
Route Map issue..

sqambera
Level 1

Hi,

I have configured a route map on the interface of a router, which states that if a packet with the destination ip address (this is of course defined in the ACL which I am matching in the route map) comes on this interface then set ip next hop another address which is another device directly connected with the router. But important thing to notice is that the destination ip address which I am trying to match is the ip address of the same interface where I am applying the route map. So will the router forward the packet to the ip address mentioned in "set ip next hop"? I am thinking it's not forwarding. Please help. Thanks.

Accepted Solutions

Hi,

What you want to achieve would be achieved by configuring static NAT over inbound connections. Following links would help you in doing this:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

http://blogs.techrepublic.com.com/networking/?p=264&tag=nl.e115

As far as redundancy for your domain is concerned, I would suggest you to have an AS number from RIR (e.g. APNIC) plus Provider Independent IPs, after doing that start BGP Multihoming with both ISPs in Primary/backup fashion.

Note: Please rate the post if it was helpful.

Regards,

Akhtar
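
The inbound static NAT suggested in the answer above, sketched as an added IOS configuration example that is not part of the original post. Interface names, the ISP-facing addresses (documentation ranges) and the router's inside address 192.16.172.18 are constructed; 192.16.172.17 is the firewall external address given later in the thread, and TCP port 80 is assumed for the web server.

```cisco
! Added example; interface names, 198.51.100.2, 203.0.113.2 and
! 192.16.172.18 are constructed for illustration.
interface Serial0/0
 description ISP-A (constructed)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface Serial0/1
 description ISP-B (constructed)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/0
 description Link to firewall external interface 192.16.172.17
 ip address 192.16.172.18 255.255.255.252
 ip nat inside
!
! Broad form, shown for contrast only: translates every port, so
! every service the firewall address answers on becomes reachable
! from the internet.
! ip nat inside source static 192.16.172.17 198.51.100.2
!
! Narrow form: only TCP 80 arriving on either public address is
! translated to the firewall. "extendable" lets one inside address
! and port map to more than one global address.
ip nat inside source static tcp 192.16.172.17 80 198.51.100.2 80 extendable
ip nat inside source static tcp 192.16.172.17 80 203.0.113.2 80 extendable
```

Replies from the web server follow the router's routing table, so the default route and link tracking need to send them out the ISP they arrived on; the other ISP may drop packets sourced from an address it did not assign.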

14 Replies

bvsnarayana03
Level 5

Route-map is often known as source based routing, i.e. for a specific source you define a specific path to the destination. Remember that route-map is always applied at the point nearest to the source & not destination.

Thanks for the prompt reply. But still I want to know whether a router will execute the route map if the destination ip address to be matched in match command is the ip address of the router itself? Will it then send the packet to next hop defined in "set ip next-hop"? Thanks.

Hi,

I think the policy route behaves like static route therefore you cannot override the directly connected routes.

Krisztian

The order of processing the packets will be:

directly connected
static route
route-map

so the route map will not work.

Can anyone please tell me what I can do to forward traffic from router to another directly connected device if the traffic is destined for the same router from which I want to forward it to another device connected to another interface of the router?

Let me clarify it by example. Suppose that a packet arrives at an interface of a router. The destination ip address of the packet is 1.1.1.1 and this is the ip address of the router interface where it has arrived. I want that router on seeing such packet forward it to 2.2.2.2 which is also directly connected to it with another interface. Thanks.

Hi,

May I know why you want to accomplish this?

Can you put a simple diagram?

Actually I am making a scenario of redundant internet. I have a web server connected to the DMZ interface of my firewall. I want two internet links from separate ISPs for redundancy. But I can't terminate both internet links directly on my firewall, that's why I have placed a router connected to the external interface of the firewall and two internet links are coming on the router. Now both interfaces of the router connected with the ISPs has public ip addresses on them. However the link between the router and the firewall has private ip addressing scheme on it. That's why I want that any traffic landing on the internet interfaces of the router to be forwarded to firewall.

You can also think here that why am I not terminating both internet links directly on the firewall. The reason being I have to keep track of the internet that whether it's alive and shift on backup in case it's down. This can be done only on the router through several ways, like OER, Object Tracking, etc. Also I want to host both public ip addresses of router interfaces in the DNS against a single domain. That's why I am not using single public ip address on firewall external interface.

The firewall I am using is SideWinder of SecureComputing. Thanks.

Are both the ISPs supporting to route to your webserver?

Usually this is possible only when they are running some kind of a routing protocol.

Or will your sidewinder firewall change the IP to the alternate ISP's IP when one ISP link goes down?

Hi Anand,

The order of operation is first policy route (if the traffic matches the ACL) and then ip routing. Connected and static routes are all a part of ip routing table so policy route will be preferred first, then routing table and from routing table first connected route and then static route.

http://www.cisco.com/warp/public/556/5.html

Regards,

Ankur

Hi,

Sorry you are right.

Route-map takes priority over ip routing.

So the order is:

Route-map
administrative distance
|
directly connected
|
static
|
EIGRP
|
EBGP

Hi,

Please find in attachment the output of "debug ip policy" that I have obtained on the router which is connected to the external interface of the firewall.

192.16.172.17 is the ip address of firewall external interface and 202.154.255.20 is the ip address of ISP's DNS.

Hi,

I've noticed this statement "But important thing to notice is that the destination ip address which I am trying to match is the ip address of the same interface where I am applying the route map".

Please correct me if I am wrong, if the destination to be matched is the same IP of the interface that you have configured the PBR, why would the router do PBR since it has already reached its destination?

Please elaborate further with your design and needs.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

Thanks for replying. Actually the webserver is behind the router with the private ip addressing scheme between router and the webserver. But Akhtar's advice has helped me to solve the issue through NAT. He deserves rating. Thanks Akhtar.
