rtr1129MemberAug 04, 2009 at 3:06 pm #143576
In every example I have seen online, to implement policy based routing, a route-map is created, and then it is applied to an interface. Here is an example:
I have a Cisco 1700 that is configured with two ISPs. The intention is for all web traffic (TCP ports 80/443) to go to ISP B, and all other traffic to go through ISP A. However, instead of applying the route-map to the interfaces, the route-map has been “applied” to a NAT statement.
I have not been able to find any documentation on what tagging a route-map to an ip nat line is supposed to do. Can anyone explain how this is working? It is working as expected, but my gut feeling is that there is a cleaner way to configure this.
Should this be reconfigured by applying the route-map to the interface?
Does the traffic (80/443) need to be permitted in 111 AND denied in 112? Or is that redundant?
192.168.10.2 is a Cisco ASA, and the entire inside network is behind that. So it’s been setup in a double-NAT configuration.Code:interface Ethernet0
description ISPA Connection
ip address 126.96.36.199 255.255.255.224
ip nat outside
description ISPB Connection
ip address 188.8.131.52 255.255.255.248
ip nat outside
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip nat inside source static 192.168.10.2 184.108.40.206 route-map isp_a
ip nat inside source static 192.168.10.2 220.127.116.11 route-map isp_b
ip route 0.0.0.0 0.0.0.0 18.104.22.168
ip route 0.0.0.0 0.0.0.0 22.214.171.124 200
access-list 111 remark ACL sending specified traffic to ISP B
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 443
access-list 111 deny ip any any
access-list 112 remark ACL sending all other traffic to ISP A
access-list 112 deny tcp any any eq www
access-list 112 deny tcp any any eq 443
access-list 112 permit ip any any
route-map isp_b permit 10
match ip address 111
set ip next-hop 126.96.36.199
route-map isp_a permit 10
match ip address 112
set ip next-hop 188.8.131.52
You must be logged in to reply to this topic.