
Tunnel over WAN to route specific traffic

willem.vanwyk
Level 1

Hello

I have a 5 site WAN. The Head Office is supposed to receive all the http(s) traffic and route that to the internet.

I have tried to configure a route-map from one of the sites but am unsuccessful.

Attached is a diagram with my network layout as well as the config for the router with the route-map and the Head Office router config.

TIA

wvw

4 Replies

simontibbitts
Level 1

Hello Willem.

So are you trying to force all web traffic that enters f0/1 of site1 towards your head office? On your site1 configuration I can see you have policy routing configured, but on your WAN interface, so this will only affect traffic inbound from the head office.

From what I understand I think you need something like this?

interface FastEthernet0/1
 ip policy route-map WWW
!
access-list 140 permit tcp any host 192.168.1.254 eq www
!
route-map WWW permit 10
 match ip address 140
 set ip next-hop x.x.x.x

This configuration will forward all WWW traffic destined to 192.168.1.254 that arrives on f0/1 of site1 to the next hop x.x.x.x.

Is that what you are after?

Kind Regards,

Simon

Hello Simon

Thanks for your help! :)

"So are you trying to force all web traffic that enters f0/1 of site1 towards your head office?"

That is exactly what I am trying to do.

All port 80 traffic from Site1 needs to go to the Head Office router to hit 192.168.1.254.

From your example, I will configure the router and let you know how it works.

Thanks

willemvw

Hi Simon

I have changed the config on site 1's router to the following:

Int F0/1
 ip address 192.168.5.100 255.255.255.0
 ip policy route-map WWW

Running Config:

access-list 140 permit tcp any host 192.168.1.254 eq www
access-list 140 permit tcp any host 192.168.1.254 eq 443
queue-list 1 protocol ip 1 list 140
route-map WWW permit 10
 match ip address 140
 set ip next-hop 192.168.1.200

I have changed the config on Head Office's router to the following:

interface FastEthernet0/0
 ip policy route-map WWW
interface FastEthernet0/1
 ip policy route-map WWW
access-list 140 permit tcp any host 192.168.1.254 eq www
access-list 140 permit tcp any host 192.168.1.254 eq 443
route-map WWW permit 10
 match ip address 140
 set ip next-hop 192.168.1.254

This, according to the customer, is still not working, in that he cannot browse.

I think this could be due to the route-map WWW applied to only the LAN interface on the Site 1 router and also the next-hop IP addresses. Can you please confirm whether I should make the next-hop IP address 192.168.1.200 (Head Office LAN) or should I make it 192.168.1.254 (WWW Gateway server at Head Office)?

Regards

willemvw

Hi Willem.

I think you need to change your ACL 140. Currently the policy routing only captures HTTP and HTTPS traffic which is destined to 192.168.1.254.

I think you want ALL HTTP and HTTPS traffic to be SENT to 192.168.1.254, so I think you need to delete ACL 140 on both routers and create it as:

access-list 140 permit tcp any any eq www
access-list 140 permit tcp any any eq 443

Kind Regards,

Simon
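The difference between the two versions of ACL 140 in this thread, as an added example that is not part of any post: a simplified matcher that evaluates the posted ACL lines against a few flows and reports which ones the route-map would policy-route. It handles only the `any`/`host` and `eq` forms used here; the client 192.168.5.20 and the web server 203.0.113.10 are constructed sample addresses.

```python
import ipaddress

PORT_NAMES = {"www": 80}  # IOS port keyword used in the thread

# ACL 140 exactly as posted, before and after the suggested change
ACL_ORIGINAL = ["access-list 140 permit tcp any host 192.168.1.254 eq www",
                "access-list 140 permit tcp any host 192.168.1.254 eq 443"]
ACL_REVISED = ["access-list 140 permit tcp any any eq www",
               "access-list 140 permit tcp any any eq 443"]
CLIENT = "192.168.5.20"   # constructed host on the Site 1 LAN (192.168.5.0/24)
WEB = "203.0.113.10"      # constructed internet web server (documentation range)

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; None means any address."""
    word = tokens.pop(0)
    if word == "any":
        return None
    if word == "host":
        return ipaddress.ip_address(tokens.pop(0))
    raise ValueError(f"unsupported address spec: {word}")

def parse_ace(line):
    """Parse 'access-list N permit|deny tcp SRC DST eq PORT'."""
    t = line.split()
    if len(t) < 8 or t[0] != "access-list" or t[3] != "tcp":
        raise ValueError(f"unsupported ACE: {line}")
    rest = t[4:]
    src, dst = _addr(rest), _addr(rest)
    if len(rest) != 2 or rest[0] != "eq":
        raise ValueError(f"unsupported ACE: {line}")
    return t[2], src, dst, PORT_NAMES.get(rest[1]) or int(rest[1])

def policy_routed(acl_lines, src, dst, dport):
    """True if 'match ip address' permits the TCP flow; otherwise the packet
    falls through to the normal routing table (implicit deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, a_src, a_dst, a_port in map(parse_ace, acl_lines):
        if a_src in (None, src) and a_dst in (None, dst) and a_port == dport:
            return action == "permit"
    return False

if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("revised", ACL_REVISED)):
        for dst, port in ((WEB, 80), (WEB, 443), ("192.168.1.254", 80), (WEB, 25)):
            hit = policy_routed(acl, CLIENT, dst, port)
            print(f"{name:8} {CLIENT} -> {dst}:{port:<3} policy-routed={hit}")
```
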
