Help! Routing based on source and destination addresses

Unanswered Question
Oct 9th, 2007

This isn't a VPN question, just routing.

OK here's my situation, this is a good one...

My company is a group of banks. End users at these different banks access a federal banking website ( They access the Internet through the centralized datacenter, not locally.

To access the website, the federal bank requires that each bank go through a separate VPN device that sets up a secure IPSec tunnel to the website. The INTERNAL IP addresses of those VPN devices are as follows:








Each bank has its own subnet, like so:








SO....the goal is to route the packets going to the website ( to the right VPN device based on the subnet the packet is coming from. I also need to preserve the source and destination IPs in the packet (no NATing).

This can probably get done with some policy based routing but I'm not that smart, you guys are. Help a brother!





Yes it seems that PBR can be the solution indeed. All you have to do is to configure the inside interface (facing to the banks) with PBR.

Assuming that this interface is f0/0:

interface fastethernet0/0
 ip address whatever
 ip policy route-map vpn
!
route-map vpn permit 10
 match ip address 101
 set ip next-hop
!
route-map vpn permit 20
 match ip address 102
 set ip next-hop
!
access-list 101 permit ip host
access-list 102 permit ip host




You have to create the remaining route-maps and ACLs by analogy with the above (i.e. match the bank's subnet and set the next hop accordingly).

Hope it helps, rate if it does
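As an added illustration (not from this thread or any poster), the following script generates the per-bank route-map/ACL stanzas from a bank-to-VPN-device table, checks that no two bank subnets overlap (PBR takes the first matching sequence, so an overlap would silently send one bank's traffic to another bank's VPN device), and simulates which next hop a given packet would get. All subnets, VPN-device addresses and the website address are constructed placeholders.

```python
import ipaddress

# Constructed sample data, not the thread's addressing: bank subnet -> internal IP of
# the VPN device that bank must use. WEBSITE is a placeholder for the federal site.
BANK_VPN = {
    "10.1.0.0/24": "192.168.100.11",
    "10.2.0.0/24": "192.168.100.12",
    "10.3.0.0/24": "192.168.100.13",
}
WEBSITE = "203.0.113.10"


def overlapping_subnets(table):
    """PBR uses the first matching sequence, so overlapping bank subnets would silently
    steer one bank's traffic to another bank's VPN device. Returns the offending pairs."""
    nets = [ipaddress.ip_network(n) for n in table]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def render_pbr_config(table, website, route_map="vpn", interface="FastEthernet0/0"):
    """Emit the interface, route-map and ACL stanzas from the reply, one sequence per bank.
    Each ACL matches only bank-subnet -> website, so every other flow falls through to
    the normal routing table instead of being forced at a VPN device."""
    seqs, acls = [], []
    for seq, (subnet, next_hop) in enumerate(sorted(table.items()), start=1):
        net = ipaddress.ip_network(subnet)
        acl = 100 + seq
        acls.append(f"access-list {acl} permit ip {net.network_address} {net.hostmask} host {website}")
        seqs += [f"route-map {route_map} permit {seq * 10}",
                 f" match ip address {acl}",
                 f" set ip next-hop {next_hop}"]
    iface = [f"interface {interface}", f" ip policy route-map {route_map}"]
    return "\n".join(iface + seqs + acls)


def pbr_next_hop(table, website, src_ip, dst_ip):
    """Simulate the route-map: return the VPN device for a bank -> website packet, or None
    when no sequence matches (the packet is then forwarded by the regular routing table)."""
    if ipaddress.ip_address(dst_ip) != ipaddress.ip_address(website):
        return None
    for subnet, next_hop in sorted(table.items()):  # same order as the generated sequences
        if ipaddress.ip_address(src_ip) in ipaddress.ip_network(subnet):
            return next_hop
    return None


if __name__ == "__main__":
    assert not overlapping_subnets(BANK_VPN)
    print(render_pbr_config(BANK_VPN, WEBSITE))
```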


arriejones Wed, 10/10/2007 - 05:35

Thanks Krisztian for your reply.

Yes I did consider putting PBR on each interface facing each bank, the problem is there are many many interfaces on this router facing the different banks. Some come in on an ATM interface with about 30 subinterfaces, some are PTP on Serial interfaces, and others come in on the LAN through the Gig interface. I really don't want all that PBR out there as this can be CPU intensive and a management nightmare as you can imagine!

So the goal is to do this with one centralized PBR. An idea I had (that doesn't work) is to create a Loopback interface, route all traffic going to to the Loopback, then put a PBR on the Loopback to set next-hops based on the source subnet. This doesn't work for whatever reason, but maybe this can give someone else a better idea.

Thanks again, Arrie

luqmankondeth Wed, 10/10/2007 - 05:54

Not a nice idea, but I think this could work.

Use 2 tunnel interfaces on the same router.

Shove all traffic down one and apply the PBR as it comes out the other. Points you will need to note:

1) The IP address assignment will conflict on the tunnel interfaces. Use different subnets; IP addresses don't really matter on tunnels, what matters is the source & destination being opposite at the other end of the tunnel.

2) Are the packets destined to If , so you will have a slight problem. Because you need to apply a static route pushing all traffic out to tunnel1, but when it comes out via tunnel2 any traffic not matching your PBR may loop. In such a case apply a default PBR policy pushing it to null0 or a default gateway where you would like it to go.

Let me know if it works out.

Please rate post if useful

arriejones Wed, 10/10/2007 - 06:11

Wow thanks Luqman! Now we're getting closer.

I am not experienced at all using tunnel interfaces. Could you take a sec and throw together a little sample config? Yes all traffic going to will match something in the PBR, no need for catch-all going to null I don't think.

luqmankondeth Wed, 10/10/2007 - 06:27

int lo1
 ip address
!
int lo2
 ip address
!
int tunnel 1
 description route packets to this tunnel
 ip address
 tunnel source
 tunnel destination
!
int tunnel2
 ip address
 tunnel source
 tunnel destination
 ip policy route-map PBR
!
ip route tunnel 1

I am a bit sceptical about my own solution now. It's to do with the static route for pointing down the tunnel. I'm hoping it works,

If this fails, you will need a spare router and then terminate the tunnel on this spare router and also move the link for the network onto this new router and apply all pbr over there.

Let me know how you get on. I'll try to find a solution for you.

