Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Source AND destination routing

Hi.

I need to apply source AND destination routing on my 29XX router.

In genereal the scenario is as follows:

- a TCP SYN comes from Internet to a public address in the pool I owe.

- I need to route this packet (and the rest of communication) to one of my internal servers based on: srcIP and port, dstIP and port.

- public dstIP of TCP SYN can be used by many external hosts

- srcIP is static (I know it before it sends any packet and it won't change)

An ideal solution would be routing based on extended ACL but as far as I know I can only route based on:

A) destination IP (classic routing)

B) source IP (policy routing)

Makeing long story short: I need A + B.

Example:

     TCP SYN s=1.1.1.1.64543 d=9.9.9.9.80 ==> s=1.1.1.1.64543 d=172.16.250.1.23

     TCP SYN s=1.1.1.1.44543 d=9.9.9.9.69 ==> s=1.1.1.1.44543 d=172.16.250.100.53

     TCP SYN s=2.2.2.2.34943 d=9.9.9.9.80 ==> s=2.2.2.2.34943 d=172.16.250.200.22

where values in brown are known before connection.

Note: I tried PAT but I was not able to use '1.1.1.1' for multiple rules. I cannot invert inside and outside NAT interfaces (so Internet would be my inside) because I need to use a 'normal' NAT for other services (located on the same subnet).

Note: In example I used well-known ports but I mean to use a solution for different service.

Any advice would be welcomed.

Thanks.

Everyone's tags (3)
2 REPLIES

Re: Source AND destination routing

An ideal solution would be routing based on extended ACL but as far as I know I can only route based on:

Are you familiar with the concept of policy based routing (PBR)?

You can create an (extended) ACL to define the interesting traffic and based on that you can overwirte the next-hop for the default route or for a particular route of the local routing table.

Is this what your're looking for?

Best regards

Rolf

P.S.. Not sure if that works in combination with NAT, never tried that so far.

Re: Source AND destination routing

Rolf.

I already tried it - it was my initial approach.

You can apply extended access list to policy routing but only source part of it is processed - destination IP address in ACL is ignored. In additon I do not know source TCP port :/

Regarding NAT and policy routing: it works as long as you keep in mind NAT order of operation (http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml).

Thanks for post.

W.

543
Views
4
Helpful
2
Replies
CriarFaça o para criar o conteúdo