Hi, a bit of a weird setup here. We have four sites, which we'd ideally all like to go to one central site for web blocking/proxying. We're using route-maps to redirect the traffic to a squid server in the central site.
It works fine in the central site, but no other site's traffic is being redirected. All of the 837 routers are using NAT, and the next-hop address in the route-map points to a NATed address on the central site - could this be the problem? Or am I asking too much of the route-map facility?
Here's a sample of the access-list and route-map setup:
! Interface-level commands from the branch LAN interface (the interface name
! and the body of route-map "proxy" are not included in the post)
ip address 10.0.1.1 255.255.255.0
no ip proxy-arp
! LAN side is the NAT "inside"; the outside interface is not shown
ip nat inside
! CBAC inspection of traffic entering from the LAN
ip inspect myfw in
! Clamp the TCP MSS to leave room for GRE/IPsec tunnel overhead
ip tcp adjust-mss 1350
! Policy routing is applied on this interface, so only transit traffic
! arriving here is evaluated against route-map "proxy"
ip policy route-map proxy
no cdp enable
hold-queue 100 out
! Standard ACL: single admin host at the central site
access-list 10 remark Admin Networks
access-list 10 permit 10.0.4.2
! Extended ACL: the IPsec (ESP/ISAKMP) and GRE tunnel from the central site,
! two TCP services from it, and the central LAN (10.0.4.0/24) to the branch
! LAN (10.0.1.0/24). "central" and "xxx" are as posted.
access-list 100 permit esp host central host xxx
access-list 100 permit udp host central host xxx eq isakmp
access-list 100 permit gre host central host xxx
access-list 100 permit tcp host central host xxx eq 15868
access-list 100 permit tcp host central host xxx eq www
access-list 100 permit ip 10.0.4.0 0.0.0.255 10.0.1.0 0.0.0.255
The "next-hop" address must be the address reachable by the central site. A NATed IP address as the next hop does not make any sense to me. The NATed address is only for the user traffic travelling between the NAT interfaces.
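The pattern the reply is pointing at, as an added example that is not from the original thread: the branch router steers LAN web traffic to the far end of the existing GRE/IPsec tunnel (an adjacent, un-NATed address), and the central router applies the same policy to what arrives from the tunnel and hands it to the Squid box. Only the branch LAN 10.0.1.0/24, the central network 10.0.4.0/24 and the route-map name "proxy" come from the post; the interface names, tunnel numbering and addressing (172.16.0.0/30 for the tunnel, 203.0.113.1 for the central public address, 10.0.4.10 for Squid) are assumptions, as is Squid running in interception mode.

```cisco
! ===== Branch router (the 837 in the thread) =====
! Assumed: LAN is Ethernet0 (10.0.1.0/24), Internet-facing interface is
! Dialer1, GRE tunnel to the central site is Tunnel0 (172.16.0.0/30),
! central public address is 203.0.113.1 (documentation range, placeholder).
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source Dialer1
 tunnel destination 203.0.113.1
!
! Return and inter-site traffic must have a route through the tunnel.
ip route 10.0.4.0 255.255.255.0 Tunnel0
!
! Only client web traffic from the LAN is policy-routed. Traffic already
! headed for the central site or any other private network is denied
! first so it follows the normal routing table.
ip access-list extended WEB-TO-PROXY
 deny   tcp 10.0.1.0 0.0.0.255 10.0.4.0 0.0.0.255
 deny   tcp 10.0.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit tcp 10.0.1.0 0.0.0.255 any eq www
!
! The next hop is the far end of the point-to-point tunnel: adjacent,
! reachable without NAT, and unaffected by the NAT on the outside
! interface. It is neither the Squid server nor a public address.
route-map proxy permit 10
 match ip address WEB-TO-PROXY
 set ip next-hop 172.16.0.1
!
interface Ethernet0
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip policy route-map proxy
!
! ===== Central router =====
! Assumed: LAN is FastEthernet0/0 (10.0.4.0/24), Squid is 10.0.4.10 and
! intercepts port 80 itself, tunnel end toward this branch is 172.16.0.1.
!
! PBR only moves a packet one hop. Without a policy on the tunnel
! interface the central router would route the branch's web traffic
! straight out to the Internet, bypassing Squid.
ip access-list extended WEB-TO-PROXY
 ! Squid's own upstream fetches must not be bounced back to Squid
 deny   tcp host 10.0.4.10 any
 deny   tcp any 10.0.0.0 0.255.255.255
 permit tcp any any eq www
!
route-map proxy permit 10
 match ip address WEB-TO-PROXY
 set ip next-hop 10.0.4.10
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip policy route-map proxy
!
interface FastEthernet0/0
 ip address 10.0.4.1 255.255.255.0
 ip policy route-map proxy
!
ip route 10.0.1.0 255.255.255.0 Tunnel0
```

To check it on the branch, `show route-map proxy` reports "Policy routing matches" counters that should climb while a LAN client browses, and `debug ip policy` prints one line per packet saying either "policy match" followed by the next hop or "policy rejected -- normal forwarding". `show ip route 172.16.0.1` should resolve to the directly connected Tunnel0; a next hop that is only reachable through the default route sends the packet out the same outside interface it would have used anyway, so nothing visibly happens, which is the symptom described in the question. The ACL above matches only port 80, as the thread's `eq www` does; HTTPS is not caught by this and cannot be transparently proxied by simply adding port 443 to the list.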