Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1392
Views
5
Helpful
6
Replies

How matters order of access-lists for different Gateway of last resort?

dese.co.uk
Level 1
Level 1

‎11-21-2011 05:19 AM - edited ‎03-07-2019 03:30 AM

Good afternoon,

I am currently trying to figure out if it is possible if a router has 4 different networks to assign a different gateway of last resort other than

0.0.0.0 0.0.0.0 Dialer 0 for one network.

e.g. Network 172.16.16.0/24 is configured on the router, but all traffic traffic to internet from this network should not go over dialer 0 but over another

network the router knows, eg. a VPN connection.

is that possible and if, how?

I tried to have this arranged with access-lists, say first blocking all traffic for the particular network:

     access-list 109 deny tcp 172.16.16.0 0.0.0.255 any

and then we allow it but only to a specific destination

     access-list 109 permit tcp 172.16.16.0 0.0.0.255 host xxx.xxx.xxx.xxx <<< outbound Gateway for 172.16.16.0/24

I have the following questions:

Must both rules be in the same access-list?

How is standard access list 1 considered in this case, must i allow, deny or simply not naming the 172.16.16.0/24 network in access-list 1?

How to make use of the above sample access-list 109

Thank you and all the best!

David.

Labels:
0 Helpful
6 Replies 6

NickNac79
Level 1
Level 1

‎11-21-2011 05:50 AM

Hi David,

Yes this is very easy to accomplish using Policy Based Routing.

You must use a route-map to first match the traffic that you want to do something with, then set the next hop for that traffic.

  • First - create an Access-list that defines what traffic is interesting to the route-map...

ip access-list extended USE_OTHER_GATEWAY

deny ip 172.16.16.0 0.0.0.255 10.0.0.0 0.255.255.255

deny ip 172.16.16.0 0.0.0.255 192.168.0.0 0.0.255.255

deny ip 172.16.16.0 0.0.0.255 172.16.0.0 0.15.255.255

permit ip 172.16.16.0 0.0.0.255 any

  • Now Create the Route-map

route-map PBR_OTHER_GATWAY permit 10

match ip address USE_OTHER_GATEWAY

set ip next-hop 10.20.30.1

!

route-map PBR_OTHER_GATWAY permit 20

!

  • Next apply the route-map to the router interface where the traffic will ENTER the router

Interface Fa0/0

ip policy route-map PBR_OTHER_GATWAY

Hope That Helps!

Nick

cadet alain
VIP Alumni
VIP Alumni
In response to NickNac79

‎11-21-2011 06:42 AM

Hi Nick,

in PBR ther's no need to configure a catch-all route-map statement because what is not matched  will be routed via FIB/RIB and not PBR'd automatically. so the

route-map PBR_OTHER_GATWAY permit 20 statement is not mandatory.

Regards.

Alain

Don't forget to rate helpful posts.
0 Helpful

NickNac79
Level 1
Level 1
In response to cadet alain

‎11-21-2011 06:44 AM

Hehe Righto - Force of habit using Route-maps with BGP ;-)

0 Helpful

dese.co.uk
Level 1
Level 1
In response to NickNac79

‎11-21-2011 06:52 AM

Hi Nick,

thanks for your reply.

For some reason the route-map is something I so far did not get running. Pls. see my previous quesion from another thread.

My problem is, that the traffic must go through a VPN tunnel which is fully functional already.

But I will give it one more try adapting your code.

Thanks & Regards,

David.

0 Helpful

NickNac79
Level 1
Level 1
In response to dese.co.uk

‎11-21-2011 07:58 AM

Hi David,

I've looked at your other thread regarding nest-hop recursive...  I don't think we have a proper understanding of what you are trying to do. 

Can you provide a simple network diagram?  We might be able to advise better.  Also, what device are you attempting this on?

Many Thanks,

Nick

0 Helpful

dese.co.uk
Level 1
Level 1
In response to NickNac79

‎11-21-2011 09:00 AM

Hi Nick,

thanks for your reply.

What I try to do is quite easy. From a customers site where several public WIFI-Nets for the teenants are running, the www-traffi only must in order to comply with local law be routeted through a proxy to log it.

So I managed to configure a Cisco 3640 box which makes a DSL-PPPoE Internet-Con and as well a VPN Tunnel to our ISP PoP.

The www-concerned traffic goes through the VPN to us, we log it and that's it.

For some magic and thanks to your post I get now the www-traffic and all other if I wish through the tunnel to our site.

What was missing was an ip nat inside on our site on the tunnel interface.

I never knew that this is possible as the traffic at this point is still encrypted.

Anyway, I am unable to finalize the last step:

On our site I too stupid to manage, that the www traffic we receive on the tun 0 interface goes straight to the port 80 of the squid proxy what is directly connected.

instead doning so, our router shots the traffic directly over our backbone into the internet.

I would much appreciate it if you could help me with this fiinal step.

Thanks in avance and all the best.

David.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card