help : ip protocol based routing

Status
Not open for further replies.

kriske01

Technical User
May 24, 2003
BE
I have an internal Cisco 1700 router that redirects all internal traffic.

Now I would like to redirect certain IP protocols to another gateway than the default one. This Cisco has IP 10.0.0.250 and reroutes all outgoing traffic to 10.0.0.253. Now I want it to redirect HTTP and FTP to 10.0.0.254. All other traffic should be routed to the default gateway 10.0.0.253.

Can somebody help me with this?
 
Try this..

access-list 101 permit tcp any any eq 21
access-list 101 permit tcp any any eq 80
ip cef policy

route-map redirect permit 10
match ip address 101
set ip next-hop xxx.xxx.xxx.xxx
!
route-map redirect permit 20
!
interface Ethernet0/0
ip policy route-map redirect


Set the xxx.xxx.xxx.xxx to be the IP of your other router.
 
Just a question about your config - what does "ip cef policy" mean?

Ian
 
What if I want one specific IP (e.g. 10.0.2.5) to still use the default gateway?

kris
 
ip cef policy lets the router cache its policy decisions so the CPU doesn't have to work as much.

Is the router's IP 10.0.2.5 that this policy is going on? If so, then you won't need to do anything else. Otherwise add under the "route-map redirect permit 20" command the "set ip next-hop 10.0.2.5" command.

-Bad Dos
 
Thanks for your advice, but some issues still remain:

First, the ip cef policy command is not supported on a Cisco 1701. Nevertheless, your solution works.

10.0.2.5 is an internal IP of a client.

I want all inside users to be redirected for FTP and HTTP to gateway 10.0.0.254 for all destinations different from 10.x.x.x/255.0.0.0.

kris
 
Ok... Modify your ACL To look like this:

access-list 101 deny tcp 10.0.0.0 255.0.0.0 any eq 21
access-list 101 deny tcp 10.0.0.0 255.0.0.0 any eq 80
access-list 101 permit tcp any any eq 21
access-list 101 permit tcp any any eq 80
 
baddos,

I've tried this, but it blocks all connections from and to 10.x.x.x.

But when I want to enter 10.0.0.0 as a source address, it changes it to 0.0.0.0.

My config:

interface FastEthernet0
ip address 10.0.0.251 255.255.0.0 secondary
ip address 10.0.0.250 255.255.0.0
no ip directed-broadcast
ip policy route-map redirect
!
access-list 101 deny tcp 0.0.0.0 255.0.0.0 0.0.0.0 255.0.0.0 eq www
access-list 101 permit tcp any any eq www

route-map redirect permit 10
match ip address 101
set ip next-hop 10.0.0.254
!
route-map redirect permit 20
!
 
The ACL's subnet masks are backwards. Cisco IOS uses inverted subnet masks for its ACLs.

Try:

access-list 101 deny tcp 10.0.0.0 0.255.255.255 any eq 21
access-list 101 deny tcp 10.0.0.0 0.255.255.255 any eq 80
access-list 101 permit tcp any any eq 21
access-list 101 permit tcp any any eq 80
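
Why the router rewrote 10.0.0.0 to 0.0.0.0, as an added example that is not part of the original thread: in an IOS ACL a 1 bit in the mask means "don't care", and IOS stores the address with those bits zeroed. The Python helper names are hypothetical, the netmask check is a heuristic, and the three ACL lines are quoted from the posts above.

```python
import ipaddress
import re

FULL = 0xFFFFFFFF
QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
THREAD_ACL = [  # quoted from the thread: first attempt, kris's config, the fix
    "access-list 101 deny tcp 10.0.0.0 255.0.0.0 any eq 21",
    "access-list 101 deny tcp 0.0.0.0 255.0.0.0 0.0.0.0 255.0.0.0 eq www",
    "access-list 101 deny tcp 10.0.0.0 0.255.255.255 any eq 21",
]

def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _dot(n):
    return str(ipaddress.IPv4Address(n))

def normalize(addr, wildcard):
    """Pair as IOS stores it: address bits the wildcard marks don't-care (1) are zeroed."""
    return _dot(_ip(addr) & ~_ip(wildcard) & FULL), wildcard

def matches(addr, wildcard, host):
    """Only bits where the wildcard is 0 are compared."""
    care = ~_ip(wildcard) & FULL
    return (_ip(host) & care) == (_ip(addr) & care)

def netmask_to_wildcard(mask):
    return _dot(~_ip(mask) & FULL)

def looks_like_netmask(wildcard):
    """Heuristic: 1-bits contiguous from the left (255.0.0.0) is a subnet-mask shape."""
    inv = ~_ip(wildcard) & FULL
    return inv not in (0, FULL) and (inv & (inv + 1)) == 0

def lint(acl_lines):
    """Return (line, address, mask, suggested wildcard) for each suspicious pair."""
    findings = []
    for line in acl_lines:
        toks, i = line.split(), 0
        while i < len(toks) - 1:
            if toks[i] == "host":            # "host a.b.c.d" carries no mask
                i += 2
            elif QUAD.match(toks[i]) and QUAD.match(toks[i + 1]):
                if looks_like_netmask(toks[i + 1]):
                    findings.append((line, toks[i], toks[i + 1], netmask_to_wildcard(toks[i + 1])))
                i += 2
            else:
                i += 1
    return findings

for finding in lint(THREAD_ACL):
    print(finding)
```

With the mask 255.0.0.0 the entry compares only the last three octets, so it does not match a host such as 10.0.2.5; with 0.255.255.255 it compares only the first octet.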
 
Correct.

It was a mistake on my part.

It works fine now.

Many thanks,

kris
 
How do I apply this access list on a Cisco 3550?

I have 1 VLAN.

But when I do conf t and then try to enter the ip policy rule, it refuses the command.

Any suggestions?

Regards,

kris
 