  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 399

Cisco Routing Rules

Hi -

I am trying to route all my http/https traffic to a different router(internet connection).

I created an access list:

Extended IP access list 102
    10 deny tcp any 0.0.0.0 255.255.255.0 eq www
    20 deny tcp any 0.0.0.0 255.255.255.0 eq 443
    30 permit tcp any any eq www
    40 permit tcp any any eq 443

Then a: route-map, matched to the access-list and set next hop.

Everything seems to work well and the http traffic is going out the proper way.

The only issue I have is that we have internal intranet sites that are in a different office.
I am not able to get to the sites.
Think it is just an access-list issue.
The intranet site is located on network 10.0.50.0 and I am on 10.0.20.0

Any help would be appreciated
0
doctor069 (Author) Commented:
Basically, I think I just need to add exception on the access list so the http traffic for 10.0.50.0 passes though
0
 
Soulja Commented:
Yeah, just add

to the acl where http and ssl is destined for 10.0.50.0 0.0.0.255

I don't understand your two first lines.
0
 
kevinhsieh Commented:
Your access list is weird. I would delete the first two lines and add this line, which will prevent internal traffic from getting redirected.

10 deny tcp any 10.0.0.0 255.0.0.0
0
 
doctor069 (Author) Commented:
Hi my access list looks like this now:

access-list 102 deny tcp any 10.0.0.0 255.0.0.0
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 443

But I still can't hit internal http traffic on a different subnet.
0
 
doctor069 (Author) Commented:
Tried this but no luck... am I getting close?

Testing with 10.0.10.17...

access-list 101 permit tcp 10.0.10.17 255.255.255.255 10.0.50.0 255.255.255.0 eq 80

access-list 102 permit tcp 10.0.10.17 255.255.255.255 any eq 80

route-map WebRoute permit 10

match ip address 101

set ip next-hop 10.0.20.3

route-map WebRoute permit 20

match ip address 102

set ip next-hop 172.16.10.2

ip policy route-map WebRoute
0
 
doctor069 (Author) Commented:
Got it. But... I said in the access list only computers between 10.0.10.100 and 10.0.10.255 should use this routing policy, but all computers are using it, e.g. 10.0.10.60 is routing through here as well.

access-list 101 permit tcp 10.0.10.100 0.0.0.255 10.0.50.0 0.0.0.255 eq 80

access-list 102 permit tcp 10.0.10.100 0.0.0.255 any eq 80

route-map WebRoute permit 10

match ip address 101

set ip next-hop 10.0.20.3

route-map WebRoute permit 20

match ip address 102

set ip next-hop 172.16.10.2
0
 
doctor069 (Author) Commented:
Was able to solve the issue.
0
 
kevinhsieh Commented:
Your access lists in your last post are not what they appear to be. 10.0.10.100 mask 0.0.0.255 really is 10.0.10.X, where X is from 0 to 255. To get 10.0.10.100-255 takes many statements because of the way masking works with binary numbers. If you can adjust your range to 10.0.10.128-255, that is easily accomplished via 10.0.10.128 0.0.0.128
0
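An added example (my own code, not from anyone in this thread) that makes the wildcard-mask point concrete: it checks what a base/wildcard pair really matches, enumerates the addresses a pair covers, and splits an arbitrary range such as 10.0.10.100 to 10.0.10.255 into the minimal set of source entries, rendered in the access-list syntax used above. The ACL number 101, destination 10.0.50.0 0.0.0.255 and port 80 in the rendered lines come from the poster's config; the function names are assumptions of this example.

```python
import ipaddress

MAX32 = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco ACE semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_to_int(wildcard) & MAX32
    return (_to_int(addr) & care) == (_to_int(base) & care)


def matched_addresses(base: str, wildcard: str) -> list[str]:
    """Every address a 'base wildcard' pair matches (narrow wildcards only)."""
    w = _to_int(wildcard)
    free_bits = [bit for bit in range(32) if w >> bit & 1]
    if len(free_bits) > 16:
        raise ValueError("wildcard too wide to enumerate")
    fixed = _to_int(base) & ~w & MAX32   # bits the ACE actually compares
    out = []
    for n in range(1 << len(free_bits)):
        a = fixed
        for k, bit in enumerate(free_bits):
            if n >> k & 1:
                a |= 1 << bit
        out.append(a)
    return [_to_str(a) for a in sorted(out)]


def range_to_wildcards(first: str, last: str) -> list[tuple[str, str]]:
    """Minimal list of (base, wildcard) pairs covering the inclusive range."""
    lo, hi = _to_int(first), _to_int(last)
    pairs = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned on lo and inside the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        pairs.append((_to_str(lo), _to_str(size - 1)))
        lo += size
    return pairs


def render_aces(acl: int, first: str, last: str, dst: str, dst_wc: str, port: int) -> list[str]:
    """One 'access-list N permit tcp ...' line per wildcard pair."""
    return [f"access-list {acl} permit tcp {b} {w} {dst} {dst_wc} eq {port}"
            for b, w in range_to_wildcards(first, last)]
```

Running `render_aces(101, "10.0.10.100", "10.0.10.255", "10.0.50.0", "0.0.0.255", 80)` gives the four source entries that 0.0.0.255 was silently widening to the whole /24.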
