Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Cisco IOS: can I use policy routing to redirect incoming traffic destined to the local address of the router?

Posted on 2010-09-10
6
Medium Priority
?
493 Views
Last Modified: 2012-05-10
I have Cisco 827 router with IOS 12.4(17).

It has public IP address X.X.X.X on its Dialer 0 interface. From that IP address I establish IPSEC tunnel to Y.Y.Y.Y.

I would like IPSEC traffic to be handled by the router as it is now, but all other traffic (non-IPSEC being forwarded elsewhere). Is it possible at all or IOS does not consider policy routing for its own local addresses?
0
Comment
Question by:gremwell
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
6 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 33645027
it sounds as if you have the cryptomap set to have all trafic going over the tunnel, if you change it to just the subnets at the remote end, only that traffic will go over the link

this may be of use http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a00800f6d82.shtml

0
 
LVL 3

Author Comment

by:gremwell
ID: 33645116
Ok, I will ask simpler question. Pleaser forget about IPSEC for now.

I want UDP packets arriving to X.X.X.X on Dialer0 interface be rerouted to Y.Y.Y.Y. I am trying this:

----

interface Dialer 0
 ip address X.X.X.X 255.255.255.0
 ip policy route map UDP-GOES-AWAY

route map ICMP-GOES-AWAY
 match ip address ICMP-GOES-AWAY-ACL
 set ip next-hop Y.Y.Y.Y

access-list UDP-GOES-AWAY-ACL permit udp any any
access-list UDP-GOES-AWAY-ACL deny ip any any

----

It does not seem to work.

My question remains: Is it possible that IOS does not consider policy routing for its own local addresses?
0
 
LVL 3

Author Comment

by:gremwell
ID: 33645205
Sorry for the typos. Corrected version of the config above:

interface Dialer 0
 ip address X.X.X.X 255.255.255.0
 ip policy route map UDP-GOES-AWAY

route map UDP-GOES-AWAY
 match ip address UDP-GOES-AWAY-ACL
 set ip next-hop Y.Y.Y.Y

access-list UDP-GOES-AWAY-ACL permit udp any any
access-list UDP-GOES-AWAY-ACL deny ip any any
0
Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

 
LVL 3

Author Comment

by:gremwell
ID: 33645424
There seems to be a way to apply a policy routing to locally _generated_ traffic, but according to my tests ingress traffic to the local addresses is not affected by this command.

http://blog.ine.com/2008/02/13/tricks-with-local-policy-routing/
0
 
LVL 22

Accepted Solution

by:
Jody Lemoine earned 2000 total points
ID: 33653560
Unfortunately not.  I was doing some testing with some NAT workarounds in the lab last year and found that any IP address that is actually configured on the device will be answered by the device and processed before policy-based routing can come into play.  Essentially, the router answers any call that it perceives as being destined for itself as part of its control plane processing.

If you have more than one address available on the Dialer0 interface (possible with that 255.255.255.0 subnet mask, I suppose) then you can apply policy-based routing to any traffic that you have a NAT entry for, so long as the public IP isn't configured on the Dialer0 interface.  That may be an option.
0
 
LVL 3

Author Comment

by:gremwell
ID: 33654332
Thanks.
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
This month, Experts Exchange’s free Course of the Month is focused on CompTIA IT Fundamentals.
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question