  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1152

Problem with PBR and static routes

Problem with policy-based routing - urgent please!

Question:
Dear Experts,

I need your advice and expertise on the following issue, as shown on the figure:
- The network addresses 10.232.100.0/22 and 10.232.104.0/22 are configured as primary and secondary addresses on the LAN interface of the BAZ router.
- On the other hand, the networks 10.232.0.0/22 and 10.232.4.0/22 have been configured as primary and secondary networks on the TAS router.
- I have configured an extended access list to allow only the primary network addresses 10.232.0.0/22 and 10.232.100.0/22 to see each other, and to deny them from accessing the secondary address networks 10.232.4.0/22 and 10.232.104.0/22, and vice versa, as per below:

On BAZ router
-=-=-=-=-=
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.232.104.1 255.255.252.0 secondary
 ip address 10.232.100.1 255.255.252.0
 ip access-group block_lan in
 duplex auto
 speed auto


ip access-list extended block_lan
 deny   ip 10.232.104.0 0.0.3.255 10.232.100.0 0.0.3.255
 deny   ip 10.232.100.0 0.0.3.255 10.232.104.0 0.0.3.255
 permit ip any any


interface Serial0/3/0:0
 ip address 10.254.1.130 255.255.255.252
 ip access-group block out
 encapsulation ppp


ip classless
ip route 0.0.0.0 0.0.0.0 10.254.1.129
ip route 10.232.0.0 255.255.252.0 10.254.1.129
ip route 10.232.4.0 255.255.252.0 10.254.1.129
ip route 192.168.1.0 255.255.255.0 10.254.1.129

ip access-list extended block
 deny   ip 10.232.100.0 0.0.3.255 10.232.4.0 0.0.3.255
 deny   ip 10.232.104.0 0.0.3.255 10.232.0.0 0.0.3.255
 permit ip 10.232.104.0 0.0.3.255 10.232.4.0 0.0.3.255
 permit ip any any

-============

On TAS router:
-=======
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.232.4.1 255.255.252.0 secondary
 ip address 10.232.0.1 255.255.252.0
 ip access-group block_lan in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.232.8.1 255.255.252.0
 duplex auto
 speed auto
!
interface Serial0/3/0:0
 ip address 10.254.1.129 255.255.255.252
 ip access-group block out
 encapsulation ppp
 
 
!
ip access-list extended block
 deny   ip 10.232.0.0 0.0.3.255 10.232.104.0 0.0.3.255
 deny   ip 10.232.4.0 0.0.3.255 10.232.100.0 0.0.3.255
 permit ip any any
ip access-list extended block_lan
 deny   ip 10.232.0.0 0.0.3.255 10.232.4.0 0.0.3.255
 deny   ip 10.232.4.0 0.0.3.255 10.232.0.0 0.0.3.255
 permit ip any any
-=====================
The above has been tested in the lab and confirmed OK.


However, I need to separate them from accessing the internet as well, meaning I want to route the primary networks through an internet router from the TAS router and route the secondary networks through a different internet router, also from the TAS router. The first internet gateway should be an ISA server while the second one is a PIX firewall, but let's consider them as if they are routers.

- The primary network addresses should be routed to the internet through the LAN interface 10.232.0.15 of the internet router, while the secondary network addresses should be routed to a different gateway through the LAN interface 10.232.4.10 of the internet gateway.
- I configured policy-based routing on the TAS router and applied the policy on the Gig0/0 interface as per below:

on TAS

access-list 10 permit   10.232.0.0 0.0.3.255
access-list 10 permit   10.232.100.0 0.0.3.255
access-list 20 permit   10.232.4.0 0.0.3.255
access-list 20 permit   10.232.104.0 0.0.3.255

route-map internet permit 10
match ip address 10
set ip default next-hop 10.232.0.15
route-map internet permit 20
match ip address 20
set ip default next-hop 10.232.4.10


interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.232.4.1 255.255.252.0 secondary
 ip address 10.232.0.1 255.255.252.0
 ip access-group block_lan in
 ip policy route-map internet <<<<<<<<<<<<<<<<<<<<<<<<<<<< 
 duplex auto
 speed auto
-=======================

After implementing the PBR, the networks 10.232.4.0 and 10.232.104.0 can ping the LAN interface 10.232.4.10 of the internet gateway.

The network 10.232.4.0 (secondary address of TAS) is able to ping the WAN interface 192.168.1.100 and the internet host 192.168.1.103.

The network 10.232.104.0/22 (secondary address of the BAZ router) cannot ping the WAN interface 192.168.1.100 of the internet gateway. It's because the network has to traverse 2 hops in order to reach the internet; it does once I add the static route "ip route 0.0.0.0 0.0.0.0 10.232.4.10".

However, I don't want to add the static route because in this case I will have to add 2 static routes:
ip route 0.0.0.0 0.0.0.0 10.232.4.10 >>> to route networks 10.232.0.0/22 and 10.232.100.0/22
ip route 0.0.0.0 0.0.0.0 10.232.0.15 >>> to route networks 10.232.4.0/22 and 10.232.104.0/22

And of course it is not logical to add the public interface as a destination network in a static route to allow these networks to pass through!

There should be a way to let the network 10.232.104.0/22 access the internet; kindly advise a solution for this.
Attachment: lab.jpg

Asked by oelolemy

1 Solution

JFrederick29 commented:
Your PBR config looks fine.

The TAS router has a route to 10.232.104.0/22 via the BAZ router, right?

ip route 10.232.104.0 255.255.252.0 10.254.1.130

ISP router 1 has a route back to 10.232.104.0/22 via the TAS router (10.232.4.1), right?

JFrederick29 commented:
Oh, oops, you need to add the PBR route-map to the Serial also for the 104 subnet.

On TAS router:

int s0/3/0:0
ip policy route-map internet

oelolemy (Author) commented:
I will apply that on the serial interface and I'll give you my feedback. However, on the ISP router there is a default route pointing to 10.232.0.0/16 (ip route 10.232.0.0 255.255.0.0 10.232.4.10), so it should accept all 10.232.0.0/16 networks.
JFrederick29 commented:
On ISP router1, the route should be:

ip route 10.232.0.0 255.255.0.0 10.232.4.1
                                                                  ^


oelolemy (Author) commented:
I've added the route, and the network 10.232.104.0/22 can ping the ISP router without the PBR being applied. However, with the PBR applied on the Gig0/0 of the TASLUJA router, the networks 10.232.4.0 and 10.232.104.0 cannot ping each other!! This is weird; even when I applied the PBR on the serial interface of TAS there was no effect at all. I removed the PBR on the Gig0/0 and left the one on the serial interface, and the network 10.232.0.0/22 can reach ISP gateway 1 through the LAN interface 10.232.4.10 instead of going the other way to ISP gateway 2!!! There should be some conflict between the access list and the PBR applied, or maybe I should say that the PBR is configured or applied in the wrong direction. Kindly advise.

JFrederick29 commented:
Can you post the full config from the TAS and BAZ router?

oelolemy (Author) commented:
Hi Frederick,

Please refer to the configuration files attached; waiting for feedback.
TAS-router.txt
BAZ-router.txt

JFrederick29 commented:
Here is a problem on the TAS router.  This is why it broke 10.232.4.0 and 10.232.104.0 communication.  Also, shouldn't the next hop be 10.232.4.10?

route-map internet permit 10
 match ip address 10
 set ip next-hop 10.232.4.15
          ^^^^                         ^^

This should be:

route-map internet permit 10
 match ip address 10
 set ip default next-hop 10.232.4.10
           ^^^^^^                                ^^

The default keyword tells the route-map to only set the next hop for destinations not in the table.

oelolemy (Author) commented:
10.232.4.10 has been set as per above, but I am still getting the same results. The reason I set the default next hop is because the network 10.232.104.0 only traverses through the TAS router when it is configured in that way. One more thing I need to add is that the ISP routers are on the same segment as the TAS router; do you think that this might be the issue, since applying PBR on the LAN interface Gig0/0 of TAS affects the incoming traffic, or do you think that the access list configured on the LAN interface might be the issue?

JFrederick29 commented:
The next-hop without the default keyword is the issue between LANs because it sets the next hop to 10.232.4.10 for all traffic (not just traffic that isn't in the routing table).  So, when 10.232.4.x makes a connection to 10.232.104.x using just the next-hop in the route-map, the traffic is sent to 10.232.4.10 instead of properly being routed to 10.254.1.130.  The router being on the same subnet is not the issue.

For the local LAN (10.232.0.0/22 and 10.232.4.0/22), why not just set the gateways appropriately and make sure the ISP routers have the appropriate routes to the internal subnets via the router?

Then you would only need to apply the route-map to the serial on the TAS router and only specify the 10.232.100.0/22 and 10.232.104.0/22 subnets.

oelolemy (Author) commented:
I removed the PBR from the Gig interface of the TAS router and left the other on the serial interface of TAS, and now network 10.232.104.0/22 of BAZ cannot reach the LAN interface 10.232.4.5 of the ISP, and also network 10.232.4.0 can ping the LAN 10.232.4.10 but cannot access the internet anyway. So I applied it back on the Gig0/0; now what happens is that the network 10.232.4.0/22 cannot ping 10.232.104.0, but the network 10.232.104.0 can ping 10.232.4.0 and 10.232.4.5!! There must be a way to fix this.

JFrederick29 commented:
What is 10.232.4.5? Or did you mean 10.232.4.15?  The picture shows 10.232.4.10 ,which one is it?

oelolemy (Author) commented:
Frederick, it's 10.232.4.15, apologies for the mistake. Please ignore the picture now; I just need to know why I am getting this.

JFrederick29 commented:
Okay, so the route-map should look like this then:

route-map internet permit 10
 match ip address 10
 set ip default next-hop 10.232.4.15
!
route-map internet permit 20
 match ip address 20
 set ip default next-hop 10.232.0.15

I only meant to apply it to the serial interface on TAS if the 10.232.4.0/22 hosts' default gateway was changed to 10.232.4.15 and the 10.232.0.0/22 hosts' default gateway set to 10.232.0.15.  This, though, requires routing on the 10.232.4.15 and 10.232.0.15 routers.  If not changing the hosts' default gateways, apply the route-map to both the Gig and serial interfaces.

Once you update the route-map on TAS, please post the two configs again.

oelolemy (Author) commented:
Dear Frederick, setting ip default next-hop to 10.232.4.15 and applying it on both the serial and LAN interfaces of the TAS router has fixed the issue. Many thanks for your effort.
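Editor's note: the following is an added example, not part of the thread and not Cisco code. It is a small Python model of the TAS router's forwarding decision, built from the ACLs, routing table and route-map posted in the question and the gateways in the accepted answer, to make two points of the thread concrete: why `set ip next-hop` broke 10.232.4.0/22 <-> 10.232.104.0/22 while `set ip default next-hop` does not, and why the policy also has to be applied on the serial interface for the BAZ subnets. Assumptions: only the inbound `block_lan` ACL on Gi0/0 is modelled (the outbound `block` ACL on the serial is left out), `default next-hop` is treated as "consulted only when the routing table has no route for the destination", and the host addresses in the sample flows are constructed.

```python
"""Model of TAS forwarding: inbound ACL -> PBR route-map -> longest-prefix lookup.
Added example; ACLs, routes and gateways come from the thread, hosts are constructed."""
from ipaddress import IPv4Address, IPv4Network


def net(addr: str, wildcard: str) -> IPv4Network:
    """IOS 'address wildcard' pair -> network (ipaddress accepts a hostmask)."""
    return IPv4Network((addr, wildcard))


ANY = IPv4Network("0.0.0.0/0")

# ip access-list extended block_lan (applied 'in' on TAS Gi0/0).
BLOCK_LAN = [
    ("deny", net("10.232.0.0", "0.0.3.255"), net("10.232.4.0", "0.0.3.255")),
    ("deny", net("10.232.4.0", "0.0.3.255"), net("10.232.0.0", "0.0.3.255")),
    ("permit", ANY, ANY),
]

# access-list 10 / 20: the route-map match conditions (primary / secondary LANs).
ACL10 = [net("10.232.0.0", "0.0.3.255"), net("10.232.100.0", "0.0.3.255")]
ACL20 = [net("10.232.4.0", "0.0.3.255"), net("10.232.104.0", "0.0.3.255")]

# route-map internet, seq 10 and seq 20, with the gateways from the accepted answer.
ROUTE_MAP = [(ACL10, "10.232.4.15"), (ACL20, "10.232.0.15")]

# TAS routing table: connected networks plus the statics toward BAZ (10.254.1.130).
# Deliberately no 0.0.0.0/0, as the author wanted.
ROUTES = [
    (net("10.232.0.0", "0.0.3.255"), "connected Gi0/0"),
    (net("10.232.4.0", "0.0.3.255"), "connected Gi0/0"),
    (net("10.232.8.0", "0.0.3.255"), "connected Gi0/1"),
    (net("10.254.1.128", "0.0.0.3"), "connected S0/3/0:0"),
    (net("10.232.100.0", "0.0.3.255"), "10.254.1.130"),
    (net("10.232.104.0", "0.0.3.255"), "10.254.1.130"),
]


def acl_permits(acl, src: IPv4Address, dst: IPv4Address) -> bool:
    """Extended ACL: first matching entry wins, implicit deny at the end."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False


def lookup(dst: IPv4Address):
    """Longest-prefix match; None when no route (not even a default) exists."""
    hits = [(n, hop) for n, hop in ROUTES if dst in n]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None


def pbr_next_hop(src: IPv4Address):
    """First route-map sequence whose standard ACL matches the source, else None."""
    for acl, hop in ROUTE_MAP:
        if any(src in n for n in acl):
            return hop
    return None


def forward(src, dst, ingress, policy_on, use_default_keyword=True):
    """Where TAS sends a packet: a next hop, 'drop: acl ...' or 'drop: no route'.

    ingress              interface the packet arrives on ('Gi0/0' or 'S0/3/0:0')
    policy_on            set of interfaces carrying 'ip policy route-map internet'
    use_default_keyword  True = 'set ip default next-hop', False = 'set ip next-hop'
    """
    src, dst = IPv4Address(src), IPv4Address(dst)
    if ingress == "Gi0/0" and not acl_permits(BLOCK_LAN, src, dst):
        return "drop: acl block_lan"
    table_hop = lookup(dst)
    if ingress in policy_on:
        hop = pbr_next_hop(src)
        # 'next-hop' overrides the table for every matching packet;
        # 'default next-hop' is used only when the table has no route at all.
        if hop is not None and (not use_default_keyword or table_hop is None):
            return hop
    return table_hop if table_hop is not None else "drop: no route"


if __name__ == "__main__":
    gig_only, both = {"Gi0/0"}, {"Gi0/0", "S0/3/0:0"}
    cases = [
        # secondary LAN -> BAZ secondary LAN: hijacked by plain next-hop (the thread's symptom)
        ("10.232.4.20", "10.232.104.20", "Gi0/0", gig_only, False),
        ("10.232.4.20", "10.232.104.20", "Gi0/0", gig_only, True),
        # internet-bound traffic from each LAN takes its own gateway
        ("10.232.0.20", "192.168.1.103", "Gi0/0", gig_only, True),
        ("10.232.4.20", "192.168.1.103", "Gi0/0", gig_only, True),
        # primary <-> secondary is stopped by block_lan before PBR runs
        ("10.232.0.20", "10.232.4.20", "Gi0/0", gig_only, True),
        # BAZ traffic arrives on the serial: it needs the policy there too
        ("10.232.104.20", "192.168.1.103", "S0/3/0:0", gig_only, True),
        ("10.232.104.20", "192.168.1.103", "S0/3/0:0", both, True),
    ]
    for c in cases:
        print(f"{c[0]:>14} -> {c[1]:<15} in {c[2]:<8} policy={sorted(c[3])} "
              f"default={c[4]}: {forward(*c)}")
```

Running it prints one line per flow. The two flows that matter are the first pair: with `use_default_keyword=False` the 10.232.4.x to 10.232.104.x packet is handed to the ISP gateway even though the table has a route via 10.254.1.130, which is exactly the breakage JFrederick29 describes; with the default keyword the table route wins. The last pair shows the 104 subnet's internet traffic being dropped for lack of a route until the policy is also on S0/3/0:0.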