06-16-2003 08:24 AM - edited 03-02-2019 08:10 AM
We have a 2621 router with one branch office connection (s0/0) and an ISP connection (s0/1). The default route for this setup is through s0/1. For packets landing on s0/0 from the branch office we need to have a different default gateway and not s0/1. We need packets from the branch office to hit a proxy server in the LAN of the HO and not go out through s0/1 (the default route of the router). Basically we need the branch office guys to be authenticated at the proxy and not go out through the router. The router has two Ethernet interfaces, one having a LAN IP in the same subnet as the proxy and the other Ethernet having a WAN IP to which the WAN card of the proxy is attached. How can this be accomplished?
Thanks and regards
06-16-2003 09:04 AM
I assume the Branch office will have two types of traffic,
1. Traffic which is local, accessing servers, email etc. residing on the main site, for which, I assume, there is no need for any authentication via proxy.
2. Traffic destined to the internet.
You can achieve your requirements using a route-map and policy routing.
Define an access list that matches the following criteria:
access-list 101 deny ip host x.x.x.x host y.y.y.y
access-list 101 permit ip host x.x.x.x any
route-map Route-to-Proxy permit 10
 match ip address 101
 match interface s0/0
 set ip next-hop
route-map Route-to-Proxy permit 20
int s0/0
 ip policy route-map Route-to-Proxy
x.x.x.x is the network address of the branch office.
y.y.y.y is the network address of the main office.
The first line in access list 101 denies traffic which is local. This is so that this traffic is routed normally.
The second line in access list 101 permits all traffic which comes from the branch office and goes to the internet. This traffic is permitted so that it is policy routed.
Route-map Route-to-Proxy routes all traffic coming in on interface s0/0 and matched by access-list 101 (traffic going to the internet) towards the proxy server.
You can use a variety of commands such as
set ip next-hop
or
set interface
Either way you can achieve this.
HTH
06-16-2003 09:49 AM
Hi,
Thanks.
You assume correctly...
1) What would the routes be in the far end branch office router and s0/0 at this end?
I'm not sure about
set interface
because this Ethernet interface is on the same router and the router has a default gateway pointing at s0/1?
Can you please explain "route-map Route-to-Proxy permit 20"? Permit 20?
Thanks for the effort
regards
06-16-2003 11:15 AM
route-map Route-to-Proxy permit 20 is an empty route map instance, which will match all traffic that is not matched by route map instance 10. An empty route map instance allows policy routing to route normally, using the routing table the router has. So all traffic which is local is matched by the second instance, and will be routed appropriately to the main site LAN. That's the reason why the empty instance has been created.
The set interface command can also be used here, because, irrespective of whether there is a default route or not, policy routing overrides normal routing once a match condition is satisfied.
At the far end branch office, you can just put a default route pointing to that router's serial interface. Also, configure a static route pointing to the LAN of the branch office, on this 2600 router via s0/0.
HTH
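The route-map evaluation described in this thread, modelled as an added example that is not part of any poster's reply or of Cisco's code: ACL 101 is checked first-match with an implicit deny, sequence 10 sets the next hop, and the empty sequence 20 falls back to the routing table. The addresses, the proxy next hop and the `forward` helper are constructed assumptions, and the ACL entries are modelled as networks.

```python
import ipaddress

# Constructed addressing (assumptions, not values from the thread)
BRANCH = ipaddress.ip_network("10.2.0.0/24")  # stands in for x.x.x.x
MAIN = ipaddress.ip_network("10.1.0.0/24")    # stands in for y.y.y.y
PROXY = "10.1.0.10"                           # hypothetical proxy next hop
ANY = ipaddress.ip_network("0.0.0.0/0")

# access-list 101: first matching entry decides, implicit deny at the end
ACL_101 = [("deny", BRANCH, MAIN), ("permit", BRANCH, ANY)]

# route-map Route-to-Proxy: (sequence, ACL or None, next hop or None)
ROUTE_MAP = [(10, ACL_101, PROXY), (20, None, None)]

# Interfaces that carry "ip policy route-map Route-to-Proxy"
POLICY_INTERFACES = {"s0/0"}


def acl_permits(acl, src, dst):
    """Return True only if the first matching ACL entry is a permit."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False  # implicit deny: the route-map entry does not match


def forward(in_if, src, dst):
    """Say how a packet arriving on in_if is forwarded."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_if not in POLICY_INTERFACES:
        return "routing-table"  # no policy on this interface
    for _seq, acl, next_hop in ROUTE_MAP:
        # An entry with no match clause (sequence 20) matches everything.
        if acl is None or acl_permits(acl, src, dst):
            return f"next-hop {next_hop}" if next_hop else "routing-table"
    return "routing-table"  # nothing matched: normal routing


if __name__ == "__main__":
    samples = [  # constructed test packets
        ("s0/0", "10.2.0.5", "198.51.100.7"),   # branch -> internet
        ("s0/0", "10.2.0.5", "10.1.0.20"),      # branch -> main office
        ("s0/0", "10.9.9.9", "198.51.100.7"),   # source outside ACL 101
        ("s0/2", "10.3.0.5", "198.51.100.7"),   # interface without policy
    ]
    for pkt in samples:
        print(pkt, "->", forward(*pkt))
```

The third sample shows what to check when the goal is forced proxy authentication: a source arriving on s0/0 that ACL 101 does not permit falls through to sequence 20 and follows the router's default route instead of the proxy.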
06-16-2003 05:36 PM
"Also, configure a static route pointing to the lan of the branch office, on this 2600 router via s0/0."
Would that be necessary for the directly connected network?
Would the config change if I had another branch office connection on, say, s0/2 (coming up soon), which doesn't need to be routed through the proxy at all?
Thanks and regards