Policy Based Routing

Discussion in 'Cisco' started by Scot, Apr 6, 2005.

  1. Scot

    Scot Guest

    Setup:



    T1                               Cable Modem
     |                                   |
     |                                   |
    |-----------------------------------|
    | S0/0                        Fa0/1 |
    | 172.16.10.30        192.168.10.10 |
    |                                   |
    |            Cisco 2621             |
    |                                   |
    |                                   |
    |         Fa0/0 10.10.10.8          |
    |-----------------------------------|
                      |
                      |

    Internal Network


    Everything routes out of the T1 currently. I was assigned a dynamic
    reserved address from the cable modem, so I get the following information
    from the ISP of the cable modem. I am able to ping the default gateway and
    see the packet count go up by that number of packets on the Fa0/1 interface,
    so I know the added directly connected route is working:

    IP Address: 192.168.10.10
    Subnet Mask: 255.255.255.0
    Def. Gateway: 192.168.10.1

    I tried the following Policy-Based Routing setup and thought this would
    work, but I must have something wrong somewhere. I only want to send HTTP
    traffic out the cable modem for now, then figure out other steps later.
    With this PBR in place, all traffic to websites stops; everything else
    continues to function.

    Changes to Config:

    access-list 131 permit tcp any any eq www

    route-map Websurfers permit 45
    match ip address 131
    set ip next-hop 192.168.10.1

    (interface Fa0/0)
    ip policy route-map Websurfers
    ip route-cache policy



    Can anyone see an issue with this, or where I may have made a mistake?

    Thanks,

    Scott
    Scot, Apr 6, 2005
    #1

  2. Scot

    Greg Miller Guest


    What about your NAT configuration?

    Greg
    Greg Miller, Apr 6, 2005
    #2

  3. Scot

    Scot Guest

    No NAT until you get behind the firewall protecting the internal network.

    I also tried in the route-map section setting "set interface
    FastEthernet0/1" instead of the "set ip next-hop".


    Scot, Apr 6, 2005
    #3
  4. In article <>,
    "Scot" <pats1776athotpopdotcom> wrote:

    > No NAT until you get behind the firewall protecting the internal network.
    >
    > I also tried in the route-map section setting "set interface
    > FastEthernet0/1" instead of the "set ip next-hop".


    The problem is that you're sending this traffic out with 10.10.10.x
    source addresses, but the cable ISP is probably configured only to route
    192.168.10.10 back to your connection. You need to enable NAT on the
    router so that traffic going out fa0/1 will be translated to this
    address.


    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Margolin, Apr 6, 2005
    #4
  5. Scot

    Scot Guest

    "Barry Margolin" <> wrote in message
    news:...
    > In article <>,
    > "Scot" <pats1776athotpopdotcom> wrote:
    >
    >> No NAT until you get behind the firewall protecting the internal network.
    >>
    >> I also tried in the route-map section setting "set interface
    >> FastEthernet0/1" instead of the "set ip next-hop".

    >
    > The problem is that you're sending this traffic out with 10.10.10.x
    > source addresses, but the cable ISP is probably configured only to route
    > 192.168.10.10 back to your connection. You need to enable NAT on the
    > router so that traffic going out fa0/1 will be translated to this
    > address.



    hmmm..

    would it be something as simple as, ip nat inside on the fa0/0 interface and
    ip nat outside on the fa0/1 interface?

    would this screw up my already working routing of fa0/0 to s0/0 by default?

    thanks,

    scott
    Scot, Apr 7, 2005
    #5
  6. In article <>,
    "Scot" <pats1776athotpopdotcom> wrote:

    >
    >
    > hmmm..
    >
    > would it be something as simple as, ip nat inside on the fa0/0 interface and
    > ip nat outside on the fa0/1 interface?


    You also need to configure a NAT pool that translates to the outside
    interface's IP.

    >
    > would this screw up my already working routing of fa0/0 to s0/0 by default?


    No. If there's no "ip nat outside" on s0/0, then any traffic routed out
    this interface will be unaffected by NAT.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Margolin, Apr 7, 2005
    #6
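    The forwarding logic Barry describes in #4 and #6, modelled as a small Python
    simulation (added here; it is not from the thread and not Cisco code): PBR picks
    the egress for HTTP, and NAT rewrites the source only when the packet crosses an
    inside/outside interface pair, so the original config sent 10.10.10.x sources out
    Fa0/1 untranslated while T1-bound traffic is left alone. The internal host, the
    destination address and the assumption that the T1 side routes internal addresses
    are constructed for the example.

```python
import ipaddress

# Constructed model of the router in this thread; not IOS code and not
# an exact reproduction of how IOS orders PBR and NAT internally.
INTERFACES = {
    "Serial0/0":       {"net": "172.16.10.0/24",  "nat": None,      "addr": "172.16.10.30"},
    "FastEthernet0/1": {"net": "192.168.10.0/24", "nat": "outside", "addr": "192.168.10.10"},
    "FastEthernet0/0": {"net": "10.10.10.0/24",   "nat": "inside",  "addr": "10.10.10.8"},
}
# Default route via the T1 plus the directly connected cable-modem subnet.
ROUTES = [("0.0.0.0/0", "Serial0/0"), ("192.168.10.0/24", "FastEthernet0/1")]
PBR_NEXT_HOP = "192.168.10.1"   # route-map Websurfers: set ip next-hop

def acl_131(pkt):
    """access-list 131 permit tcp any any eq www"""
    return pkt["proto"] == "tcp" and pkt["dport"] == 80

def egress_for(dst):
    """Longest-prefix match over ROUTES."""
    matches = [r for r in ROUTES if ipaddress.ip_address(dst) in ipaddress.ip_network(r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)[1]

def forward(pkt, ingress="FastEthernet0/0", nat_enabled=True):
    """Return (egress interface, source address as it leaves the router)."""
    # 1. PBR on the ingress interface: packets matching the route-map's ACL
    #    are sent towards its next-hop instead of the routing-table result.
    egress = egress_for(PBR_NEXT_HOP if acl_131(pkt) else pkt["dst"])
    # 2. NAT rewrites the source only on an inside -> outside interface pair.
    #    With no "ip nat outside" on Serial0/0, T1-bound traffic is untouched.
    src = pkt["src"]
    if (nat_enabled and INTERFACES[ingress]["nat"] == "inside"
            and INTERFACES[egress]["nat"] == "outside"):
        src = INTERFACES[egress]["addr"]   # "interface ... overload": use Fa0/1's IP
    return egress, src

def reply_can_return(egress, src):
    """Barry's point: the cable ISP only routes 192.168.10.10 back to this link.
    The T1 side is assumed to route the internal addresses (assumption)."""
    if egress == "FastEthernet0/1":
        return src == INTERFACES[egress]["addr"]
    return True

if __name__ == "__main__":
    web = {"src": "10.10.10.50", "dst": "203.0.113.7", "proto": "tcp", "dport": 80}
    ssh = {"src": "10.10.10.50", "dst": "203.0.113.7", "proto": "tcp", "dport": 22}
    for label, pkt, nat in (("PBR only", web, False), ("PBR + NAT", web, True),
                            ("non-HTTP", ssh, True)):
        egress, src = forward(pkt, nat_enabled=nat)
        print(f"{label:9} -> {egress:15} src={src:14} reply returns: {reply_can_return(egress, src)}")
```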
  7. Scot

    Scot Guest

    >> hmmm..
    >>
    >> would it be something as simple as, ip nat inside on the fa0/0 interface
    >> and
    >> ip nat outside on the fa0/1 interface?

    >
    > You also need to configure a NAT pool that translates to the outside
    > interface's IP.
    >
    >>
    >> would this screw up my already working routing of fa0/0 to s0/0 by
    >> default?

    >
    > No. If there's no "ip nat outside" on s0/0, then any traffic routed out
    > this interface will be unaffected by NAT.



    Okay, I think I'm going down the right track. Here are the changes that I
    added to my config:

    Fa0/0
    -------
    ip nat inside

    Fa0/1
    -------
    ip nat outside

    General Config
    ----------------
    ip nat inside source route-map Websurfers interface FastEthernet0/1 overload


    It didn't seem to work, but wouldn't this essentially be what I am looking
    for instead of an access-list-based NAT pool, since I'm looking to only
    send policy-based traffic out that interface with the cable modem attached?

    Thanks again,

    Scott
    Scot, Apr 8, 2005
    #7