route-map not working

agcastle2000
Level 1

Hi,

Can somebody help me why PBR on my configuration below doesn't work?

I can ping 20.20.20.1 from router but for some reason PBR just doesn't work.

20.20.20.1 is what I assigned to the Ethernet int. of the ADSL modem/router (Aztech ADSL Ethernet Hub (DSL600EU)), which is connected to 20.20.20.2 of fa0/1.

221.221.221.73 is the PAT address from the ASA which is behind the router.

I don't know if the Aztech has something to do with it.

interface FastEthernet0/0
 ip address 221.221.221.70 255.255.255.248
 ip policy route-map ADSL
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 20.20.20.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 221.221.50.50 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 221.221.96.241
!
access-list 110 permit ip host 221.221.221.73 any
!
route-map ADSL permit 10
 match ip address 110
 set ip next-hop 20.20.20.1

Anything that can point me to resolve the issue is much appreciated.

Thx, Archie

14 Replies

Does this router know how to get to 221.221.221.73? 221.221.221.70/29, configured on the f0/0 int, doesn't cover 221.221.221.73; hence, you need to have a route for this address to be forwarded to your ASA. What's the IP address of the ASA and how is it connected to this device?

Thanks for your reply.

What exactly do you mean by "Does this router know how to get to 221.221.221.73"?

In my ASA I have these lines if this is what you're trying to ask:

global (outside) 1 221.221.221.73
nat (inside) 1 10.10.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 221.221.221.70 1

Basically, Internet is working from the inside private network with the Serial interface. For example, when the line below is removed from the F0/0 of the router: "ip policy route-map ADSL" Internet is working again.

Please shed more light to what you said - "221.221.221.70/29, configured on f0/0 int, doesn't cover 221.221.221.73 hence, you need to have a route for this address to be forwarded to your ASA." I would have thought that the route command in the ASA as mentioned above should cover that.

ASA is behind the 2811 router and behind the ASA is the private network. Outside int of the ASA has the same range of address from ISP - 221.221.221.71 255.255.255.248

I'm not quite sure though if I have to assign a static IP on the F0/1 of the router and the Eth of the ADSL.

20.20.20.1 of the ADSL and 20.20.20.2 of F0/1 are just IPs that I assigned.

I'm desperate to get the ADSL up and running. If necessary, I can change access-list 110 such that it will be only for www, ftp, https, ftp-data.

Can you please provide the show version and show ip route output here?

What Sundar means is that 221.221.221.70/29 belongs to the 221.221.221.64/29 subnet and 221.221.221.73 belongs to 221.221.221.72/29, which is not the same subnet between the two devices.

So the ACL 110 does not work due to the subnet mismatch.

Can you try to ping between the ASA and the router?

Moreover, the router is using a /29 mask but the ASA is using a /24 mask. I suggest making them the same mask and within the same subnet.

Hope this helps.

agcastle2000
Level 1

Hi,

I put dummy IPs without paying attention on subnetting and my apologies if this has caused confusion. Yes ASA can ping 83.111.124.73 which is the inside int. of the router. Attached is the config with the real IP addresses of the fa0/0, fa0/1 and 83.111.124.75 in the Access-list 100. 83.111.124.75 is also a real IP in the "global (outside) 1 83.111.124.75" command of the ASA.

83.111.124.75 and 83.111.124.73 are IPs assigned to us by the ISP.

Thanks for your input.

Regards, Archie

Sorry, I can't find the problem and verify it myself. However, according to the configuration, I assume you want the traffic of host 83.111.124.75 from FE0/0 to be forwarded to 20.20.20.1.

If that is the case, you can simplify the configuration as below:

no access-list 110
no route-map ADSL permit 10
access-list 1 permit host 83.111.124.75
route-map ADSL permit 10
 match ip address 1
 set ip next-hop 20.20.20.1
interface FastEthernet0/0
 ip policy route-map ADSL

The above suggestion means that when the source is 83.111.124.75, the next-hop should be 20.20.20.1. Please try it and advise the result.

Hope this helps.

Thanks. I tried what you suggested and it still didn't work. Could it be possible that the issue could be related to the Aztech ADSL modem/router?

In another branch which is connected to the same ISP, I added "ip policy route-map...." (just to test) on the inside int. of the router and the rest of the cmd lines required for PBR, and Internet continues to work. The only difference in that branch office is that ADSL is the only connection to the Internet (no Serial int.), it's connected to a plain Linksys ADSL2 Modem and there is no PIX/ASA behind the router. I'm trying to explain this to give you a hint where the problem could be.

Anyway, I already ordered another Linksys modem and we'll see if it will resolve the issue.

Thanks.

If you issue the commands:

show ip access-list 110
show route-map ADSL

Do you see any matches against the ACL or the route-map? Has anything been policed?

Please let me know your feedback,

Regards,

Also, try debug ip policy; it will tell you exactly whether or not the policy was applied, and why.

If you want, send me the debug and I will check it for you.

Regards,

I don't think it is related to the external device. Can you also provide the trace route result from that host to the outside?

Keep us posted with the progress.

Regards,

Hi,

I have now the Linksys modem and it still is not working. You're right, it has nothing to do with the external device.

There are hits in show access-l and sh route-map ADSL.

In the route-map ADSL permit 10 line, I already tried set interface fa0/1 and set ip next-hop 20.20.20.1, and both don't work.

My basic knowledge of PBR tells me that the best place to put the ip policy is in the inside router which in this case is the fa0/0.

Did I miss anything as far as routing is concerned? I don't have any Cisco cert and I learned the CLI only through experience.

Please don't lose your patience with me.

Regards,

Archie

Don't worry, we will try our best to help. It is not related to being certified or not. It is related to the hearts of people who are willing to share knowledge with others.

Your concept is partially correct: PBR should be applied to the interface whose incoming traffic will be redirected to an IP / interface that does not follow the routing table. In your case, yes, you are correct to apply it at FE0/0.

PBR will not work if the next-hop is not available. However, whenever your FE 0/1 is up, it will always work.

Could you please try to ping 20.20.20.1 from your router and from the host at FE 0/0? I suspect the remote end may not have a proper route to return the traffic via 20.20.20.2.

If there is no return path, you may add PBR at the remote end or add the static route below. It depends on the situation and requirement.

ip route 83.111.98.241 255.255.255.255 20.20.20.2

Could you please provide the routing protocol part of the 20.20.20.1 router?

If you are still not able to find the problem, please debug the IP policy. Please check the link below for the debug command.

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00801f3b54.shtml

Hope this helps.
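To make the two checks from the replies above concrete (is the PBR next-hop on a connected subnet, and does the remote ADSL modem/router have a route back via 20.20.20.2), here is an added example that is not code from the thread. It models the 2811 with the dummy addresses from the first post; the modem's routing table and the /32 return route for the policy-routed source are constructed assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Added example, not from the original posts. A routing table is a list of
# (prefix, via); `via` is an interface name for connected routes or a next-hop
# IP string otherwise.

def lookup(table, dst):
    """Longest-prefix match: return (network, via) for dst, or None."""
    dst = ip_address(dst)
    best = None
    for prefix, via in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best

def is_interface(via):
    """True when `via` names an interface rather than a next-hop IP."""
    try:
        ip_address(via)
    except ValueError:
        return True
    return False

# The 2811 from the posted config: two connected subnets plus the default route.
ROUTER = [
    ("221.221.221.64/29", "FastEthernet0/0"),
    ("20.20.20.0/24", "FastEthernet0/1"),
    ("0.0.0.0/0", "221.221.96.241"),
]
PBR_SOURCE = "221.221.221.73"   # host matched by access-list 110
PBR_NEXT_HOP = "20.20.20.1"     # set ip next-hop in route-map ADSL

def router_forward(src, dst, ingress="FastEthernet0/0"):
    """Where the 2811 sends a packet: PBR on fa0/0 wins only when its
    next-hop is directly connected; otherwise the routing table decides."""
    if ingress == "FastEthernet0/0" and ip_address(src) == ip_address(PBR_SOURCE):
        hit = lookup(ROUTER, PBR_NEXT_HOP)
        if hit and is_interface(hit[1]):
            return hit[1]                      # policy-routed out fa0/1
    return lookup(ROUTER, dst)[1]              # default route next-hop

def return_path_ok(modem_table, src=PBR_SOURCE):
    """Does the modem send replies for `src` back towards 20.20.20.2?"""
    hit = lookup(modem_table, src)
    return hit is not None and hit[1] == "20.20.20.2"

# Constructed modem tables: only its LAN plus a default to the ISP, and the
# same table with a host route for the policy-routed source via 20.20.20.2.
MODEM_BEFORE = [("20.20.20.0/24", "LAN"), ("0.0.0.0/0", "ADSL")]
MODEM_AFTER = MODEM_BEFORE + [(PBR_SOURCE + "/32", "20.20.20.2")]
```

Without the host route, replies for the policy-routed source follow the modem's default towards the ISP instead of 20.20.20.2, which matches the "no return path" diagnosis in the reply.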

Did you trace route to see how the traffic is being routed? All I can see is that outgoing traffic for this particular IP is being sent to the interface you want. However, the problem is from the hop after your router. Therefore, you have no problem. I can advise you to do a trace route and it will show you that PBR is working fine and the problem is on the other end.

Let me know how it goes,

Regards,
