policy routing & nat on the same router

Unanswered Question
Sep 25th, 2008

Hi,

I have one router connected to 2 ISPs. One of the ISPs is used for Internet connectivity and VPN with branch office A, and the other for VPN with branch office B. The IPsec endpoint on this side is an ASA, which is behind this router. (See the attached picture.)

I don't have an AS/BGP, so I tried to use policy routing on the router to redirect traffic to ISP B for the second tunnel, and NAT to achieve symmetric routing.

router config:

ip nat inside source static 192.168.10.2 10.2.2.3 route-map ISPB extendable

route-map ISPB permit 10
 match ip address 110

access-list 110 permit ip host 192.168.10.2 host 10.20.20.2

...

route-map ISPB_policy_route permit 10
 match ip address 110
 set ip next-hop 10.2.2.1

...

interface fastethernet 0
 ip address 10.2.2.2 255.255.255.0

interface fastethernet 1
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 ip policy route-map SPB_policy_route

interface vlan1
 ip address 10.1.1.1 255.255.255.0
 ip nat outside

....

ip route 0.0.0.0 0.0.0.0 10.1.1.1

Although in the output of debug ip policy I see that the policy routing is working, and on the branch B router I can see the packets coming from 10.2.2.3, the tunnel never comes up.

If I put a static route to 10.20.20.2/32 via 10.2.2.1, the tunnel comes up.

What could be the answer to this?

Thanks,

Oszkar

Attachment: 
merryllem Thu, 09/25/2008 - 15:22

I know translation happens before routing, so working with that theory, give this a try:

access-list 111 permit ip host 10.2.2.3 host 10.20.20.2

...

route-map ISPB_policy_route permit 10
 match ip address 111
 set ip next-hop 10.2.2.1

oszkari Fri, 09/26/2008 - 11:06

Hi merryllem,

Thanks for the reply.

I have modified the access-list as you said, but after this modification there was no more matching traffic for the route-map, i.e. no traffic arrived at the other endpoint.

As far as I know, both policy routing and routing happen before NAT:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Any other ideas?

Oszkar
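To make the order-of-operations argument in the Cisco note above concrete, here is an added model (not from the thread or from Cisco) of an IOS router's inside-to-outside path, where policy routing is evaluated on the untranslated packet and static NAT is applied afterwards, and of the outside-to-inside path, where NAT untranslates the destination before routing. It uses the thread's addresses and ACL numbers; the packets are constructed sample traffic, and the model ignores details such as translation-table state.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "udp" or "esp"

# ACL entries as (protocol or "ip", source host, destination host).
ACL = {
    110: [("ip", "192.168.10.2", "10.20.20.2")],  # original PBR / NAT match (inside address)
    111: [("ip", "10.2.2.3", "10.20.20.2")],      # suggested match on the post-NAT address
}

STATIC_NAT = {"192.168.10.2": "10.2.2.3"}  # ip nat inside source static 192.168.10.2 10.2.2.3
NAT_ROUTE_MAP_ACL = 110                    # route-map ISPB matches ACL 110
PBR_NEXT_HOP = "10.2.2.1"                  # set ip next-hop 10.2.2.1
DEFAULT_NEXT_HOP = "10.1.1.1"              # ip route 0.0.0.0 0.0.0.0 10.1.1.1

def acl_matches(acl_number: int, pkt: Packet) -> bool:
    return any((proto in ("ip", pkt.proto)) and pkt.src == src and pkt.dst == dst
               for proto, src, dst in ACL[acl_number])

def inside_to_outside(pkt: Packet, pbr_acl: int):
    """Return (next_hop, packet as it leaves) for an inside->outside packet.
    Step 1: policy routing, evaluated on the untranslated inside packet.
    Step 2: static NAT, gated by the NAT route-map, rewrites the source."""
    next_hop = PBR_NEXT_HOP if acl_matches(pbr_acl, pkt) else DEFAULT_NEXT_HOP
    if pkt.src in STATIC_NAT and acl_matches(NAT_ROUTE_MAP_ACL, pkt):
        pkt = replace(pkt, src=STATIC_NAT[pkt.src])
    return next_hop, pkt

def outside_to_inside(pkt: Packet) -> Packet:
    """Outside->inside: NAT untranslates the destination before the route lookup,
    so a reply addressed to 10.2.2.3 is routed toward 192.168.10.2 (simplified)."""
    inverse = {global_ip: local_ip for local_ip, global_ip in STATIC_NAT.items()}
    return replace(pkt, dst=inverse[pkt.dst]) if pkt.dst in inverse else pkt

# Constructed sample: the ASA's ISAKMP packet toward branch B.
isakmp = Packet("192.168.10.2", "10.20.20.2", "udp")

if __name__ == "__main__":
    for acl in (110, 111):
        hop, out = inside_to_outside(isakmp, acl)
        print(f"PBR ACL {acl}: next-hop {hop}, leaves as {out.src} -> {out.dst}")
    reply = outside_to_inside(Packet("10.20.20.2", "10.2.2.3", "udp"))
    print(f"reply is delivered to {reply.dst}")
```

With ACL 111 the PBR match is tested against 10.2.2.3 before NAT has produced that address, so nothing matches and the packet follows the default route, which is the behaviour reported above.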

singhsaju Fri, 09/26/2008 - 11:32

Try using esp and udp in the access-list. You might have to remove fast switching from the interfaces where you are doing policy routing: no ip route-cache

access-list 120 permit udp host 192.168.10.2 host 10.20.20.2
access-list 120 permit esp host 192.168.10.2 host 10.20.20.2

route-map ISPB_policy_route permit 10
 match ip address 120
 set ip next-hop 10.2.2.1

HTH

Saju

oszkari Fri, 09/26/2008 - 12:07

Hi Saju,

I made the modifications on ACL 120 and set no ip route-cache on FA1 (the policy route interface), but no result.

The tunnel is still in MM_NO_STATE...

What I observed, and it looked strange, was that the ESP traffic never matched the ACL, only the UDP.

Here is the debug crypto isakmp output from the router on Branch B.

021901: *Sep 26 21:51:29.852 UTC: ISAKMP: received ke message (1/1)
021902: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
021903: *Sep 26 21:51:29.852 UTC: ISAKMP: Created a peer struct for 10.2.2.3, peer port 500
021904: *Sep 26 21:51:29.852 UTC: ISAKMP: New peer created peer = 0x448DDFA8 peer_handle = 0x80000087
021905: *Sep 26 21:51:29.852 UTC: ISAKMP: Locking peer struct 0x448DDFA8, IKE refcount 1 for isakmp_initiator
021906: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0):Setting client config settings 4496E270
021907: *Sep 26 21:51:29.852 UTC: ISAKMP: local port 500, remote port 500
021908: *Sep 26 21:51:29.852 UTC: ISAKMP: set new node 0 to CONF_ADDR
021909: *Sep 26 21:51:29.852 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 44955238
021910: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
021911: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0):Looking for a matching key for 10.2.2.3 in default
021912: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0): : success
021913: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.2.2.3
021914: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
021915: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
021916: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
021917: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
021918: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
021919: *Sep 26 21:51:29.856 UTC: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
021920: *Sep 26 21:51:29.856 UTC: ISAKMP:(0:0:N/A:0): sending packet to 10.2.2.3 my_port 500 peer_port 500 (I) MM_NO_STATE
021922: *Sep 26 21:51:39.856 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
021923: *Sep 26 21:51:39.856 UTC: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
021924: *Sep 26 21:51:39.856 UTC: ISAKMP:(0:0:N/A:0): sending packet to 10.2.2.3 my_port 500 peer_port 500 (I) MM_NO_STATE
021926: *Sep 26 21:51:49.856 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
021927: *Sep 26 21:51:49.856 UTC: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
021928: *Sep 26 21:51:49.856 UTC: ISAKMP:(0:0:N/A:0): sending packet to 10.2.2.3 my_port 500 peer_port 500 (I) MM_NO_STATE
021929: *Sep 26 21:51:57.648 UTC: %CRYPTO-6-IKE_TED_BAD_REPLY: Received TED reply that did not correspond to a TED probe
021930: *Sep 26 21:51:59.852 UTC: ISAKMP: received ke message (1/1)
021931: *Sep 26 21:51:59.852 UTC: ISAKMP: set new node 0 to CONF_ADDR
021932: *Sep 26 21:51:59.852 UTC: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 10.20.20.2, remote 10.2.2.3)
021933: *Sep 26 21:51:59.856 UTC: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
021934: *Sep 26 21:51:59.856 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
021935: *Sep 26 21:51:59.856 UTC: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
021936: *Sep 26 21:51:59.856 UTC: ISAKMP:(0:0:N/A:0): sending packet to 10.2.2.3 my_port 500 peer_port 500 (I) MM_NO_STATE

Thx,

Oszkar

singhsaju Fri, 09/26/2008 - 12:12

ip nat inside source static 192.168.10.2 10.2.2.3 route-map ISPB extendable

Can you explain what this route-map ISPB is?

Try adding "route-map ISPB_policy_route" to the static NAT statement as shown below and then check. You do not need to apply the policy route-map to the inside interface of the router; just apply it to the static NAT statement.

route-map ISPB_policy_route permit 10
 match ip address 110
 set ip next-hop 10.2.2.1

ip nat inside source static 192.168.10.2 10.2.2.3 route-map ISPB_policy_route

HTH

Saju

oszkari Fri, 09/26/2008 - 12:39

Hi Saju,

I used two separate route-maps only because it was easier to make changes without modifying the existing working config (route-map for NAT and static route).

However, I tried this too:

route-map ISPB_policy_route permit 10
 match ip address 110
 set ip next-hop 10.2.2.1

ip nat inside source static 192.168.10.2 10.2.2.3 route-map ISPB_policy_route

...but same thing: without the static route the tunnel stays in MM_NO_STATE.

singhsaju Fri, 09/26/2008 - 12:44

Hi Oszkar,

Did you clear the NAT translations after you made the change to the static NAT translation?

Giuseppe Larosa Fri, 09/26/2008 - 12:12

Hello Oszkar,

I think that using a specific static route for 10.20.20.2/32 is an acceptable solution in your scenario that removes the need for PBR and all the problems of PBR interaction with NAT.

I would suggest using it and removing PBR: it satisfies your needs and it is a simpler configuration.

If you still want to try to use PBR, I would use two different ACLs in the two route-maps so that you can change one independently.

In that case you can try to implement the suggestions and understand which of PBR and NAT examines the packets first.

Hope to help

Giuseppe

oszkari Fri, 09/26/2008 - 12:51

Hi Giuseppe,

Initially I tried with policy routing but I could not make it work, so I had to put in the static route. With the static route everything is fine, but I am trying to figure out what went wrong with the policy routing.

Oszkar

ullasupendran Fri, 09/26/2008 - 12:52

Hi,

What Giuseppe suggested is correct. In the given config I didn't understand the interface configs below.

interface fastethernet 1
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 ip policy route-map SPB_policy_route

interface vlan1
 ip address 10.1.1.1 255.255.255.0
 ip nat outside

Your default route is pointing to 10.1.1.1 and that is the ISP. How can you have the same VLAN 1 with the same IP and NAT outside on it? Can you check on this?

Ullas

oszkari Fri, 09/26/2008 - 13:02

Hi Ullas,

Your observation is correct; I made a mistake here, the fastethernet 1 IP is 192.168.10.1.

Here is the current correct configuration:

ip nat inside source static 192.168.10.2 10.2.2.3 route-map ISPB extendable

route-map ISPB permit 10
 match ip address 110

route-map ISPB_policy_route permit 10
 match ip address 111
 set ip next-hop 10.2.2.1

...

access-list 110 permit ip host 192.168.10.2 host 10.20.20.2
access-list 111 permit udp host 192.168.10.2 host 10.20.20.2
access-list 111 permit esp host 192.168.10.2 host 10.20.20.2

...

interface Vlan1
 ip address 10.2.2.2 255.255.255.0
 ip nat outside

interface fastethernet 1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip policy route-map SPB_policy_route

interface Fastethernet 0
 ip address 10.1.1.2 255.255.255.0

....

ip route 0.0.0.0 0.0.0.0 10.1.1.1

Thx,

Oszkar

ullasupendran Fri, 09/26/2008 - 13:29

Your current default route is to 10.1.1.1, so all packets are going there. Do you have any specific route to 10.20.20.0? If not, you need that to send the packets there. You need to have a specific route for 10.20.20.2/32 to 10.2.2.1 in this scenario.

Ullas

oszkari Fri, 09/26/2008 - 14:04

This is exactly my question. :)

Why isn't the policy routing working without a route to the 10.20.20.0 network?

If I put this static route:

ip route 10.20.20.2 255.255.255.255 10.2.2.1

everything is OK, but then the policy routing becomes completely needless.
