02-23-2012 04:48 PM - edited 03-07-2019 05:08 AM
I have a 1941W that has a connection to my ISP (Gi0/1) and another connection to a remote lab (Gi0/0). Everything is working fine how it is set up. All my traffic from my internal networks can access the Internet, and devices on the 192.168.201.0/24 can access the Internet and the lab 10.89.0.0/16.
Now I want to have two devices (192.168.201.51 & .147) use Gi0/0 when accessing host 63.85.190.67. There is no route to this subnet since it resides in the remote lab. Here is what I have right now. How would I set up PBR to have those two hosts use Gi0/0 when accessing 63.85.190.67?
interface Vlan192
ip address 192.168.201.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface GigabitEthernet0/0
description LAB
ip address 10.89.67.170 255.255.255.192
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
description INTERNET_CONNECTION
ip address dhcp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip nat inside source list 103 interface GigabitEthernet0/0 overload
ip route 10.89.0.0 255.255.0.0 GigabitEthernet0/0
access-list 101 remark INSIDE_NETWORK
access-list 101 deny ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255
access-list 101 permit ip 192.168.201.0 0.0.0.255 any
access-list 103 remark LAB
access-list 103 permit ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255
Gateway of last resort is 72.57.36.1 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via 72.57.36.1
.
.
.
.
.
S 10.89.0.0/16 is directly connected, GigabitEthernet0/0
C 10.89.67.128/26 is directly connected, GigabitEthernet0/0
L 10.89.67.170/32 is directly connected, GigabitEthernet0/0
69.0.0.0/32 is subnetted, 1 subnets
S 69.252.202.6 [254/0] via 71.57.36.1, GigabitEthernet0/1
72.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 72.57.36.0/23 is directly connected, GigabitEthernet0/1
L 72.57.36.242/32 is directly connected, GigabitEthernet0/1
192.168.201.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.201.0/24 is directly connected, Vlan192
L 192.168.201.1/32 is directly connected, Vlan192
Thanks,
Scott
02-23-2012 06:39 PM
ip route 63.85.190.67 255.255.255.255 192.168.201.1 would route the whole subnet to be able to get to that IP address. If it is only needed on two devices you may want to add a static route to the computers. In Windows you can do it via the route add command.
Hth
Sent from Cisco Technical Support iPhone App
02-23-2012 06:40 PM
Hi Scott,
Just try this link: http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcpolicy.html
E.g.
!
ip access-list extended mytraffic
 permit ip host 192.168.201.51 host 63.85.190.67
 permit ip host 192.168.201.147 host 63.85.190.67
!
route-map GotoGi0/0 permit 10
 match ip address mytraffic
 set interface GigabitEthernet0/0
!
interface Vlan192
 ip policy route-map GotoGi0/0
!
HTH,
Toshi
02-23-2012 07:09 PM
Thanks… just tried it and still no go. I do see hits on the route-map though. Since Gi0/0 requires NAT, is there something special I need to also do?
interface Vlan192
ip address 192.168.201.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map GotoGi0/0
ip access-list extended mytraffic
permit ip host 192.168.201.51 host 63.85.190.67
permit ip host 192.168.201.147 host 63.85.190.67
route-map GotoGi0/0 permit 10
match ip address mytraffic
set interface GigabitEthernet0/0
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip nat inside source list 103 interface GigabitEthernet0/0 overload
access-list 101 remark INSIDE_NETWORK
access-list 101 deny ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.100.0 0.0.0.255 any
access-list 101 permit ip 10.10.200.0 0.0.0.255 any
access-list 101 permit ip 10.10.210.0 0.0.0.255 any
access-list 101 permit ip 192.168.201.0 0.0.0.255 any
access-list 103 remark LAB
access-list 103 permit ip host 192.168.201.51 host 63.85.190.67
access-list 103 permit ip host 192.168.201.147 host 63.85.190.67
access-list 103 permit ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255
route-map GotoGi0/0, permit, sequence 10
Match clauses:
ip address (access-lists): mytraffic
Set clauses:
interface GigabitEthernet0/0
Policy routing matches: 241 packets, 33749 bytes
icmp 10.89.66.170:1 192.168.201.147:1 10.89.66.66:1 10.89.66.66:1
icmp 71.57.36.242:1 192.168.201.147:1 63.85.190.67:1 63.85.190.67:1
02-23-2012 07:16 PM
Hi,
It always happens when you have two WAN links. To remedy this problem, just try this.
E.g.
! Assuming that the ACLs are correct.
!
route-map TrafficG0/0 permit 10
match ip address 101
match interface G0/0
!
route-map TrafficG0/1 permit 10
match ip address 103
match interface G0/1
!
ip nat inside source route-map TrafficG0/0 interface GigabitEthernet0/0 overload
ip nat inside source route-map TrafficG0/1 interface GigabitEthernet0/1 overload
!
HTH,
Toshi
02-23-2012 07:31 PM
Well no go yet☺
icmp 10.89.66.170:1 192.168.201.147:1 10.89.66.67:1 10.89.66.67:1
icmp 71.57.36.242:1 192.168.201.147:1 63.85.190.67:1 63.85.190.67:1
I had to move the rules around since it was switched around a bit.
route-map TrafficG0/0 permit 10
match ip address 103
match interface G0/0
!
route-map TrafficG0/1 permit 10
match ip address 101
match interface G0/1
!
ip nat inside source route-map TrafficG0/0 interface GigabitEthernet0/0 overload
ip nat inside source route-map TrafficG0/1 interface GigabitEthernet0/1 overload
IL-AUR-1941W#sh route-map all
STATIC routemaps
route-map TrafficG0/1, permit, sequence 10
Match clauses:
ip address (access-lists): 101
interface GigabitEthernet0/1
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map TrafficG0/0, permit, sequence 10
Match clauses:
ip address (access-lists): 103
interface GigabitEthernet0/0
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map GotoGi0/0, permit, sequence 10
Match clauses:
ip address (access-lists): mytraffic
Set clauses:
interface GigabitEthernet0/0
Policy routing matches: 145 packets, 10730 bytes
DYNAMIC routemaps
Current active dynamic routemaps = 0
02-23-2012 07:50 PM
Hi,
Let me see your current configuration.
Toshi
02-23-2012 07:15 PM
Thanks… I did look at that link and others that are out there. I did have routes set in Windows, but wanted to get this working instead, because every time I reboot I have to add that route back.
It's weird, because if I stop pinging from host 192.168.201.147 to host 63.85.190.67, the counters on the route-map stop, so I know it's hitting the route-map. Must be something with NAT, even though my other devices are fine getting to the other devices in the lab from Gi0/0.
02-23-2012 08:17 PM
02-23-2012 08:33 PM
Hello,
Let me change this ACL. Please let me see the output of "show ip nat trans"
access-list 101 remark INSIDE_NETWORK
access-list 101 deny ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255
access-list 101 deny ip host 192.168.201.51 host 63.85.196.67
access-list 101 deny ip host 192.168.201.147 host 63.85.196.67
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.100.0 0.0.0.255 any
access-list 101 permit ip 10.10.200.0 0.0.0.255 any
access-list 101 permit ip 10.10.210.0 0.0.0.255 any
access-list 101 permit ip 192.168.201.0 0.0.0.255 any
HTH,
Toshi
02-23-2012 08:46 PM
That worked :)
icmp 10.89.66.170:1 192.168.201.147:1 10.89.66.67:1 10.89.66.67:1
icmp 10.89.66.170:1 192.168.201.147:1 63.85.196.67:1 63.85.196.67:1
02-23-2012 08:52 PM
Scott
I would suggest a change in the route map that you are using for PBR. Instead of setting the interface
set interface GigabitEthernet0/0
I would suggest that you set the next-hop address to be used instead of just setting the interface. If you set the interface, it forces the router to ARP for the destination address, and if the next-hop router does not respond to the ARP request (proxy ARP), the traffic will fail.
HTH
Rick
02-23-2012 09:04 PM
Rick,
Well, that worked... I initially just looked at the NAT translation without even trying to ping that address. I'm able to ping it now. Thanks for all the help, guys!
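The thread arrives at its working state in three separate pieces (Toshi's PBR route-map, Toshi's NAT route-maps with match interface plus the ACL 101 deny lines, and Rick's set ip next-hop). Below is a consolidated IOS configuration that puts those pieces together; it is an added example written for this page, not a configuration posted by anyone in the thread. It assumes a lab-side next-hop router of 10.89.67.129 on the Gi0/0 subnet (hypothetical; the thread never states the lab gateway) and uses the target address from the original question, 63.85.190.67. Note that the ACL lines later in the thread spell that host as 63.85.196.67; whichever address is the real one, the PBR ACL and the NAT deny lines must name the same host, otherwise the NAT deny never matches and the flow is translated to the Gi0/1 address, which is exactly the symptom seen in the show ip nat translations output above.

```cisco
! Added example, not from the original thread.
! Assumptions: lab next hop 10.89.67.129 (hypothetical); target host 63.85.190.67.
!
! 1. Classify only the two hosts' traffic to the lab-reachable host.
!    Keep this ACL narrow: every flow it matches bypasses normal routing.
ip access-list extended PBR-TO-LAB
 permit ip host 192.168.201.51 host 63.85.190.67
 permit ip host 192.168.201.147 host 63.85.190.67
!
! 2. Policy-route with a next-hop address rather than an interface, so the
!    router ARPs for the lab gateway instead of for 63.85.190.67 itself.
route-map GotoGi0/0 permit 10
 match ip address PBR-TO-LAB
 set ip next-hop 10.89.67.129
!
interface Vlan192
 ip address 192.168.201.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map GotoGi0/0
!
! 3. NAT classification. ACL 101 (Internet, Gi0/1) must explicitly deny the
!    policy-routed flows, or its trailing "permit ... any" claims them first.
access-list 101 remark INSIDE_NETWORK -> INTERNET via Gi0/1
access-list 101 deny   ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255
access-list 101 deny   ip host 192.168.201.51 host 63.85.190.67
access-list 101 deny   ip host 192.168.201.147 host 63.85.190.67
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.100.0 0.0.0.255 any
access-list 101 permit ip 10.10.200.0 0.0.0.255 any
access-list 101 permit ip 10.10.210.0 0.0.0.255 any
access-list 101 permit ip 192.168.201.0 0.0.0.255 any
!
access-list 103 remark INSIDE_NETWORK -> LAB via Gi0/0
access-list 103 permit ip host 192.168.201.51 host 63.85.190.67
access-list 103 permit ip host 192.168.201.147 host 63.85.190.67
access-list 103 permit ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255
!
! 4. Tie each NAT rule to its egress interface as well as its ACL, so the
!    translation address follows the interface the packet actually leaves on.
route-map NAT-Gi0/0 permit 10
 match ip address 103
 match interface GigabitEthernet0/0
!
route-map NAT-Gi0/1 permit 10
 match ip address 101
 match interface GigabitEthernet0/1
!
ip nat inside source route-map NAT-Gi0/0 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-Gi0/1 interface GigabitEthernet0/1 overload
```

After changing the NAT statements, clear the existing entries with clear ip nat translation *, since a stale translation to the Gi0/1 address survives the rule change and will keep showing up in show ip nat translations. Then confirm the policy is actually being applied with show route-map GotoGi0/0 (the "Policy routing matches" counter should increment while the host pings) and debug ip policy for a per-packet view, and confirm with show ip nat translations that the inside global address for 63.85.190.67 is now the Gi0/0 address. If the lab link can go down, set ip next-hop verify-availability with an IP SLA track lets the route-map fall through to normal routing instead of black-holing the two hosts.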