09-02-2015 11:37 AM - edited 02-21-2020 08:26 PM
Hi,
I have a site-to-site VPN tunnel between two Cisco 1841 routers and it is working fine.
But I need the local subnet on the remote side to have internet access through the main side.
The question being asked is:
Can I do PBR on the interface where the crypto map exists to set the next hop to a loopback interface, and on the loopback interface do ip nat inside?
I tried to match the IPsec interface with PBR for the remote subnet, but the counts are always 0, which I think means it will not work.
I read about VPN VTI interfaces... I know that would solve it.
But my question again here: is it possible to do NAT for the remote VPN subnet so it reaches the internet from the main side without using VTI?
The question in another flavor: can we match IPsec traffic with PBR on the same interface?
Thanks
09-02-2015 10:42 PM
Hey Ahmed,
What is the crypto ACL config on both routers?
How many tunnels do you have on the remote end? If there is only one tunnel, then to be able to get internet access from subnet B through the main site, you can just allow all the traffic from subnet B across the VPN.
Subnet A-----main site===vpn====remote side---subnet B
After allowing the traffic from subnet B through the crypto ACL, you need to configure U-turning on the main site for the internet traffic as follows:
interface loopback 0
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
ip access-list extended VPN-NAT-list
 deny ip <subnet B> <mask> <subnet A> <mask>
 permit ip <subnet B> <mask> any
Add a new route-map:
route-map VPN-NAT permit 10
 match ip address VPN-NAT-list
 set ip next-hop 10.0.1.2
Place a policy route-map on the WAN interface:
interface GigabitEthernet0/1
 ip policy route-map VPN-NAT
In the NAT rule:
ip nat inside source route-map RMP_GE01_OVERLOAD interface GigabitEthernet0/1 overload
ip access-list extended ACL_GE01_OVERLOAD
 remark IPSec Rule
 deny ip <subnet B> <mask> <subnet A> <mask>
 permit ip <subnet B> <mask> any
route-map RMP_GE01_OVERLOAD permit 10
 match ip address ACL_GE01_OVERLOAD
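The U-turn design in the answer above, assembled into one complete hub-side configuration. This is an added example, not the configuration posted in the thread; the addresses (subnet A 192.168.1.0/24, subnet B 192.168.2.0/24, WAN 203.0.113.1/24 with ISP gateway 203.0.113.254, remote peer 198.51.100.2), interface roles, pre-shared key and the names VPN-MAP, TS-AES and CRYPTO-ACL are all assumptions chosen for illustration. Two points the fragments leave implicit: the route-map on the WAN interface is evaluated against the decrypted inner packets, so its ACL must have subnet B as the source (a subnet-B host appears as the source of internet-bound traffic, never as the destination); and the NAT ACL must exempt subnet-A-to-subnet-B as well as subnet-B-to-subnet-A traffic, because on IOS NAT runs before encryption for inside-to-outside packets, and anything translated would no longer match the crypto ACL.

```cisco
! Hub (main site) Cisco 1841. Added example with assumed addressing:
!   subnet A  192.168.1.0/24  LAN behind GigabitEthernet0/0
!   subnet B  192.168.2.0/24  LAN behind the remote 1841
!   WAN       GigabitEthernet0/1, 203.0.113.1/24, ISP gateway 203.0.113.254
!   remote VPN peer 198.51.100.2, pre-shared key PSK-EXAMPLE (placeholder)
!
! --- IKE / IPsec -------------------------------------------------------
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PSK-EXAMPLE address 198.51.100.2
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Crypto ACL is "any -> subnet B": internet return traffic, once un-NATted
! back to a 192.168.2.x destination, is then encrypted to the remote site.
! The remote router mirrors this as "permit ip 192.168.2.0 0.0.0.255 any"
! and must exclude that traffic from its own NAT rule.
ip access-list extended CRYPTO-ACL
 permit ip any 192.168.2.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-AES
 match address CRYPTO-ACL
!
! --- U-turn --------------------------------------------------------------
! Decrypted subnet-B packets bound for the internet are policy-routed to an
! unused address on the loopback's subnet. They exit via Loopback0 and come
! back in on it as NAT-inside traffic, then follow the default route out.
interface Loopback0
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
!
ip access-list extended VPN-NAT-list
 remark site-to-site traffic keeps normal routing, not U-turned
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark subnet B -> internet (source is subnet B on the decrypted packet)
 permit ip 192.168.2.0 0.0.0.255 any
!
route-map VPN-NAT permit 10
 match ip address VPN-NAT-list
 set ip next-hop 10.0.1.2
!
! --- NAT: overload subnet A and subnet B behind the WAN address ----------
ip access-list extended ACL_GE01_OVERLOAD
 remark never translate traffic that must match the crypto ACL
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!
route-map RMP_GE01_OVERLOAD permit 10
 match ip address ACL_GE01_OVERLOAD
!
ip nat inside source route-map RMP_GE01_OVERLOAD interface GigabitEthernet0/1 overload
!
! --- Interfaces ----------------------------------------------------------
interface GigabitEthernet0/0
 description LAN subnet A
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description WAN
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip policy route-map VPN-NAT
 crypto map VPN-MAP
!
ip route 0.0.0.0 0.0.0.0 203.0.113.254
```

To verify, generate internet traffic from a subnet-B host and watch the counters: "show route-map VPN-NAT" should show policy routing matches increasing on sequence 10, "show ip nat translations" should list entries with an inside local address in 192.168.2.0/24, and "show crypto ipsec sa" on the hub should show both encaps and decaps for the any/192.168.2.0 SA. If the route-map counters stay at zero while the tunnel passes ping traffic between the two LANs, re-check that the route-map ACL names subnet B as the source rather than the destination.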
09-07-2015 01:57 PM
Thank you so much for the great reply.
But I am wondering, is it possible to match crypto traffic under the WAN interface using PBR?
I tried a lot to match any traffic coming from the remote tunnel (site B) entering the WAN of the main side,
but no luck.
Are you sure the method above can work if I want the branch-side remote PCs to get internet from the main side's internet connection?
I tried a lot and a lot, but was never able to match the encrypted traffic with PBR.
Here is a sample of what I mean:
VAN#sh run int gi
VAN#sh run int gigabitEthernet 0/0
Building configuration...
Current configuration : 259 bytes
!
interface GigabitEthernet0/0
description WAN
ip address dhcp
ip flow ingress
ip nat outside
ip virtual-reassembly
ip policy route-map ipsec
duplex auto
speed auto
no cdp enable
no mop enabled
crypto map VZW-MAP
end
VAN#sh rou
VAN#sh route-map ipsec
route-map ipsec, permit, sequence 10
  Match clauses:
    ip address (access-lists): 110
  Set clauses:
    interface Loopback80
  Policy routing matches: 617 packets, 37020 bytes
route-map ipsec, permit, sequence 200
  Match clauses:
  Continue: to next entry is undefined
  Set clauses:
  Policy routing matches: 1111 packets, 125629 bytes
VAN#sh ip acce
VAN#sh ip access-lists 110
Extended IP access list 110
    10 permit esp any any
    20 permit ahp any any
    40 permit ip any host 172.16.0.1 ====> this is a PC on side B; never able to get a match
Note: from the main side I can ping 172.16.0.1, but I can't let that PC get to the internet or match it from the main side.
What do you think?
09-09-2015 11:32 PM
Hey Ahmed,
please see my example config shown above:
ip access-list extended ACL_GE01_OVERLOAD
 remark IPSec Rule
 deny ip <subnet B> <mask> <subnet A> <mask>
 permit ip <subnet B> <mask> any<-------------------------------
route-map RMP_GE01_OVERLOAD permit 10
 match ip address ACL_GE01_OVERLOAD