• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 528
  • Last Modified:

Cisco IOS: can I use policy routing to redirect incoming traffic destined to the local address of the router?

I have Cisco 827 router with IOS 12.4(17).

It has public IP address X.X.X.X on its Dialer 0 interface. From that IP address I establish IPSEC tunnel to Y.Y.Y.Y.

I would like IPSEC traffic to be handled by the router as it is now, but all other traffic (non-IPSEC being forwarded elsewhere). Is it possible at all or IOS does not consider policy routing for its own local addresses?
0
gremwell
Asked:
gremwell
  • 4
1 Solution
 
ArneLoviusCommented:
it sounds as if you have the cryptomap set to have all trafic going over the tunnel, if you change it to just the subnets at the remote end, only that traffic will go over the link

this may be of use http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a00800f6d82.shtml

0
 
gremwellAuthor Commented:
Ok, I will ask simpler question. Pleaser forget about IPSEC for now.

I want UDP packets arriving to X.X.X.X on Dialer0 interface be rerouted to Y.Y.Y.Y. I am trying this:

----

interface Dialer 0
 ip address X.X.X.X 255.255.255.0
 ip policy route map UDP-GOES-AWAY

route map ICMP-GOES-AWAY
 match ip address ICMP-GOES-AWAY-ACL
 set ip next-hop Y.Y.Y.Y

access-list UDP-GOES-AWAY-ACL permit udp any any
access-list UDP-GOES-AWAY-ACL deny ip any any

----

It does not seem to work.

My question remains: Is it possible that IOS does not consider policy routing for its own local addresses?
0
 
gremwellAuthor Commented:
Sorry for the typos. Corrected version of the config above:

interface Dialer 0
 ip address X.X.X.X 255.255.255.0
 ip policy route map UDP-GOES-AWAY

route map UDP-GOES-AWAY
 match ip address UDP-GOES-AWAY-ACL
 set ip next-hop Y.Y.Y.Y

access-list UDP-GOES-AWAY-ACL permit udp any any
access-list UDP-GOES-AWAY-ACL deny ip any any
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
gremwellAuthor Commented:
There seems to be a way to apply a policy routing to locally _generated_ traffic, but according to my tests ingress traffic to the local addresses is not affected by this command.

http://blog.ine.com/2008/02/13/tricks-with-local-policy-routing/
0
 
Jody LemoineNetwork ArchitectCommented:
Unfortunately not.  I was doing some testing with some NAT workarounds in the lab last year and found that any IP address that is actually configured on the device will be answered by the device and processed before policy-based routing can come into play.  Essentially, the router answers any call that it perceives as being destined for itself as part of its control plane processing.

If you have more than one address available on the Dialer0 interface (possible with that 255.255.255.0 subnet mask, I suppose) then you can apply policy-based routing to any traffic that you have a NAT entry for, so long as the public IP isn't configured on the Dialer0 interface.  That may be an option.
0
 
gremwellAuthor Commented:
Thanks.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.

  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now