1339 Views, 5 Helpful, 6 Replies

How does the order of access-lists matter for a different gateway of last resort?

dese.co.uk
Level 1

Good afternoon,

I am currently trying to figure out whether it is possible, if a router has 4 different networks, to assign one network a gateway of last resort other than

0.0.0.0 0.0.0.0 Dialer 0.

e.g. network 172.16.16.0/24 is configured on the router, but all traffic to the internet from this network should not go over Dialer 0 but over another

network the router knows, e.g. a VPN connection.

Is that possible, and if so, how?

I tried to have this arranged with access-lists, say first blocking all traffic for the particular network:

     access-list 109 deny tcp 172.16.16.0 0.0.0.255 any

and then we allow it but only to a specific destination

     access-list 109 permit tcp 172.16.16.0 0.0.0.255 host xxx.xxx.xxx.xxx <<< outbound Gateway for 172.16.16.0/24

I have the following questions:

Must both rules be in the same access-list?

How is standard access-list 1 considered in this case: must I allow, deny, or simply not name the 172.16.16.0/24 network in access-list 1?

How do I make use of the above sample access-list 109?

Thank you and all the best!

David.

6 Replies

NickNac79
Level 1

Hi David,

Yes this is very easy to accomplish using Policy Based Routing.

You must use a route-map to first match the traffic that you want to do something with, then set the next hop for that traffic.

  • First - create an access-list that defines what traffic is interesting to the route-map...

     ip access-list extended USE_OTHER_GATEWAY
      deny ip 172.16.16.0 0.0.0.255 10.0.0.0 0.255.255.255
      deny ip 172.16.16.0 0.0.0.255 192.168.0.0 0.0.255.255
      deny ip 172.16.16.0 0.0.0.255 172.16.0.0 0.15.255.255
      permit ip 172.16.16.0 0.0.0.255 any

  • Now create the route-map

     route-map PBR_OTHER_GATWAY permit 10
      match ip address USE_OTHER_GATEWAY
      set ip next-hop 10.20.30.1
     !
     route-map PBR_OTHER_GATWAY permit 20
     !

  • Next apply the route-map to the router interface where the traffic will ENTER the router

     interface Fa0/0
      ip policy route-map PBR_OTHER_GATWAY

Hope That Helps!

Nick

Hi Nick,

In PBR there's no need to configure a catch-all route-map statement, because what is not matched will be routed via FIB/RIB and not PBR'd automatically. So the

route-map PBR_OTHER_GATWAY permit 20 statement is not mandatory.

Regards.

Alain

Don't forget to rate helpful posts.
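To make the ordering behaviour behind Nick's configuration and Alain's remark checkable offline, here is a small model of how IOS evaluates an extended ACL (top down, first match wins, implicit deny) and a PBR route-map (first sequence whose match clause permits the packet applies its set; no match at all means normal RIB/FIB forwarding). This is an added example, not code from the thread or from Cisco; it assumes only plain "ip" entries with wildcard masks, which is all the posted ACL uses, and the packets it tests are constructed.

```python
"""Model of how IOS evaluates an extended ACL and a PBR route-map.

Added example, not code from the thread or from Cisco. It reproduces the
first-match semantics behind the posted configuration (ACL USE_OTHER_GATEWAY,
route-map PBR_OTHER_GATWAY) so the effect of entry order can be checked
offline. Assumption: only 'ip' entries with source/destination wildcard masks
are modelled, which is all the posted ACL uses; sample packets are constructed.
"""
from ipaddress import IPv4Address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care' (inverse of a netmask)."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def _take_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str):
    """Parse 'permit|deny <proto> <src> <dst>' into (action, src, dst)."""
    tokens = line.split()
    action, rest = tokens[0], tokens[2:]          # tokens[1] is the protocol
    src, rest = _take_addr(rest)
    dst, _ = _take_addr(rest)
    return action, src, dst


def acl_permits(acl, src: str, dst: str) -> bool:
    """Top-down evaluation: the first matching entry wins, implicit deny at the end."""
    for action, (s_base, s_wc), (d_base, d_wc) in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action == "permit"
    return False


def pbr_next_hop(route_map, acls, src: str, dst: str):
    """Walk route-map sequences in order. The first sequence whose match ACL
    permits the packet applies its 'set'; a sequence without a match clause
    matches everything. A deny in the ACL just means 'try the next sequence'.
    None means the packet is left to normal RIB/FIB forwarding."""
    for seq in route_map:
        acl_name = seq.get("match")
        if acl_name is None or acl_permits(acls[acl_name], src, dst):
            return seq.get("next_hop")
    return None


# The ACL exactly as posted by Nick: private destinations fall through, the rest
# of 172.16.16.0/24's traffic is sent to the alternate gateway.
USE_OTHER_GATEWAY = [parse_ace(l) for l in """
deny ip 172.16.16.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 172.16.16.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 172.16.16.0 0.0.0.255 172.16.0.0 0.15.255.255
permit ip 172.16.16.0 0.0.0.255 any
""".strip().splitlines()]

ACLS = {"USE_OTHER_GATEWAY": USE_OTHER_GATEWAY}
# Same entries with the 'permit ... any' moved to the top: a wrong ordering.
ACLS_PERMIT_FIRST = {"USE_OTHER_GATEWAY": list(reversed(USE_OTHER_GATEWAY))}

ROUTE_MAP = [
    {"seq": 10, "match": "USE_OTHER_GATEWAY", "next_hop": "10.20.30.1"},
    {"seq": 20},  # Nick's catch-all; it has no 'set', so it changes nothing
]
ROUTE_MAP_NO_CATCHALL = ROUTE_MAP[:1]  # Alain's point: seq 20 is not needed


if __name__ == "__main__":
    packets = [("172.16.16.5", "8.8.8.8"),       # tenant LAN -> internet (constructed)
               ("172.16.16.5", "192.168.1.10"),  # tenant LAN -> private net
               ("172.16.17.5", "8.8.8.8")]       # another LAN, not in the ACL
    for src, dst in packets:
        print(src, "->", dst,
              "| as posted:", pbr_next_hop(ROUTE_MAP, ACLS, src, dst),
              "| without seq 20:", pbr_next_hop(ROUTE_MAP_NO_CATCHALL, ACLS, src, dst),
              "| permit first:", pbr_next_hop(ROUTE_MAP, ACLS_PERMIT_FIRST, src, dst))
```

Running it shows the same result with and without sequence 20, which is Alain's point. The "permit first" column shows why the title question matters: with the permit line above the denies, traffic from 172.16.16.0/24 to 192.168.1.10 is also sent to 10.20.30.1. The same first-match rule applies to access-list 109 in the question: a "deny tcp 172.16.16.0 0.0.0.255 any" placed ahead of the permit means the permit line is never reached.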

Hehe Righto - Force of habit using Route-maps with BGP ;-)

Hi Nick,

thanks for your reply.

For some reason the route-map is something I so far did not get running. Please see my previous question from another thread.

My problem is, that the traffic must go through a VPN tunnel which is fully functional already.

But I will give it one more try adapting your code.

Thanks & Regards,

David.

Hi David,

I've looked at your other thread regarding next-hop recursive... I don't think we have a proper understanding of what you are trying to do.

Can you provide a simple network diagram?  We might be able to advise better.  Also, what device are you attempting this on?

Many Thanks,

Nick

Hi Nick,

thanks for your reply.

What I am trying to do is quite easy. At a customer's site where several public WiFi networks for the tenants are running, the www traffic only must, in order to comply with local law, be routed through a proxy to log it.

So I managed to configure a Cisco 3640 box which makes a DSL-PPPoE internet connection and as well a VPN tunnel to our ISP PoP.

The www-concerned traffic goes through the VPN to us, we log it and that's it.

By some magic and thanks to your post I now get the www traffic, and all other traffic if I wish, through the tunnel to our site.

What was missing was an ip nat inside on our site on the tunnel interface.

I never knew that this is possible as the traffic at this point is still encrypted.

Anyway, I am unable to finalize the last step:

On our site I am too stupid to manage that the www traffic we receive on the tun 0 interface goes straight to port 80 of the squid proxy, which is directly connected.

Instead of doing so, our router shoots the traffic directly over our backbone into the internet.

I would much appreciate it if you could help me with this final step.

Thanks in advance and all the best.

David.
