policy based routing

Setup:

           T1                    Cable Modem
           |                         |
    +-----------------------------------+
    |  S0/0                    Fa0/1    |
    |  172.16.10.30     192.168.10.10   |
    |                                   |
    |            Cisco 2621             |
    |                                   |
    |  Fa0/0                            |
    |  10.10.10.8                       |
    +-----------------------------------+
                     |
              Internal Network

Everything routes out of the T1 currently. I was assigned a dynamic reserved address from the cable modem. So I get the following information from the ISP of the cable modem. I am able to ping the default gateway and see the packet count go up by that number of packets on the Fa0/1 interface, so I know the added directly connected route is working:

IP Address:   192.168.10.10
Subnet Mask:  255.255.255.0
Def. Gateway: 192.168.10.1

I tried the following Policy-Based Routing setup and thought this would work, but I must have something wrong somewhere. I only want to send HTTP traffic out the cable modem for now, then figure out other steps later. With this PBR in place, all traffic to websites stops; everything else continues to function.

Changes to Config:

access-list 131 permit tcp any any eq www
!
route-map Websurfers permit 45
 match ip address 131
 set ip next-hop 192.168.10.1
!
interface FastEthernet0/0
 ip policy route-map Websurfers
 ip route-cache policy

Can anyone see an issue with this, or where I may have made a mistake?

Thanks,

Scott

Scot

What about your NAT configuration?

Greg

Greg Miller

No NAT until you get behind the firewall protecting the internal network.

I also tried in the route-map section setting "set interface FastEthernet0/1" instead of the "set ip next-hop".

Scot

The problem is that you're sending this traffic out with 10.10.10.x source addresses, but the cable ISP is probably configured only to route 192.168.10.10 back to your connection. You need to enable NAT on the router so that traffic going out fa0/1 will be translated to this address.

Barry Margolin

hmmm..

would it be something as simple as, ip nat inside on the fa0/0 interface and ip nat outside on the fa0/1 interface?

would this screw up my already working routing of fa0/0 to s0/0 by default?

thanks,

scott

Scot

You also need to configure a NAT pool that translates to the outside interface's IP.

No. If there's no "ip nat outside" on s0/0, then any traffic routed out this interface will be unaffected by NAT.

Barry Margolin

Okay, I think I'm going down the right track. Here are the changes that I added to my config:

interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
!
ip nat inside source route-map Websurfers interface FastEthernet0/1 overload

It didn't seem to work, but wouldn't this essentially be what I am looking for instead of an access-list based NAT pool, since I'm looking to only send policy-based traffic out that interface with the cable modem attached?

Thanks again,

Scott

Scot

Hi

Is it possible to route traffic from one interface only to routes that are advertised to the router with the BGP protocol? For example, suppose that the "sh ip route" output is like this:

B    1.1.1.0/24 [200/1] via 4.4.4.4, 1d20h
B    2.2.2.0/24 [200/1] via 4.4.4.4, 4d15h
B    3.3.3.0/24 [200/0] via 4.4.4.4, 3d21h
S*   0.0.0.0/0 [1/0] via 5.5.5.5

What I would like to set up is, if the client on interface FE0/0 wants to go to networks 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 his traffic would be routed. But if he tries to go somewhere else (destination network is in this case 0.0.0.0) the packets would be dropped.

What kind of match rule should I use?

Thanks for the help

Igor

eduke

You can't use a match in this way, but if you reverse your logic you could remove the default and use 'set ip default next-hop' on interfaces that are allowed to use it to achieve the same end result.

Andy

Andy Furnell

Something along the lines of:

!
route-map TEST permit 10
 match ip address 101
 set interface Null0
!
! Extended ACL entries need both a source and a destination; the BGP-learned
! networks are matched as the destination, so they are exempted from the policy.
access-list 101 deny ip any 1.1.1.0 0.0.0.255
access-list 101 deny ip any 2.2.2.0 0.0.0.255
access-list 101 deny ip any 3.3.3.0 0.0.0.255
access-list 101 permit ip any any
!
interface FastEthernet0/0
 ip policy route-map TEST
!

HTH
Cheers
Alex

ETLALAR

If the default route is removed it will affect ALL users on the box, not only those who come from Fa0/0. HTH Cheers Alex

ETLALAR

I can't do this because those networks could change. And there are many more networks, not only the three I showed in the example. The networks are learned from another box. So I need to set up something like this on my router:

If you want to go to routes I learned with BGP, you are allowed. If you want to go somewhere else, your packets will be dropped.

Igor

eduke

Hence the use of PBR and 'set ip default next-hop x.x.x.x' for all other interfaces that need to use the default... It's an ass-backwards kludge, but I can't see any way of doing it that doesn't involve hard-coding BGP prefixes into the PBR policy-map (which kinda defeats the purpose of using BGP in the first place, I would think)

Andy

Andy Furnell

You could automate this with a script running off a UNIX box: the script should periodically RSH into the Cisco router in question, get the list of BGP routes, then compile/change the access-list. HTH Cheers Alex

ETLALAR
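The ACL-generation half of the script Alex describes, as an added example that is not any poster's code: it parses "show ip route" text of the shape quoted earlier in the thread (a constructed sample is embedded; the RSH fetch is left out) and emits the deny-per-BGP-prefix access-list that the Null0 route-map would reference. It generalises beyond /24s by deriving the IOS wildcard from each prefix length.

```python
"""Build the PBR access-list from 'show ip route' output.

Added example (not from this thread's posters). BGP-learned networks become
'deny' entries, so they escape the route-map; the closing 'permit ip any any'
sends everything else to Null0 via the route-map's 'set interface Null0'.
"""
import ipaddress
import re

# Constructed sample, shaped like the 'sh ip route' excerpt in the thread.
SAMPLE_ROUTE_TABLE = """\
B    1.1.1.0/24 [200/1] via 4.4.4.4, 1d20h
B    2.2.2.0/24 [200/1] via 4.4.4.4, 4d15h
B    3.3.3.0/24 [200/0] via 4.4.4.4, 3d21h
C    10.10.10.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 5.5.5.5
"""

# Route code in column 0, then a CIDR prefix. Indented "is subnetted" summary
# lines in real output start with whitespace and therefore do not match.
ROUTE_RE = re.compile(r"^(?P<code>[A-Z*]+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)")


def bgp_prefixes(route_table: str) -> list[ipaddress.IPv4Network]:
    """Return the BGP-learned ('B') prefixes in the order they appear."""
    found = []
    for line in route_table.splitlines():
        m = ROUTE_RE.match(line)
        if m and m.group("code") == "B":
            found.append(ipaddress.ip_network(m.group("prefix"), strict=False))
    return found


def wildcard(net: ipaddress.IPv4Network) -> str:
    """IOS wildcard mask: the bitwise inverse of the subnet mask."""
    return str(net.hostmask)


def build_acl(route_table: str, acl_number: int = 101) -> list[str]:
    """Extended ACL lines matching the packet's *destination* network."""
    lines = [
        f"access-list {acl_number} deny ip any {net.network_address} {wildcard(net)}"
        for net in bgp_prefixes(route_table)
    ]
    # Anything not learned via BGP matches the route-map and goes to Null0.
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(build_acl(SAMPLE_ROUTE_TABLE)))
```

Because the table is re-read on every run, a prefix that BGP withdraws drops out of the ACL on the next cycle, which is the property Igor asked for and the hard-coded list lacks.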

Be very careful with just how much you help people as the results may be catastrophic.

M Gillespie
