From: HangaS on
Hi,

I'm trying to replace this Linux GW with a Cisco 877
however I'm having a bit of an hard time implementing Policy Based
Routing together in NAT
depending on the policy.


I'll explain:

This was the previsous setup:


| | | Linux GW | ---> Network 1
ADSLoISDN | cisco 836 | ------> | IP Tables | ---> Network 2
| | | | ---> Network 3


The linuxGW routed all the three networks among them and to the
ADSLoISDN
There are some policies on the internal routing but all can use the
default GW
on the linuxGW which is the cisco 836.

Now I just got a new cisco 877 and an extra ADSL2+ access and want
that some of the
internal networks use one connection and other to use the other.
I wanted even to make it possible that a particular host on the
internal network
or that a particular destination use a specific network.

Basicly I want to be able to choose with WAN access to use depending
on either source, destination
or some other policy.



So this is my intended setup to begin with


IPoATM -------------------------------\
v
| | | | ---> Network 1 (VLAN x)
ADSLoISDN | cisco 836 | ------> | cisco 877 | ---> Network 2 (VLAN y)
| | | | ---> Network 3 (VLAN z)


The 836 already does the NAT of what's routed to it.
Now I wanted to let's say

be able to route network 1 to the c386, so it can do the NAT to its
WAN
or directly nat network 2 to the WAN of the 877



This is what I'm trying now:


interface Vlan1
ip address 192.168.200.2 255.255.255.0
no ip redirects
ip route-cache flow
!

interface Vlan11
description SECURE-LAN
ip address 192.168.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Vlan12
description DEVEL-LAN
ip address 192.168.2.254 255.255.255.0
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Vlan13
description SECURE-LAN
ip address 192.168.3.254 255.255.255.0
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!

interface BVI1
ip address dhcp
ip nat outside
ip virtual-reassembly


access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit ip 0.0.0.0 255.255.255.0 any

ip nat inside source route-map internet interface BVI1 overload


route-map internet permit 10
match ip address 101
!

# This gives me NAT on hosts connected to the networks of VLAN 11 and
VLAN 12 as expected
# Now I was expecting that the next part would route me every thing to
the c836

route-map internet permit 20
match ip address 102
set ip default next-hop 192.168.200.1


I can ping the 836 from the 877

I also tried to use just plain routing of everything to the 836 and it
also works
Now want I wanted is to route some thing and NAT others depending on
source or destination


What path should I take?

I considered creating a sort of virtual interface in the 877 and
route
things to the virtual interface or the 836 depending on policies

I would then remove the 'ip nat inside' of the VLAN interfaces
and move it to that virtual interface. Does this looks feasable or
there a
simpler way?



From: HangaS on
One more thing.


I also tried another thing:

keep only the

route-map internet permit 10
match ip address 101

So that it only NATs the networks in the access list.
But what happens to the packets that are not permited to NAT
don't they proceed to routing "layer"?

Cos I tried to set up a global default GW with

ip default-gateway 192.168.200.1

hoping that the "not permited" packets would then follow on this
bucket. But that doesn't
happen.


This is maybe an trivial issue, but I'm not very familiar with the IOS
inner workings. As I said I was an IPTables guy.:)
From: HangaS on
I got it to work.

I was just not appling the route-map to the VLAN interfaces

So I removed all static route entries and applied a route map to the
interface.

I have one route map for the NAT and other for the routing. If the
routing related route-map does not permit it, then the packet proceeds
to the routing.

I was not sure how was the order of operations within NAT but I got a
clue from

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Hope this may help someone.
Cheers