ip local policy weirdness

Unanswered Question

I have a policy enabled, and it works for ping and isakmp packets. It does not work for ESP packets. Is this a known issue?


I am looking to have crypto map configs working on 2 interfaces, with each having an internet connection. My ip local policy is to use PBR to have the reply traffic from the secondary connection go out that interface, versus the default route.



Richard Burts Tue, 04/24/2007 - 18:21

Matt


I am not aware of an issue with this. I wonder if there is an order of operations aspect to be considered.


Perhaps you could share some details of the config?


HTH


Rick

interface GigabitEthernet0/0.1
 description $FW_INSIDE$
 encapsulation dot1Q 9
 ip address x.y.z.1 255.255.255.252
 ip access-group 103 in
 ip nat inside
 ip inspect XXXX in
 ip virtual-reassembly
 ip policy route-map mailmojo
!
interface GigabitEthernet0/1.1
 description $FW_OUTSIDE$
 encapsulation dot1Q 7
 ip address a.b.c.d 255.255.255.248
 ip access-group 105 in
 ip nat outside
 ip inspect XXXX out
 ip virtual-reassembly
 no cdp enable
 crypto map SDM_CMAP_1
!
route-map localPBR permit 10
 match ip address acl_localPBR
 set interface GigabitEthernet0/1.1
 set ip default next-hop a.b.c.e
!
route-map mailmojo permit 10
 match ip address 125
 set ip default next-hop a.b.c.e
!
route-map mailmojo permit 20
 match ip address secondaryVPN
 set interface GigabitEthernet0/1.1
 set ip default next-hop a.b.c.e
!

sh access-list acl_localPBR
Extended IP access list acl_localPBR
    5 permit esp host a.b.c.d any
    10 permit ip host a.b.c.d any (1112 matches)
    20 deny ip any any (432007 matches)

sh access-list 125
Extended IP access list 125
    10 deny ip host 10.10.10.2 host 10.10.10.255 (3908 matches)
    20 deny tcp host 10.10.10.2 any eq 135
    30 permit ip host 10.10.10.2 any (7613579 matches)

sh access-list secondaryVPN
Extended IP access list secondaryVPN
    10 permit ip x.y.t.0 0.0.0.255 192.168.6.0 0.0.0.255 (154756 matches)
    20 permit ip x.y.r.0 0.0.0.255 192.168.6.0 0.0.0.255
    30 permit ip x.y.s.0 0.0.0.255 192.168.6.0 0.0.0.255 (18 matches)
    40 permit ip x.y.u.0 0.0.0.255 192.168.6.0 0.0.0.255 (3 matches)
    50 deny ip any any (7057282 matches)







A.b.c.d is the IP address of the subint for the secondary ISP connection. A.b.c.e is the default gateway for that connection.


I have played with darn near every permutation of route-map commands to try to get this to work, but the ESP packets go out g0/1.2. I put 5 permit ESP.... in the list as a testing tool. I have g0/1 spanning to a box running wireshark, and I see the isakmp packets going to the right MAC addr, but not the ESP packets, even though the source/destination IP addresses are the same.


ACL 125 is to PBR some traffic for a statically natted service to an IP on the secondary ISP connection.


ACL secondaryVPN is to PBR the traffic to the vpn ip pool out the g0/1.1 interface to which those vpn clients are connected.
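The diagnostic the poster is relying on above is the per-entry match counter in `show access-list`: the `permit esp` entry in acl_localPBR shows no hits while the `permit ip` entry below it does, which is the evidence that the ESP packets never reach the route-map's match. The following parser is an added example (not the poster's code and not a Cisco tool) that turns that output into structured data and lists the permit entries of an ACL that have never matched, so the check can be repeated across several ACLs without eyeballing counters. The sample output is the text pasted in this thread, embedded as a constructed string; the `Ace` type and the function names are this example's own.

```python
import re
from typing import Dict, List, NamedTuple


class Ace(NamedTuple):
    """One access-control entry as printed by IOS 'show access-list'."""
    seq: int
    action: str      # "permit" or "deny"
    proto: str       # "ip", "esp", "tcp", "udp", ...
    rest: str        # source/destination/port text, kept verbatim
    matches: int     # 0 when IOS prints no "(N matches)" suffix


# Header line, e.g. "Extended IP access list acl_localPBR"
ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)$")
# Entry line, e.g. "10 permit ip host a.b.c.d any (1112 matches)"
ACE_LINE = re.compile(
    r"^(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\((\d+) matches?\))?$"
)


def parse_show_access_list(output: str) -> Dict[str, List[Ace]]:
    """Parse one or more concatenated 'show access-list' outputs.

    Returns {acl_name: [Ace, ...]} in the order the entries were printed.
    Command echo lines ("sh access-list ...") and blank lines are skipped.
    """
    acls: Dict[str, List[Ace]] = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("sh access-list"):
            continue
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        entry = ACE_LINE.match(line)
        if entry and current is not None:
            seq, action, proto, rest, count = entry.groups()
            acls[current].append(
                Ace(int(seq), action, proto, rest.strip(), int(count) if count else 0)
            )
    return acls


def unmatched_permits(acls: Dict[str, List[Ace]], name: str) -> List[Ace]:
    """Permit entries of ACL `name` whose counter is zero.

    For a PBR match ACL, a zero-hit permit means the route-map never saw
    traffic of that kind, so the traffic is taking some other path.
    """
    return [a for a in acls[name] if a.action == "permit" and a.matches == 0]


# Constructed sample: the three ACLs pasted earlier in this thread.
SAMPLE_OUTPUT = """\
sh access-list acl_localPBR
Extended IP access list acl_localPBR
    5 permit esp host a.b.c.d any
    10 permit ip host a.b.c.d any (1112 matches)
    20 deny ip any any (432007 matches)

sh access-list 125
Extended IP access list 125
    10 deny ip host 10.10.10.2 host 10.10.10.255 (3908 matches)
    20 deny tcp host 10.10.10.2 any eq 135
    30 permit ip host 10.10.10.2 any (7613579 matches)

sh access-list secondaryVPN
Extended IP access list secondaryVPN
    10 permit ip x.y.t.0 0.0.0.255 192.168.6.0 0.0.0.255 (154756 matches)
    20 permit ip x.y.r.0 0.0.0.255 192.168.6.0 0.0.0.255
    30 permit ip x.y.s.0 0.0.0.255 192.168.6.0 0.0.0.255 (18 matches)
    40 permit ip x.y.u.0 0.0.0.255 192.168.6.0 0.0.0.255 (3 matches)
    50 deny ip any any (7057282 matches)
"""


if __name__ == "__main__":
    parsed = parse_show_access_list(SAMPLE_OUTPUT)
    for acl_name in parsed:
        for ace in unmatched_permits(parsed, acl_name):
            print(f"{acl_name}: seq {ace.seq} permit {ace.proto} {ace.rest} has 0 matches")
```

Run against the pasted output it reports `acl_localPBR: seq 5 permit esp host a.b.c.d any has 0 matches` and `secondaryVPN: seq 20 ...`, which is the same observation the poster made by hand. Because the script only reads `show` output, it can be run from a collected log rather than on the router.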
