07-30-2008 03:08 AM - edited 03-06-2019 12:31 AM
Guys - could you take a quick look at this config and let me know what I'm missing out.
I've included the diag and config. Basically the 2821 is acting as a hub and 2 spokes (3 if you include the DSL connection when it's configured).
The first spoke is connected to an existing Verizon network and the second spoke to the BT network
Customer wishes to send existing VPN traffic over Verizon, SMTP over BT and everything else over the DSL.
The issue that I have is that I cannot get the routing policy to do this, but I do see traffic going across the interfaces... Is there anything obvious that comes to mind?
From the c2821 I have visibility of both devices when I sh cdp nei and ping the open interfaces. Verizon have blocked pings and some icmp traffic in their int. but the BT interfaces are open.
I also have visibility of both networks from the customer LAN behind the firewall
The 2821 has a HWIC-4ES - I cannot config them directly as routed interfaces without creating VLANs on the WAN side.
Any suggestions to what I might be missing would help me a lot - Thanks in Advance, S
07-30-2008 05:10 AM
Hi,
an excerpt from your config:
interface Vlan2
description **** Checkpoint FW and Internal LAN ****
no ip address
ip access-group 101 in
ip access-group 101 out
ip policy route-map BT_OR_VERIZON
shutdown
!
interface Vlan3
description *** FE to Verizon ***
ip address 195.217.166.61 255.255.255.192
ip access-group 101 in
ip access-group 101 out
ip policy route-map BT_OR_VERIZON
!
interface Vlan4
description *** FE to BT ***
ip address 81.145.134.226 255.255.255.224
ip access-group 101 in
ip access-group 101 out
!
ip classless
ip route 0.0.0.0 0.0.0.0 195.217.166.62
!
!
ip http server
no ip http secure-server
!
access-list 100 permit tcp any any eq smtp log
access-list 101 permit icmp any any echo log
access-list 101 permit udp any any eq echo
access-list 101 permit udp any any eq isakmp log
access-list 101 permit udp any any eq non500-isakmp log
access-list 101 permit esp any any log
route-map BT_OR_VERIZON permit 10
match ip address 100
set default interface Vlan4
!
Some remarks:
1) The ACL 100 should direct traffic, but this traffic is not allowed by ACL 101. So I assume you are dropping any packet entering Vlan3, which could be policy routed.
2) The Vlan2 interface does not have any IP address configured and is shutdown and thus IP traffic will be dropped.
3) Apply PBR on the interface receiving the traffic
4) Is this the whole config or did you cut out some portions?
Suggestion:
1) add an IP address to interface Vlan2
2) modify ACL 101 to allow SMTP traffic. As you are applying the ACL in both directions it likely should look like
access-list 101 permit icmp any any log
access-list 101 permit udp any any eq echo
access-list 101 permit udp any any eq isakmp log
access-list 101 permit udp any any eq non500-isakmp log
access-list 101 permit esp any any log
access-list 101 permit udp any eq echo any
access-list 101 permit udp any eq isakmp any log
access-list 101 permit udp any eq non500-isakmp any log
access-list 101 permit esp any any log
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any eq smtp any
3) Create per interface ACLs, because the traffic is different
4) set an explicit next hop in your route-map for PBR. Only pointing to a broadcast interface relies on proxy-arp being functional, which might or might not be the case.
5) Apply PBR on the interface receiving the traffic
Hope this helps! Please use the rating system.
Regards,
Martin
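The first remark above (the inbound ACL 101 drops SMTP before the route-map ever sees it) is easy to verify with a small model of the evaluation order IOS uses on an inbound interface: interface ACL first, then the PBR route-map, then the routing table. The script below is an added example, not IOS code and not from the original poster or the reply; it parses the numbered ACL lines quoted in this thread, and assumes the route-map has been changed to an explicit `set ip next-hop 81.145.134.225` (the BT side address mentioned later in the thread) in place of `set default interface Vlan4`. Only `any` address terms are modelled, which is all the quoted config uses.

```python
"""Added example: model of inbound-ACL-then-PBR evaluation, fed with the
ACL lines quoted in this thread.  Not IOS code; the next hop 81.145.134.225
is an assumption standing in for an explicit 'set ip next-hop'."""
from dataclasses import dataclass
from typing import Optional

PORTS = {"smtp": 25, "echo": 7, "isakmp": 500, "non500-isakmp": 4500}


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "esp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    icmp_type: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src_port: Optional[int]     # None means "any"
    dst_port: Optional[int]
    icmp_type: Optional[str]


def parse_acls(text):
    """Parse lines of the form
    'access-list N permit|deny PROTO any [eq PORT] any [eq PORT] [ICMP-TYPE] [log]'
    into {N: [Rule, ...]}, keeping the order in which they were written."""
    acls = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        num, action, proto = tokens[1], tokens[2], tokens[3]
        rest = [t for t in tokens[4:] if t != "log"]   # 'log' never affects matching
        ends, i = [], 0
        while len(ends) < 2:                           # source term, then destination term
            if i >= len(rest) or rest[i] != "any":
                raise ValueError(f"only 'any' address terms are modelled: {line}")
            if i + 1 < len(rest) and rest[i + 1] == "eq":
                ends.append(PORTS[rest[i + 2]])
                i += 3
            else:
                ends.append(None)
                i += 1
        icmp_type = rest[i] if proto == "icmp" and i < len(rest) else None
        acls.setdefault(num, []).append(Rule(action, proto, ends[0], ends[1], icmp_type))
    return acls


def acl_permits(rules, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny any'."""
    for r in rules:
        if r.proto != pkt.proto:
            continue
        if r.src_port is not None and r.src_port != pkt.src_port:
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        if r.icmp_type is not None and r.icmp_type != pkt.icmp_type:
            continue
        return r.action == "permit"
    return False


# route-map BT_OR_VERIZON permit 10 / match ip address 100 / set ip next-hop 81.145.134.225
ROUTE_MAP = [("100", "81.145.134.225")]          # assumed explicit next hop (BT side)
DEFAULT_NEXT_HOP = "195.217.166.62"              # ip route 0.0.0.0 0.0.0.0 195.217.166.62


def forward(acls, pkt, inbound_acl="101"):
    """Return the next hop chosen for a packet arriving on the PBR interface,
    or None when the inbound ACL drops it.  The ACL runs before the route-map,
    so an ACL that omits SMTP defeats the SMTP policy however correct it is."""
    if not acl_permits(acls.get(inbound_acl, []), pkt):
        return None
    for match_acl, next_hop in ROUTE_MAP:
        if acl_permits(acls.get(match_acl, []), pkt):
            return next_hop
    return DEFAULT_NEXT_HOP


# ACLs exactly as quoted from the posted config
ORIGINAL = """
access-list 100 permit tcp any any eq smtp log
access-list 101 permit icmp any any echo log
access-list 101 permit udp any any eq echo
access-list 101 permit udp any any eq isakmp log
access-list 101 permit udp any any eq non500-isakmp log
access-list 101 permit esp any any log
"""

# ACL 101 with the SMTP entries from the suggested rewrite added (both directions)
SUGGESTED = ORIGINAL + """
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any eq smtp any
"""

SMTP = Packet("tcp", src_port=40000, dst_port=25)   # constructed sample packet

if __name__ == "__main__":
    print("original ACL 101:", forward(parse_acls(ORIGINAL), SMTP))    # None (dropped)
    print("suggested ACL 101:", forward(parse_acls(SUGGESTED), SMTP))  # 81.145.134.225
```

Running it shows the SMTP packet returning `None` against the original ACL 101 and `81.145.134.225` once the SMTP entries are present, while ISAKMP and ICMP echo still follow the default route to 195.217.166.62. It also makes a second point visible: anything not listed in ACL 101 (plain HTTP, for instance) is dropped before it could ever reach the DSL default, so the "everything else over the DSL" requirement needs a wider inbound ACL or per-interface ACLs as suggested.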
07-30-2008 10:07 AM
Hi Martin
Many Thanks for your response.
The config is very basic and nothing has been removed.
VLAN 2 is shutdown as it is not being used. I have put FE0/0/3 (incoming traffic from the FW) in VLAN 3 as it resides in the same subnet as the Verizon subnet, i.e. the 195.217.166.x subnet, so basically FE0/0/3 and FE0/0/0 (spoke to Verizon router) lie in the same subnet. I will modify the access-list 101 as you suggested to see if that helps and explicitly set the next hop to 81.145.134.225, which hopefully allows the traffic to go via this link. The PBR is applied to the ingress port at the moment.