Route-Map
burbankmarc
Member Posts: 460
in CCNP
Anyone know why this route-map isn't working?
route-map policy-route, permit, sequence 10
Match clauses:
ip address (access-lists): 50 85
Set clauses:
ip next-hop 192.168.20.26
Policy routing matches: 423 packets, 117419 bytes
route-map policy-route, permit, sequence 20
Match clauses:
ip address (access-lists): 112
Set clauses:
ip next-hop 192.168.26.10
Policy routing matches: 0 packets, 0 bytes
Extended IP access list 112
10 permit tcp host 172.16.25.90 any eq ftp log
The permit sequence 10 works fine but sequence 20 doesn't want to work.
Comments
-
broc Member Posts: 167
Can you post your access-lists 50 and 85?
"Not everything that counts can be counted, and not everything that can be counted counts."
-
burbankmarc Member Posts: 460
Standard IP access list 50
20 permit 172.16.25.4 (21 matches)
30 permit 172.16.25.14
40 permit 172.16.25.23 (4 matches)
Standard IP access list 85
70 permit 172.16.26.22 (6 matches)
50 permit 172.16.26.20
-
broc Member Posts: 167
Can you post the complete access-lists as they are written in your router? My guess is the problem comes from the host 172.16.25.90 being matched in either access-list 50 or 85, which is why it is not considered by the second statement in your route-map.
If you can post the complete syntax for both access-lists 50 and 85, we should be able to verify that.
"Not everything that counts can be counted, and not everything that can be counted counts."
-
jason_lunde Member Posts: 567
So when you initiate an FTP session from 172.16.25.90 to something outside of its subnet you're not getting a policy match?
-
burbankmarc Member Posts: 460
sh access-l 50
Standard IP access list 50
10 permit 172.16.17.177
70 permit 172.16.25.150
20 permit 172.16.25.4 (21 matches)
30 permit 172.16.25.14
40 permit 172.16.25.23 (4 matches)
50 permit 172.16.48.75
60 permit 172.16.19.88
sh access-l 85
Standard IP access list 85
70 permit 172.16.26.22
50 permit 172.16.26.20
60 permit 172.16.26.21
40 permit 172.16.26.102
10 permit 172.16.26.100
20 permit 172.16.26.101
30 permit 172.16.17.101
jason_lunde wrote: »So when you initiate an FTP session from 172.16.25.90 to something outside of its subnet you're not getting a policy match?
Yeah, that seems to be the case. I have the policy map applied to a 3560 which is on the outside of my ASA; the ASA has a default route to the 3560, so all exiting traffic has to go through the 3560.
-
jason_lunde Member Posts: 567
burbankmarc wrote: »sh access-l 50
Yeah, that seems to be the case. I have the policy map applied to a 3560 which is on the outside of my ASA; the ASA has a default route to the 3560, so all exiting traffic has to go through the 3560.
What interface/port do you have it applied on?
-
ilcram19-2 Banned Posts: 436
burbankmarc wrote: »The one connected to the ASA.
Are you applying the route map to an interface?
-
burbankmarc Member Posts: 460
Ok, so here's how it works. I have 2 ASAs working in failover mode. Those are connected to 2 3560s using HSRP. Then it goes to 2 2811s. The interfaces the ASAs connect to are in a VLAN; the route-map is applied to the SVI for the VLAN.
-
jason_lunde Member Posts: 567
burbankmarc wrote: »Ok, so here's how it works. I have 2 ASAs working in failover mode. Those are connected to 2 3560s using HSRP. Then it goes to 2 2811s. The interfaces the ASAs connect to are in a VLAN; the route-map is applied to the SVI for the VLAN.
Is the ASA doing any NATing that might affect that particular IP?
You could do like a debug ip packet 112 to debug that part of the access-list, to see if you are even hitting it.
-
burbankmarc Member Posts: 460
There's no NAT for that IP on the ASA.
I moved the route-map from the 3560 to my ISR which is directly connected to the internet. The route-map was getting matches but it wasn't forwarding the FTP traffic to my transparent FTP server.
I guess I have some other problem going on.
-
jason_lunde Member Posts: 567
Stupid question, but is that router...192.168.26.10...an adjacent router for the 3560?
-
burbankmarc Member Posts: 460
jason_lunde wrote: »Stupid question, but is that router...192.168.26.10...an adjacent router for the 3560?
No it's not, which I assume is the problem. I remember doing it this way a long time ago though, maybe my memory is failing me.
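The two diagnoses raised in the thread (broc's first-match concern about ACLs 50/85, and jason_lunde's question about whether 192.168.26.10 is adjacent) can be checked against a small model of how IOS walks a route-map. The Python below is an added example written for this thread, not anything posted in it or Cisco code: it takes the ACLs and route-map exactly as shown above, but the 3560 SVI subnet (192.168.20.0/24) is an assumption, since the thread never shows the switch's interface addressing. The sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "tcp", "udp" or "ip"
    dport: Optional[int] = None  # TCP/UDP destination port, if any


# Standard ACLs 50 and 85 as posted in the thread. A standard ACL matches on
# source address only, so destination and port never matter for sequence 10.
STD_ACLS = {
    50: {"172.16.17.177", "172.16.25.150", "172.16.25.4", "172.16.25.14",
         "172.16.25.23", "172.16.48.75", "172.16.19.88"},
    85: {"172.16.26.22", "172.16.26.20", "172.16.26.21", "172.16.26.102",
         "172.16.26.100", "172.16.26.101", "172.16.17.101"},
}


def acl_112_permits(pkt: Packet) -> bool:
    """Extended ACL 112 from the thread: 'permit tcp host 172.16.25.90 any eq ftp'.
    'eq ftp' is TCP destination port 21 only; ftp-data (20) and the server's
    replies do not match it."""
    return pkt.proto == "tcp" and pkt.src == "172.16.25.90" and pkt.dport == 21


def acl_permits(acl_num: int, pkt: Packet) -> bool:
    if acl_num in STD_ACLS:
        return pkt.src in STD_ACLS[acl_num]
    if acl_num == 112:
        return acl_112_permits(pkt)
    return False  # implicit deny for an unknown or empty ACL


# route-map policy-route as shown in the thread: (sequence, match ACLs, next hop)
ROUTE_MAP: List[Tuple[int, List[int], str]] = [
    (10, [50, 85], "192.168.20.26"),
    (20, [112], "192.168.26.10"),
]

# ASSUMPTION: addressing of the SVI the route-map is applied to. The thread
# does not show it, so this subnet is invented for the example.
CONNECTED = [ip_interface("192.168.20.1/24")]


def first_match(pkt: Packet) -> Optional[Tuple[int, str]]:
    """Sequences are walked in order; the first permit sequence whose
    'match ip address' clause permits the packet wins (any listed ACL suffices).
    A host listed in ACL 50 or 85 therefore never reaches sequence 20."""
    for seq, acls, next_hop in ROUTE_MAP:
        if any(acl_permits(a, pkt) for a in acls):
            return seq, next_hop
    return None


def next_hop_is_adjacent(next_hop: str) -> bool:
    """'set ip next-hop' only takes effect when the next hop lies in a directly
    connected subnet of the device doing the policy routing."""
    nh = ip_address(next_hop)
    return any(nh in iface.network for iface in CONNECTED)


def policy_route(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (outcome, next_hop) for a packet entering the policy-routed SVI."""
    hit = first_match(pkt)
    if hit is None:
        return "normal-routing", None  # no sequence matched: routing table decides
    seq, next_hop = hit
    if not next_hop_is_adjacent(next_hop):
        # The match is recorded, but the set clause cannot be honoured, so the
        # packet is forwarded by the routing table rather than to next_hop.
        return f"seq-{seq}-next-hop-not-connected", next_hop
    return f"seq-{seq}", next_hop


if __name__ == "__main__":
    # Constructed sample packets; the outside destination is a documentation address.
    samples = [
        Packet("172.16.25.4", "203.0.113.5"),               # host listed in ACL 50
        Packet("172.16.25.90", "203.0.113.5", "tcp", 21),   # FTP control from .90
        Packet("172.16.25.90", "203.0.113.5", "tcp", 443),  # HTTPS from .90
    ]
    for p in samples:
        print(p.src, "->", p.dst, p.proto, p.dport, "=>", policy_route(p))
```

Running it shows that 172.16.25.90 is not in ACL 50 or 85, so a packet to TCP port 21 does fall through to sequence 20; the model then stops at the adjacency check, which is the point jason_lunde's last question gets at. On IOS releases that support it, `set ip next-hop recursive` is the way to point PBR at a next hop that is not on a connected subnet; otherwise the next hop has to be an adjacent router.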