04-01-2009 10:23 AM - edited 03-06-2019 04:56 AM
I have a vpn to a remote site and I want to redirect traffic on port 80 to a host on that network. I tried doing a route map like this:
access-list 101 deny tcp any 172.17.16.0 0.0.0.255
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
route-map bluecoat permit 10
match ip address 101
set ip next-hop 172.17.16.45
set ip default next-hop 172.17.16.45
int Eth0/0
ip policy route-map bluecoat
Where Eth0/0 is the ingress port, but it doesn't appear to be applied, since hosts can still get to any web site.
The 172.17.16.45 host is on the other side of a vpn. I can get to hosts on both sides of the vpn. I can't ping that host from the router though.
04-01-2009 10:50 AM
Andy,
Please provide us a brief diagram.
Next-hop has to be a connected next-hop for that command.
HTH,
Toshi
04-01-2009 11:14 AM
host - 172.17.196.0/24
|
router - 172.17.196.1
|
VPN
|
router - 10.0.1.2
| - static route to 172.17.16.0/24
switch
|
content filter - 172.17.16.45
Again, hosts on either side of the vpn can talk to each other. I'm trying to force traffic on the web ports to the content filter.
04-01-2009 11:21 AM
Andy,
Which device did you put those commands on?
The router at 10.0.1.2? Or the switch connected to the Bluecoat?
Toshi
04-01-2009 12:22 PM
Those commands are on the first router, 172.17.196.1, which the clients pass through first. Basically I want to redirect all the web traffic going through 172.17.196.1 to the content filter 172.17.16.45 as described in the diagram.
04-01-2009 12:31 PM
Andy,
That will not work, as I mentioned earlier. The first router will finally forward traffic based on the routing table. You may know that PBR doesn't change the destination IP address. It just rewrites the destination MAC to send the packet to the next-hop you configured.
Well, what I can recommend is as follows:
- Bluecoat is running as a proxy, right? Can you force users to do something in their internet browser, such as manually configuring it or automatic detection?
- Let's check the switch at the other side. Can it support PBR? If it can, go configure it there. I mean, configure PBR in the direction of packets coming from the first router.
HTH,
Toshi
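The behaviour Toshi describes, modelled as an added Python example that is not part of the thread and not Cisco code: PBR only changes the layer-2 next hop (the IP destination is never rewritten), and a `set ip next-hop` whose target is not on a directly connected subnet is skipped, so the packet is forwarded from the routing table. The simulator takes the thread's ACL 101 and the first router's topology from the diagram; the assumption that only the client LAN and the VPN link are directly connected, the interface names Tunnel0 and Eth0/1, the 10.0.1.0/30 link subnet and the sample client and Internet addresses are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology of the first router (172.17.196.1) from the thread's diagram.
# Only the client LAN and the VPN link are directly connected; 172.17.16.0/24 is
# reachable only through a static route over the VPN. Interface names "Tunnel0"
# and "Eth0/1", the /30 link subnet and all sample addresses are assumptions.
CONNECTED = [
    (ipaddress.ip_network("172.17.196.0/24"), "Eth0/0"),
    (ipaddress.ip_network("10.0.1.0/30"), "Tunnel0"),
]
STATIC = [
    (ipaddress.ip_network("172.17.16.0/24"), "Tunnel0"),
    (ipaddress.ip_network("0.0.0.0/0"), "Eth0/1"),
]

PORT_NAMES = {"www": 80, "https": 443}

# The thread's ACL 101, verbatim.
ACL_101 = [
    "access-list 101 deny tcp any 172.17.16.0 0.0.0.255",
    "access-list 101 permit tcp any any eq www",
    "access-list 101 permit tcp any any eq 443",
]


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def parse_ace(line):
    """Parse one 'access-list N permit|deny proto src dst [eq port]' entry."""
    t = line.split()
    action, proto, i = t[2], t[3], 4

    def take_addr(pos):
        if t[pos] == "any":
            return (None, None), pos + 1
        if t[pos] == "host":
            return (t[pos + 1], "0.0.0.0"), pos + 2
        return (t[pos], t[pos + 1]), pos + 2  # network + wildcard mask

    src, i = take_addr(i)
    dst, i = take_addr(i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def addr_matches(spec, addr):
    """IOS wildcard match: a 1 bit in the wildcard mask means 'don't care'."""
    net, wild = spec
    if net is None:
        return True
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, net, wild))
    return ((a & ~w) & 0xFFFFFFFF) == ((n & ~w) & 0xFFFFFFFF)


def acl_permits(acl_lines, pkt):
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != pkt.proto:
            continue
        if not (addr_matches(ace["src"], pkt.src) and addr_matches(ace["dst"], pkt.dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"] == "permit"
    return False


def route_lookup(dst):
    """Longest-prefix match over connected and static routes; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in CONNECTED + STATIC if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def connected_interface(next_hop):
    """Interface on which next_hop is an adjacent (ARP-able) host, or None if it is not adjacent."""
    addr = ipaddress.ip_address(next_hop)
    return next((iface for net, iface in CONNECTED if addr in net), None)


def forward(pkt, acl_lines, next_hop):
    """Return (egress interface, reason, destination IP after forwarding).

    PBR only changes where the frame is sent next; the IP destination is never
    rewritten, and 'set ip next-hop' is honoured only for an adjacent next hop.
    """
    if not acl_permits(acl_lines, pkt):
        return route_lookup(pkt.dst), "ACL did not match; normal routing", pkt.dst
    iface = connected_interface(next_hop)
    if iface is None:
        return route_lookup(pkt.dst), "next-hop not adjacent; set ignored, normal routing", pkt.dst
    return iface, f"PBR: frame sent to MAC of {next_hop}", pkt.dst


if __name__ == "__main__":
    web = Packet("172.17.196.10", "198.51.100.10", 80)  # constructed client -> Internet flow
    print(forward(web, ACL_101, "172.17.16.45"))   # thread's config: falls back to the default route
    print(forward(web, ACL_101, "172.17.196.45"))  # hypothetical filter on the LAN: PBR applies
```

Running it shows the symptom Andy reports: with the next-hop behind the VPN the web packet leaves by the default route unchanged, while the same ACL and route-map redirect it as soon as the next-hop sits on a directly connected subnet, and in both cases the destination address stays what the client chose.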
04-01-2009 01:09 PM
I see what you're saying now. The vpn isn't set up to pass all traffic through it, only traffic destined for the local LAN; other outbound traffic is NATed at the 196.1 router.
Maybe a proxy would be the best solution here. Would it be possible to do the forwarding with mac table entries? Is that possible for vpns? Do they have an interface name?
04-01-2009 01:12 PM
Andy,
Would it be possible to do the forwarding with mac table entries? Is that possible for vpns? Do they have an interface name?
Sorry man, it's not possible. You may consider the switch at the far end to do PBR. It's just an option if the switch can do it.
HTH,
Toshi