07-24-2006 06:33 AM - edited 03-03-2019 04:12 AM
I seem to be missing something here:
Here is the setup:
3750G-24-TS 12.2(25)SEA
I want to route ports 80,443 out 1 gateway and all other traffic out another gateway. Currently, all traffic goes out the 2nd gateway including ports 80,443. What am I missing?
Thanks
interface GigabitEthernet1/0/9
no switchport
ip address 192.168.20.6 255.255.255.0
!
interface GigabitEthernet1/0/10
no switchport
ip address 192.168.48.1 255.255.255.0
ip policy route-map WEB-TRaffic
access-list 100 permit tcp any eq 443 any
access-list 100 permit tcp any eq www any
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 443
access-list 101 permit ip any any
route-map WEB-Traffic permit 10
match ip address 100
set ip next-hop 192.168.20.4
!
route-map WEB-Traffic permit 20
match ip address 101
set ip next-hop 192.168.20.10
ip route 0.0.0.0 0.0.0.0 192.168.20.10
sh sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
(switch has been reloaded since)
sh ip route
<snip>
Gateway of last resort is 192.168.20.10 to network 0.0.0.0
172.20.0.0/24 is subnetted, 1 subnets
C 172.30.12.0 is directly connected, Vlan17
C 192.168.20.0/24 is directly connected, GigabitEthernet1/0/9
C 192.168.48.0/24 is directly connected, GigabitEthernet1/0/10
S* 0.0.0.0/0 [1/0] via 192.168.20.10
sh route-map
route-map WEB-Traffic, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 192.168.20.4
Policy routing matches: 0 packets, 0 bytes
route-map WEB-Traffic, permit, sequence 20
Match clauses:
ip address (access-lists): 101
Set clauses:
ip next-hop 192.168.20.10
Policy routing matches: 0 packets, 0 bytes
sh access-lists
Extended IP access list 100
10 permit tcp any eq 443 any
20 permit tcp any eq www any
30 permit tcp any any eq www
40 permit tcp any any eq 443
Extended IP access list 101
10 permit ip any any
07-24-2006 06:56 AM
Eric
You have provided information about the platform and the version information but have not indicated which feature set of the code you are running. I have looked at the Cisco Feature Navigator on the Cisco web site and it looks like Policy Based Routing is not supported in the SMI image but is supported in the EMI image. So which image are you running?
As a side note the configuration looks ok. There is one optimization that I might suggest. You do not need access list 101 and the second instance of the route map can be written this way:
route-map WEB-Traffic permit 20
set ip next-hop 192.168.20.10
A route map instance with no match clause will match everything, and the set will be performed.
HTH
Rick
07-24-2006 07:27 AM
I believe it is the standard ip-services
System image file is "flash:c3750-i5-mz.122-25.SEA/c3750-i5-mz.122-25.SEA.bin".
07-24-2006 07:35 AM
Eric
That image name should be the EMI image and the Feature Navigator says that Policy Based Routing should be supported in that image.
So we need to look for something else to explain why Policy Based Routing is not working. Can you supply a bit more detail about the topology of the network? Is the ip policy route-map configured on the interface where the traffic is entering the 3750?
HTH
Rick
07-24-2006 08:32 AM
client PC (192.168.48.25) --> gateway 192.168.48.1 {3750 switch}
3750 switch: gig 1/0/10 192.168.48.1 -- gig 1/0/9 192.168.20.6 route 0.0.0.0 0.0.0.0 192.168.20.10[pix]
pix: dmz3_20 192.168.20.10
global (outside) 20 198.204.205.20
nat (dmz3_20) 20 0.0.0.0 0.0.0.0
So the client traffic enters thru gig 1/0/10 (192.168.48.1) which has the policy-map applied
interface GigabitEthernet1/0/10
no switchport
ip address 192.168.48.1 255.255.255.0
ip policy route-map WEB-TRaffic
07-24-2006 09:17 AM
Ok. I fixed a typo. The policy had WEB-TRaffic instead of WEB-Traffic, although I was not aware that IOS was case sensitive in some areas - good to know! I am about halfway there.
Web traffic is now being directed towards 192.168.20.4 and all other traffic is being pushed thru the firewall. 192.168.20.4 is a BSD based Web splash page server. Looking at the logs on a vpn device, I see successful incoming connections from the test pc behind the 3750 with the routing policies with the correct global address from the PIX (192.168.20.10) and not from the other gateway (192.168.20.4). Now, I just have to tweak the splash server.
07-24-2006 09:44 AM
Eric
I see that typo now that I look carefully - too bad we did not notice it before. While Cisco IOS is not case sensitive about most commands there are a few things, including passwords, names of access lists, and names of route maps where it is case sensitive. I have been bit by that before and now so have you. This is how we learn many of our best lessons.
Congratulations on finding your problem.
HTH
Rick
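The case-sensitive route-map name is the kind of mismatch that is easy to miss by eye and cheap to catch mechanically. The checker below is an added example, not part of this thread or any Cisco tool; it assumes the running config is available as plain text and runs against a constructed sample modelled on the posted config (with the WEB-TRaffic typo and an ACL 101 that is referenced but not defined).

```python
import re

# Constructed sample based on the 3750 config posted above; the
# "ip policy route-map" reference carries the mixed-case typo.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/10
 no switchport
 ip address 192.168.48.1 255.255.255.0
 ip policy route-map WEB-TRaffic
!
access-list 100 permit tcp any any eq www
route-map WEB-Traffic permit 10
 match ip address 100
 set ip next-hop 192.168.20.4
!
route-map WEB-Traffic permit 20
 match ip address 101
 set ip next-hop 192.168.20.10
"""

ROUTE_MAP_DEF = re.compile(r"^route-map\s+(\S+)\s+(?:permit|deny)\s+\d+", re.M)
POLICY_REF = re.compile(r"^\s*ip policy route-map\s+(\S+)", re.M)
# Numbered ACLs ("access-list 100 ...") and named ACLs ("ip access-list extended X").
ACL_DEF = re.compile(r"^access-list\s+(\S+)|^ip access-list\s+(?:standard|extended)\s+(\S+)", re.M)
ACL_REF = re.compile(r"^\s*match ip address\s+(.+)$", re.M)


def lint_pbr(config):
    """Return a list of problems: route-map references that do not resolve
    (flagging case-only differences, since IOS compares names case-sensitively)
    and ACLs named in a match clause but never defined."""
    defined_maps = set(ROUTE_MAP_DEF.findall(config))
    defined_acls = {a or b for a, b in ACL_DEF.findall(config)}
    problems = []
    for ref in POLICY_REF.findall(config):
        if ref in defined_maps:
            continue
        near = [m for m in defined_maps if m.lower() == ref.lower()]
        if near:
            problems.append(f"route-map '{ref}' not defined; case differs from '{near[0]}'")
        else:
            problems.append(f"route-map '{ref}' not defined")
    for refs in ACL_REF.findall(config):
        for acl in refs.split():
            if acl not in defined_acls:
                problems.append(f"access-list {acl} referenced by route-map but not defined")
    return problems
```

Running it on the posted config reports the case mismatch before any traffic test is needed; a fixed config with the name corrected and ACL 101 defined (or the second instance written without a match clause, as Rick suggested) returns an empty list.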
07-24-2006 10:47 AM
A quick add for tcp port 8000 for the portal redirect page to access-list 100 and it works like a champ. All http & https traffic gets pushed thru the splash page server so clients see the acceptable usage policy and all other traffic gets pushed thru a PIX. The reason for all this effort is the simple fact that it is much easier to allow for multiple vpn connections to originate from networks behind a PIX nat than iptables nat.