07-04-2008 12:30 AM - edited 03-03-2019 10:35 PM
Hello All,
I seem to have hit the wall with something that should be pretty straightforward. We have 1 router and 2 ISPs connected to it.
I have configured PBR on the internal interface to forward some traffic to the 2nd ISP, and according to the route-maps, the traffic gets policed.
But I'm unable to go anywhere beyond the gateways. If I put a default gateway in place, traffic goes OK for the ISP where the default gateway is set (and the 2nd ISP doesn't go anywhere).
Am I missing something?
Thx, Serge.
07-04-2008 01:01 AM
try to use "set ip next-hop" instead of "set ip default next-hop"
route-map RM-PBR permit 10
match ip address ACL-PBR-isp2
set ip next-hop (default gateway of ISP2)
route-map RM-PBR permit 20
set ip next-hop (default gateway of ISP2)
07-04-2008 01:02 AM
Thanks for the quick reply. I tried set ip next-hop as well, but it didn't make any difference. There's a typo in the config as well, sorry about that. The correct part is:
route-map RM-PBR permit 10
match ip address ACL-PBR-isp2
set ip next-hop (default gateway of ISP2)
route-map RM-PBR permit 20
set ip next-hop (default gateway of ISP1)
07-04-2008 01:15 AM
ip access-list extended ACL-NAT-isp2
permit ip host 10.100.12.161 any
ip access-list extended ACL-NAT-ips1
deny ip host 10.100.12.161 any
permit ip any any
07-04-2008 01:21 AM
Looks like my cut'n'paste skills aren't the best today. I missed the internal LAN in NAT in the original configuration. I'm not sure if permit ip any any would work with NAT, so here's the correct ACL. The reason for denying private IPs at the beginning: we do have a VPN going over isp2, so we don't need to NAT that traffic.
ip access-list extended ACL-NAT-ips1
remark Do not NAT towards Private IP
deny ip any 127.0.0.0 0.255.255.255
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255
deny ip any 192.168.0.0 0.0.255.255
remark Deny single hosts
deny ip host 10.100.12.161 any
permit ip 10.100.0.0 0.0.255.255 any
Thx, Serge.
07-04-2008 01:30 AM
07-04-2008 02:43 AM
So if I understand it correctly, PBR happens before NAT. Then how is this supposed to look?
Do I need to utilize a default gateway somewhere? Without NAT, PBR works like a charm, but with NAT it doesn't.
Thx, Serge.
07-04-2008 04:31 AM
I think it should be
ip nat inside source route-map RM-NAT-isp1 interface FastEthernet0/0 overload
but in your config you have
ip nat inside source route-map RM-NAT-isp1 interface FastEthernet0/1 overload
07-04-2008 04:32 AM
Yes, sorry about that. Noticed that as well in the config, but didn't update the posted one.
Still, it doesn't work. I removed all the extra NATs, etc. I just want to PBR 1 host, and it's not going anywhere beyond the default gateway.
07-04-2008 04:39 AM
:))
show the actual configuration.
07-04-2008 04:55 AM
07-04-2008 05:55 AM
I do not see any route for 10.100.12.161
sh ip route 10.100.12.161
07-04-2008 05:57 AM
#sh ip route 10.100.12.161
Routing entry for 10.100.0.0/16
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 10.100.11.254
Route metric is 0, traffic share count is 1
07-04-2008 06:04 AM
oops, sorry for this
Could you try initiating traffic from 10.100.12.161 and show the output of "sh ip nat tr | i 10.100.12.161"?
07-04-2008 07:00 AM
#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp x.x.x.x:512 10.100.12.161:512 213.73.255.52:512 213.73.255.52:512
tcp x.x.x.x:80 10.100.12.161:80 --- ---
As far as I can see, the NAT is correctly set on the interface I want it to go out of, and it's not appearing on the default interface.