• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 432
  • Last Modified:

Cisco Routing Rules

Hi -

I am trying to route all my http/https traffic to a different router(internet connection).

I created an access list:

Extended IP access list 102
    10 deny tcp any 0.0.0.0 255.255.255.0 eq www
    20 deny tcp any 0.0.0.0 255.255.255.0 eq 443
    30 permit tcp any any eq www
    40 permit tcp any any eq 443

Then a: route-map, matched to the access-list and set next hop.

Everything seems to work well and the http traffic is going out the proper way.

The only issue I have is that we have internal intranet sites that are in a different office.
I am not able to get to the sites.
Think it is just an access-list issue.
The intranet site is located on network 10.0.50.0 and I am on 10.0.20.0

Any help would be appreciated
0
doctor069
Asked:
doctor069
  • 5
  • 2
1 Solution
 
doctor069Author Commented:
Basically, I think I just need to add exception on the access list so the http traffic for 10.0.50.0 passes though
0
 
SouljaCommented:
Yeah, just add

to the acl where http and ssl is destined for 10.0.50.0 0.0.0.255

I don't understand your two first lines.
0
 
kevinhsiehCommented:
You're access list is weird. I would delete the first two lines and add this line which will prevent internal traffic from getting redirected.

10 deny tcp any 10.0.0.0 255.0.0.0
0
The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

 
doctor069Author Commented:
Hi my access list looks like this now:

access-list 102 deny tcp any 10.0.0.0 255.0.0.0
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 443

But i still cant hit internal http traffic on a different subnet
0
 
doctor069Author Commented:
Tried this but no luck... an i getting close?

Testing with 10.0.10.17...

access-list 101 permit tcp 10.0.10.17 255.255.255.255 10.0.50.0 255.255.255.0 eq 80

access-list 102 permit tcp 10.0.10.17 255.255.255.255 any eq 80

route-map WebRoute permit 10

match ip address 101

set ip next-hop 10.0.20.3

route-map WebRoute permit 20

match ip address 102

set ip next-hop 172.16.10.2



ip policy route-map WebRoute
0
 
doctor069Author Commented:
Got it, But... I said in the access list only computers between 10.0.10.100 and 10.0.10.255 should use this routing policy, but all computers are using it. eg. 10.0.10.60 is routing through here as well.

access-list 101 permit tcp 10.0.10.100 0.0.0.255 10.0.50.0 0.0.0.255 eq 80

access-list 102 permit tcp 10.0.10.100 0.0.0.255 any eq 80

route-map WebRoute permit 10

match ip address 101

set ip next-hop 10.0.20.3

route-map WebRoute permit 20

match ip address 102

set ip next-hop 172.16.10.2
0
 
doctor069Author Commented:
was able to solve issue
0
 
kevinhsiehCommented:
Your access lists in your last post are not what they appear to be.  10.0.10.100 mask 0.0.0.255 really is 10.0.10.X, where X is from 0 to 255. To get 10.0.10.100-255 takes many statements because of the way masking works with binary numbers. If you can adjust your range to 10.0.10.128-255, that is easily accomplished via 10.0.10.128 0.0.0.128
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

  • 5
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now