route-map/access-list question newbie

Ryan Young
Level 1

I'm quite new to the whole Cisco thing here.  I am very hesitant to make changes as I'm not 200% certain I won't bring down the whole network. (We are a very small company.)

We have a Cisco 1811 router (yes, I know it's old).

Now we have a route map and I am trying to understand it to make it work the way we want.  Basically we have a few servers, and we don't want certain servers to use our cable internet connection; we want them to use our T1.  Our T1 is using an ASA5505 as a router.  I don't know why; I know it's not best practice, but I was just hired and that's all I need to say about that.  I'm trying to make do.  Web traffic currently goes out our cable interface; everything else, including transfer speed on speedtest.net, goes out our T1.  This makes for bad, bad VoIP phone calls. We also have a tunnel punched in the T1 from our other office, as well as our Exchange 2010 server using the T1.   If our cable goes down, everything goes to the T1 (by design).  We have an extended access-list defined that our route-map uses for IP matching.  I want to change the access-list to not allow local network IPs.  I know if I put in allow ip any any it will break our network and NOTHING goes out the T1 line, and no one can get to our email server anymore.  So, I was thinking of adding a few statements in, but was wondering if anyone could help me with the logic so I know if I'll break the network.  I'd hate to have to pull out the rolled cable and use the console.  (I really need to get a USB-to-serial interface.)  Now you understand a little bit about my situation; now for all the numbers, etc.

Internal networks: 90.0.0.0/24, 192.168.0.0/24, 192.168.30.0/24, 172.20.0.0/16 (we only use 40 addresses; why they chose /16 is beyond me, stupid really)

PTP VPN: 192.168.116.0/24 comes in and goes out our T1.  

1811 Router:  90.0.0.254/192.168.30.254/192.168.0.254

ASA: 90.0.0.50 

!
track 40 ip sla 40 reachability
 delay down 90 up 60
!
interface Vlan1
 description ***LAN INTERFACE 90.0.0.x Network***$FW_INSIDE$
 ip address 90.0.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 ip policy route-map WEBPBR
!
interface Vlan10
 description ****LAN INTERFACE 192.168.0.x NET*****$FW_INSIDE$
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip helper-address 90.0.0.2
 ip virtual-reassembly
 ip policy route-map WEBPBR
!
! Static Routes
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 90.0.0.50 track 20
ip route 0.0.0.0 0.0.0.0 197.164.245.109 200
ip route 8.8.8.8 255.255.255.255 197.164.245.109 permanent
ip route 10.250.10.0 255.255.255.0 90.0.0.50 permanent
ip route 172.20.0.0 255.255.0.0 90.0.0.50 permanent
ip route 208.67.220.220 255.255.255.255 197.164.245.109 permanent

ip access-list extended WEBTRAFFIC
deny   ip any host 208.67.222.222
deny   ip any 172.20.0.0 0.0.255.255
deny   tcp host 90.0.0.2 any eq www
deny   tcp host 90.0.0.14 any eq www
deny   tcp host 90.0.0.235 any eq www
deny   ip host 192.168.0.40 any
deny   ip any host 192.168.0.40
deny   ip host 192.168.0.41 any
deny   ip any host 192.168.0.41
deny   ip any host 192.168.0.221
deny   ip host 192.168.0.221 any
deny   ip host 192.168.0.225 any
deny   tcp host 90.0.0.10 any eq www
deny   ip any host 192.168.0.225
deny   tcp host 90.0.0.11 any eq www
deny   tcp host 90.0.0.9 any eq www
deny   tcp host 90.0.0.8 any eq www
deny   tcp host 90.0.0.7 any eq www
deny   tcp host 90.0.0.6 any eq www
deny   tcp host 90.0.0.1 any eq www
deny   tcp host 90.0.0.13 any eq www
deny   tcp host 90.0.0.200 any eq www
permit tcp any any eq www
permit ip host 192.168.0.131 any
permit ip host 192.168.0.130 any
permit ip host 192.168.0.132 any
permit ip host 192.168.0.133 any
permit ip host 192.168.0.134 any
permit ip host 192.168.0.135 any
permit ip host 192.168.0.136 any
permit ip host 192.168.0.137 any
permit ip host 192.168.0.138 any
permit ip host 192.168.0.139 any
permit ip host 192.168.0.140 any
permit ip host 192.168.0.141 any
permit ip host 192.168.0.142 any
permit ip host 192.168.0.143 any
permit ip host 192.168.0.144 any
permit ip host 192.168.0.145 any
permit ip host 192.168.0.146 any
permit ip host 192.168.0.147 any
permit ip host 192.168.0.148 any
permit ip host 192.168.0.149 any
permit ip host 192.168.0.150 any
permit ip host 90.0.0.80 any
permit ip host 90.0.0.81 any
permit ip host 90.0.0.82 any
permit ip host 90.0.0.83 any
permit ip host 90.0.0.84 any
permit ip host 90.0.0.85 any
permit ip host 90.0.0.86 any
permit ip host 90.0.0.87 any
permit ip host 90.0.0.88 any
permit ip host 90.0.0.89 any
permit ip host 90.0.0.90 any
permit ip host 90.0.0.91 any
permit ip host 90.0.0.92 any
permit ip host 90.0.0.93 any
permit ip host 90.0.0.94 any
permit ip host 90.0.0.95 any
deny   tcp host 90.0.0.3 any eq www

ip sla 40
 icmp-echo 208.67.220.220 source-interface Vlan1
 timeout 6000
 frequency 20
ip sla schedule 40 life forever start-time now

route-map WEBPBR permit 2
 match ip address WEBTRAFFIC
 set ip next-hop verify-availability 197.164.245.109 1 track 40

******This is how we have it set up right now.  If I would put in a few lines at the top of WEBTRAFFIC with:

deny ip any 192.168.0.0 0.0.0.255
deny ip any 90.0.0.0 0.0.0.255
deny ip any 192.168.116.0 0.0.0.255
!  Etc with all internal networks

**And then put at the bottom:

permit ip any any

will that break EVERYTHING so we can't communicate with anything?  Or is that what I actually have to do so we get internal routing, etc.?  Also, I assume that I would put in the 15 IP addresses that are coming in the ASA as well?  (We have 14 public IP addresses, plus one for the T1 gateway.)  Would those go in as well?  I don't want to try putting those in at the top and make it so no one can do anything.  I hope I made it clear what I'm trying to do...


3 Replies

cadet alain
VIP Alumni

Hi,

deny ip any 192.168.0.0 0.0.0.255
deny ip any 90.0.0.0 0.0.0.255
deny ip any 192.168.116.0 0.0.0.255

You don't want these subnets to be policy routed; you want them to use the path from the routing table?

If so, then as PBR is an ingress feature and those subnets will never be the destination of packets entering the interfaces where PBR is configured, you should reverse your ACL like this:

deny ip 192.168.0.0 0.0.0.255 any
deny ip 90.0.0.0 0.0.0.255 any
deny ip 192.168.116.0 0.0.0.255 any
!  Etc with all internal networks

**And then put at the bottom:

permit ip any any

The permit ip any any will force all traffic from any source to any destination to be policy based routed; I suppose this is not what you want.

Could you be more precise and tell us exactly which traffic shouldn't be policy routed and which should?

Regards

Alain

Don't forget to rate helpful posts.


Basically we want to policy route everything but a few servers through the cable modem interface fa0; everything else will go through our T1 router, which is our 90.0.0.50.

If we choose permit ip any any, everything goes out the policy routing.  The way it is currently set up up top, only WWW (and the static IPs, which are phones) goes out our cable. EVERYTHING else goes out our T1.  We want to reserve the T1 for our servers and site-to-site VPN tunnels (and client VPN).  I think I am going to put our phones on a different subnet so we can QoS our data better.  Right now the only quality of service is our manual policy based routing. (Remember I'm new to being a CCNA, and to this company.)  So what I'm trying to do currently is to stop internal networks from being policy based (else everything goes out our FA0), and stop certain servers from using the policy routing to force them to go out our T1.  So if I understand what we are currently doing, if I change the top WEBTRAFFIC from what it is to the following, will it do what I'm wanting right now?  In the future I will create a new VLAN for the phone traffic and QoS that VLAN above everyone else.  But since our VoIP phones use 8x8 instead of internal VoIP, I can't really automate the process.

This is what I'm thinking of doing with the access-list WEBTRAFFIC:

ip access-list extended WEBTRAFFIC
 deny   ip any host 208.67.222.222
 deny   ip any 172.20.0.0 0.0.255.255
 deny   ip any 90.0.0.0 0.0.0.255
 deny   ip any 192.168.0.0 0.0.0.255
 deny   ip any 192.168.30.0 0.0.0.255
 deny   ip any 192.168.116.0 0.0.0.255
 deny   ip any ! T1 line IP subnet
 deny   ip host 90.0.0.2 any
 deny   ip host 90.0.0.14 any
 deny   ip host 90.0.0.235 any
 deny   ip host 192.168.0.40 any
 deny   ip host 192.168.0.41 any
 deny   ip host 192.168.0.225 any
 deny   ip host 90.0.0.10 any
 deny   ip host 90.0.0.11 any
 deny   ip host 90.0.0.9 any
 deny   ip host 90.0.0.8 any
 deny   ip host 90.0.0.7 any
 deny   ip host 90.0.0.6 any
 deny   ip host 90.0.0.1 any
 deny   ip host 90.0.0.13 any
 deny   ip host 90.0.0.200 any
 deny   ip host 90.0.0.3 any
 permit ip any any

Now, if my thinking is correct, the access-list goes in order from the top to the bottom; if it equals something at the top, then the permit does not apply, correct?

I have not read this thread thoroughly enough to be able to speak to the subtleties of whether this access will fully do what you want. But I can answer the specific question that you ask. Yes - the access list is processed top down and if some line higher in the access list does match then the processing for that packet will not get to the permit at the bottom of the access list.

HTH

Rick

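As an added example that is not part of this thread, here is a small Python evaluator for Cisco extended-ACL first-match semantics, run over constructed excerpts of the WEBTRAFFIC list (Ryan's proposed order, and the current order where the final deny for 90.0.0.3 sits below the web permit). The 'eq www' to port 80 mapping and the masked-compare logic are standard IOS behaviour; the sample flows are constructed.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):
    # One IOS address spec from tok ('any' | 'host A.B.C.D' | 'NET WILDCARD') -> (value, mask)
    t = tok.pop(0)
    if t == "any":
        return (0, 0)                                 # mask 0 matches everything
    if t == "host":
        return (_ip(tok.pop(0)), 0xFFFFFFFF)
    return (_ip(t), 0xFFFFFFFF ^ _ip(tok.pop(0)))    # wildcard bits are don't-care

def parse_acl(text):
    # Only the forms the thread uses: proto ip/tcp, optional 'eq' on the destination.
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] in ("permit", "deny"):     # header/comment lines skipped
            action, proto, rest = tok[0], tok[1], tok[2:]
            src, dst = _addr(rest), _addr(rest)
            port = (80 if rest[1] == "www" else int(rest[1])) if rest[:1] == ["eq"] else None
            rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, src_ip, dst_ip, proto="ip", dport=None):
    # The first matching line decides; lines below it are never consulted.
    # Running off the end is the implicit deny every IOS ACL carries.
    s, d = _ip(src_ip), _ip(dst_ip)
    for action, rproto, (sv, sm), (dv, dm), port in rules:
        if (rproto in ("ip", proto) and (s & sm) == (sv & sm)
                and (d & dm) == (dv & dm) and port in (None, dport)):
            return action
    return "deny"

# Constructed excerpt of the list Ryan proposes (his placeholder T1 line omitted).
PROPOSED = parse_acl("""
deny   ip any 90.0.0.0 0.0.0.255
deny   ip any 192.168.0.0 0.0.0.255
deny   ip any 192.168.116.0 0.0.0.255
deny   ip host 90.0.0.2 any
permit ip any any
""")
# Constructed excerpt of the current list: this deny is shadowed by the permit above it.
CURRENT = parse_acl("""
permit tcp any any eq www
deny   tcp host 90.0.0.3 any eq www
""")
```

Under "route-map WEBPBR permit 2 / match ip address WEBTRAFFIC", a "permit" from the list means the packet is policy-routed to the cable next hop, while a "deny" (or no match at all) means the route-map entry does not apply and the routing table decides. Note that "deny ip any 192.168.0.0 0.0.0.255" only catches traffic sent to that subnet; a packet from 192.168.0.50 to the Internet passes every deny and reaches "permit ip any any".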