route map over vpn

Unanswered Question
Apr 1st, 2009

I have a vpn to a remote site and I want to redirect traffic on port 80 to a host on that network. I tried doing a route map like this:

access-list 101 deny tcp any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443

route-map bluecoat permit 10
match ip address 101
set ip next-hop
set ip default next-hop

int Eth0/0
ip policy route-map bluecoat

Where Eth0/0 is the ingress port, but it doesn't appear to be applied, since hosts can still get to any web site.

The host is on the other side of a vpn. I can get to hosts on both sides of the vpn. I can't ping that host from the router though.

thotsaphon Wed, 04/01/2009 - 10:50


Please provide us a brief diagram.

Next-hop has to be a connected next-hop for that command.



zirkelad Wed, 04/01/2009 - 11:14

host -

router -

router -
| - static route to

content filter -

Again, hosts on either side of the vpn can talk to each other. I'm trying to force traffic on the web ports to the content filter.

thotsaphon Wed, 04/01/2009 - 11:21


Which device did you put those commands on?

router - ? or the switch connected to Bluecoat


zirkelad Wed, 04/01/2009 - 12:22

Those commands are on the first router, where the clients are first passing through. Basically I want to redirect all the web traffic going through to the content filter as described in the diagram.

thotsaphon Wed, 04/01/2009 - 12:31


That will not work, as I mentioned earlier. The first router will finally forward traffic based on the routing table. You may know that PBR doesn't change the destination IP address. It just rewrites the destination MAC to send to the next-hop you configured.

Well, what I can recommend is as follows:

- Bluecoat is running as a proxy, right? Can you force users to do something on the internet browser, such as manually configuring it or automatic detection?

- Let's check the switch at the other side. Can it support PBR? If it can, go configure it. I mean, configure PBR on the direction that packets are coming from the first router.
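To illustrate the second option, here is an added IOS-style configuration (not posted by anyone in this thread) for PBR on the far-end device whose interface faces the Bluecoat; all addresses and interface names are placeholders assumed for illustration. It also shows the verification commands that tell you whether the policy is actually matching, which is what the original poster never checked.

```cisco
! Added example, not from the thread. Placeholder addresses:
!   192.0.2.10  = assumed Bluecoat proxy (must be on a directly connected subnet)
!   Vlan20      = assumed interface on which packets from the first router ARRIVE
!
! Match only the web ports; everything else falls through to normal routing.
ip access-list extended WEB-TO-PROXY
 ! Exclude traffic sourced by the proxy itself so it is not sent back to itself.
 deny   tcp host 192.0.2.10 any
 permit tcp any any eq www
 permit tcp any any eq 443
!
route-map BLUECOAT permit 10
 match ip address WEB-TO-PROXY
 ! "set ip next-hop" overrides the routing table for matching packets;
 ! "set ip default next-hop" would only apply when no route exists at all.
 set ip next-hop 192.0.2.10
!
! PBR is an ingress feature: apply it where the client traffic enters this device.
interface Vlan20
 ip policy route-map BLUECOAT
!
! Verification (run in enable mode):
!   show route-map BLUECOAT   - "Policy routing matches" counter should increase
!   show ip policy            - confirms which interface the route-map is bound to
```

If the match counter stays at zero, the policy is bound to the wrong interface or the ACL does not match the traffic; if it increments but packets still go direct, the next-hop is not on a connected subnet and the set clause is being ignored.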



zirkelad Wed, 04/01/2009 - 13:09

I see what you're saying now. The vpn isn't set up to pass all traffic through it, only traffic destined for the local lan; other outbound traffic is NATed at the 196.1 router.

Maybe a proxy would be the best solution here. Would it be possible to do the forwarding with mac table entries? Is that possible for vpns? Do they have an interface name?

thotsaphon Wed, 04/01/2009 - 13:12


Would it be possible to do the forwarding with mac table entries? Is that possible for vpns? Do they have an interface name?

Sorry man, it's not possible. You may consider the switch at the far end to do PBR. It's just an option if the switch can do it.