Solved: Policy Map Help

andypearce33 · ‎04-27-2009

Hi, I'm trying to set up a policy map to route all traffic out to an ADSL modem on the same subnet (192.168.15.2).

We have a VPN tunnel set to an external company.. I need to send traffic for network 203.102.137.156 to the atm 0.1 interface which is our shdsl link..

All incoming traffic needs to come in via the atn0.1 interface. We have NAT setup (see below)

Please see below config: Please can anyone advise if I have the policy map setup correctly to map all outgoing traffic to 192.168.15.2 and the VPN traffic to 203.102.137.156 via atm0.1. Also advise if this will effect incoming connections?

interface ATM0.1 point-to-point

ip address 125.255.65.226 255.255.255.252

ip nat outside

ip virtual-reassembly

atm route-bridged ip

pvc 1/32

encapsulation aal5snap

interface Vlan1

ip address 192.168.15.254 255.255.255.0

ip nat insideip policy route-map Webtraffic

ip route-cache policy

route-map Webtraffic permit 10

match address 111

set default interface atm 0.1

exit

route-map Webtraffic permit 20

match address 40

set ip default next-hop 192.168.15.2

access-list 40 permit any

access-list 111 deny ip 192.168.15.0 0.0.0.255 host 203.102.137.156

access-list 111 permit ip 192.168.15.0 0.0.0.255 any

ip nat inside source list 111 interface ATM0.1 overload

ip nat inside source static tcp 192.168.15.5 25 125.255.65.226 25 extendable

ip nat inside source static tcp 192.168.15.5 80 125.255.65.226 80 extendable

ip nat inside source static tcp 192.168.15.5 110 125.255.65.226 110 extendable

ip nat inside source static tcp 192.168.15.5 443 125.255.65.226 443 extendable

ip nat inside source static tcp 192.168.15.5 1723 125.255.65.226 1723 extendable

Laurent Aubert · ‎05-04-2009

Hi,

With your configuration, you can expect the following behavior:

- traffic to 203.102.137.156 which source is 192.168.15.x will be sent to 192.168.15.2. A deny in an ACL means check the next route-map entry

- Traffic which source is 192.168.15.x to everything else will be sent to atm0.1

- All other traffic will be sent to 192.168.15.2.

The match address 40 is not necessary.

If I understand you correctly, you want to send all the traffic received on Vlan 1 to 192.168.15.2 except the traffic which destination is 203.102.137.156.

In this case, this route-map should answer to your requirement:

access-list 101 permit ip 192.168.15.0 0.0.0.255 host 203.102.137.156

!

route-map Webtraffic permit 10

match address 101

set default interface atm 0.1

!

route-map Webtraffic permit 20

set ip default next-hop 192.168.15.2

!

HTH

Laurent.

View solution in original post

vkapoor5 · ‎05-04-2009

Verifying the Configuration of Policy Maps and Their Classes

To display the contents of a specific policy map, a specific class from a specific policy map, or all policy maps configured on an interface, use the following commands in EXEC mode

Router# show policy policy-map

Router# show policy policy-map class class-name

Router# show policy interface interface-name

Laurent Aubert · ‎05-04-2009

Hi,

With your configuration, you can expect the following behavior:

- traffic to 203.102.137.156 which source is 192.168.15.x will be sent to 192.168.15.2. A deny in an ACL means check the next route-map entry

- Traffic which source is 192.168.15.x to everything else will be sent to atm0.1

- All other traffic will be sent to 192.168.15.2.

The match address 40 is not necessary.

If I understand you correctly, you want to send all the traffic received on Vlan 1 to 192.168.15.2 except the traffic which destination is 203.102.137.156.

In this case, this route-map should answer to your requirement:

access-list 101 permit ip 192.168.15.0 0.0.0.255 host 203.102.137.156

!

route-map Webtraffic permit 10

match address 101

set default interface atm 0.1

!

route-map Webtraffic permit 20

set ip default next-hop 192.168.15.2

!

HTH

Laurent.