Solved

Cisco IOS: can I use policy routing to redirect incoming traffic destined to the local address of the router?

Posted on 2010-09-10
6
490 Views
Last Modified: 2012-05-10
I have Cisco 827 router with IOS 12.4(17).

It has public IP address X.X.X.X on its Dialer 0 interface. From that IP address I establish IPSEC tunnel to Y.Y.Y.Y.

I would like IPSEC traffic to be handled by the router as it is now, but all other traffic (non-IPSEC being forwarded elsewhere). Is it possible at all or IOS does not consider policy routing for its own local addresses?
0
Comment
Question by:gremwell
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
6 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 33645027
it sounds as if you have the cryptomap set to have all trafic going over the tunnel, if you change it to just the subnets at the remote end, only that traffic will go over the link

this may be of use http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a00800f6d82.shtml

0
 
LVL 3

Author Comment

by:gremwell
ID: 33645116
Ok, I will ask simpler question. Pleaser forget about IPSEC for now.

I want UDP packets arriving to X.X.X.X on Dialer0 interface be rerouted to Y.Y.Y.Y. I am trying this:

----

interface Dialer 0
 ip address X.X.X.X 255.255.255.0
 ip policy route map UDP-GOES-AWAY

route map ICMP-GOES-AWAY
 match ip address ICMP-GOES-AWAY-ACL
 set ip next-hop Y.Y.Y.Y

access-list UDP-GOES-AWAY-ACL permit udp any any
access-list UDP-GOES-AWAY-ACL deny ip any any

----

It does not seem to work.

My question remains: Is it possible that IOS does not consider policy routing for its own local addresses?
0
 
LVL 3

Author Comment

by:gremwell
ID: 33645205
Sorry for the typos. Corrected version of the config above:

interface Dialer 0
 ip address X.X.X.X 255.255.255.0
 ip policy route map UDP-GOES-AWAY

route map UDP-GOES-AWAY
 match ip address UDP-GOES-AWAY-ACL
 set ip next-hop Y.Y.Y.Y

access-list UDP-GOES-AWAY-ACL permit udp any any
access-list UDP-GOES-AWAY-ACL deny ip any any
0
Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

 
LVL 3

Author Comment

by:gremwell
ID: 33645424
There seems to be a way to apply a policy routing to locally _generated_ traffic, but according to my tests ingress traffic to the local addresses is not affected by this command.

http://blog.ine.com/2008/02/13/tricks-with-local-policy-routing/
0
 
LVL 22

Accepted Solution

by:
Jody Lemoine earned 500 total points
ID: 33653560
Unfortunately not.  I was doing some testing with some NAT workarounds in the lab last year and found that any IP address that is actually configured on the device will be answered by the device and processed before policy-based routing can come into play.  Essentially, the router answers any call that it perceives as being destined for itself as part of its control plane processing.

If you have more than one address available on the Dialer0 interface (possible with that 255.255.255.0 subnet mask, I suppose) then you can apply policy-based routing to any traffic that you have a NAT entry for, so long as the public IP isn't configured on the Dialer0 interface.  That may be an option.
0
 
LVL 3

Author Comment

by:gremwell
ID: 33654332
Thanks.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question