09-25-2008 01:52 PM - edited 03-06-2019 01:36 AM
Hi,
I have one router connected to 2 ISPs. One of the ISPs is used for Internet connectivity and the VPN with branch office A, and the other for the VPN with branch office B. The IPsec endpoint on this side is an ASA, which is behind this router. (See the attached picture.)
I don't have an AS/BGP, so I tried to use policy routing on the router to redirect traffic to ISPB for the second tunnel, and NAT to achieve symmetric routing.
router config:
ip nat inside source static 192.168.10.2 10.2.2.3 route-map ISPB extendable
route-map ISPB permit 10
match ip address 110
access-list 110 permit ip host 192.168.10.2 host 10.20.20.2
...
route-map ISPB_policy_route permit 10
match ip address 110
set ip next-hop 10.2.2.1
...
interface fastethernet 0
ip address 10.2.2.2 255.255.255.0
interface fastethernet 1
ip address 10.1.1.2 255.255.255.0
ip nat inside
ip policy route-map ISPB_policy_route
interface vlan1
ip address 10.1.1.1 255.255.255.0
ip nat outside
....
ip route 0.0.0.0 0.0.0.0 10.1.1.1
Although in the output of debug ip policy I see that policy routing is working, and on the branch B router I can see the packets coming from 10.2.2.3, the tunnel never comes up.
If I put a static route to 10.20.20.2/32 via 10.2.2.1, the tunnel comes up.
What could be the answer for this?
Thanks,
Oszkar
09-25-2008 03:22 PM
I know translation happens before routing... so, working with that theory, give this a try:
access-list 111 permit ip host 10.2.2.3 host 10.20.20.2
...
route-map ISPB_policy_route permit 10
match ip address 111
set ip next-hop 10.2.2.1
09-26-2008 11:06 AM
Hi merryllem,
Thanks for the reply.
I have modified the access-list as you said, but after this modification there was no more matching traffic for the route-map, e.g. no traffic arrived at the other endpoint.
As far as I know, both policy routing and routing happen before NAT.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
any other ideas?
Oszkar
09-26-2008 11:32 AM
Try using esp and udp in the access-list. You might have to remove fast switching from the interfaces where you are doing policy routing: no ip route-cache
access-list 120 permit udp host 192.168.10.2 host 10.20.20.2
access-list 120 permit esp host 192.168.10.2 host 10.20.20.2
route-map ISPB_policy_route permit 10
match ip address 120
set ip next-hop 10.2.2.1
HTH
Saju
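The point argued in the two posts above, that policy routing on the inside interface sees the untranslated source address and so the PBR ACL has to name 192.168.10.2 rather than 10.2.2.3, and that a protocol-specific ACL (udp and esp) matches the IPsec traffic, can be checked against a small model of the IOS order of operations. The following is an added example, not code from the thread or from Cisco; it encodes the order documented in the NAT order-of-operation tech note linked above (inside-to-outside: PBR, then routing, then NAT; outside-to-inside: NAT, then routing) with the thread's addresses. The dataclass and helper names are constructed for this example, as is the interface-less representation of the connected route:

```python
"""
Added example, not part of the original thread: a minimal model of how Cisco
IOS orders policy routing, routing and NAT, using the thread's addresses
(inside host 192.168.10.2, inside-global 10.2.2.3, peer 10.20.20.2,
ISP A next hop 10.1.1.1, ISP B next hop 10.2.2.1). Names are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "udp", "esp", "tcp", ...


@dataclass(frozen=True)
class Ace:
    """One access-list entry; proto 'ip' matches any protocol."""
    proto: str
    src: str
    dst: str

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and self.src == pkt.src and self.dst == pkt.dst)


def acl_permits(acl, pkt):
    return any(ace.matches(pkt) for ace in acl)


def lookup(routes, dst):
    """Longest-prefix match over {prefix: next_hop}; assumes a default route."""
    addr = ip_address(dst)
    best = max((n for n in routes if addr in n), key=lambda n: n.prefixlen)
    return routes[best]


# ip nat inside source static 192.168.10.2 10.2.2.3 route-map ISPB
STATIC_NAT = {"192.168.10.2": "10.2.2.3"}          # inside-local -> inside-global
ACL_110 = [Ace("ip", "192.168.10.2", "10.20.20.2")]  # route-map ISPB (NAT condition)
ISPB_NEXT_HOP = "10.2.2.1"


def inside_to_outside(pkt, pbr_acl, routes):
    """Packet arriving on the 'ip nat inside' interface that carries 'ip policy'."""
    # 1. PBR runs first and evaluates the untranslated inside-local source.
    if acl_permits(pbr_acl, pkt):
        next_hop = ISPB_NEXT_HOP
    else:
        # 2. Otherwise ordinary routing, still on untranslated addresses.
        next_hop = lookup(routes, pkt.dst)
    # 3. NAT last; the NAT route-map also sees untranslated addresses.
    if pkt.src in STATIC_NAT and acl_permits(ACL_110, pkt):
        pkt = replace(pkt, src=STATIC_NAT[pkt.src])
    return pkt, next_hop


def outside_to_inside(pkt, routes):
    """Reply arriving on the 'ip nat outside' interface: NAT first, then routing."""
    global_to_local = {g: l for l, g in STATIC_NAT.items()}
    if pkt.dst in global_to_local:
        pkt = replace(pkt, dst=global_to_local[pkt.dst])
    return pkt, lookup(routes, pkt.dst)


ROUTES_DEFAULT_ONLY = {ip_network("0.0.0.0/0"): "10.1.1.1"}
ROUTES_WITH_HOST_ROUTE = {ip_network("0.0.0.0/0"): "10.1.1.1",
                          ip_network("10.20.20.2/32"): "10.2.2.1"}
ROUTES_INSIDE = {ip_network("0.0.0.0/0"): "10.1.1.1",
                 ip_network("192.168.10.0/24"): "FastEthernet1"}  # connected


def run_cases():
    ike = Packet("192.168.10.2", "10.20.20.2", "udp")
    esp = Packet("192.168.10.2", "10.20.20.2", "esp")
    # PBR ACL written on the inside-local address, per protocol (thread's ACL 120).
    acl_local = [Ace("udp", "192.168.10.2", "10.20.20.2"),
                 Ace("esp", "192.168.10.2", "10.20.20.2")]
    # PBR ACL written on the post-NAT address (the suggested 10.2.2.3 variant).
    acl_global = [Ace("ip", "10.2.2.3", "10.20.20.2")]
    out = {
        "local_acl_ike": inside_to_outside(ike, acl_local, ROUTES_DEFAULT_ONLY),
        "local_acl_esp": inside_to_outside(esp, acl_local, ROUTES_DEFAULT_ONLY),
        "global_acl_ike": inside_to_outside(ike, acl_global, ROUTES_DEFAULT_ONLY),
        # No PBR at all, only the /32 static route via ISP B.
        "static_route_ike": inside_to_outside(ike, [], ROUTES_WITH_HOST_ROUTE),
        # Return traffic from the peer to the inside-global address.
        "reply": outside_to_inside(Packet("10.20.20.2", "10.2.2.3", "udp"),
                                   ROUTES_INSIDE),
    }
    return out


if __name__ == "__main__":
    for name, (pkt, nh) in run_cases().items():
        print(f"{name:18} {pkt.src} -> {pkt.dst} {pkt.proto:4} via {nh}")
```

In this model the ACL keyed on 10.2.2.3 never matches on the inside interface, so the packet falls through to the default route toward ISP A (10.1.1.1) and is then translated to 10.2.2.3, i.e. it leaves the wrong ISP carrying ISP B's address; the ACL keyed on 192.168.10.2, and equally the /32 static route with no PBR, send it to 10.2.2.1 with the same translation. One general IPsec caveat when reading the udp/esp counters: ESP only appears once the IKE exchange has completed and IPsec SAs exist, so while the peer still reports MM_NO_STATE only the ISAKMP UDP traffic (port 500, or 4500 with NAT-T) can hit the ACL.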
09-26-2008 12:07 PM
Hi Saju,
I made the modifications to ACL 120 and set no ip route-cache on Fa1 (the policy-routed interface), but with no result.
The tunnel is still in MM_NO_STATE...
What I observed, and it looked strange, was that the ESP traffic never matched the ACL, only the UDP.
Here is the debug crypto isakmp output from the router on Branch B.
021901: *Sep 26 21:51:29.852 UTC: ISAKMP: received ke message (1/1)
021902: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
021903: *Sep 26 21:51:29.852 UTC: ISAKMP: Created a peer struct for 10.2.2.3, peer port 500
021904: *Sep 26 21:51:29.852 UTC: ISAKMP: New peer created peer = 0x448DDFA8 peer_handle = 0x80000087
021905: *Sep 26 21:51:29.852 UTC: ISAKMP: Locking peer struct 0x448DDFA8, IKE refcount 1 for isakmp_initiator
021906: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0):Setting client config settings 4496E270
021907: *Sep 26 21:51:29.852 UTC: ISAKMP: local port 500, remote port 500
021908: *Sep 26 21:51:29.852 UTC: ISAKMP: set new node 0 to CONF_ADDR
021909: *Sep 26 21:51:29.852 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 44955238
021910: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
021911: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0):Looking for a matching key for 10.2.2.3 in default
021912: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0): : success
021913: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.2.2.3
021914: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
021915: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
021916: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
021917: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
021918: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
021919: *Sep 26 21:51:29.856 UTC: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
021920: *Sep 26 21:51:29.856 UTC: ISAKMP:(0:0:N/A:0): sending packet to 10.2.2.3 my_port 500 peer_port 500 (I) MM_NO_STATE
021922: *Sep 26 21:51:39.856 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
021923: *Sep 26 21:51:39.856 UTC: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
021924: *Sep 26 21:51:39.856 UTC: ISAKMP:(0:0:N/A:0): sending packet to 10.2.2.3 my_port 500 peer_port 500 (I) MM_NO_STATE
021926: *Sep 26 21:51:49.856 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
021927: *Sep 26 21:51:49.856 UTC: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
021928: *Sep 26 21:51:49.856 UTC: ISAKMP:(0:0:N/A:0): sending packet to 10.2.2.3 my_port 500 peer_port 500 (I) MM_NO_STATE
021929: *Sep 26 21:51:57.648 UTC: %CRYPTO-6-IKE_TED_BAD_REPLY: Received TED reply that did not correspond to a TED probe
021930: *Sep 26 21:51:59.852 UTC: ISAKMP: received ke message (1/1)
021931: *Sep 26 21:51:59.852 UTC: ISAKMP: set new node 0 to CONF_ADDR
021932: *Sep 26 21:51:59.852 UTC: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 10.20.20.2, remote 10.2.2.3)
021933: *Sep 26 21:51:59.856 UTC: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
021934: *Sep 26 21:51:59.856 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
021935: *Sep 26 21:51:59.856 UTC: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
021936: *Sep 26 21:51:59.856 UTC: ISAKMP:(0:0:N/A:0): sending packet to 10.2.2.3 my_port 500 peer_port 500 (I) MM_NO_STATE
Thx,
Oszkar
09-26-2008 12:12 PM
ip nat inside source static 192.168.10.2 10.2.2.3 route-map ISPB extendable
Can you explain what this route-map ISPB is?
Try adding the "route-map ISPB_policy_route" to the static NAT statement as shown below and then check. You do not need to apply the policy route-map to the inside interface of the router; just apply it to the static NAT statement.
route-map ISPB_policy_route permit 10
match ip address 110
set ip next-hop 10.2.2.1
ip nat inside source static 192.168.10.2 10.2.2.3 route-map ISPB_policy_route
HTH
Saju
09-26-2008 12:39 PM
Hi Saju,
I used two separate route-maps only because it was easier to make changes without modifying the existing working config (route-map for NAT and static route).
However, I tried this too...
route-map ISPB_policy_route permit 10
match ip address 110
set ip next-hop 10.2.2.1
ip nat inside source static 192.168.10.2 10.2.2.3 route-map ISPB_policy_route
...but same thing: without the static route the tunnel stays in MM_NO_STATE.
09-26-2008 12:44 PM
Hi Oszkar,
Did you clear the NAT translations after you made the change to the static NAT translation?
09-26-2008 01:14 PM
Yes, I did.
09-26-2008 12:12 PM
Hello Oszkar,
I think that using a specific static route for 10.20.20.2/32 is an acceptable solution in your scenario that removes the need for PBR and all the problems of PBR interaction with NAT.
I would suggest using it and removing PBR; it satisfies your needs and it is a simpler configuration.
If you still want to try to use PBR, I would use two different ACLs in the two route-maps so that you can change one independently.
In that case you can try to implement the suggestions and you can understand which of PBR and NAT examines the packets first.
Hope to help
Giuseppe
09-26-2008 12:51 PM
Hi Giuseppe,
Initially I tried with policy routing but I could not make it work, so I had to put in the static route. With the static route everything is fine, but I am trying to figure out what went wrong with the policy routing.
Oszkar
09-26-2008 12:52 PM
Hi,
What Giuseppe suggested is correct. In the given config I didn't understand the interface configs below.
interface fastethernet 1
ip address 10.1.1.2 255.255.255.0
ip nat inside
ip policy route-map SPB_policy_route
interface vlan1
ip address 10.1.1.1 255.255.255.0
ip nat outside
Your default route is pointing to 10.1.1.1 and that is the ISP. How can you have the same VLAN 1 with the same IP and NAT outside on it? Can you check on this?
Ullas
09-26-2008 01:02 PM
Hi Ullas,
Your observation is correct; I made a mistake here: the fastethernet 1 IP is 192.168.10.1.
Here is the current correct configuration:
ip nat inside source static 192.168.10.2 10.2.2.3 route-map ISPB extendable
route-map ISPB permit 10
match ip address 110
route-map ISPB_policy_route permit 10
match ip address 111
set ip next-hop 10.2.2.1
...
access-list 110 permit ip host 192.168.10.2 host 10.20.20.2
access-list 111 permit udp host 192.168.10.2 host 10.20.20.2
access-list 111 permit esp host 192.168.10.2 host 10.20.20.2
...
interface Vlan1
ip address 10.2.2.2 255.255.255.0
ip nat outside
interface fastethernet 1
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip policy route-map ISPB_policy_route
interface Fastethernet 0
ip address 10.1.1.2 255.255.255.0
....
ip route 0.0.0.0 0.0.0.0 10.1.1.1
Thx,
Oszkar
09-26-2008 01:29 PM
Your current default route is to 10.1.1.1, so all packets are going there. Do you have any specific route to 10.20.20.0? If not, you need that to send the packet there. You need to have a specific route for 10.20.20.2/32 to 10.2.2.1 in this scenario.
Ullas