I'm trying to replace this Linux GW with a Cisco 877 however I'm having a bit of an hard time implementing Policy Based Routing together in NAT depending on the policy.
This was the previsous setup:
| | | Linux GW | ---> Network 1 ADSLoISDN | cisco 836 | ------> | IP Tables | ---> Network 2 | | | | ---> Network 3
The linuxGW routed all the three networks among them and to the ADSLoISDN There are some policies on the internal routing but all can use the default GW on the linuxGW which is the cisco 836.
Now I just got a new cisco 877 and an extra ADSL2+ access and want that some of the internal networks use one connection and other to use the other. I wanted even to make it possible that a particular host on the internal network or that a particular destination use a specific network.
Basicly I want to be able to choose with WAN access to use depending on either source, destination or some other policy.
So this is my intended setup to begin with
IPoATM -------------------------------\\ v | | | | ---> Network 1 (VLAN x) ADSLoISDN | cisco 836 | ------> | cisco 877 | ---> Network 2 (VLAN y) | | | | ---> Network 3 (VLAN z)
The 836 already does the NAT of what's routed to it. Now I wanted to let's say
be able to route network 1 to the c386, so it can do the NAT to its WAN or directly nat network 2 to the WAN of the 877
This is what I'm trying now:
interface Vlan1 ip address 192.168.200.2 255.255.255.0 no ip redirects ip route-cache flow !
interface Vlan11 description SECURE-LAN ip address 192.168.1.254 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly ip route-cache flow ! interface Vlan12 description DEVEL-LAN ip address 192.168.2.254 255.255.255.0 no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly ip route-cache flow ! interface Vlan13 description SECURE-LAN ip address 192.168.3.254 255.255.255.0 no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly ip route-cache flow !
interface BVI1 ip address dhcp ip nat outside ip virtual-reassembly
access-list 101 permit ip 192.168.1.0 0.0.0.255 any access-list 101 permit ip 192.168.2.0 0.0.0.255 any access-list 102 permit ip 0.0.0.0 255.255.255.0 any
ip nat inside source route-map internet interface BVI1 overload
route-map internet permit 10 match ip address 101 !
# This gives me NAT on hosts connected to the networks of VLAN 11 and VLAN 12 as expected # Now I was expecting that the next part would route me every thing to the c836
route-map internet permit 20 match ip address 102 set ip default next-hop 192.168.200.1
I can ping the 836 from the 877
I also tried to use just plain routing of everything to the 836 and it also works Now want I wanted is to route some thing and NAT others depending on source or destination
What path should I take?
I considered creating a sort of virtual interface in the 877 and route things to the virtual interface or the 836 depending on policies
I would then remove the 'ip nat inside' of the VLAN interfaces and move it to that virtual interface. Does this looks feasable or there a simpler way?