Solved

Cisco IOS: can I use policy routing to redirect incoming traffic destined to the local address of the router?

Posted on 2010-09-10
6
491 Views
Last Modified: 2012-05-10
I have Cisco 827 router with IOS 12.4(17).

It has public IP address X.X.X.X on its Dialer 0 interface. From that IP address I establish IPSEC tunnel to Y.Y.Y.Y.

I would like IPSEC traffic to be handled by the router as it is now, but all other traffic (non-IPSEC being forwarded elsewhere). Is it possible at all or IOS does not consider policy routing for its own local addresses?
0
Comment
Question by:gremwell
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
6 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 33645027
it sounds as if you have the cryptomap set to have all trafic going over the tunnel, if you change it to just the subnets at the remote end, only that traffic will go over the link

this may be of use http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a00800f6d82.shtml

0
 
LVL 3

Author Comment

by:gremwell
ID: 33645116
Ok, I will ask simpler question. Pleaser forget about IPSEC for now.

I want UDP packets arriving to X.X.X.X on Dialer0 interface be rerouted to Y.Y.Y.Y. I am trying this:

----

interface Dialer 0
 ip address X.X.X.X 255.255.255.0
 ip policy route map UDP-GOES-AWAY

route map ICMP-GOES-AWAY
 match ip address ICMP-GOES-AWAY-ACL
 set ip next-hop Y.Y.Y.Y

access-list UDP-GOES-AWAY-ACL permit udp any any
access-list UDP-GOES-AWAY-ACL deny ip any any

----

It does not seem to work.

My question remains: Is it possible that IOS does not consider policy routing for its own local addresses?
0
 
LVL 3

Author Comment

by:gremwell
ID: 33645205
Sorry for the typos. Corrected version of the config above:

interface Dialer 0
 ip address X.X.X.X 255.255.255.0
 ip policy route map UDP-GOES-AWAY

route map UDP-GOES-AWAY
 match ip address UDP-GOES-AWAY-ACL
 set ip next-hop Y.Y.Y.Y

access-list UDP-GOES-AWAY-ACL permit udp any any
access-list UDP-GOES-AWAY-ACL deny ip any any
0
Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

 
LVL 3

Author Comment

by:gremwell
ID: 33645424
There seems to be a way to apply a policy routing to locally _generated_ traffic, but according to my tests ingress traffic to the local addresses is not affected by this command.

http://blog.ine.com/2008/02/13/tricks-with-local-policy-routing/
0
 
LVL 22

Accepted Solution

by:
Jody Lemoine earned 500 total points
ID: 33653560
Unfortunately not.  I was doing some testing with some NAT workarounds in the lab last year and found that any IP address that is actually configured on the device will be answered by the device and processed before policy-based routing can come into play.  Essentially, the router answers any call that it perceives as being destined for itself as part of its control plane processing.

If you have more than one address available on the Dialer0 interface (possible with that 255.255.255.0 subnet mask, I suppose) then you can apply policy-based routing to any traffic that you have a NAT entry for, so long as the public IP isn't configured on the Dialer0 interface.  That may be an option.
0
 
LVL 3

Author Comment

by:gremwell
ID: 33654332
Thanks.
0

Featured Post

Veeam gives away 10 full conference passes

Veeam is a VMworld 2017 US & Europe Platinum Sponsor. Enter the raffle to get the full conference pass. Pass includes the admission to all general and breakout sessions, VMware Hands-On Labs, Solutions Exchange, exclusive giveaways and the great VMworld Customer Appreciation Part

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses
Course of the Month4 days, 11 hours left to enroll

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question