
I've got 2 sites with an IPSEC connection between them. Each site has a 2921 on the edge.

Site A 2921 (gi0/1) ---> <--- (gi0/1) 2921 Site B

I am adding a second WAN connection to site A via the third interface on the 2921 (gi0/2).

10.12.x.x Site A 2921 (gi0/1) ---> <--- (gi0/1) 2921 Site B 10.4.x.x
          Site A 2921 (gi0/2) --->  0.0.0.0

Ideally I would like to use PBR to send users behind Site A's 2921 out the gi0/2 interface unless they are destined for an address in Site B. I am also hosting a mail server from Site A on the gi0/1 interface's IP address.

I've done PBR before, but the VPN (I think) is throwing in some complexities for me.

When I set the interface overload commands and apply the route map to the interface, it just stops working. If I just remove the PBR and set gi0/1 back to the default route, everything works just fine.

Thanks for the help!

Site A Configuration

interface GigabitEthernet0/0
 description Inside
 ip address 10.12.x.x 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip policy route-map internet
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled

interface GigabitEthernet0/1
 description TO SITE B
 ip address a.a.a.a 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip verify unicast source reachable-via rx allow-default 100
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip inspect OutsideFirewall out
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 crypto map S2S_VPN

interface GigabitEthernet0/2
 description TO 0.0.0.0
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip verify unicast source reachable-via rx allow-default 100
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip inspect OutsideFirewall out
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 no mop enabled

ip nat inside source route-map NAT interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.12.x.10 80 interface GigabitEthernet0/1 80
ip nat inside source static tcp 10.12.x.10 995 interface GigabitEthernet0/1 995
ip nat inside source static tcp 10.12.x.10 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 10.12.x.10 443 interface GigabitEthernet0/1 443
ip nat inside source list NAT interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 192.x.x.x   ! gi0/2 gateway

ip access-list extended NAT
 deny   ip any 10.4.x.x 0.0.0.255
 permit ip any any

ip access-list extended to_gi01
 permit ip 10.12.x.10 0.0.0.0 any
 permit ip 10.12.x.x 0.0.0.255 10.4.x.x 0.0.0.255 
 deny   ip any any

route-map internet permit 10
 match ip address to_gi01
 set ip next-hop a.a.a.a   ! gi0/1 gateway

Site A Crypto Section

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto ipsec transform-set S2S_SET esp-3des esp-md5-hmac 
 mode tunnel

crypto isakmp key blahblah address x.siteB.x.x

crypto map S2S_VPN 1 ipsec-isakmp 
 description S2S VPN
 set peer x.siteB.x.x
 set transform-set S2S_SET 
 set pfs group1
 match address siteB_ACL

ip access-list extended siteB_ACL
 permit ip 10.12.x.0 0.0.0.255 10.4.x.0 0.0.0.255

Simple Network Drawing

[network diagram image]

Ryan Foley
Charles
  • I don't see any of the IPSEC configuration. Can you add that too? – Ron Trunk Apr 10 '14 at 10:09
  • I don't see route-map NAT that you apply to on the NAT statement. Can you provide it? Also I think you need a route to 10.4.x.x pointing to the other end of the tunnel. – mihai Apr 10 '14 at 13:12
  • @mihai I'll definitely add that NAT statement, looks like I AM missing that. I could just use the 'internet' route map right? – Charles Apr 10 '14 at 16:55
  • @mihai Also, doesn't PBR take care of that routing issue? Isn't the point of this to throw different data based on source out a different pipe? – Charles Apr 10 '14 at 16:57
  • @Charles Can you expand on your packet-flow requirements a little more? I'm inclined to take [Jeff McAdams' view on PBR](http://networkengineering.stackexchange.com/questions/76/better-enterprise-multihoming/78#78), there is usually a better way to handle packet flow; look at PBR as a last-ditch effort. – Ryan Foley Apr 10 '14 at 19:10
  • @Fizzle I am trying to just add a second WAN connection to throw *most* of my user bandwidth out of. It's pretty simple I think. I just want to make sure that the mail server, and the VPN traffic gets routed through the IPSEC tunnels. While having the other traffic head out the gi0/2 connection. I read the mentioned article. I can understand why PBR can be a rough solution. Any other recommendations based on my packet flow? – Charles Apr 11 '14 at 16:34
  • @Charles What does your RIB look like? What routing protocol are you using? – Ryan Foley Apr 11 '14 at 16:52
  • @Fizzle again, pretty simple. We're using OSPF internally, and a static route for the default route. That answer your question? – Charles Apr 11 '14 at 17:02
  • @Charles I'm trying to read this and understand where PBR fits, but I'm having a hard time. Site B has one exit, Site A. Site A has one neighboring network (Site B) and one default route. Site A and B should communicate via the IPSEC Tunnel. Is this all correct? – Ryan Foley Apr 11 '14 at 17:22
  • @Fizzle Yeah, that's correct. PBR came into play because I want all traffic not designated for Site B to go out gi0/2 *and* I want the mail server to always go out gi0/1. So from what I understand, PBR is a way to achieve routing based on source rather than destination. PBR would allow me to say, based on the Site A source (the 10.12.x.x network) the packets would go out to gi0/2 *unless* the traffic is destined for Site B or originates from the mail server (10.12.x.10). Does that make sense as to why I'm doing PBR here? Thanks for the help! – Charles Apr 11 '14 at 18:25
  • @Charles It looks like your PBR requirement is completely about your mail server. Everything else is handled via standard routing protocols and default routes. Perhaps [chat] might be a good place to discuss this in more detail, you will need 20 rep to talk there. Maybe a more elaborate network diagram would net you enough rep to get in there. – Ryan Foley Apr 12 '14 at 08:18
  • @Fizzle Ok, I'll write one up, and get it posted here. Thanks for the help! – Charles Apr 12 '14 at 19:39
  • Attached here is the diagram. [Network Diagram](https://docs.google.com/drawings/d/1ucYvyltFEgJ5gwQ_sgJwTPueYsON_mAnRXvN_X3vxqU/pub?w=481&h=485) – Charles Apr 14 '14 at 21:30
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can post and accept your own answer. – Ron Maupin Jan 05 '21 at 01:35

2 Answers

So I found my solution. It has to do with the NAT statements.

I am using this in the above example:
ip nat inside source route-map NAT interface GigabitEthernet0/1 overload
ip nat inside source list NAT interface GigabitEthernet0/2 overload

To resolve the problem, I set this:

ip nat inside source route-map Gi02 interface GigabitEthernet0/1 overload
ip nat inside source route-map Gi02 interface GigabitEthernet0/2 overload

with these NAT ACLs:

ip access-list extended Gi01_NAT
 deny ip any 10.4.x.0 0.0.0.255
 permit ip any any
ip access-list extended Gi02_NAT
 permit ip any any

Once I set those NAT statements properly it worked. Apparently the device didn't like me mixing the route-map NAT with the source list NAT statements, although I could find no documentation saying that I can't mix these.

Charles
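The accepted answer shows the NAT statements but not the route-maps they reference. The following is an added example, not the poster's configuration, of the usual IOS pattern for NAT overload across two outside interfaces: each NAT rule points at a route-map that matches both the traffic ACL and the egress interface, so a flow is translated to the address of the interface it actually leaves through, and Site B traffic is exempted from NAT so it still matches the crypto ACL. All addresses are placeholders (10.12.1.0/24 for the inside network, 10.12.1.10 for the mail server, 10.4.1.0/24 for Site B, 198.51.100.1 for the gi0/1 gateway, 192.0.2.1 for the gi0/2 gateway) and the object names (NAT_EXEMPT_SITEB, NAT_GI01, NAT_GI02, PBR_MAIL_TO_GI01, PBR_INTERNET) are chosen for this example.

```cisco
! Added example configuration (placeholder addresses and names, see lead-in).

! Traffic for Site B must reach the crypto map untranslated: once the source
! is NATed it no longer matches siteB_ACL and leaves the router unencrypted
! via the default route instead of entering the tunnel.
ip access-list extended NAT_EXEMPT_SITEB
 deny   ip 10.12.1.0 0.0.0.255 10.4.1.0 0.0.0.255
 permit ip 10.12.1.0 0.0.0.255 any

! One route-map per outside interface; "match interface" ties the translation
! to the interface the packet is being forwarded out of.
route-map NAT_GI01 permit 10
 match ip address NAT_EXEMPT_SITEB
 match interface GigabitEthernet0/1

route-map NAT_GI02 permit 10
 match ip address NAT_EXEMPT_SITEB
 match interface GigabitEthernet0/2

! Both NAT statements use the route-map form (no mix of "list" and "route-map").
ip nat inside source route-map NAT_GI01 interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT_GI02 interface GigabitEthernet0/2 overload

! Static port forwards for the mail server stay on gi0/1, as in the question.
ip nat inside source static tcp 10.12.1.10 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 10.12.1.10 443 interface GigabitEthernet0/1 443

! PBR on the inside interface steers only the mail server's Internet traffic
! to gi0/1. Site B traffic is excluded so it follows the routing table.
ip access-list extended PBR_MAIL_TO_GI01
 deny   ip host 10.12.1.10 10.4.1.0 0.0.0.255
 permit ip host 10.12.1.10 any

route-map PBR_INTERNET permit 10
 match ip address PBR_MAIL_TO_GI01
 set ip next-hop 198.51.100.1
! No further clause: unmatched traffic is routed normally (default via gi0/2).

interface GigabitEthernet0/0
 ip policy route-map PBR_INTERNET

! Site B must be routed out gi0/1 so the crypto map applied there sees the
! traffic; without this route it would follow the default via gi0/2 in clear.
ip route 10.4.1.0 255.255.255.0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 192.0.2.1

! gi0/1 no longer holds the default route. Strict uRPF ("reachable-via rx")
! on gi0/1 would then drop Internet packets arriving there for the mail
! server, because their reverse path is now gi0/2. Loose mode keeps the
! spoofing check while allowing asymmetric entry.
interface GigabitEthernet0/1
 ip verify unicast source reachable-via any allow-default
```

Two things are worth verifying on a box configured like this: `show ip nat translations` should show Site A to Site B flows absent from the table (they are exempt), and `show crypto ipsec sa` should show the encaps/decaps counters increasing for the 10.12.1.0/24 to 10.4.1.0/24 SA once that traffic is routed out gi0/1. The uRPF change at the end is the one item the question's configuration makes likely to bite after the default route moves to gi0/2; it is a check to make, not a stated cause of the original problem.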

Policy-based routing is primarily used for routing packets using something other than destination IP. If you configure a static route pointing your mail server's IP address towards the WAN, the router will find a longer netmask match for the mail server and not send it according to the default route. Depending on your requirements, Cisco can even track to make sure the WAN is still there before inserting the route into the route table.

PBR would be used if you wanted to route based on something non-standard, such as by source IP instead. I've used that when I want one source IP to use one link and another source IP to go somewhere else. But in this case, I think traditional methods should work better.

Magic Man
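The answer above mentions that IOS can track whether the WAN is still up before installing a route. As an added example (not from the answer or the poster), this is the IP SLA and object-tracking pattern that does that: the gi0/2 default route is installed only while an ICMP probe through gi0/2 succeeds, and a floating static route via gi0/1 takes over otherwise. Addresses and numbers are placeholders (192.0.2.1 for the gi0/2 gateway, 198.51.100.1 for the gi0/1 gateway, SLA/track number 10).

```cisco
! Added example configuration (placeholder addresses and numbers, see lead-in).

! Probe the gi0/2 gateway every 10 seconds, sourced from gi0/2 so the probe
! cannot be answered over the backup path.
ip sla 10
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/2
 frequency 10
ip sla schedule 10 life forever start-time now

! Track object follows the probe result; the delays dampen flapping
! (declare down after 15 s of failures, up only after 30 s of success).
track 10 ip sla 10 reachability
 delay down 15 up 30

! Primary default route via gi0/2, withdrawn from the routing table when
! the track goes down.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 10

! Floating backup via gi0/1 (administrative distance 250), used only while
! the tracked primary is absent.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
```

Probing the directly connected gateway only detects a dead link or gateway; to detect loss of upstream connectivity, probe an address further out and add a host route for that address via the gi0/2 gateway so the probe is never carried over the backup path. `show track 10` and `show ip sla statistics 10` show the current state and probe history.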