Policy based routing on ports

I have a need to configure PBR on my network but I only want to use it for two ports, 80 and 443, the rest of the traffic should follow the normal routing rules. I have two networks the voice 10.10.x.x network and data 192.168.x.x network. I want all voice traffic to go across the WAN while all data traffic goes through a VPN connection. All of this is working fine except when a PC wants to access a web page that is on the 10.10.1.x network. It goes across the WAN from the remote branch because the routers know about the 10.10.1.x network but when the server on the 10.10.1.x network responds back it is being sent over the VPN connection because the routers do not know how to get to the 192.168.7.x network so it sends it to the firewall. I have configured PBR on the network now but I can only seem to get it to work when I specify the whole network range. I want to use PBR for port 80 and 443 only. Here is my working config and what I want to do.

interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.1.250 255.255.255.0
 ip policy route-map ccm-web
!
access-list 162 permit ip host 10.10.1.10 192.168.2.0 0.0.0.255
access-list 162 permit ip host 10.10.1.11 192.168.2.0 0.0.0.255
access-list 163 permit ip host 10.10.1.10 192.168.3.0 0.0.0.255
access-list 163 permit ip host 10.10.1.11 192.168.3.0 0.0.0.255
access-list 164 permit ip host 10.10.1.10 192.168.4.0 0.0.0.255
access-list 164 permit ip host 10.10.1.11 192.168.4.0 0.0.0.255
access-list 165 permit ip host 10.10.1.10 192.168.5.0 0.0.0.255
access-list 165 permit ip host 10.10.1.11 192.168.5.0 0.0.0.255
access-list 167 permit ip host 10.10.1.10 192.168.7.0 0.0.0.255
access-list 167 permit ip host 10.10.1.11 192.168.7.0 0.0.0.255
!
route-map ccm-web permit 12
 match ip address 162
 set ip next-hop 192.168.20.2
!
route-map ccm-web permit 13
 match ip address 163
 set ip next-hop 192.168.30.2
!
route-map ccm-web permit 14
 match ip address 164
 set ip next-hop 192.168.40.2
!
route-map ccm-web permit 15
 match ip address 165
 set ip next-hop 192.168.50.2
!
route-map ccm-web permit 17
 match ip address 167
 set ip next-hop 192.168.70.2

What I tried was:

access-list 161 permit tcp host 10.10.1.10 eq www 192.168.7.0 0.0.0.255 eq www
access-list 161 permit tcp host 10.10.1.10 eq 443 192.168.7.0 0.0.0.255 eq 443

and so on but it did not work for me. Is what I am trying to do possible? What am I doing incorrectly?

1 REPLY
Re: Policy based routing on ports

Try the following ACL instead of what you used initially:

access-list 161 permit tcp host 10.10.1.10 eq www 192.168.7.0 0.0.0.255
access-list 161 permit tcp host 10.10.1.10 eq 443 192.168.7.0 0.0.0.255

Only the web-server will be using the www/443 ports. Your clients will be using a random port > 1023.

Hope that helps - pls rate the post if it does.

Paresh
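To make the reasoning in the reply concrete, here is an added example (not from the thread, and not Cisco code): a small Python model of how IOS evaluates the extended ACL lines posted above against a packet, and how a PBR route-map picks a next hop from the first matching sequence. It parses the exact `access-list` syntax used in this thread (host, wildcard mask, `eq` port keywords) and runs both the original attempt and the corrected ACL against a constructed return packet from the web server. The client address 192.168.7.50 and the ephemeral ports 51234/51235 are assumed values chosen for the demonstration; the next hop 192.168.70.2 is the one from the poster's route-map sequence 17.

```python
"""Model of Cisco IOS extended-ACL matching and PBR next-hop selection.

Added example for this thread, not Cisco code. It exists to show why an
ACL that requires 'eq www' on BOTH source and destination never matches
the server's reply (the client side is an ephemeral port), while an ACL
that qualifies only the server-side port does.
"""
import ipaddress

# Subset of the IOS port keywords accepted after 'eq'.
PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "domain": 53}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _parse_addr(tokens, i):
    """Parse 'host A', 'any', or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def _parse_port(tokens, i):
    """Optional 'eq PORT' qualifier; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse one 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' line."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: %r" % line)
    action, proto = t[2], t[3]
    src, swc, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, dwc, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"action": action, "proto": proto, "src": (src, swc),
            "sport": sport, "dst": (dst, dwc), "dport": dport}


def _addr_match(spec, addr):
    base, wildcard = spec          # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (base | wildcard)


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (_addr_match(ace["src"], pkt["src"]) and _addr_match(ace["dst"], pkt["dst"])):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt["sport"]:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt["dport"]:
        return False
    return True


def acl_permits(acl_lines, pkt):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"] == "permit"
    return False


def pbr_next_hop(route_map, pkt):
    """route_map: list of (acl_lines, next_hop). First permitting sequence wins;
    None means the packet falls through to normal destination-based routing."""
    for acl_lines, next_hop in route_map:
        if acl_permits(acl_lines, pkt):
            return next_hop
    return None


# The two ACL variants from the thread.
ORIGINAL_ATTEMPT = [
    "access-list 161 permit tcp host 10.10.1.10 eq www 192.168.7.0 0.0.0.255 eq www",
    "access-list 161 permit tcp host 10.10.1.10 eq 443 192.168.7.0 0.0.0.255 eq 443",
]
CORRECTED = [
    "access-list 161 permit tcp host 10.10.1.10 eq www 192.168.7.0 0.0.0.255",
    "access-list 161 permit tcp host 10.10.1.10 eq 443 192.168.7.0 0.0.0.255",
]
NEXT_HOP_BRANCH7 = "192.168.70.2"   # from route-map ccm-web sequence 17

# Constructed packets (assumed client address and ephemeral ports):
# the server's HTTPS reply, and a non-web reply that should NOT be policy-routed.
HTTPS_REPLY = {"proto": "tcp", "src": "10.10.1.10", "dst": "192.168.7.50", "sport": 443, "dport": 51234}
SSH_REPLY = {"proto": "tcp", "src": "10.10.1.10", "dst": "192.168.7.50", "sport": 22, "dport": 51235}


def demo():
    return {
        "original_attempt": pbr_next_hop([(ORIGINAL_ATTEMPT, NEXT_HOP_BRANCH7)], HTTPS_REPLY),
        "corrected_https": pbr_next_hop([(CORRECTED, NEXT_HOP_BRANCH7)], HTTPS_REPLY),
        "corrected_other": pbr_next_hop([(CORRECTED, NEXT_HOP_BRANCH7)], SSH_REPLY),
    }


if __name__ == "__main__":
    for name, hop in demo().items():
        print(name, "->", hop or "normal routing")
```

The original attempt returns no next hop because the second `eq` can only match a client whose destination port is 80 or 443, which never happens for a reply; the corrected ACL steers the HTTPS reply to 192.168.70.2 and lets the SSH reply fall through to the routing table. On the router, `show route-map ccm-web` reports per-sequence policy-routing match counters, which is the quickest way to confirm that the port-restricted sequence is actually being hit; note that a PBR ACL only selects what is steered, it does not filter, so unmatched traffic keeps following the existing VPN path.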
