <host> with the IP address of the host in which HTTP isn't working.

Hi,

Thank you for your help, but sorry, it still does not work.

Here is my ACL:

ip access-list extended DATA
permit tcp 192.168.0.0 0.0.0.255 any eq www 443
deny tcp 192.168.0.0 0.0.0.255 host 192.168.20.13 eq www 443
deny tcp 192.168.20.0 0.0.0.255 host 192.168.20.13 eq www 443
permit tcp 192.168.20.0 0.0.0.255 any eq www 443
ip access-list extended VOIP
permit tcp 192.168.20.0 0.0.0.255 any eq www 443
!

Hi, I have found the solution with this:

ip access-list extended DATA
permit tcp 192.168.0.0 0.0.0.255 host 192.168.20.13 eq www 443
ip access-list extended LAN
permit tcp 192.168.0.0 0.0.0.255 192.168.20.0 0.0.0.255 eq www 443
ip access-list extended VOIP
permit tcp 192.168.20.0 0.0.0.255 any eq www 443
!
!
route-map PBR permit 0
match ip address LAN
set ip next-hop 192.168.20.1
!
route-map PBR permit 10
match ip address DATA
set ip next-hop 217.11.40.105
!
route-map PBR permit 20
match ip address VOIP
set ip next-hop 192.168.1.1
!

What do you think of my solution?
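As an added illustration that is not part of the thread, the following Python models how a PBR route-map is evaluated against the ACLs posted above: the first sequence whose ACL permits the packet sets the next-hop, while a deny entry or no match falls through, ultimately to the normal routing table. The thread never shows the initial route-map, so it is assumed to have been a single sequence matching DATA with the Internet next-hop from the final configuration; the host addresses in the demo are constructed.

```python
# Added example, not from the thread: a small model of IOS PBR evaluation
# (route-map sequences in order, each matching an extended ACL, first-match ACLs).
import ipaddress

def ace(action, src, dst, *ports):
    """One access-list entry: ('permit'|'deny', source net, destination net, dst ports)."""
    return action, ipaddress.ip_network(src), ipaddress.ip_network(dst), ports

def acl_permits(acl, proto, src, dst, dport):
    """First-match lookup. Only an explicit permit is a route-map match; a deny,
    or the implicit deny at the end, means 'fall through to the next sequence'."""
    if proto != "tcp":
        return False        # every entry here is tcp, so ICMP (ping) never matches
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, ports in acl:
        if s in src_net and d in dst_net and (not ports or dport in ports):
            return action == "permit"
    return False

def pbr_next_hop(route_map, acls, proto, src, dst, dport=None):
    """Walk route-map sequences in order; the first permitting ACL sets the
    next-hop. None means the packet is routed by the normal routing table."""
    for acl_name, next_hop in route_map:
        if acl_permits(acls[acl_name], proto, src, dst, dport):
            return next_hop
    return None

ANY = "0.0.0.0/0"
# The poster's initial DATA ACL; the single-sequence route-map and its Internet
# next-hop are an assumption (the thread only shows the final route-map).
BEFORE = {"DATA": [ace("permit", "192.168.0.0/24", ANY, 80, 443),
                   ace("permit", "192.168.20.0/24", ANY, 80, 443)]}
BEFORE_MAP = [("DATA", "217.11.40.105")]
# mattjones03's suggestion: deny the inter-VLAN flow ahead of the permit (same route-map).
DENY_FIX = {"DATA": [ace("deny", "192.168.0.0/24", "192.168.20.0/24", 80, 443),
                     ace("permit", "192.168.0.0/24", ANY, 80, 443)]}
# The poster's final configuration: a more specific LAN sequence is evaluated first.
AFTER = {"LAN":  [ace("permit", "192.168.0.0/24", "192.168.20.0/24", 80, 443)],
         "DATA": [ace("permit", "192.168.0.0/24", "192.168.20.13/32", 80, 443)],
         "VOIP": [ace("permit", "192.168.20.0/24", ANY, 80, 443)]}
AFTER_MAP = [("LAN", "192.168.20.1"), ("DATA", "217.11.40.105"), ("VOIP", "192.168.1.1")]

if __name__ == "__main__":
    pkt = ("192.168.0.10", "192.168.20.13")   # constructed: PC in one VLAN -> web host in VLAN 20
    print("before, HTTP:", pbr_next_hop(BEFORE_MAP, BEFORE, "tcp", *pkt, 80))     # 217.11.40.105
    print("before, ping:", pbr_next_hop(BEFORE_MAP, BEFORE, "icmp", *pkt))        # None
    print("deny fix, HTTP:", pbr_next_hop(BEFORE_MAP, DENY_FIX, "tcp", *pkt, 80)) # None
    print("after, HTTP:", pbr_next_hop(AFTER_MAP, AFTER, "tcp", *pkt, 443))       # 192.168.20.1
```

The model makes the symptom visible: ICMP never matches a tcp-only ACL, so ping follows the routing table, while HTTP between the two VLANs was being handed to the Internet next-hop until a deny entry or an earlier, more specific sequence intercepted it.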

Perfect,

Glad you managed to resolve that.
