03-22-2006 06:10 AM
Hi, a bit of a weird setup here. We have four sites, which we'd ideally all like to go to one central site for web blocking/proxying. We're using route-maps to redirect the traffic to a squid server in the central site.
It works fine in the central site, but no other site's traffic is being redirected. All of the 837 routers are using NAT, and the next-hop address in the route-map is to a NATed address on the central site - could this be the problem? Or am I asking too much of the route-map facility?
Here's a sample of the access-list and routemap setup:
interface Ethernet0
ip address 10.0.1.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip inspect myfw in
ip tcp adjust-mss 1350
ip policy route-map proxy
no cdp enable
hold-queue 100 out
!
access-list 10 remark Admin Networks
access-list 10 permit 10.0.4.2
access-list 100 permit esp host central host xxx
access-list 100 permit udp host central host xxx eq isakmp
access-list 100 permit gre host central host xxx
access-list 100 permit tcp host central host xxx eq 15868
access-list 100 permit tcp host central host xxx eq www
access-list 100 permit ip 10.0.4.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit icmp 10.0.4.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit icmp any any echo-reply
access-list 100 permit ip any any
access-list 101 remark NAT information
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.4.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 122 permit ip 10.0.1.0 0.0.0.255 10.0.4.0 0.0.0.255
access-list 122 permit icmp 10.0.1.0 0.0.0.255 10.0.4.0 0.0.0.255
access-list 190 permit tcp any any eq www
dialer-list 1 protocol ip permit
route-map proxy permit 10
match ip address 190
set ip next-hop 10.0.4.207
!
(access-list 100 is applied to Dialer1 coming in, access-list 122 goes over a VPN tunnel).
I'm rather new to Cisco routers; these configs weren't set up by me, so be gentle ;). Thanks!
03-28-2006 07:45 AM
The "next-hop" address must be the address reachable by the central site. A NATed IP address as next-hop does not make any sense to me. A NATed address is only for the user traffic travelling between the NAT interfaces.
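An added sanity check, not from the thread, that models the ACL logic of the posted 837 config: it tells you whether the route-map next-hop, as seen from a host on a remote site, would be translated by the NAT ACL (101) and whether it falls inside the traffic ACL 122 sends over the VPN tunnel. A next-hop that is NATed and outside the tunnel ACL leaves the router as plain Internet traffic, which is the mismatch the reply above describes. It assumes ACL 101 is the NAT ACL and ACL 122 the tunnel ACL (per the poster's remarks), and 10.0.1.50 is an assumed inside host.

```python
import ipaddress
import re

# Lines constructed from the thread's posted config (ACL numbers and the
# next-hop are the poster's); only the entries the check needs are included.
CONFIG = """
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.4.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 122 permit ip 10.0.1.0 0.0.0.255 10.0.4.0 0.0.0.255
route-map proxy permit 10
 set ip next-hop 10.0.4.207
"""

def _net(addr, wildcard):
    """IOS wildcard (inverted mask) -> IPv4Network."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    mask_str = str(ipaddress.IPv4Address(mask))
    return ipaddress.IPv4Network((addr, mask_str), strict=False)

def _spec(tokens):
    """Consume one src/dst spec: 'any', 'host X', or 'X wildcard'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]

def parse_acls(text):
    """{acl: [(action, src_net, dst_net), ...]} for extended 'ip' entries only."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, rest = _spec(t[4:])
        dst, _ = _spec(rest)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def acl_action(entries, src, dst):
    """First match wins; IOS implicit deny if nothing matches."""
    for action, s, d in entries:
        if src in s and dst in d:
            return action
    return "deny"

def check_next_hop(text, inside_host):
    """Is the PBR next-hop NAT-exempt (ACL 101 deny) and tunnel traffic (ACL 122 permit)?"""
    acls = parse_acls(text)
    hop = ipaddress.IPv4Address(re.search(r"set ip next-hop (\S+)", text).group(1))
    src = ipaddress.IPv4Address(inside_host)
    natted = acl_action(acls.get("101", []), src, hop) == "permit"
    in_vpn = acl_action(acls.get("122", []), src, hop) == "permit"
    return {"next_hop": str(hop), "natted": natted, "in_vpn": in_vpn,
            "ok": not natted and in_vpn}
```

Run the check from each remote site's point of view; a result with natted True or in_vpn False means that site cannot deliver redirected traffic to the proxy over the tunnel as configured.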