Question on route-map

Answered Question
Feb 23rd, 2012

I have a 1941W that has a connection to my ISP (Gi0/1) and another connection to a remote lab (Gi0/0). Everything is working fine how it is set up. All my traffic from my internal networks can access the Internet, and devices on 192.168.201.0/24 can access the Internet and the lab 10.89.0.0/16.

Now I want to have two devices (192.168.201.51 & .147) use Gi0/0 when accessing host 63.85.190.67. There is no route to this subnet since it resides in the remote lab. Here is what I have right now. How would I set up PBR to have those two hosts use Gi0/0 when accessing 63.85.190.67?

interface Vlan192
 ip address 192.168.201.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0
 description LAB
 ip address 10.89.67.170 255.255.255.192
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description INTERNET_CONNECTION
 ip address dhcp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip nat inside source list 103 interface GigabitEthernet0/0 overload
!
ip route 10.89.0.0 255.255.0.0 GigabitEthernet0/0
!
access-list 101 remark INSIDE_NETWORK
access-list 101 deny ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255
access-list 101 permit ip 192.168.201.0 0.0.0.255 any
access-list 103 remark LAB
access-list 103 permit ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255

Gateway of last resort is 72.57.36.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 72.57.36.1
      ...
S     10.89.0.0/16 is directly connected, GigabitEthernet0/0
C     10.89.67.128/26 is directly connected, GigabitEthernet0/0
L     10.89.67.170/32 is directly connected, GigabitEthernet0/0
      69.0.0.0/32 is subnetted, 1 subnets
S        69.252.202.6 [254/0] via 71.57.36.1, GigabitEthernet0/1
      72.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        72.57.36.0/23 is directly connected, GigabitEthernet0/1
L        72.57.36.242/32 is directly connected, GigabitEthernet0/1
      192.168.201.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.201.0/24 is directly connected, Vlan192
L        192.168.201.1/32 is directly connected, Vlan192

Thanks,

Scott

pjmonline Thu, 02/23/2012 - 18:39

ip route 63.85.190.67 255.255.255.255 192.168.201.1 would route the whole subnet to be able to get to the IP address. If it is only needed on 2 devices you may want to add a static route to the computers. In Windows you can do it via the route add command.

Hth


Scott Fella Thu, 02/23/2012 - 19:09

Thanks… just tried it and still no go. I do see hits on the route-map though. Since Gi0/0 requires NAT, is there something special I need to also do?

interface Vlan192
 ip address 192.168.201.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map GotoGi0/0
!
ip access-list extended mytraffic
 permit ip host 192.168.201.51 host 63.85.190.67
 permit ip host 192.168.201.147 host 63.85.190.67
!
route-map GotoGi0/0 permit 10
 match ip address mytraffic
 set interface GigabitEthernet0/0
!
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip nat inside source list 103 interface GigabitEthernet0/0 overload
!
access-list 101 remark INSIDE_NETWORK
access-list 101 deny ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.100.0 0.0.0.255 any
access-list 101 permit ip 10.10.200.0 0.0.0.255 any
access-list 101 permit ip 10.10.210.0 0.0.0.255 any
access-list 101 permit ip 192.168.201.0 0.0.0.255 any
access-list 103 remark LAB
access-list 103 permit ip host 192.168.201.51 host 63.85.190.67
access-list 103 permit ip host 192.168.201.147 host 63.85.190.67
access-list 103 permit ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255

route-map GotoGi0/0, permit, sequence 10
  Match clauses:
    ip address (access-lists): mytraffic
  Set clauses:
    interface GigabitEthernet0/0
  Policy routing matches: 241 packets, 33749 bytes

icmp 10.89.66.170:1       192.168.201.147:1     10.89.66.66:1         10.89.66.66:1
icmp 71.57.36.242:1       192.168.201.147:1     63.85.190.67:1        63.85.190.67:1

thotsaphon Thu, 02/23/2012 - 19:16

Hi,

It always happens when you have 2 WAN links. To remedy this problem, just try this.

F.e.

! Assuming that ACLs are correct.
!
route-map TrafficG0/0 permit 10
 match ip address 101
 match interface G0/0
!
route-map TrafficG0/1 permit 10
 match ip address 103
 match interface G0/1
!
ip nat inside source route-map TrafficG0/0 interface GigabitEthernet0/0 overload
ip nat inside source route-map TrafficG0/1 interface GigabitEthernet0/1 overload
!

HTH,

Toshi

Scott Fella Thu, 02/23/2012 - 19:31

Well no go yet☺

icmp 10.89.66.170:1       192.168.201.147:1     10.89.66.67:1         10.89.66.67:1
icmp 71.57.36.242:1       192.168.201.147:1     63.85.190.67:1        63.85.190.67:1

I had to move the rules around since it was switched around a bit.

route-map TrafficG0/0 permit 10
 match ip address 103
 match interface G0/0
!
route-map TrafficG0/1 permit 10
 match ip address 101
 match interface G0/1
!
ip nat inside source route-map TrafficG0/0 interface GigabitEthernet0/0 overload
ip nat inside source route-map TrafficG0/1 interface GigabitEthernet0/1 overload

IL-AUR-1941W#sh route-map all
STATIC routemaps
route-map TrafficG0/1, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
    interface GigabitEthernet0/1
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map TrafficG0/0, permit, sequence 10
  Match clauses:
    ip address (access-lists): 103
    interface GigabitEthernet0/0
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map GotoGi0/0, permit, sequence 10
  Match clauses:
    ip address (access-lists): mytraffic
  Set clauses:
    interface GigabitEthernet0/0
  Policy routing matches: 145 packets, 10730 bytes
DYNAMIC routemaps
Current active dynamic routemaps = 0

Scott Fella Thu, 02/23/2012 - 19:15

Thanks… I did look at that link and others that are out there. I did have routes set in my Windows hosts, but wanted to get this working instead, because every time I reboot I have to add that route back.

It's weird, because if I stop pinging from host 192.168.201.147 to host 63.85.190.67, the counters on the route-map stop, so I know it's hitting the route-map. Must be something with NAT, even though my other devices are fine getting to the other devices in the lab from Gi0/0.

Correct Answer
thotsaphon Thu, 02/23/2012 - 20:33

Hello,

Let me change this ACL. Please let me see the output of "show ip nat trans"

access-list 101 remark INSIDE_NETWORK
access-list 101 deny ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255
access-list 101 deny ip host 192.168.201.51 host 63.85.196.67
access-list 101 deny ip host 192.168.201.147 host 63.85.196.67
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.100.0 0.0.0.255 any
access-list 101 permit ip 10.10.200.0 0.0.0.255 any
access-list 101 permit ip 10.10.210.0 0.0.0.255 any
access-list 101 permit ip 192.168.201.0 0.0.0.255 any

HTH,

Toshi
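
The NAT translations Scott posted show why the extra deny entries matter: the flow to the lab host was being translated to the Gi0/1 address even though PBR sent it out Gi0/0, because ACL 101 (tied to Gi0/1) is consulted first and its "192.168.201.0/24 to any" entry permitted the flow before ACL 103 ever saw it. The following Python model is an added example, not code from the thread or from Cisco: it implements IOS wildcard-mask matching and first-match ACL evaluation, walks the two "ip nat inside source list" statements in configured order, and returns which interface a given flow would be translated out of, before and after the deny entries are added. The ACL contents and host addresses are taken from the thread; the first-match ordering of the NAT statements is the simplified model the thread's observed behaviour is consistent with.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")          # "any" in IOS ACL syntax

def host(addr):
    """IOS 'host X' is X with an all-zero wildcard mask."""
    return (addr, "0.0.0.0")

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def acl_permits(acl, src, dst):
    """Top-down evaluation: the first ACE that matches decides; implicit deny if none does."""
    for action, (s_net, s_wc), (d_net, d_wc) in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False

def nat_egress(nat_rules, acls, src, dst):
    """Model of 'ip nat inside source list <acl> interface <if> overload' statements
    consulted in configured order: the first ACL that permits the flow selects the
    interface whose address the source is translated to. None if no statement matches."""
    for acl_name, ifname in nat_rules:
        if acl_permits(acls[acl_name], src, dst):
            return ifname
    return None

# Constructed from the thread: the two PBR hosts, the lab range and the lab-side target.
LAB = ("10.89.0.0", "0.0.255.255")
INSIDE = ("192.168.201.0", "0.0.0.255")
TARGET = host("63.85.190.67")

ACL_103 = [("permit", host("192.168.201.51"), TARGET),
           ("permit", host("192.168.201.147"), TARGET),
           ("permit", INSIDE, LAB)]
ACL_101_BEFORE = [("deny", INSIDE, LAB), ("permit", INSIDE, ANY)]
ACL_101_AFTER = [("deny", INSIDE, LAB),
                 ("deny", host("192.168.201.51"), TARGET),
                 ("deny", host("192.168.201.147"), TARGET),
                 ("permit", INSIDE, ANY)]
NAT_ORDER = [("101", "GigabitEthernet0/1"), ("103", "GigabitEthernet0/0")]

def egress_before_and_after(src, dst):
    """Return (interface with the original ACL 101, interface with the corrected ACL 101)."""
    before = nat_egress(NAT_ORDER, {"101": ACL_101_BEFORE, "103": ACL_103}, src, dst)
    after = nat_egress(NAT_ORDER, {"101": ACL_101_AFTER, "103": ACL_103}, src, dst)
    return before, after
```

For 192.168.201.147 to 63.85.190.67 the model returns Gi0/1 before the fix and Gi0/0 after it, matching the two "show ip nat trans" outputs in the thread, while ordinary Internet traffic from the rest of the /24 still goes out Gi0/1 in both cases.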

Scott Fella Thu, 02/23/2012 - 20:46

That worked:)

icmp 10.89.66.170:1       192.168.201.147:1     10.89.66.67:1         10.89.66.67:1
icmp 10.89.66.170:1       192.168.201.147:1     63.85.196.67:1        63.85.196.67:1

Correct Answer
Richard Burts Thu, 02/23/2012 - 20:52

Scott

I would suggest a change in the route map that you are using for PBR. Instead of setting the interface

set interface GigabitEthernet0/0

I would suggest that you set the next hop address to be used instead of just setting the interface. If you set the interface then it forces the router to ARP for the destination address. And if the next hop router does not respond to the ARP request (proxy ARP) then the traffic will fail.

HTH

Rick

Scott Fella Thu, 02/23/2012 - 21:04

Rick,

Well that worked... I initially just looked at the NAT translation without even trying to ping that address. Well I'm able to ping it now. Thanks for all the help guys!
