policy routing & nat on the same router

oszkari
Level 1

Hi,

I have one router connected to 2 ISPs. One of the ISPs is used for Internet connectivity & VPN with branch office A and the other for VPN with branch office B. The IPSEC endpoint on this side is an ASA, which is behind this router. (See the attached picture)

I don't have an AS/BGP, so I tried to use policy routing on the router to redirect traffic to ISPB for the second tunnel and NAT to achieve symmetric routing.

router config:

ip nat inside source static 192.168.10.2 10.2.2.3 route-map ISPB extendable
!
route-map ISPB permit 10
 match ip address 110
!
access-list 110 permit ip host 192.168.10.2 host 10.20.20.2
...
route-map ISPB_policy_route permit 10
 match ip address 110
 set ip next-hop 10.2.2.1
...
interface fastethernet 0
 ip address 10.2.2.2 255.255.255.0
!
interface fastethernet 1
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 ip policy route-map ISPB_policy_route
!
interface vlan1
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
....
ip route 0.0.0.0 0.0.0.0 10.1.1.1

Although in the output of debug ip policy I see that the policy routing is working, and on the branch B router I can see the packets coming from 10.2.2.3, the tunnel never comes up.

If I put a static route to 10.20.20.2/32 via 10.2.2.1, the tunnel goes UP.

What could be the answer for this?

Thanks,

Oszkar

15 Replies

merryllem
Level 1

I know translation happens before routing... so working with that theory, give this a try:

access-list 111 permit ip host 10.2.2.3 host 10.20.20.2
...
route-map ISPB_policy_route permit 10
 match ip address 111
 set ip next-hop 10.2.2.1

Hi merryllem,

Thanks for the reply.

I have modified the access-list as you said, but after this modification there was no more matching traffic for the route-map, e.g. no traffic arrived at the other endpoint.

As far as I know, both policy routing and routing happen before NAT.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Any other ideas?

Oszkar

Try using esp and udp in the access-list. You might have to remove fast switching from the interfaces where you are doing policy routing: no ip route-cache

access-list 120 permit udp host 192.168.10.2 host 10.20.20.2
access-list 120 permit esp host 192.168.10.2 host 10.20.20.2
!
route-map ISPB_policy_route permit 10
 match ip address 120
 set ip next-hop 10.2.2.1

HTH

Saju

Hi Saju,

I made the modifications on the ACL 120, and set no ip route-cache on FA1 (policy route interface), but no result.

The tunnel is still in MM_NO_STATE...

What I observed, and it looked strange, was that the esp traffic never matched the ACL, only the UDP.

Here is the debug crypto isakmp output from the router on Branch B.

021901: *Sep 26 21:51:29.852 UTC: ISAKMP: received ke message (1/1)
021902: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
021903: *Sep 26 21:51:29.852 UTC: ISAKMP: Created a peer struct for 10.2.2.3, peer port 500
021904: *Sep 26 21:51:29.852 UTC: ISAKMP: New peer created peer = 0x448DDFA8 peer_handle = 0x80000087
021905: *Sep 26 21:51:29.852 UTC: ISAKMP: Locking peer struct 0x448DDFA8, IKE refcount 1 for isakmp_initiator
021906: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0):Setting client config settings 4496E270
021907: *Sep 26 21:51:29.852 UTC: ISAKMP: local port 500, remote port 500
021908: *Sep 26 21:51:29.852 UTC: ISAKMP: set new node 0 to CONF_ADDR
021909: *Sep 26 21:51:29.852 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 44955238
021910: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
021911: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0):Looking for a matching key for 10.2.2.3 in default
021912: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0): : success
021913: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.2.2.3
021914: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
021915: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
021916: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
021917: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
021918: *Sep 26 21:51:29.852 UTC: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
021919: *Sep 26 21:51:29.856 UTC: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
021920: *Sep 26 21:51:29.856 UTC: ISAKMP:(0:0:N/A:0): sending packet to 10.2.2.3 my_port 500 peer_port 500 (I) MM_NO_STATE
021922: *Sep 26 21:51:39.856 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
021923: *Sep 26 21:51:39.856 UTC: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
021924: *Sep 26 21:51:39.856 UTC: ISAKMP:(0:0:N/A:0): sending packet to 10.2.2.3 my_port 500 peer_port 500 (I) MM_NO_STATE
021926: *Sep 26 21:51:49.856 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
021927: *Sep 26 21:51:49.856 UTC: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
021928: *Sep 26 21:51:49.856 UTC: ISAKMP:(0:0:N/A:0): sending packet to 10.2.2.3 my_port 500 peer_port 500 (I) MM_NO_STATE
021929: *Sep 26 21:51:57.648 UTC: %CRYPTO-6-IKE_TED_BAD_REPLY: Received TED reply that did not correspond to a TED probe
021930: *Sep 26 21:51:59.852 UTC: ISAKMP: received ke message (1/1)
021931: *Sep 26 21:51:59.852 UTC: ISAKMP: set new node 0 to CONF_ADDR
021932: *Sep 26 21:51:59.852 UTC: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 10.20.20.2, remote 10.2.2.3)
021933: *Sep 26 21:51:59.856 UTC: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
021934: *Sep 26 21:51:59.856 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
021935: *Sep 26 21:51:59.856 UTC: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
021936: *Sep 26 21:51:59.856 UTC: ISAKMP:(0:0:N/A:0): sending packet to 10.2.2.3 my_port 500 peer_port 500 (I) MM_NO_STATE

Thx,

Oszkar

ip nat inside source static 192.168.10.2 10.2.2.3 route-map ISPB extendable

Can you explain what this route-map ISPB is?

Try adding the "route-map ISPB_policy_route" to the static NAT statement as shown below and then check. You do not need to apply the policy route-map to the inside interface of the router; just apply it to the static NAT statement.

route-map ISPB_policy_route permit 10
 match ip address 110
 set ip next-hop 10.2.2.1
!
ip nat inside source static 192.168.10.2 10.2.2.3 route-map ISPB_policy_route

HTH

Saju

Hi Saju,

I used two separate route-maps only because it was easier to make changes without modifying the existing working config (route-map for NAT and static route).

However, I tried this too...

route-map ISPB_policy_route permit 10
 match ip address 110
 set ip next-hop 10.2.2.1
!
ip nat inside source static 192.168.10.2 10.2.2.3 route-map ISPB_policy_route

...but same thing: without the static route the tunnel stays in MM_NO_STATE.

Hi Oszkar,

Did you clear NAT translations after you made the change to the static NAT translation?

Yes, I did.

Giuseppe Larosa
Hall of Fame

Hello Oszkar,

I think that using a specific static route for 10.20.20.2/32 is an acceptable solution in your scenario that removes the need for PBR and all the problems of PBR interaction with NAT.

I would suggest using it and removing PBR: it satisfies your needs and it is a simpler configuration.

If you still want to try to use PBR, I would use two different ACLs in the two route-maps so that you can change one independently.

In that case you can try to implement the suggestions and you can understand which of PBR and NAT examines the packets first.

Hope to help

Giuseppe
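To make the order-of-operations question in this thread concrete (Oszkar's claim that routing and PBR run before NAT, and Giuseppe's point that a static route sidesteps PBR entirely), here is an added simulation that is not part of the thread and not Cisco code. It models only what the thread states: on the inside-to-outside path PBR on the ingress interface is evaluated first, then the routing table, then inside-source NAT; the addresses, ACLs and routes are the thread's, and the ordering is the assumption.

```python
# Added example (not from the thread): a toy model of the IOS inside-to-outside
# packet path as described in the thread. ASSUMED order: PBR on the ingress
# interface, then routing-table lookup, then inside-source NAT.
import ipaddress

# Static NAT entry from the thread, guarded by route-map ISPB / ACL 110.
STATIC_NAT = {"inside": "192.168.10.2", "global": "10.2.2.3",
              "acl": [("192.168.10.2", "10.20.20.2")]}

# ACLs from the thread, as (source host, destination host) pairs.
ACL_110_PRE_NAT = [("192.168.10.2", "10.20.20.2")]   # inside address
ACL_111_POST_NAT = [("10.2.2.3", "10.20.20.2")]      # merryllem's suggestion

def acl_matches(acl, src, dst):
    """Plain host/host ACL: True if any entry matches the pair."""
    return any(src == s and dst == d for s, d in acl)

def route_lookup(table, dst):
    """Longest-prefix match; table maps 'prefix/len' -> next hop."""
    dst_ip = ipaddress.ip_address(dst)
    best = max((ipaddress.ip_network(p) for p in table
                if dst_ip in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen, default=None)
    return table[str(best)] if best is not None else None

def forward(src, dst, pbr_acl, pbr_next_hop, routes, nat=STATIC_NAT):
    """Return (next_hop, source address on the wire) for a packet that
    arrives on the 'ip nat inside' interface carrying the PBR route-map."""
    # 1) PBR sees the packet as received: still the inside (pre-NAT) source.
    if acl_matches(pbr_acl, src, dst):
        next_hop = pbr_next_hop
    else:
        # 2) No PBR match: the routing table decides (default route here).
        next_hop = route_lookup(routes, dst)
    # 3) Inside-source NAT runs after the forwarding decision, and only
    #    when the NAT route-map's ACL matches the original addresses.
    if src == nat["inside"] and acl_matches(nat["acl"], src, dst):
        src = nat["global"]
    return next_hop, src

DEFAULT_ONLY = {"0.0.0.0/0": "10.1.1.1"}
WITH_HOST_ROUTE = {"0.0.0.0/0": "10.1.1.1", "10.20.20.2/32": "10.2.2.1"}

if __name__ == "__main__":
    for acl in (ACL_110_PRE_NAT, ACL_111_POST_NAT):
        print(acl, forward("192.168.10.2", "10.20.20.2", acl, "10.2.2.1", DEFAULT_ONLY))
    print("static /32:", forward("192.168.10.2", "10.20.20.2", [], None, WITH_HOST_ROUTE))
```

Under this ordering the post-NAT ACL never matches on the inside interface, so the packet leaves toward ISP A with the ISPB-side source address, while the /32 static route reaches ISPB without any PBR at all.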

Hi Giuseppe,

Initially I tried with policy routing but I could not make it work, so I had to put in the static route. With the static route everything is fine, but I am trying to figure out what went wrong with the policy routing.

Oszkar

Hi,

What Giuseppe suggested is correct. In the given config I didn't understand the interface configs below.

interface fastethernet 1
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 ip policy route-map SPB_policy_route
!
interface vlan1
 ip address 10.1.1.1 255.255.255.0
 ip nat outside

Your default route is pointing to 10.1.1.1 and it's the ISP. How can you have the same VLAN 1 with the same IP and NAT outside on it? Can you check on this?

Ullas

Hi Ullas,

Your observation is correct, I made a mistake here: the fastethernet 1 IP is 192.168.10.1.

Here is the current correct configuration:

ip nat inside source static 192.168.10.2 10.2.2.3 route-map ISPB extendable
!
route-map ISPB permit 10
 match ip address 110
!
route-map ISPB_policy_route permit 10
 match ip address 111
 set ip next-hop 10.2.2.1
...
access-list 110 permit ip host 192.168.10.2 host 10.20.20.2
access-list 111 permit udp host 192.168.10.2 host 10.20.20.2
access-list 111 permit esp host 192.168.10.2 host 10.20.20.2
...
interface Vlan1
 ip address 10.2.2.2 255.255.255.0
 ip nat outside
!
interface fastethernet 1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip policy route-map ISPB_policy_route
!
interface Fastethernet 0
 ip address 10.1.1.2 255.255.255.0
....
ip route 0.0.0.0 0.0.0.0 10.1.1.1

Thx,

Oszkar

I reanalyzed the network map too, and Vlan1 was switched with FA0, sorry... I was tired...

Your current default route is to 10.1.1.1, so all packets are going there. Do you have any specific route to 10.20.20.0? If not, you need that to send the packets there. You need to have a specific route for 10.20.20.2/32 to 10.2.2.1 in this scenario.

Ullas
