Solved

Cisco IOS: can I use policy routing to redirect incoming traffic destined to the local address of the router?

Posted on 2010-09-10
6
489 Views
Last Modified: 2012-05-10
I have Cisco 827 router with IOS 12.4(17).

It has public IP address X.X.X.X on its Dialer 0 interface. From that IP address I establish IPSEC tunnel to Y.Y.Y.Y.

I would like IPSEC traffic to be handled by the router as it is now, but all other traffic (non-IPSEC being forwarded elsewhere). Is it possible at all or IOS does not consider policy routing for its own local addresses?
0
Comment
Question by:gremwell
  • 4
6 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 33645027
it sounds as if you have the cryptomap set to have all trafic going over the tunnel, if you change it to just the subnets at the remote end, only that traffic will go over the link

this may be of use http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a00800f6d82.shtml

0
 
LVL 3

Author Comment

by:gremwell
ID: 33645116
Ok, I will ask simpler question. Pleaser forget about IPSEC for now.

I want UDP packets arriving to X.X.X.X on Dialer0 interface be rerouted to Y.Y.Y.Y. I am trying this:

----

interface Dialer 0
 ip address X.X.X.X 255.255.255.0
 ip policy route map UDP-GOES-AWAY

route map ICMP-GOES-AWAY
 match ip address ICMP-GOES-AWAY-ACL
 set ip next-hop Y.Y.Y.Y

access-list UDP-GOES-AWAY-ACL permit udp any any
access-list UDP-GOES-AWAY-ACL deny ip any any

----

It does not seem to work.

My question remains: Is it possible that IOS does not consider policy routing for its own local addresses?
0
 
LVL 3

Author Comment

by:gremwell
ID: 33645205
Sorry for the typos. Corrected version of the config above:

interface Dialer 0
 ip address X.X.X.X 255.255.255.0
 ip policy route map UDP-GOES-AWAY

route map UDP-GOES-AWAY
 match ip address UDP-GOES-AWAY-ACL
 set ip next-hop Y.Y.Y.Y

access-list UDP-GOES-AWAY-ACL permit udp any any
access-list UDP-GOES-AWAY-ACL deny ip any any
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 3

Author Comment

by:gremwell
ID: 33645424
There seems to be a way to apply a policy routing to locally _generated_ traffic, but according to my tests ingress traffic to the local addresses is not affected by this command.

http://blog.ine.com/2008/02/13/tricks-with-local-policy-routing/
0
 
LVL 22

Accepted Solution

by:
Jody Lemoine earned 500 total points
ID: 33653560
Unfortunately not.  I was doing some testing with some NAT workarounds in the lab last year and found that any IP address that is actually configured on the device will be answered by the device and processed before policy-based routing can come into play.  Essentially, the router answers any call that it perceives as being destined for itself as part of its control plane processing.

If you have more than one address available on the Dialer0 interface (possible with that 255.255.255.0 subnet mask, I suppose) then you can apply policy-based routing to any traffic that you have a NAT entry for, so long as the public IP isn't configured on the Dialer0 interface.  That may be an option.
0
 
LVL 3

Author Comment

by:gremwell
ID: 33654332
Thanks.
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question