Route-Map

burbankmarc Member Posts: 460
Anyone know why this route-map isn't working?

route-map policy-route, permit, sequence 10
  Match clauses:
    ip address (access-lists): 50 85
  Set clauses:
    ip next-hop 192.168.20.26
  Policy routing matches: 423 packets, 117419 bytes
route-map policy-route, permit, sequence 20
  Match clauses:
    ip address (access-lists): 112
  Set clauses:
    ip next-hop 192.168.26.10
  Policy routing matches: 0 packets, 0 bytes


Extended IP access list 112
10 permit tcp host 172.16.25.90 any eq ftp log


The permit sequence 10 works fine but sequence 20 doesn't want to work.

Comments

  • broc Member Posts: 167
    Can you post your access-lists 50 and 85?
    "Not everything that counts can be counted, and not everything that can be counted counts."
  • burbankmarc Member Posts: 460
    Standard IP access list 50
    20 permit 172.16.25.4 (21 matches)
    30 permit 172.16.25.14
    40 permit 172.16.25.23 (4 matches)
    Standard IP access list 85
    70 permit 172.16.26.22 (6 matches)
    50 permit 172.16.26.20
  • broc Member Posts: 167
    Can you post the complete access-list as it is written in your router? My guess is the problem comes from the host 172.16.25.90 being matched in either the access-list 50 or 85, which is why it is not considered by the second statement in your route-map.

    If you can post the complete syntax for both access-lists 50 and 85, we should be able to verify that.
    "Not everything that counts can be counted, and not everything that can be counted counts."
  • jason_lunde Member Posts: 567
    So when you initiate an FTP session from 172.16.25.90 to something outside of its subnet you're not getting a policy match?
  • burbankmarc Member Posts: 460
    sh access-l 50
    Standard IP access list 50
    10 permit 172.16.17.177
    70 permit 172.16.25.150
    20 permit 172.16.25.4 (21 matches)
    30 permit 172.16.25.14
    40 permit 172.16.25.23 (4 matches)
    50 permit 172.16.48.75
    60 permit 172.16.19.88
    sh access-l 85
    Standard IP access list 85
    70 permit 172.16.26.22
    50 permit 172.16.26.20
    60 permit 172.16.26.21
    40 permit 172.16.26.102
    10 permit 172.16.26.100
    20 permit 172.16.26.101
    30 permit 172.16.17.101
    > So when you initiate an FTP session from 172.16.25.90 to something outside of its subnet you're not getting a policy match?

    Yeah, that seems to be the case. I have the policy map applied to a 3560 which is on the outside of my ASA; the ASA has a default route to the 3560, so all exiting traffic has to go through the 3560.
  • jason_lunde Member Posts: 567
    > sh access-l 50
    > Yeah, that seems to be the case. I have the policy map applied to a 3560 which is on the outside of my ASA; the ASA has a default route to the 3560, so all exiting traffic has to go through the 3560.

    What interface/port do you have it applied on?
  • burbankmarc Member Posts: 460
    > What interface/port do you have it applied on?

    The one connected to the ASA.
  • ilcram19-2 Banned Posts: 436
    > The one connected to the ASA.

    are you applying the route map to an interface?
  • burbankmarc Member Posts: 460
    Ok, so here's how it works. I have 2 ASAs working in failover mode. Those are connected to 2 3560 using HSRP. Then it goes to 2 2811s. The interfaces the ASAs connect to are in a VLAN, the route-map is applied to the SVI for the VLAN.
  • jason_lunde Member Posts: 567
    > Ok, so here's how it works. I have 2 ASAs working in failover mode. Those are connected to 2 3560 using HSRP. Then it goes to 2 2811s. The interfaces the ASAs connect to are in a VLAN, the route-map is applied to the SVI for the VLAN.

    Is the ASA doing any NATting that might affect that particular IP?

    You could do something like a debug ip packet 112 to debug that part of the access-list, to see if you are even hitting it.
  • burbankmarc Member Posts: 460
    There's no NAT for that IP on the ASA.

    I moved the route-map from the 3560 to my ISR which is directly connected to the internet. The route-map was getting matches but it wasn't forwarding the FTP traffic to my transparent FTP server.

    I guess I have some other problem going on.
  • jason_lunde Member Posts: 567
    stupid question but is that router...192.168.26.10...an adjacent router for the 3560?
  • burbankmarc Member Posts: 460
    > stupid question but is that router...192.168.26.10...an adjacent router for the 3560?

    No, it's not, which I assume is the problem. I remember doing it this way a long time ago though, maybe my memory is failing me.
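The two hypotheses raised in the thread (broc's: the host is swallowed by an earlier sequence because route-map sequences are evaluated in order and the first match wins; jason_lunde's: the next hop in sequence 20 is not adjacent to the 3560) can both be checked with a small model of how this route-map evaluates. The following is an added example, not configuration or code from the thread or from Cisco; it loads the ACLs and sequences exactly as posted above, and the directly connected subnets passed to `pbr_forward` are assumptions for illustration. The adjacency rule it models is the behaviour of plain `set ip next-hop` on IOS, where the next hop must be reachable on a connected subnet, otherwise the set clause cannot be applied and the packet is routed by the normal routing table.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL contents as posted in the thread. A standard ACL tests the source address
# only; an extended ACL tests protocol, source, destination and destination port.
STANDARD_ACLS = {
    50: {"172.16.17.177", "172.16.25.150", "172.16.25.4", "172.16.25.14",
         "172.16.25.23", "172.16.48.75", "172.16.19.88"},
    85: {"172.16.26.22", "172.16.26.20", "172.16.26.21", "172.16.26.102",
         "172.16.26.100", "172.16.26.101", "172.16.17.101"},
}
# Extended ACL entries: (protocol, source host, destination, destination port);
# "eq ftp" is TCP port 21.
EXTENDED_ACLS = {112: [("tcp", "172.16.25.90", "any", 21)]}

# Route-map "policy-route" sequences in the order the router evaluates them:
# (sequence number, ACLs in the match clause, next hop in the set clause).
ROUTE_MAP = [
    (10, [50, 85], "192.168.20.26"),
    (20, [112], "192.168.26.10"),
]


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def acl_permits(acl: int, pkt: Packet) -> bool:
    """True if the numbered ACL has a permit entry matching the packet."""
    if acl in STANDARD_ACLS:
        return pkt.src in STANDARD_ACLS[acl]
    for proto, src, dst, dport in EXTENDED_ACLS.get(acl, []):
        if (proto == pkt.proto and src == pkt.src
                and dst in ("any", pkt.dst) and dport == pkt.dport):
            return True
    return False  # implicit deny at the end of every ACL


def route_map_lookup(pkt: Packet) -> Optional[Tuple[int, str]]:
    """First sequence whose match clause permits the packet wins; later
    sequences are never consulted. Returns (seq, next_hop) or None when
    no sequence matches (the packet is then routed by the routing table)."""
    for seq, acls, next_hop in ROUTE_MAP:
        if any(acl_permits(a, pkt) for a in acls):
            return seq, next_hop
    return None


def pbr_forward(pkt: Packet, connected: List[str]) -> str:
    """Model plain 'set ip next-hop': the next hop must lie in one of the
    router's directly connected subnets (assumed list, e.g. the SVI toward
    the ASA); otherwise the set clause is not applied and the packet falls
    back to normal routing even though the sequence matched."""
    hit = route_map_lookup(pkt)
    if hit is None:
        return "normal-routing"
    seq, next_hop = hit
    nh = ipaddress.ip_address(next_hop)
    if any(nh in ipaddress.ip_network(net) for net in connected):
        return f"seq {seq}: policy-routed to {next_hop}"
    return f"seq {seq}: matched, but {next_hop} is not adjacent -> normal-routing"


if __name__ == "__main__":
    ftp = Packet("tcp", "172.16.25.90", "203.0.113.7", 21)  # constructed destination
    print(route_map_lookup(ftp))
    # Host from ACL 50 doing FTP: seq 10 wins, seq 20 is never reached.
    print(route_map_lookup(Packet("tcp", "172.16.25.4", "203.0.113.7", 21)))
    # Assumed connected subnets: only the VLAN toward the ASA.
    print(pbr_forward(ftp, ["192.168.20.0/24"]))
    # Assumed connected subnets including the one holding 192.168.26.10.
    print(pbr_forward(ftp, ["192.168.20.0/24", "192.168.26.0/24"]))
```

With the ACLs as posted, 172.16.25.90 is in neither list 50 nor 85, so sequence 20 is indeed reached for its FTP traffic; a host that does appear in list 50 is caught by sequence 10 even when it speaks FTP, which is the ordering effect broc was asking about. Whether the matched packet is actually redirected then depends only on the next hop being adjacent.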