Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

How matters order of access-lists for different Gateway of last resort?

Good afternoon,

I am currently trying to figure out if it is possible if a router has 4 different networks to assign a different gateway of last resort other than

0.0.0.0 0.0.0.0 Dialer 0 for one network.

e.g. Network 172.16.16.0/24 is configured on the router, but all traffic traffic to internet from this network should not go over dialer 0 but over another

network the router knows, eg. a VPN connection.

is that possible and if, how?

I tried to have this arranged with access-lists, say first blocking all traffic for the particular network:

     access-list 109 deny tcp 172.16.16.0 0.0.0.255 any

and then we allow it but only to a specific destination

     access-list 109 permit tcp 172.16.16.0 0.0.0.255 host xxx.xxx.xxx.xxx <<< outbound Gateway for 172.16.16.0/24

I have the following questions:

Must both rules be in the same access-list?

How is standard access list 1 considered in this case, must i allow, deny or simply not naming the 172.16.16.0/24 network in access-list 1?

How to make use of the above sample access-list 109

Thank you and all the best!

David.

Everyone's tags (5)
6 REPLIES
Bronze

Re: How matters order of access-lists for different Gateway of l

Hi David,

Yes this is very easy to accomplish using Policy Based Routing.

You must use a route-map to first match the traffic that you want to do something with, then set the next hop for that traffic.

  • First - create an Access-list that defines what traffic is interesting to the route-map...

ip access-list extended USE_OTHER_GATEWAY

deny ip 172.16.16.0 0.0.0.255 10.0.0.0 0.255.255.255

deny ip 172.16.16.0 0.0.0.255 192.168.0.0 0.0.255.255

deny ip 172.16.16.0 0.0.0.255 172.16.0.0 0.15.255.255

permit ip 172.16.16.0 0.0.0.255 any

  • Now Create the Route-map

route-map PBR_OTHER_GATWAY permit 10

match ip address USE_OTHER_GATEWAY

set ip next-hop 10.20.30.1

!

route-map PBR_OTHER_GATWAY permit 20

!

  • Next apply the route-map to the router interface where the traffic will ENTER the router

Interface Fa0/0

ip policy route-map PBR_OTHER_GATWAY

Hope That Helps!

Nick

Purple

How matters order of access-lists for different Gateway of last

Hi Nick,

in PBR ther's no need to configure a catch-all route-map statement because what is not matched  will be routed via FIB/RIB and not PBR'd automatically. so the

route-map PBR_OTHER_GATWAY permit 20 statement is not mandatory.

Regards.

Alain

Don't forget to rate helpful posts.
Bronze

Re: How matters order of access-lists for different Gateway of l

Hehe Righto - Force of habit using Route-maps with BGP ;-)

New Member

How matters order of access-lists for different Gateway of last

Hi Nick,

thanks for your reply.

For some reason the route-map is something I so far did not get running. Pls. see my previous quesion from another thread.

My problem is, that the traffic must go through a VPN tunnel which is fully functional already.

But I will give it one more try adapting your code.

Thanks & Regards,

David.

Bronze

Re: How matters order of access-lists for different Gateway of l

Hi David,

I've looked at your other thread regarding nest-hop recursive...  I don't think we have a proper understanding of what you are trying to do. 

Can you provide a simple network diagram?  We might be able to advise better.  Also, what device are you attempting this on?

Many Thanks,

Nick

New Member

How matters order of access-lists for different Gateway of last

Hi Nick,

thanks for your reply.

What I try to do is quite easy. From a customers site where several public WIFI-Nets for the teenants are running, the www-traffi only must in order to comply with local law be routeted through a proxy to log it.

So I managed to configure a Cisco 3640 box which makes a DSL-PPPoE Internet-Con and as well a VPN Tunnel to our ISP PoP.

The www-concerned traffic goes through the VPN to us, we log it and that's it.

For some magic and thanks to your post I get now the www-traffic and all other if I wish through the tunnel to our site.

What was missing was an ip nat inside on our site on the tunnel interface.

I never knew that this is possible as the traffic at this point is still encrypted.

Anyway, I am unable to finalize the last step:

On our site I too stupid to manage, that the www traffic we receive on the tun 0 interface goes straight to the port 80 of the squid proxy what is directly connected.

instead doning so, our router shots the traffic directly over our backbone into the internet.

I would much appreciate it if you could help me with this fiinal step.

Thanks in avance and all the best.

David.

807
Views
5
Helpful
6
Replies
CreatePlease to create content