Policy Based Routing and/or NAT

Discussion in 'Cisco' started by HangaS, May 7, 2008.

  1. HangaS

    HangaS Guest

    Hi,

    I'm trying to replace this Linux GW with a Cisco 877, however I'm having a bit of a hard time implementing Policy Based Routing together with NAT depending on the policy.


    I'll explain:

    This was the previous setup:


                                        | Linux GW  | ---> Network 1
    ADSLoISDN --- | cisco 836 | ------> | IP Tables | ---> Network 2
                                        |           | ---> Network 3


    The Linux GW routed all three networks among themselves and to the ADSLoISDN.
    There are some policies on the internal routing but all can use the default GW
    on the Linux GW, which is the cisco 836.

    Now I just got a new cisco 877 and an extra ADSL2+ access and want some of the
    internal networks to use one connection and others to use the other.
    I wanted even to make it possible that a particular host on the internal network
    or a particular destination uses a specific network.

    Basically I want to be able to choose which WAN access to use depending
    on either source, destination or some other policy.



    So this is my intended setup to begin with


    IPoATM ---------------------------------\
                                             v
    ADSLoISDN --- | cisco 836 | ------> | cisco 877 | ---> Network 1 (VLAN x)
                                        |           | ---> Network 2 (VLAN y)
                                        |           | ---> Network 3 (VLAN z)


    The 836 already does the NAT of what's routed to it.
    Now I wanted to, let's say, be able to route network 1 to the c836, so it can do the NAT to its WAN,
    or directly NAT network 2 to the WAN of the 877.



    This is what I'm trying now:


    interface Vlan1
    ip address 192.168.200.2 255.255.255.0
    no ip redirects
    ip route-cache flow
    !

    interface Vlan11
    description SECURE-LAN
    ip address 192.168.1.254 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    !
    interface Vlan12
    description DEVEL-LAN
    ip address 192.168.2.254 255.255.255.0
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    !
    interface Vlan13
    description SECURE-LAN
    ip address 192.168.3.254 255.255.255.0
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    !

    interface BVI1
    ip address dhcp
    ip nat outside
    ip virtual-reassembly


    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    access-list 101 permit ip 192.168.2.0 0.0.0.255 any
    access-list 102 permit ip 0.0.0.0 255.255.255.0 any

    ip nat inside source route-map internet interface BVI1 overload


    route-map internet permit 10
    match ip address 101
    !

    # This gives me NAT on hosts connected to the networks of VLAN 11 and VLAN 12 as expected
    # Now I was expecting that the next part would route everything to the c836

    route-map internet permit 20
    match ip address 102
    set ip default next-hop 192.168.200.1


    I can ping the 836 from the 877.

    I also tried to use just plain routing of everything to the 836 and it also works.
    Now what I wanted is to route some things and NAT others depending on source or destination.


    What path should I take?

    I considered creating a sort of virtual interface in the 877 and routing
    things to the virtual interface or the 836 depending on policies.

    I would then remove the 'ip nat inside' from the VLAN interfaces
    and move it to that virtual interface. Does this look feasible or is there a
    simpler way?
     
    HangaS, May 7, 2008
    #1

  2. HangaS

    HangaS Guest

    One more thing.


    I also tried another thing:

    keep only the

    route-map internet permit 10
    match ip address 101

    So that it only NATs the networks in the access list.
    But what happens to the packets that are not permitted to NAT,
    don't they proceed to the routing "layer"?

    Cos I tried to set up a global default GW with

    ip default-gateway 192.168.200.1

    hoping that the "not permitted" packets would then follow on this
    bucket. But that doesn't happen.


    This is maybe a trivial issue, but I'm not very familiar with the IOS
    inner workings. As I said, I was an IPTables guy. :)
     
    HangaS, May 7, 2008
    #2

  3. HangaS

    HangaS Guest

    I got it to work.

    I was just not applying the route-map to the VLAN interfaces.

    So I removed all static route entries and applied a route map to the
    interface.

    I have one route map for the NAT and another for the routing. If the
    routing-related route-map does not permit it, then the packet proceeds
    to the routing.

    I was not sure of the order of operations within NAT but I got a
    clue from

    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

    Hope this may help someone.
    Cheers
     
    HangaS, May 7, 2008
    #3
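The split the last post describes, one route-map that only selects NAT and a separate PBR route-map bound to the VLAN interfaces, written out as an added example (this is not the poster's running configuration). It assumes BVI1 is the 877's own WAN, the 836 is reachable at 192.168.200.1 on Vlan1, the VLAN addressing from the thread, and a constructed host 192.168.2.10 as the "particular host" case.

```cisco
! Added example, not the thread's configuration. Assumes BVI1 = 877 WAN,
! 192.168.200.1 = cisco 836 on Vlan1, VLAN subnets as in the thread;
! the host 192.168.2.10 is a constructed value.
!
! 1. NAT route-map: selection only. IOS NAT honours match clauses in a
!    NAT route-map and ignores "set", so steering belongs elsewhere.
ip access-list extended NAT-VIA-877
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
!
route-map NAT-877 permit 10
 match ip address NAT-VIA-877
!
ip nat inside source route-map NAT-877 interface BVI1 overload
!
! 2. PBR route-map: decides the exit. Internal destinations are denied
!    first so inter-VLAN traffic keeps using the routing table and is
!    never pushed to the 836 (deny = "not policy routed", not "dropped").
ip access-list extended TO-836
 deny   ip any 192.168.1.0 0.0.0.255
 deny   ip any 192.168.2.0 0.0.0.255
 deny   ip any 192.168.3.0 0.0.0.255
 deny   ip any 192.168.200.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip host 192.168.2.10 any
!
route-map PBR-WAN permit 10
 match ip address TO-836
 set ip next-hop 192.168.200.1
!
! Packets not matched by sequence 10 fall through to normal routing
! (the DHCP default route on BVI1); only those in NAT-VIA-877 are
! translated there, and only because BVI1 is "ip nat outside".
!
! 3. PBR acts only once the route-map is bound to the ingress interface.
interface Vlan11
 ip policy route-map PBR-WAN
!
interface Vlan12
 ip policy route-map PBR-WAN
!
! Checks: match counters show which entry each flow hit, and the
! translation table should list VLAN 12/13 sources only.
! show ip policy
! show route-map PBR-WAN
! show ip nat translations
```

One caveat worth knowing from the second post: "ip default-gateway" is only consulted when IP routing is disabled on the box, so on a routing 877 it never acts as a fallback for packets a NAT route-map does not match.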
