Cisco policy based routing question

    In every example I have seen online, to implement policy based routing, a route-map is created, and then it is applied to an interface. Here is an example:

    http://www.petri.com/how-to-use-cisc...g-features.htm

    I have a Cisco 1700 that is configured with two ISPs. The intention is for all web traffic (TCP ports 80/443) to go to ISP B, and all other traffic to go through ISP A. However, instead of applying the route-map to the interfaces, the route-map has been "applied" to a NAT statement.

    I have not been able to find any documentation on what tagging a route-map to an ip nat line is supposed to do. Can anyone explain how this is working? It is working as expected, but my gut feeling is that there is a cleaner way to configure this.

    Should this be reconfigured by applying the route-map to the interface?

    Does the traffic (80/443) need to be permitted in 111 AND denied in 112? Or is that redundant?

    192.168.10.2 is a Cisco ASA, and the entire inside network is behind that. So it's been set up in a double-NAT configuration.

    Code:
    interface Ethernet0
     description ISPA Connection
     ip address 1.2.3.226 255.255.255.224
     ip nat outside
     half-duplex
    !
    interface Ethernet1
     description ISPB Connection
     ip address 4.5.6.42 255.255.255.248
     ip nat outside
     full-duplex
    !
    interface FastEthernet0
     ip address 192.168.10.1 255.255.255.0
     ip nat inside
     speed auto
    !
    
    ip nat inside source static 192.168.10.2 1.2.3.226 route-map isp_a
    ip nat inside source static 192.168.10.2 4.5.6.42 route-map isp_b
    
    ip route 0.0.0.0 0.0.0.0 1.2.3.225
    ip route 0.0.0.0 0.0.0.0 4.5.6.41 200
    
    access-list 111 remark ACL sending specified traffic to ISP B
    access-list 111 permit tcp any any eq www
    access-list 111 permit tcp any any eq 443
    access-list 111 deny   ip any any
    access-list 112 remark ACL sending all other traffic to ISP A
    access-list 112 deny   tcp any any eq www
    access-list 112 deny   tcp any any eq 443
    access-list 112 permit ip any any
    
    route-map isp_b permit 10
     match ip address 111
     set ip next-hop 4.5.6.41
    !
    route-map isp_a permit 10
     match ip address 112
     set ip next-hop 1.2.3.225
    !
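The question of whether the explicit denies in access-list 112 are redundant comes down to how IOS evaluates an extended ACL: first matching entry wins, and a packet that matches no entry is denied. The script below is an added example, not part of the forum post or any Cisco tooling. It models the two ACLs from the posted configuration with that first-match rule (reduced to protocol and destination port, since every entry uses `any any`), attaches each one to its route-map and next-hop exactly as the post does, and checks whether every sample flow is claimed by exactly one route-map. It then repeats the check with a constructed variant of ACL 112 that has only `permit ip any any`, to show what the two deny lines actually buy. It deliberately does not model the NAT translation order or how IOS applies a route-map referenced from an `ip nat inside source` line; it only shows the classification the ACLs produce.

```python
# Added example: first-match simulator for the ACLs in the posted config.
# It checks whether route-maps isp_a and isp_b partition the traffic.
from typing import List, Optional, Tuple


class Ace:
    """One access-list entry: permit/deny, protocol, optional destination port."""

    def __init__(self, action: str, proto: str, dport: Optional[int]):
        self.action = action      # "permit" or "deny"
        self.proto = proto        # "ip" matches every protocol; else "tcp"/"udp"
        self.dport = dport        # None means any destination port


# Transcribed from the post's config. IOS appends an implicit "deny ip any any"
# to every ACL; it is modelled by falling off the end of the list.
ACL_111 = [Ace("permit", "tcp", 80), Ace("permit", "tcp", 443), Ace("deny", "ip", None)]
ACL_112 = [Ace("deny", "tcp", 80), Ace("deny", "tcp", 443), Ace("permit", "ip", None)]

# Constructed variant (not in the post): ACL 112 without its explicit denies.
ACL_112_NO_DENY = [Ace("permit", "ip", None)]


def acl_permits(acl: List[Ace], proto: str, dport: int) -> bool:
    """IOS extended-ACL semantics: first matching entry decides; no match = deny."""
    for ace in acl:
        proto_ok = ace.proto == "ip" or ace.proto == proto
        port_ok = ace.dport is None or ace.dport == dport
        if proto_ok and port_ok:
            return ace.action == "permit"
    return False


# route-map name -> (match ACL, set ip next-hop), as in the posted config
ROUTE_MAPS = {
    "isp_b": (ACL_111, "4.5.6.41"),
    "isp_a": (ACL_112, "1.2.3.225"),
}
ROUTE_MAPS_NO_DENY = {
    "isp_b": (ACL_111, "4.5.6.41"),
    "isp_a": (ACL_112_NO_DENY, "1.2.3.225"),
}


def next_hops(proto: str, dport: int, route_maps=ROUTE_MAPS) -> List[Tuple[str, str]]:
    """Every (route-map, next-hop) whose match ACL permits this flow."""
    return [(name, hop) for name, (acl, hop) in route_maps.items()
            if acl_permits(acl, proto, dport)]


# Constructed sample flows: web, ssh, DNS, and UDP/443 to probe the tcp-only matches.
FLOWS = [("tcp", 80), ("tcp", 443), ("tcp", 22), ("udp", 53), ("udp", 443)]


def is_partition(flows=FLOWS, route_maps=ROUTE_MAPS) -> bool:
    """True when each flow is claimed by exactly one route-map (no gaps, no overlap)."""
    return all(len(next_hops(p, d, route_maps)) == 1 for p, d in flows)


def overlapping_flows(flows=FLOWS, route_maps=ROUTE_MAPS) -> List[Tuple[str, int]]:
    """Flows that more than one route-map would claim."""
    return [(p, d) for p, d in flows if len(next_hops(p, d, route_maps)) > 1]


if __name__ == "__main__":
    for p, d in FLOWS:
        print(f"{p}/{d:<4} -> {next_hops(p, d)}")
    print("as posted, partition:", is_partition())
    print("without denies in 112, overlapping:", overlapping_flows(route_maps=ROUTE_MAPS_NO_DENY))
```

With the ACLs as posted, every flow lands on exactly one route-map: TCP 80/443 on isp_b, everything else (including UDP/443, which the `tcp` entries never match) on isp_a. Drop the two deny lines from 112 and `permit ip any any` claims web traffic too, so both route-maps match it; the denies in 112 are therefore doing real work, while the trailing `deny ip any any` in 111 only restates the implicit deny.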