PBR problem

Dear All,

I have a problem configuring a PBR to let a server use as its next hop a remote site connected by a GRE tunnel.

The layout is:

LAN ---- (vlan1) Router1 (Tunnel624) ---------GRE---------(Tunnel624) Router2
                                                                      ---- Internet

The objective is to PAT a server (located in my LAN) on Router2 using its data line.

Router 1 config is:

interface Tunnel624
 ip address
 tunnel source FastEthernet0/0
 tunnel destination "public R2 IP address"

interface Vlan1
 ip address
 ip nat inside
 ip virtual-reassembly
 ip policy route-map PBR

ip access-list extended PBR
 permit ip host any log

route-map PBR permit 10
 match ip address PBR
 set ip next-hop


On Router2 the configuration is the following:

interface Tunnel624
 ip address
 ip nat inside
 tunnel source Loopback0
 tunnel destination "public R1 IP address"

interface FastEthernet0/0
 ip address "public R2 IP address"
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable

ip route
ip nat inside source static tcp 80 "public R2 IP address" 80 extendable

R2 and the server LAN can communicate perfectly.

The problem is that no requests are received by the server if they come from the "public R2 IP address".

On R1 a "debug ip packets" gives the following "access denied" even though no access lists are configured on the involved interfaces.

*May 7 12:03:35.683: IP: tableid=0, s="My Public IP" (Tunnel624), d= (Vlan1), routed via FIB
*May 7 12:03:35.687: IP: s="My Public IP" (Tunnel624), d= (Vlan1), len 48, access denied
*May 7 12:03:35.687: TCP src=50359, dst=80, seq=1253016140, ack=0, win=8192 SYN

Do you have any idea?
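As an added example (not code from the post or from Cisco), the following script parses IOS "debug ip packet" output of the shape quoted above and pairs each "access denied" IP line with the TCP line that follows it, then counts denied flows per ingress/egress interface pair so the dropping hop can be pinned down. The sample lines are constructed and the addresses are placeholders.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Shapes of the two line types seen in the post's "debug ip packet" trace.
IP_LINE = re.compile(
    r"IP: (?:tableid=(?P<tableid>\d+), )?s=(?P<src>\S+) \((?P<in_if>[^)]+)\), "
    r"d=(?P<dst>\S+) \((?P<out_if>[^)]+)\)(?:, len (?P<len>\d+))?, (?P<verdict>.+)$"
)
TCP_LINE = re.compile(r"TCP src=(?P<sport>\d+), dst=(?P<dport>\d+)")


@dataclass
class DeniedFlow:
    src: str
    dst: str
    in_if: str
    out_if: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_denied(lines) -> List[DeniedFlow]:
    """Return every flow the trace reports as 'access denied'.

    A denied IP line is paired with the TCP line directly after it, if any,
    so the result carries ports as well as addresses and interfaces."""
    out: List[DeniedFlow] = []
    pending: Optional[DeniedFlow] = None
    for raw in lines:
        m = IP_LINE.search(raw)
        if m:
            pending = None
            if m.group("verdict").strip() == "access denied":
                pending = DeniedFlow(m.group("src"), m.group("dst"),
                                     m.group("in_if"), m.group("out_if"))
                out.append(pending)
            continue
        t = TCP_LINE.search(raw)
        if t and pending is not None:  # port info belongs to the denied packet
            pending.sport, pending.dport = int(t.group("sport")), int(t.group("dport"))
            pending = None
    return out


def summarize(flows: List[DeniedFlow]) -> Counter:
    """Count denied flows per (ingress, egress) interface pair."""
    return Counter((f.in_if, f.out_if) for f in flows)


# Constructed sample in the post's debug format; addresses are placeholders.
SAMPLE = """\
*May  7 12:03:35.683: IP: tableid=0, s=198.51.100.7 (Tunnel624), d=192.168.1.10 (Vlan1), routed via FIB
*May  7 12:03:35.687: IP: s=198.51.100.7 (Tunnel624), d=192.168.1.10 (Vlan1), len 48, access denied
*May  7 12:03:35.687:     TCP src=50359, dst=80, seq=1253016140, ack=0, win=8192 SYN
*May  7 12:03:36.101: IP: s=192.168.1.10 (Vlan1), d=198.51.100.7 (Tunnel624), len 48, sending
*May  7 12:03:36.105:     TCP src=80, dst=50359, seq=9, ack=1253016141, win=8192 ACK SYN
""".splitlines()

if __name__ == "__main__":
    denied = parse_denied(SAMPLE)
    for flow in denied:
        print(flow)
    print(summarize(denied))
```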
