Policy based routing

Answered Question
Mar 15th, 2010
Hi,


I want to configure PBR on a Cisco router. That router is connected to two Cisco ASAs with two different ISPs.


FW1          FW2
  |____________|
         |
        RO
         |
      Server



The default route for the router is FW1. Various VLANs are configured and inter-VLAN routing is working on that router.


I want that if any request for the server comes from IP 100.20.15.5 (outside traffic) via FW2, the response is sent back by the same route, i.e. via FW2.


Currently the request is coming from FW2 to the server, but as the default route is FW1, the outside user is not getting any response from the server. I have configured policy routing but it's not working; below is the configuration:


interface GigabitEthernet0/0.14
 description "Server VLAN"
 encapsulation dot1Q 14
 ip address 172.16.14.254 255.255.255.0
 ip policy route-map t_mob
!
interface GigabitEthernet0/1.18
 description "Connected to FW2"
 encapsulation dot1Q 18
 ip address 10.2.2.6 255.255.255.248
!
ip access-list extended t_mob_routemap
 description "Outside user IP"
 permit ip host 100.20.15.5 any
 deny   ip any any
!
route-map t_mob permit 10
 match ip address t_mob_routemap
 set interface GigabitEthernet0/1.18
!

Please suggest what the problem is.


Thanks,

Pawan

Correct Answer by ernest.zhamkochian about 7 years 1 month ago

Hi,


Jon is right, you have to change the access list.

But you can also forget about policy based routing and just put in the static route


ip route 100.20.15.5 255.255.255.255 FW2IP


and all the traffic with destination 100.20.15.5 will go through FW2.

Jon Marshall Mon, 03/15/2010 - 13:09
Pawan


ip access-list extended t_mob_routemap
 description "Outside user IP"
 permit ip host 100.20.15.5 any
 deny   ip any any


Is 100.20.15.5 a user on the Internet? If so, you need to modify the above ACL to


permit ip any host 100.20.15.5


Jon
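The two fixes proposed in this thread, written out as a complete configuration. This is an added example, not configuration posted by Pawan, Jon or Ernest. It assumes that FW2's inside address on the 10.2.2.0/29 segment is 10.2.2.1 (the post only gives the router side, 10.2.2.6), that FW1 stays the default route, and it swaps the original `set interface` for `set ip next-hop` (see the note after the block). Use one variant or the other, not both.

```cisco
! Added example, not part of the original thread.
! Assumed: FW2 inside address = 10.2.2.1; FW1 remains the default route.
!
! --- Variant A: PBR on the server VLAN, matching the RETURN traffic ---
! "ip policy" is applied inbound on Gi0/0.14, so the route-map only sees
! packets the server sends: source = server, destination = outside user.
! The original ACL ("permit ip host 100.20.15.5 any") described the
! request direction, which never enters Gi0/0.14, so it never matched and
! every reply fell through to the default route via FW1.
ip access-list extended t_mob_routemap
 remark Replies to the outside user whose requests arrive via FW2
 permit ip any host 100.20.15.5
!
route-map t_mob permit 10
 match ip address t_mob_routemap
 set ip next-hop 10.2.2.1
!
interface GigabitEthernet0/0.14
 description "Server VLAN"
 encapsulation dot1Q 14
 ip address 172.16.14.254 255.255.255.0
 ip policy route-map t_mob
!
! --- Variant B: no PBR, a host route (Ernest's suggestion) ---
! A /32 is more specific than the 0.0.0.0/0 default via FW1, so longest
! prefix match sends anything addressed to this host out via FW2, from
! every VLAN, not just the server VLAN.
ip route 100.20.15.5 255.255.255.255 10.2.2.1
!
! --- Verification (exec mode) ---
! Variant A: the packet counter on sequence 10 of the route-map should
! increase while 100.20.15.5 is talking to the server.
show route-map t_mob
show ip policy
! Variant B: the /32 should be shown instead of the default route.
show ip route 100.20.15.5
! Either variant: per-packet "policy match" / "policy rejected" messages.
debug ip policy
```

Two practical notes. First, the reason the outside user sees nothing is not just the asymmetric path: an ASA is stateful, so a reply that leaves through FW1 for a connection FW2 built has no matching connection on FW1 and is dropped there. Second, `set interface` is meant for point-to-point links; on a multi-access interface such as the dot1Q subinterface here the router has to ARP for the far-end destination on that segment, which only works if FW2 answers with proxy ARP. `set ip next-hop` to FW2's own address avoids that dependency. Variant B is simpler but also steers traffic the server (or any other VLAN) initiates towards 100.20.15.5 through FW2, whereas Variant A is scoped to what enters the server VLAN.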

Jon Marshall Tue, 03/16/2010 - 03:14
Ernest


But you can also forget about policy based routing and just put in the static route

ip route 100.20.15.5 255.255.255.255 FW2IP


Good point. I was so busy looking at the PBR config I overlooked the obvious!


Jon
