
routing problem

Hello, I have two routers that each have 2 connections: Internet and a point to point connecting to each other. I am trying to route from our 10.0.1.0 lan to a new private network: 192.168.10.0. This new network branches off the firewall on 10.0.0.0 and is not directly attached to either router. The policy below was already in place...

access-list 198 permit ip 10.0.1.0 0.0.0.255 any
access-list 199 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
route-map ToSonicwall permit 10
 match ip address 199
 set ip default next-hop 10.1.1.1
!
route-map ToSonicwall permit 20
 match ip address 198
 set ip next-hop 10.0.1.254
 set ip default next-hop 10.0.1.254

I tried adding a simple route statement as follows:

ip route 192.168.10.0 255.255.255.0 10.0.0.0

For some reason unknown to me, this caused traffic to go through the firewall at 10.0.1.254, which I don't want. The problem is that the traffic shows up at the destination firewall as coming from the outside interface of the other firewall and gets dumped as an IP spoof.

Tracing route to ftp01 [192.168.10.6]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  10.0.1.253
  2     1 ms    28 ms    32 ms  10.1.1.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.

I tried to add a new policy:

access-list 197 permit ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 198 permit ip 10.0.1.0 0.0.0.255 any
access-list 199 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
route-map ToSonicwall permit 5
 match ip address 197
 set ip default next-hop 10.1.1.1
!
route-map ToSonicwall permit 10
 match ip address 199
 set ip default next-hop 10.1.1.1
!
route-map ToSonicwall permit 20
 match ip address 198
 set ip next-hop 10.0.1.254
 set ip default next-hop 10.0.1.254

This did not help; it just sends the 192.168.10.0 traffic to the Internet.

Any help would be appreciated, Thanks!

1 REPLY
Hall of Fame Super Bronze

Re: routing problem

The route-map (PBR) will take precedence over any dynamic or static routing implemented.

You have ACL 198 in the first example that states any traffic from 10.0.1.0/24 to any destination should use gateway 10.0.1.254.

If you don't want 10.0.1.0/24 to go via this gateway when trying to reach the 192.168.10.0/24 network, you must create a deny in ACL 198:

access-list 198 deny ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 198 permit ip 10.0.1.0 0.0.0.255 any

HTH,

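The reply's point is easy to check by replaying the route-map on paper, so here is a small Python model of IOS PBR evaluation that does exactly that. It is an added example, not code from the thread or from Cisco: it parses the access-list lines from the post, evaluates route-map ToSonicwall first-match, and reports which next hop a packet from 10.0.1.10 to 192.168.10.6 gets before and after the deny the reply suggests. The IOS semantics it assumes are: the first sequence whose match ACL permits the packet wins; a deny ACE in the match ACL makes that ACL not match (the sequence is skipped, the packet is not dropped); `set ip next-hop` is applied whenever the sequence matches; `set ip default next-hop` is applied only when the routing table has no explicit, non-default route for the destination. The default route next hop (10.0.1.254), the source host 10.0.1.10 and the Internet address 203.0.113.9 are constructed for the example; the static route for 192.168.10.0/24 is taken verbatim from the post.

```python
"""Toy model of Cisco IOS policy-based routing (PBR) evaluation.

Constructed example, not code from the thread or from Cisco. It replays
route-map ToSonicwall from the post against a packet for 192.168.10.6,
first with the original ACL 198 and then with the deny from the reply.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a & ~w) & 0xFFFFFFFF) == ((b & ~w) & 0xFFFFFFFF)


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def parse_acls(config: str) -> dict:
    """Parse 'access-list N permit|deny ip SRC WC|any DST WC|any' lines."""
    acls: dict = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        num, action, rest = tok[1], tok[2], tok[4:]   # tok[3] is "ip"
        fields = []
        while rest:
            if rest[0] == "any":                       # any == 0.0.0.0 255.255.255.255
                fields += ["0.0.0.0", "255.255.255.255"]
                rest = rest[1:]
            else:
                fields += rest[:2]
                rest = rest[2:]
        acls.setdefault(num, []).append(Ace(action, *fields))
    return acls


def acl_permits(aces, src: str, dst: str) -> bool:
    """Sequential ACE evaluation with the implicit deny at the end."""
    for ace in aces:
        if ace.matches(src, dst):
            return ace.action == "permit"
    return False


@dataclass
class Sequence:
    acl: str
    next_hop: Optional[str] = None          # set ip next-hop
    default_next_hop: Optional[str] = None  # set ip default next-hop


def rib_lookup(rib, dst: str):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    best = None
    for prefix, nh in rib:
        net = ipaddress.ip_network(prefix)
        if ipaddress.IPv4Address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def forward(route_map, acls, rib, src: str, dst: str):
    """Return (reason, next_hop): first matching sequence wins, else the RIB."""
    for seq in route_map:
        if not acl_permits(acls[seq.acl], src, dst):
            continue                                   # deny or no match: skip sequence
        if seq.next_hop:
            return ("pbr", seq.next_hop)               # unconditional override
        route = rib_lookup(rib, dst)
        if seq.default_next_hop and (route is None or route[0].prefixlen == 0):
            return ("pbr-default", seq.default_next_hop)  # only when no explicit route
        return ("rib", route[1] if route else None)
    route = rib_lookup(rib, dst)
    return ("rib", route[1] if route else None)


# route-map ToSonicwall as posted (sequences 10 and 20).
ROUTE_MAP = [
    Sequence("199", default_next_hop="10.1.1.1"),
    Sequence("198", next_hop="10.0.1.254", default_next_hop="10.0.1.254"),
]

ORIGINAL_ACLS = """
access-list 198 permit ip 10.0.1.0 0.0.0.255 any
access-list 199 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
"""

# ACL 198 with the deny the reply suggests, inserted before the permit.
FIXED_ACLS = """
access-list 198 deny ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 198 permit ip 10.0.1.0 0.0.0.255 any
access-list 199 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
"""

# Routing table: the static route exactly as in the post, plus an assumed default.
RIB = [("192.168.10.0/24", "10.0.0.0"), ("0.0.0.0/0", "10.0.1.254")]


def decide(acl_config: str, src: str, dst: str):
    return forward(ROUTE_MAP, parse_acls(acl_config), RIB, src, dst)


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_ACLS), ("with deny", FIXED_ACLS)):
        print(label, "10.0.1.10 -> 192.168.10.6:", decide(cfg, "10.0.1.10", "192.168.10.6"))
        print(label, "10.0.1.10 -> 203.0.113.9:", decide(cfg, "10.0.1.10", "203.0.113.9"))
```

With the original ACL 198, sequence 20 matches the 192.168.10.6 flow and its unconditional `set ip next-hop 10.0.1.254` fires, so the static route is never consulted, which is the behaviour the reply describes. With the deny in place, sequence 20 no longer matches that flow, the packet falls through to the routing table, and Internet-bound traffic from 10.0.1.0/24 still goes to 10.0.1.254 as before. Note that the deny in a PBR match ACL is not a filter: it only withdraws the flow from that sequence. Check the result on the box with `show route-map ToSonicwall` and `debug ip policy` for a single test host, and verify the static route's next hop is a reachable host address on a connected subnet before relying on it.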