route map over vpn

I have a vpn to a remote site and I want to redirect traffic on port 80 to a host on that network. I tried doing a route map like this:

access-list 101 deny tcp any 172.17.16.0 0.0.0.255
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
route-map bluecoat permit 10
 match ip address 101
 set ip next-hop 172.17.16.45
 set ip default next-hop 172.17.16.45
int Eth0/0
 ip policy route-map bluecoat

Where Eth0/0 is the ingress port, but it doesn't appear to be applied, since hosts can still get to any web site.

The 172.17.16.45 host is on the other side of a vpn. I can get to hosts on both sides of the vpn. I can't ping that host from the router though.

7 REPLIES

Re: route map over vpn

Andy,

Please provide us a brief diagram.

Next-hop has to be a connected next-hop for that command.

HTH,

Toshi

Re: route map over vpn

host - 172.17.196.0/24
|
router - 172.17.196.1
|
VPN
|
router - 10.0.1.2
| - static route to 172.17.16.0/24
switch
|
content filter - 172.17.16.45

Again, hosts on either side of the VPN can talk to each other. I'm trying to force traffic on the web ports to the content filter.

Re: route map over vpn

Andy,

Which device did you put those commands on?

Router 10.0.1.2? Or the switch connected to the Bluecoat?

Toshi

Re: route map over vpn

Those commands are on the first router, 172.17.196.1, where the clients are first passing through. Basically I want to redirect all the web traffic going through 172.17.196.1 to the content filter 172.17.16.45 as described in the diagram.

Re: route map over vpn

Andy,

That will not work, as I mentioned earlier. The first router will finally forward traffic based on the routing table. You may know that PBR doesn't change the destination IP address; it just rewrites the destination MAC to send the packet to the next-hop you configured.

Well, what I can recommend is as follows:

- Bluecoat is running as a proxy, right? Can you force users to do something in the internet browser, such as manually configuring the proxy or using Automatic Detect?

- Let's check the switch at the other side. Can it support PBR? If it can, go configure it there. I mean, configure PBR in the direction of packets coming from the first router.

HTH,

Toshi
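As an added example (not from the thread or its participants), here is what "PBR on the far-end switch" would look like in IOS syntax, reusing the thread's match criteria and next-hop. Interface names, the VLAN the filter sits in, and the ACL and route-map names are assumptions.

```cisco
! Hypothetical far-end Layer 3 switch: 172.17.16.0/24 is one of its
! directly connected subnets, so 172.17.16.45 is a valid PBR next-hop
! here (it was not on 172.17.196.1, where the original config lived).
!
! Match only web traffic; leave traffic destined for the local
! 172.17.16.0/24 LAN alone so it is forwarded by the routing table.
ip access-list extended WEB-TO-FILTER
 deny   tcp any 172.17.16.0 0.0.0.255
 permit tcp any any eq www
 permit tcp any any eq 443
!
! PBR leaves the destination IP untouched and only rewrites the
! destination MAC, so the next-hop must be on a connected segment
! of THIS device.
route-map BLUECOAT permit 10
 match ip address WEB-TO-FILTER
 set ip next-hop 172.17.16.45
!
! Apply inbound on the interface that receives packets from the
! 10.0.1.2 router (the direction "coming from the first router").
! Interface name is an assumption.
interface GigabitEthernet1/0/1
 description link to router 10.0.1.2
 ip policy route-map BLUECOAT
!
! Traffic leaving the content filter enters the switch on the
! filter's own port, which has no policy, so it is not re-matched
! and cannot loop back to the filter.
```

This only helps if the filter can operate transparently on redirected traffic; an explicit proxy still needs the browser-side configuration mentioned above.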

Re: route map over vpn

I see what you're saying now. The VPN isn't set up to pass all traffic through it, only traffic destined for the local LAN; other outbound traffic is NATted at the 196.1 router.

Maybe a proxy would be the best solution here. Would it be possible to do the forwarding with mac table entries? Is that possible for vpns? Do they have an interface name?

Re: route map over vpn

Andy,

Would it be possible to do the forwarding with mac table entries? Is that possible for vpns? Do they have an interface name?

Sorry man, it's not possible. You may consider the switch at the far end to do PBR. It's just an option, if the switch can do it.

HTH,

Toshi
