From: HangaS on 7 May 2008 08:15 Hi, I'm trying to replace this Linux GW with a Cisco 877 however I'm having a bit of an hard time implementing Policy Based Routing together in NAT depending on the policy. I'll explain: This was the previsous setup: | | | Linux GW | ---> Network 1 ADSLoISDN | cisco 836 | ------> | IP Tables | ---> Network 2 | | | | ---> Network 3 The linuxGW routed all the three networks among them and to the ADSLoISDN There are some policies on the internal routing but all can use the default GW on the linuxGW which is the cisco 836. Now I just got a new cisco 877 and an extra ADSL2+ access and want that some of the internal networks use one connection and other to use the other. I wanted even to make it possible that a particular host on the internal network or that a particular destination use a specific network. Basicly I want to be able to choose with WAN access to use depending on either source, destination or some other policy. So this is my intended setup to begin with IPoATM -------------------------------\ v | | | | ---> Network 1 (VLAN x) ADSLoISDN | cisco 836 | ------> | cisco 877 | ---> Network 2 (VLAN y) | | | | ---> Network 3 (VLAN z) The 836 already does the NAT of what's routed to it. Now I wanted to let's say be able to route network 1 to the c386, so it can do the NAT to its WAN or directly nat network 2 to the WAN of the 877 This is what I'm trying now: interface Vlan1 ip address 192.168.200.2 255.255.255.0 no ip redirects ip route-cache flow ! interface Vlan11 description SECURE-LAN ip address 192.168.1.254 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly ip route-cache flow ! interface Vlan12 description DEVEL-LAN ip address 192.168.2.254 255.255.255.0 no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly ip route-cache flow ! interface Vlan13 description SECURE-LAN ip address 192.168.3.254 255.255.255.0 no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly ip route-cache flow ! interface BVI1 ip address dhcp ip nat outside ip virtual-reassembly access-list 101 permit ip 192.168.1.0 0.0.0.255 any access-list 101 permit ip 192.168.2.0 0.0.0.255 any access-list 102 permit ip 0.0.0.0 255.255.255.0 any ip nat inside source route-map internet interface BVI1 overload route-map internet permit 10 match ip address 101 ! # This gives me NAT on hosts connected to the networks of VLAN 11 and VLAN 12 as expected # Now I was expecting that the next part would route me every thing to the c836 route-map internet permit 20 match ip address 102 set ip default next-hop 192.168.200.1 I can ping the 836 from the 877 I also tried to use just plain routing of everything to the 836 and it also works Now want I wanted is to route some thing and NAT others depending on source or destination What path should I take? I considered creating a sort of virtual interface in the 877 and route things to the virtual interface or the 836 depending on policies I would then remove the 'ip nat inside' of the VLAN interfaces and move it to that virtual interface. Does this looks feasable or there a simpler way?
From: HangaS on 7 May 2008 09:27 One more thing. I also tried another thing: keep only the route-map internet permit 10 match ip address 101 So that it only NATs the networks in the access list. But what happens to the packets that are not permited to NAT don't they proceed to routing "layer"? Cos I tried to set up a global default GW with ip default-gateway 192.168.200.1 hoping that the "not permited" packets would then follow on this bucket. But that doesn't happen. This is maybe an trivial issue, but I'm not very familiar with the IOS inner workings. As I said I was an IPTables guy.:)
From: HangaS on 7 May 2008 12:27 I got it to work. I was just not appling the route-map to the VLAN interfaces So I removed all static route entries and applied a route map to the interface. I have one route map for the NAT and other for the routing. If the routing related route-map does not permit it, then the packet proceeds to the routing. I was not sure how was the order of operations within NAT but I got a clue from http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml Hope this may help someone. Cheers
|
Pages: 1 Prev: Logging issue in CiscoSecure ACS 4.2 Next: Error unsupported TCAM value size |