Route-Map

Anyone know why this route-map isn't working?

route-map policy-route, permit, sequence 10
Match clauses:
ip address (access-lists): 50 85
Set clauses:
ip next-hop 192.168.20.26
Policy routing matches: 423 packets, 117419 bytes
route-map policy-route, permit, sequence 20
Match clauses:
ip address (access-lists): 112
Set clauses:
ip next-hop 192.168.26.10
Policy routing matches: 0 packets, 0 bytes

Extended IP access list 112
10 permit tcp host 172.16.25.90 any eq ftp log

The permit sequence 10 works fine but sequence 20 doesn't want to work.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

broc

Can you post your access-lists 50 and 85?

burbankmarc

Standard IP access list 50
20 permit 172.16.25.4 (21 matches)
30 permit 172.16.25.14
40 permit 172.16.25.23 (4 matches)
Standard IP access list 85
70 permit 172.16.26.22(6 matches)
50 permit 172.16.26.20

broc

Can you post the complete access-list as it is written in your router? My guess is the problem comes from the host 172.16.25.90 being matched in either the access-list 50 or 85 which is why it is not considered by the second statement in your route-map.

If you can post the complete syntax for both access-lists 50 and 85, we should be able to verify that.

jason_lunde

So when you initiate an FTP session from 172.16.25.90 to something outside of its subnet your not getting a policy match?

burbankmarc

sh access-l 50
Standard IP access list 50
10 permit 172.16.17.177
70 permit 172.16.25.150
20 permit 172.16.25.4 (21 matches)
30 permit 172.16.25.14
40 permit 172.16.25.23 (4 matches)
50 permit 172.16.48.75
60 permit 172.16.19.88
sh access-l 85
Standard IP access list 85
70 permit 172.16.26.22
50 permit 172.16.26.20
60 permit 172.16.26.21
40 permit 172.16.26.102
10 permit 172.16.26.100
20 permit 172.16.26.101
30 permit 172.16.17.101

jason_lunde wrote: »

So when you initiate an FTP session from 172.16.25.90 to something outside of its subnet your not getting a policy match?

Yeah, that seems to be the case. I have the policy map applied to a 3560 which is on the outside of my ASA, the ASA has a default route to the 3560 so all exiting traffic has to go through the 3560.

jason_lunde

burbankmarc wrote: »

sh access-l 50
Yeah, that seems to be the case. I have the policy map applied to a 3560 which is on the outside of my ASA, the ASA has a default route to the 3560 so all exiting traffic has to go through the 3560.

What interface/port do you have it applied on?

burbankmarc

jason_lunde wrote: »

What interface/port do you have it applied on?

The one connected to the ASA.

ilcram19-2

burbankmarc wrote: »

The one connected to the ASA.

are you applying the route map to an interface?

burbankmarc

Ok, so here's how it works. I have 2 ASAs working in failover mode. Those are connected to 2 3560 using HSRP. Then it goes to 2 2811s. The interfaces the ASAs connect to are in a VLAN, the route-map is applied to the SVI for the VLAN.

jason_lunde

burbankmarc wrote: »

Ok, so here's how it works. I have 2 ASAs working in failover mode. Those are connected to 2 3560 using HSRP. Then it goes to 2 2811s. The interfaces the ASAs connect to are in a VLAN, the route-map is applied to the SVI for the VLAN.

Is the ASA doing any natting that might affect that particular ip?

You could do like a debug ip packet 112 to debug that part. access-list to see if you are even hitting it.

burbankmarc

There's no NAT for that IP on the ASA.

I moved the route-map from the 3560 to my ISR which is directly connected to the internet. The route-map was getting matches but it wasn't forwarding the FTP traffic to my transparent FTP server.

I guess I have some other problem going on.

jason_lunde

stupid question but is that router...192.168.26.10...an adjacent router for the 3560?

burbankmarc

jason_lunde wrote: »

stupid question but is that router...192.168.26.10...an adjacent router for the 3560?

No it's not, which I assume is the problem. I remember doing it this way a long time ago though, maybe my memory is failing me.