Solved

Cisco Routing Rules

Posted on 2014-03-26
Last Modified: 2014-04-07
Hi -

I am trying to route all my http/https traffic to a different router (internet connection).

I created an access list:

Extended IP access list 102
    10 deny tcp any 0.0.0.0 255.255.255.0 eq www
    20 deny tcp any 0.0.0.0 255.255.255.0 eq 443
    30 permit tcp any any eq www
    40 permit tcp any any eq 443

Then a: route-map, matched to the access-list and set next hop.

Everything seems to work well and the http traffic is going out the proper way.

The only issue I have is that we have internal intranet sites that are in a different office.
I am not able to get to the sites.
Think it is just an access-list issue.
The intranet site is located on network 10.0.50.0 and I am on 10.0.20.0

Any help would be appreciated
Question by:doctor069

Author Comment

by:doctor069
ID: 39957951
Basically, I think I just need to add an exception on the access list so the http traffic for 10.0.50.0 passes through.
 
LVL 26

Expert Comment

by:Soulja
ID: 39959007
Yeah, just add

to the ACL where http and ssl are destined for 10.0.50.0 0.0.0.255

I don't understand your first two lines.
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 39959216
Your access list is weird. I would delete the first two lines and add this line, which will prevent internal traffic from getting redirected.

10 deny tcp any 10.0.0.0 255.0.0.0

Author Comment

by:doctor069
ID: 39962464
Hi my access list looks like this now:

access-list 102 deny tcp any 10.0.0.0 255.0.0.0
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 443

But I still can't hit internal http traffic on a different subnet.
 

Author Comment

by:doctor069
ID: 39962575
Tried this but no luck... am I getting close?

Testing with 10.0.10.17...

access-list 101 permit tcp 10.0.10.17 255.255.255.255 10.0.50.0 255.255.255.0 eq 80
access-list 102 permit tcp 10.0.10.17 255.255.255.255 any eq 80

route-map WebRoute permit 10
 match ip address 101
 set ip next-hop 10.0.20.3
route-map WebRoute permit 20
 match ip address 102
 set ip next-hop 172.16.10.2

ip policy route-map WebRoute
 

Accepted Solution

by:
doctor069 earned 0 total points
ID: 39962855
Got it, but... I said in the access list only computers between 10.0.10.100 and 10.0.10.255 should use this routing policy, but all computers are using it, e.g. 10.0.10.60 is routing through here as well.

access-list 101 permit tcp 10.0.10.100 0.0.0.255 10.0.50.0 0.0.0.255 eq 80
access-list 102 permit tcp 10.0.10.100 0.0.0.255 any eq 80

route-map WebRoute permit 10
 match ip address 101
 set ip next-hop 10.0.20.3
route-map WebRoute permit 20
 match ip address 102
 set ip next-hop 172.16.10.2
 

Author Closing Comment

by:doctor069
ID: 39982569
Was able to solve the issue.
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 39982656
Your access lists in your last post are not what they appear to be. 10.0.10.100 mask 0.0.0.255 really is 10.0.10.X, where X is from 0 to 255. To get 10.0.10.100-255 takes many statements because of the way masking works with binary numbers. If you can adjust your range to 10.0.10.128-255, that is easily accomplished via 10.0.10.128 0.0.0.128
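To check what the wildcard masks in this thread actually match, and which next hop the WebRoute policy picks for a given flow, here is a small Python model of Cisco ACL wildcard matching and route-map evaluation, added as an example (it is not code from the thread or from Cisco IOS). The addresses and ACL entries come from the posts above; the 0.0.0.127 wildcard and the test hosts 10.0.50.5 and 203.0.113.10 are constructed for the example.

```python
# Added example, not from the thread: a minimal model of Cisco extended-ACL wildcard
# matching and route-map (PBR) evaluation, to check which hosts the posted policy
# really catches. Every address and entry is taken from the thread except the
# 0.0.0.127 wildcard and the 10.0.50.5 / 203.0.113.10 test hosts (constructed here).
from ipaddress import IPv4Address

def ip_to_int(addr: str) -> int:
    return int(IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)

def matched_hosts(base: str, wildcard: str, prefix: str = "10.0.10.") -> list:
    """Last-octet values X for which prefix.X matches the entry (base, wildcard)."""
    return [x for x in range(256) if wildcard_match(f"{prefix}{x}", base, wildcard)]

# ACL entry layout: (action, src, src_wildcard, dst, dst_wildcard, dst_port or None)
def acl_permits(acl, src: str, dst: str, dport: int) -> bool:
    for action, s, swc, d, dwc, port in acl:
        if (wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc)
                and (port is None or port == dport)):
            return action == "permit"
    return False  # implicit deny at the end of every Cisco ACL

def policy_next_hop(route_map, acls, src: str, dst: str, dport: int):
    """First route-map sequence whose ACL permits the flow sets the next hop;
    None means the packet falls back to the normal routing table."""
    for acl_name, next_hop in route_map:
        if acl_permits(acls[acl_name], src, dst, dport):
            return next_hop
    return None

ANY = ("0.0.0.0", "255.255.255.255")
# The accepted-solution config: 10.0.10.100 0.0.0.255 is really all of 10.0.10.0/24.
ACLS = {
    101: [("permit", "10.0.10.100", "0.0.0.255", "10.0.50.0", "0.0.0.255", 80)],
    102: [("permit", "10.0.10.100", "0.0.0.255", *ANY, 80)],
}
ROUTE_MAP = [(101, "10.0.20.3"), (102, "172.16.10.2")]  # WebRoute seq 10 and seq 20

if __name__ == "__main__":
    print(matched_hosts("10.0.10.100", "0.0.0.255"))   # 0..255: the whole subnet
    print(matched_hosts("10.0.10.128", "0.0.0.128"))   # [0, 128]: only two hosts
    print(matched_hosts("10.0.10.128", "0.0.0.127"))   # 128..255: the intended range
    print(policy_next_hop(ROUTE_MAP, ACLS, "10.0.10.60", "10.0.50.5", 80))  # 10.0.20.3
```

Swapping the source entries to 10.0.10.128 0.0.0.127 makes 10.0.10.60 fall through to normal routing, which is the behaviour the accepted solution was aiming for.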