11-06-2008 06:11 AM - edited 03-04-2019 12:13 AM
I am looking at the following scenario.
2811
7204
2811 has a point-to-point T1 connection to 7204. Right now all traffic between the 2 networks uses this serial link. Both routers also have an Ethernet WAN link. I am trying to create a VPN between the 2 routers using the WAN interfaces, but only want specific traffic to flow over the VPN. All other traffic will still use the serial connection.
I tried this last night using policy based routing at the 2811 end. The 2811 default gateway is the 7204 serial interface. I then directed any traffic destined for 172.24.157.225 and 172.24.157.226 out int fa0/1. This would not work; the only way I got traffic to flow over the VPN is if I changed the default gateway to the upstream neighbor on fa0/1. Is what I am trying to do possible?
2811
interface FastEthernet0/0
description Inside Network
ip address 172.24.154.1 255.255.254.0
ip policy route-map vpn_map
duplex auto
speed auto
interface Serial0/1/0
ip address 192.168.10.30 255.255.255.252
interface FastEthernet0/1
description $ES_LAN$
ip address 98.x.x.2 255.255.255.0
duplex auto
speed auto
crypto map mymap
ip route 0.0.0.0 0.0.0.0 192.168.10.29
ip local policy route-map vpn_map
access-list 120 permit ip any host 172.24.157.225
access-list 120 permit ip any host 172.24.157.226
route-map vpn_map permit 20
match ip address 120
set ip next-hop 98.x.x.1
11-06-2008 07:35 AM
Adam
There is no route to the peer address 66.x.x.1xx so the router does not know how to get there. That would also explain why when you tried to add a static route with that as the next-hop the router wouldn't add it.
Do you know where the 66.x.x.1xx peer is in relation to the next-hop IP of 98.x.x.1 ?
Jon
11-06-2008 06:14 AM
Adam
I am a little confused about this. The crypto map access-lists define what traffic is to be sent down the VPN tunnel, so you shouldn't need PBR at all as far as I can see.
What am I missing?
Jon
11-06-2008 06:18 AM
Jon, I'm confused too! Wish I knew more about routers. Anywho, I updated my first post with a little config. All the traffic currently flows over the serial connection. If I want specific traffic to flow over int fa0/1 instead, do I only need the crypto map acl? I don't need to do pbr?
11-06-2008 06:22 AM
That's my understanding. You've got me second-guessing myself now. I know for sure you don't need a route for VPNs on PIX/ASA, or more specifically you don't need a route to the remote subnet(s), but you do to the remote peer.
As you have a P2P link your 2800 will know how to get to the peer address. Unfortunately I don't have any routers to test with, but from memory I think it works the same way.
Edit - if you test and find this doesn't work this link may help - it's the order of operations on a router although i suspect you may have seen it already -
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
Jon
11-06-2008 06:25 AM
I'll try this out later today and let you know how it goes.
11-06-2008 06:35 AM
2811
crypto map mymap 1 ipsec-isakmp
description Tunnel to Main Site
set peer 66.x.x.1xx
set transform-set ESP-3DES-MD5
set pfs group2
match address 120
access-list 120 permit ip host 172.24.154.1 host 172.24.157.225
access-list 120 permit ip host 172.24.154.1 host 172.24.157.226
2811#show ip route | inc 157
D 172.24.157.0/24 [90/2172416] via 192.168.10.29, 12:27:45, Serial0/1/0
???
11-06-2008 06:38 AM
Is the 172.24.157.0 network meant to be reachable via the s0/1/0 link, and you only want some of the traffic to go via the Ethernet link?
Jon
11-06-2008 06:41 AM
Yes.
11-06-2008 06:40 AM
Your original config had
set ip next-hop 98.x.x.1
but according to this config
set peer 66.x.x.1xx
Is this just a typo?
Jon
11-06-2008 06:42 AM
98.x.x.1 is the next hop of interface fa0/1.
66.x.x.1xx is peer address on 7200.
Should I have the next hop be the peer address?
Even if I add a static route it doesn't show up?
ip route 172.24.157.226 255.255.255.255 66.x.x.1xx
Phil_Rtr#show ip route | inc 157
D 172.24.157.0/24 [90/2172416] via 192.168.10.29, 12:44:29, Serial0/1/0
11-06-2008 06:51 AM
"Should I have the next hop be the peer address?"
No, it's right as it is. I think the issue is as you have highlighted, i.e. you have a route for the subnet pointing out a different interface (never done this before) and routing happens before crypto checks. So you could
1) Just add static routes for these 2 hosts on your 2800 so that they get routed to the right interface
OR
2) we can try and work out why PBR isn't working. PBR happens before routing (obviously !!). Let me have a reread of the entire post and see if there are any glaring things I've missed. By the way, when you set up the PBR did you see any hits on your access-list?
Jon
11-06-2008 06:53 AM
Thanks Jon. I added a little to my last post. I'll check the pbr acl for hits.
11-06-2008 06:56 AM
Adam
The route would have to be the next-hop out of fa0/1
ip route 172.24.157.226 255.255.255.255 98.x.x.1
By the way, do you have a route to 66.x.x.1xx in your routing table?
Jon
11-06-2008 06:54 AM
Adam
Any reason you have the crypto map applied to fa0/0?
Shouldn't it be applied to fa0/1?
Jon
11-06-2008 07:06 AM
I don't know, but the vpn comes up.
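Putting together Jon's accepted answer (the router has no route to the 66.x.x.1xx peer) with his option 1 (static host routes so the two destinations leave via fa0/1), here is what the 2811 side looks like as an added configuration example. This is not the original poster's config or anything from the thread; the masked addresses 66.x.x.1xx, 98.x.x.1 and the 172.24.157.225/.226 hosts are the thread's values, and the crypto ACL source of the whole 172.24.154.0/23 inside subnet is an assumption (the thread's ACL 120 only matched the router's own fa0/0 address). The point it demonstrates: IOS does the route lookup first and only then evaluates the crypto map on the egress interface, so a /32 route pointing out fa0/1 wins over the EIGRP /24 learned via Serial0/1/0 for exactly those two hosts, and the peer itself must also be reachable via fa0/1 or ISAKMP never starts.

```cisco
! 2811 -- added example, not the original poster's configuration.
! 66.x.x.1xx, 98.x.x.1 and 172.24.157.225/.226 are the thread's masked values.

! 1. The IKE/IPsec peer needs a route of its own; without it the earlier
!    "ip route 172.24.157.226 255.255.255.255 66.x.x.1xx" could never install.
ip route 66.x.x.1xx 255.255.255.255 98.x.x.1

! 2. Host routes for the two destinations that should use the tunnel.
!    /32 is more specific than the EIGRP 172.24.157.0/24 via Serial0/1/0,
!    so longest-prefix match sends only these two hosts out fa0/1.
!    Everything else in 172.24.157.0/24 keeps using the T1.
ip route 172.24.157.225 255.255.255.255 98.x.x.1
ip route 172.24.157.226 255.255.255.255 98.x.x.1

! 3. Crypto ACL ("interesting traffic"); the 7204 must have the mirror image.
!    Assumption: the whole inside /23 should reach the two hosts over the tunnel.
ip access-list extended VPN_TRAFFIC
 permit ip 172.24.154.0 0.0.1.255 host 172.24.157.225
 permit ip 172.24.154.0 0.0.1.255 host 172.24.157.226

crypto map mymap 1 ipsec-isakmp
 description Tunnel to Main Site
 set peer 66.x.x.1xx
 set transform-set ESP-3DES-MD5
 set pfs group2
 match address VPN_TRAFFIC

! 4. The crypto map goes on the interface the static routes point out of,
!    because it is evaluated only on the egress interface.
interface FastEthernet0/1
 crypto map mymap

! 5. With routing doing the selection, the PBR route-map is not needed
!    (Jon's point): remove it from fa0/0 and from local policy.
interface FastEthernet0/0
 no ip policy route-map vpn_map
no ip local policy route-map vpn_map
```

To verify after applying it: `show ip route 172.24.157.226` should now return the /32 via 98.x.x.1 instead of the EIGRP /24 via Serial0/1/0, `show crypto isakmp sa` should show an active SA with 66.x.x.1xx once inside traffic is sent to either host, and `show crypto ipsec sa` should show the encaps/decaps counters climbing only for flows matching VPN_TRAFFIC. If the /32 routes are present but the SA never forms, check that the 7204's crypto ACL is the exact mirror of VPN_TRAFFIC, since an asymmetric proxy identity fails phase 2.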