help with Policy Based Routing on VPN Router

mjsully
Level 1

I have a Cisco 3600 series router that serves as a VPN gateway for multiple IPsec tunnels. Its outside interface (F0/0) is where the peer VPNs terminate and it is where the crypto map is applied. I'm having an issue with a recent VPN peer addition. The access-list defining the interesting traffic for this VPN permits a single host on the remote end to connect to any 10.x.x.x address on our network, which should get routed through the router's inside interface (F0/1). The problem is there are routes on this router that take some 10.x.x.x addresses and ship them out one of the other tunnels, rather than inside to our network. I was thinking of defining a route map that will route any incoming VPN traffic from that single host through the inside interface of the router to the inside network. What I am unsure of is whether this route map will work, considering that when the packet first arrives on the outside interface it is still encrypted; I don't know which takes place first. Here is the route-map, please tell me if this will work or if there is a better way:

! Standard ACL matching the single remote VPN host
! (a standard ACL takes no "ip" keyword; "host" = exact match)
access-list 50 permit host 192.168.100.10
!
! Outside interface (F0/0); the crypto map is applied here as well
interface FastEthernet0/0
 ip policy route-map inside
!
! Policy-route traffic from that host toward the inside network
route-map inside permit 10
 match ip address 50
 set ip next-hop 10.x.x.x


mheusinger
Level 10

Hi,

why not exclude this host/source from the interesting traffic on those other tunnels? Just put a deny statement in front of the ACL describing interesting traffic for the other tunnels.

Something like

! Crypto ACL for one of the other tunnels: the deny must come first,
! since ACL entries are evaluated top-down and the first match wins
access-list 100 deny ip host 192.168.100.10 10.1.0.0 0.0.255.255
access-list 100 permit ip any 10.1.0.0 0.0.255.255

Regards, Martin
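To see why the deny has to sit above the broad permit, here is a small first-match evaluator for the crypto ACL lines in the answer above. It is an added example, not code from the thread or from Cisco; the ACL text and the test addresses are constructed, and it models only the source/destination wildcard matching that decides whether a flow is "interesting" for that tunnel.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask match: a set bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_ace(line: str):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' into (action, src, dst)."""
    toks = line.split()
    if toks[0] != "access-list" or toks[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")

    def take(tokens):
        if tokens[0] == "any":            # any  -> base 0.0.0.0, wildcard all ones
            return ("0.0.0.0", "255.255.255.255"), tokens[1:]
        if tokens[0] == "host":           # host A -> exact match on A
            return (tokens[1], "0.0.0.0"), tokens[2:]
        return (tokens[0], tokens[1]), tokens[2:]   # A W

    src, rest = take(toks[4:])
    dst, _ = take(rest)
    return toks[2], src, dst


def is_interesting(acl, src: str, dst: str) -> bool:
    """First match wins; no match falls through to the implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


# Martin's ordering: the single host is carved out before the broad permit.
OTHER_TUNNEL_ACL = [
    "access-list 100 deny ip host 192.168.100.10 10.1.0.0 0.0.255.255",
    "access-list 100 permit ip any 10.1.0.0 0.0.255.255",
]
# Same two entries reversed: the permit matches first and the deny is dead.
MISORDERED_ACL = list(reversed(OTHER_TUNNEL_ACL))
```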
