
May I route a private IP block through the outside interface directly?

clin
Level 1

Hi all,

Thanks in advance to anyone who can provide a proposal!

The title is not exactly what I want to present.

Say I have a 5510 and two ISPs, simple diagram like below:

                   outside1 IPX1 ------------- ISP1 GW IP X2
10.0.0.0 ---- 5510                                              --------- HQ ------ outside IPZ 5520 --- 192.168.0.0
                   outside2 IPY1 ------------- ISP2 GW IP Y2

The objectives are:

1. Internet traffic goes through ISP1.

2. VPN traffic (10.0.0.0 - 192.168.0.0) goes through ISP2.


OK, let's say the VPN tunnel, NAT and so on are all good and work as expected.

My question is: may I configure routes like below to achieve my objective?


route outside1 0.0.0.0 0.0.0.0 X2

route outside2 192.168.0.0 255.255.0.0 Y2

Or can only public IPs be routed on the outside interface, like this:

route outside1 0.0.0.0 0.0.0.0 X2

route outside2 z 255.255.255.248 Y2

Hoping for your help, thanks!


5 Replies

Jennifer Halim
Cisco Employee

Yes, you certainly can, and the configuration you posted is correct.

You also need to configure a route for the VPN peer address as follows:

route outside2 <VPN peer IP> 255.255.255.255 Y2

Hi Jennifer,

Thanks for your support.

So do you mean the entire configuration regarding "routing" will be:

route outside2 192.168.0.0 255.255.0.0 Y2

route outside2 <VPN peer IP> 255.255.255.255 Y2

route outside1 0.0.0.0 0.0.0.0 X2

I have one last question:

Do you think if I only put

route outside2 <VPN peer IP> 255.255.255.255 Y2

it will work as expected? I mean, will all VPN traffic go through ISP2?

In my view, all "VPN interesting traffic" points to <VPN peer IP>, so if I point <VPN peer IP> to ISP2 then all VPN traffic should follow the rule.

I understand that if I only put "route outside2 192.168.0.0 255.255.0.0 Y2" it won't work well, because routing to Y2 will be attracted by the default gateway to X2.

So could you please provide your brilliant idea!

Thanks a lot!

Yes, you are absolutely correct.

All 3 routes are required:

route outside2 192.168.0.0 255.255.0.0 Y2

route outside2 <VPN peer IP> 255.255.255.255 Y2

route outside1 0.0.0.0 0.0.0.0 X2

The first route is required as it is used to look up which interface the VPN traffic should be sent out of (prior to encryption).

The second route is required as it is looked up after the VPN traffic has been encrypted.

Lastly, the last route is your normal default route to ISP1.

Same concept when you have an overlapping route with a bigger mask towards inside and the remote LAN happens to be covered by the route towards inside.

For example:

You have "route inside 10.0.0.0 255.0.0.0 inside-next-hop", and your remote LAN subnet happens to be 10.10.10.0/24.

You would need to configure an explicit route: "route outside 10.10.10.0 255.255.255.0 outside-next-hop".

Otherwise, it will be routed back towards the inside next hop and cause a routing loop.
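The two-stage lookup described in the reply above (route the cleartext packet first, then route the encrypted packet addressed to the peer) and the overlapping-route loop in the last reply can both be checked with a small longest-prefix-match simulation of the ASA static routing table. This is an added example written for this page, not code from the thread or from Cisco. It models static routes only; X2 and Y2 are the ISP gateway labels from the original diagram, and the VPN peer address 203.0.113.10 is an assumed RFC 5737 documentation address standing in for the <VPN peer IP> placeholder.

```python
import ipaddress

# Added example, not from the thread or from Cisco. X2/Y2 are the ISP gateway
# labels from the original diagram; the VPN peer address below is an assumed
# RFC 5737 documentation address standing in for the <VPN peer IP> placeholder.
VPN_PEER = "203.0.113.10"


def parse_routes(config):
    """Parse ASA-style 'route <iface> <network> <mask> <gateway>' lines into
    a list of (iface, network, gateway) tuples."""
    table = []
    for line in config.strip().splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "route":
            raise ValueError(f"not a static route: {line!r}")
        _, iface, net, mask, gateway = parts
        table.append((iface, ipaddress.ip_network(f"{net}/{mask}"), gateway))
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins, so the
    0.0.0.0/0 default is only used when nothing else covers the destination."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[1]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[1].prefixlen)


def vpn_egress(table, inner_dst, peer=VPN_PEER):
    """The two lookups from the reply above: the cleartext packet is routed by
    its real destination (this picks the interface whose crypto map is checked),
    then the resulting ESP packet, addressed to the peer, is routed again.
    Returns (interface before encryption, interface after encryption)."""
    pre = lookup(table, inner_dst)
    post = lookup(table, peer)
    return (pre[0] if pre else None, post[0] if post else None)


# Constructed tables. The three routes the thread settles on:
COMPLETE = parse_routes(f"""
route outside2 192.168.0.0 255.255.0.0 Y2
route outside2 {VPN_PEER} 255.255.255.255 Y2
route outside1 0.0.0.0 0.0.0.0 X2
""")

# The same without the /32 for the peer: the cleartext lookup still says
# outside2, but the encrypted packet falls through to the default route and
# leaves via ISP1.
MISSING_PEER_ROUTE = parse_routes("""
route outside2 192.168.0.0 255.255.0.0 Y2
route outside1 0.0.0.0 0.0.0.0 X2
""")

# Overlap case from the last reply: a 10/8 towards inside that also covers the
# remote LAN 10.10.10.0/24, with and without the explicit /24 towards outside.
OVERLAP_FIXED = parse_routes("""
route inside 10.0.0.0 255.0.0.0 inside-next-hop
route outside 10.10.10.0 255.255.255.0 outside-next-hop
route outside 0.0.0.0 0.0.0.0 outside-next-hop
""")

OVERLAP_BROKEN = parse_routes("""
route inside 10.0.0.0 255.0.0.0 inside-next-hop
route outside 0.0.0.0 0.0.0.0 outside-next-hop
""")

if __name__ == "__main__":
    print(vpn_egress(COMPLETE, "192.168.0.10"))            # ('outside2', 'outside2')
    print(vpn_egress(MISSING_PEER_ROUTE, "192.168.0.10"))  # ('outside2', 'outside1')
    print(lookup(COMPLETE, "198.51.100.1")[0])             # outside1: plain internet via ISP1
    print(lookup(OVERLAP_FIXED, "10.10.10.7")[0])          # outside
    print(lookup(OVERLAP_BROKEN, "10.10.10.7")[0])         # inside, i.e. sent back into the LAN
```

The simulation only answers "which interface does the packet leave on"; on a real ASA the crypto map also has to be applied to outside2, the interface the peer /32 points out of, otherwise the encrypted packet is never built for that interface even when the routes agree.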

Great explanation!

Very helpful! Appreciate your help!