Cisco Support Community
Community Member

PBR of local traffic with NAT

I have a router with a cable modem uplink (static /32 IP -- but I could ask for a second IP), which has a VPN (GRE) to a colocated router that provides Internet connectivity (full table/default route).

For guest wifi, and other RFC1918 type needs, I PBR most of that to take the cable modem interface (is NAT'd).  The RFC1918 can also be NAT'd over the GRE, which is the default destination based routing path. The majority of traffic is the public IP space, routed over the GRE, hence this routing policy logic.  The cable modem interface also NATs my public IPs, in case the GRE is lost (yes, the public IP space cannot be reached inbound, but the hosts can get out at least).  This all works fine and as designed.  I don't figure anyone needs to see the configs.

My problem... the cable modem interface cannot be reached from anything except the GRE interface (when up = when the full table/default route exists over that path).  I'd want to be able to ping the interface from the outside.  How?

What happens is the ping reply is sourced from the interface, but egresses out the GRE (Internet route), and fails RPF check (actually my ACL before that) because it's sourced from IP space not valid to that provider.  Sure, I can add a static route (to take the cable modem next hop) to the host I want to connect, but that has other issues (and doesn't scale -- I may want to ping/connect from random hosts).

Can I have a local PBR policy say that anything sourced from that IP address (interface) must exit that interface?  (eg, ping echo reply -- is that considered locally originated traffic?)  I haven't figured out the PBR logic to accomplish this.
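One way to express the "anything sourced from the cable modem interface address must leave via the cable modem" rule is with a local policy route-map, which IOS applies to packets the router itself generates (the router's own ICMP echo replies are router-generated, so they are subject to it). The configuration below is an added illustration, not the poster's config or a Cisco-supplied answer; the interface name, the /32 address 203.0.113.10 and the cable provider next hop 203.0.113.1 are placeholders from the documentation range and must be replaced with the real values.

```cisco
! Assumed placeholders: the cable modem interface holds 203.0.113.10/32
! and the provider's next hop on that link is 203.0.113.1.

! Match only traffic the router sources from the cable modem address;
! everything else (GRE-sourced, transit, RFC1918) falls through untouched.
ip access-list extended LOCAL-FROM-CABLE
 permit ip host 203.0.113.10 any

! Route-map used for router-originated packets: force the cable next hop
! for the matched source.  If that next hop becomes unreachable (link down),
! IOS falls back to normal destination-based routing for the packet.
route-map LOCAL-PBR permit 10
 match ip address LOCAL-FROM-CABLE
 set ip next-hop 203.0.113.1

! Apply it to locally generated traffic (this is separate from the
! per-interface "ip policy route-map" used for transit/LAN traffic).
ip local policy route-map LOCAL-PBR
```

With this in place an echo request arriving on the cable interface from the Internet gets its reply sent back out the same link instead of over the GRE, so it no longer hits the source-address ACL or the colocation provider's RPF check. It is worth confirming the behaviour with `show route-map LOCAL-PBR` (the policy counters increment for matched replies) and `debug ip policy` while pinging the interface from an outside host, and keeping the match narrow to the interface's own address so that traffic the router sources from the public block continues to follow the GRE path.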
