Solved

Access-List & Policy Routing Problem

Posted on 2008-06-19
664 Views
Last Modified: 2010-04-21
I am wanting to do some policy routing at my company and split internet traffic out two separate ISPs. I have an older internet circuit that I have about 10 public servers hosted on. This is what employees currently use for internet. I am wanting to route employees' outbound internet traffic through a new internet provider but keep any traffic to and from my public servers synchronous. I've been able to do this from my gateway router using the route-map command and route all of the traffic from my public servers out the appropriate internet circuit. The problem that I am having is once I apply the route-map command to the Ethernet interface on my router any connections from my WAN are no longer able to access my public servers internally. Essentially, any requests from the WAN to any servers in the ACL that the route-map uses are dropped at the interface that the route-map command applies to. Outside (internet) connections are accepted and obviously local LAN has no problems. The various sites in the WAN all connect to the same router that is doing the policy routing via serial interfaces. Here are the relevant parts of my config...

access-list 10 permit 10.0.2.24
access-list 10 permit 10.0.2.23
access-list 10 permit 10.0.2.22
access-list 10 permit 10.0.2.2
access-list 10 permit 10.0.2.1
access-list 10 permit 10.0.2.219
access-list 10 permit 10.0.2.217
access-list 10 permit 10.0.2.216
access-list 10 permit 10.0.2.215
access-list 10 permit 10.0.2.202
!
route-map public_servers permit 10
 match ip address 10
 set interface Ethernet0/0
 set ip next-hop 10.0.2.8
!
ip route 0.0.0.0 0.0.0.0 10.0.2.3


Here's the interface that is doing the policy routing...

interface Ethernet0/0
 ip address 10.0.2.10 255.255.255.0
 no ip mroute-cache
 half-duplex
 no mop enabled
 ip policy route-map public_servers

Thanks in advance!
Question by: icarus004
11 Comments
 
Accepted Solution by: JFrederick29 (LVL 43), earned 500 total points
ID: 21822075
Change the route-map to set the default next hop instead so if the router doesn't have an explicit route to the destination (it will to the WAN sites), policy route the traffic.

route-map public_servers permit 10
 match ip address 10
 no set interface Ethernet0/0
 no set ip next-hop 10.0.2.8
 set ip default next-hop 10.0.2.8
 
Author Comment by: icarus004 (LVL 2)
ID: 21822434
Thanks. That seems to work great. This has been making me crazy. Just to expand on this some. I also have users that VPN into my network as well as public servers on other networks in the WAN. I've added them to the ACL to make sure that their back and forth route uses the same interface it came in on.

access-list 10 permit 10.0.3.22
access-list 10 permit 10.0.3.3
access-list 10 permit 10.0.4.24
access-list 10 permit 10.0.50.0 0.0.0.255

Problem I have is I can log in via VPN but am unable to ping anything once inside the network. That and my servers that I have made public in other networks on my WAN can not be connected to from the internet.
 
Expert Comment by: JFrederick29 (LVL 43)
ID: 21822602
Well, keep in mind, your WAN sites do not adhere to the policy unless you apply the route-map to the serial interfaces.  The VPN subnet doesn't need to be added to the policy either as the router will only route to the public IP of the VPN endpoint (not the internal/private IP).
 
Author Comment by: icarus004 (LVL 2)
ID: 21822766
So can I apply the same route-map policy to the serial interface for the appropriate WAN connection that the server is located or is it best to create a separate ACL with just the applicable IPs for that network and apply that?
 
Expert Comment by: JFrederick29 (LVL 43)
ID: 21822836
You could use the same since you will never match on the entries that aren't sourced from the WAN, but I would create a policy that is only relevant to each interface for clarity's sake.
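The decision the accepted answer describes (and the follow-up point that a route-map only sees packets arriving on the interface it is applied to) can be checked with a small model. The Python below is an added example written for this page; it is not the poster's configuration and not anything IOS runs. It uses the addresses posted in the thread, but the WAN prefixes 10.0.3.0/24 and 10.0.4.0/24, the serial interface names and the sample destination hosts are constructed assumptions. It contrasts "set ip next-hop", which overrides the routing table whenever the ACL matches, with "set ip default next-hop", which only applies when nothing more specific than the default route covers the destination.

```python
# Added example for this thread (not the poster's config and not IOS code):
# a small model of how a policy route-map applied to an ingress interface
# picks a next hop, contrasting "set ip next-hop" with
# "set ip default next-hop". Addresses come from the thread; the WAN
# prefixes (10.0.3.0/24, 10.0.4.0/24), serial interface names and sample
# destination hosts are constructed assumptions.
import ipaddress

# Routing table of the gateway router (constructed; longest-prefix match).
# The default route is the one posted; the thread implies 10.0.2.3 is the
# new ISP path and 10.0.2.8 (the Pix) is the old circuit.
ROUTES = [
    ("0.0.0.0/0", "10.0.2.3"),       # posted default route
    ("10.0.2.0/24", "Ethernet0/0"),  # connected LAN
    ("10.0.3.0/24", "Serial0/0"),    # assumed WAN site via serial link
    ("10.0.4.0/24", "Serial0/1"),    # assumed WAN site via serial link
]

# access-list 10 as posted, including the entries the author added later.
# A standard ACL matches on the source address only.
ACL_10 = [ipaddress.ip_network(n) for n in (
    "10.0.2.24/32", "10.0.2.23/32", "10.0.2.22/32", "10.0.2.2/32",
    "10.0.2.1/32", "10.0.2.219/32", "10.0.2.217/32", "10.0.2.216/32",
    "10.0.2.215/32", "10.0.2.202/32",
    "10.0.3.22/32", "10.0.3.3/32", "10.0.4.24/32", "10.0.50.0/24",
)]

POLICY_NEXT_HOP = "10.0.2.8"  # the Pix, from "set ip (default) next-hop"


def lookup(dst):
    """Longest-prefix match over ROUTES; returns (network, next_hop)."""
    best = None
    addr = ipaddress.ip_address(dst)
    for prefix, next_hop in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def acl_permits(src):
    """True if the source address matches a permit entry of ACL 10."""
    return any(ipaddress.ip_address(src) in net for net in ACL_10)


def forward(src, dst, ingress, mode, policy_iface="Ethernet0/0"):
    """Next hop the router would choose for a packet entering on `ingress`.

    mode: "next-hop"         -> route-map uses "set ip next-hop"
          "default-next-hop" -> route-map uses "set ip default next-hop"
    The route-map only runs for packets arriving on `policy_iface`.
    """
    net, next_hop = lookup(dst)
    if ingress != policy_iface or not acl_permits(src):
        return next_hop  # policy not consulted: plain routing table
    if mode == "next-hop":
        # Policy wins even when an explicit route (e.g. to a WAN site) exists.
        return POLICY_NEXT_HOP
    if mode == "default-next-hop":
        # Policy applies only when nothing more specific than the default
        # route covers the destination.
        return POLICY_NEXT_HOP if net.prefixlen == 0 else next_hop
    raise ValueError(f"unknown mode {mode!r}")


def scenarios():
    """The cases discussed in the thread, as {description: next_hop}."""
    wan_host, inet_host, employee = "10.0.3.50", "203.0.113.5", "10.0.2.100"
    return {
        "server reply to WAN, set ip next-hop":
            forward("10.0.2.24", wan_host, "Ethernet0/0", "next-hop"),
        "server reply to WAN, set ip default next-hop":
            forward("10.0.2.24", wan_host, "Ethernet0/0", "default-next-hop"),
        "server reply to internet, set ip default next-hop":
            forward("10.0.2.24", inet_host, "Ethernet0/0", "default-next-hop"),
        "employee to internet":
            forward(employee, inet_host, "Ethernet0/0", "default-next-hop"),
        "WAN-hosted public server, policy only on Ethernet0/0":
            forward("10.0.3.22", inet_host, "Serial0/0", "default-next-hop"),
        "WAN-hosted public server, policy also on Serial0/0":
            forward("10.0.3.22", inet_host, "Serial0/0", "default-next-hop",
                    policy_iface="Serial0/0"),
    }


if __name__ == "__main__":
    for desc, hop in scenarios().items():
        print(f"{desc}: {hop}")
```

The first scenario reproduces the original symptom: a reply from 10.0.2.24 to a WAN host is sent to the Pix instead of out the serial link, so WAN requests time out. With "set ip default next-hop" the same reply follows the explicit WAN route, while traffic to an internet destination still goes to the Pix. The last two scenarios show why a public server at a WAN site is unaffected until the policy is applied to its serial interface as well.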
 
Author Closing Comment by: icarus004 (LVL 2)
ID: 31468762
This worked perfectly. Thanks for the help!
 
Author Comment by: icarus004 (LVL 2)
ID: 21823977
I just noticed something about VPN users. Once connected they are able to get to any of the nodes that have an IP in one of the ACLs but they are unable to reach any internal IP that is not part of the ACL. This is the case with or without the access-list I thought I needed for VPN users (access-list 10 permit 10.0.50.0 0.0.0.255).

Any help?
 
Expert Comment by: JFrederick29 (LVL 43)
ID: 21824012
Does the VPN terminate on the router?
 
Author Comment by: icarus004 (LVL 2)
ID: 21824106
No. On a Pix. It's the IP in the "set ip default next-hop 10.0.2.8" policy.

Internet 2600 ---  Pix 515 ---  LAN --- WAN 3600

Want me to open up a new question for this? You've been really helpful.
 
Expert Comment by: JFrederick29 (LVL 43)
ID: 21824130
Sure, that would be great.
 
Author Comment by: icarus004 (LVL 2)
ID: 21824174
