Cisco – PBR not working as expected

Tags: cisco, ipsec, nat, pbr, routing

EDITED: ADDED FULL ROUTER CONFIG
I have a Cisco 2921. It uses EIGRP to learn its routing table and has no static default routes set up. I would like to keep it that way. The default route (learned from EIGRP) is another device on my network across a Metro ENS link. When this particular router receives traffic from host 192.168.2.5 I want it to be given a default route out this router's ISP connection (3.3.3.1). It is not working; does anyone know why this route map does not work?

The traffic from my host arrives at Interface GigabitEthernet0/1. I want it to go out Interface GigabitEthernet0/0 using the ISP (the IP in the route-map is the default gateway my ISP has provided). Interface gi0/0 also has a VPN tunnel configured to my main site; it's more of a backup link, but I do not see this as being a problem (or is it?).

I have verified that the access list on interface gig0/0 is not blocking any traffic for this host.

I ran debug ip policy and debug ip packet and nothing comes up. This tells me that whenever I try to access this device from the internet it is not hitting interface gi0/1 at all. I can see the traffic hitting gig0/0, but never gig0/1.

Perhaps I have a NAT issue?

version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname name
!
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.155-3.M7.bin
boot-end-marker
!
!
card type t1 0 0
logging buffered 58192
enable secret 
enable password 
!
aaa new-model
!
!
aaa authentication 
!
!
!
!
!
!
aaa session-id common
ethernet lmi ce
process cpu threshold type total rising 75 interval 5
process cpu statistics limit entry-percentage 100 size 50000
clock timezone EST -5 0
clock summer-time EDT recurring
no network-clock-participate wic 0 
!
!
!
!         
!
!
no ip source-route
ip options drop
!
!
!
!
!
!
ip dhcp snooping vlan 1
ip dhcp snooping
ip flow-cache timeout active 1
no ip bootp server
ip domain name 
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint ssssssssssssssssssssss
 enrollment selfsigned
 subject-name sssssssssssssssssssssssssssssssssssssss
 revocation-check none
 rsakeypair ssssssssssssssssssssssssss
!
!
crypto pki certificate chain TP-self-signed-sssssssssssssss
 certificate self-signed 01
  jjjjjjjjjjjj
  ddddddddddd
  eeeeeeeeeee
        quit
license udi pid CISCO2921/K9 sn FGL171511XH
!
!
memory reserve critical 10024
memory free low-watermark processor 599187
memory free low-watermark IO 599187
!
redundancy
!
!
!
!
!
controller T1 0/0/0
 cablelength long 0db
 channel-group 0 timeslots 1-24
!         
controller T1 0/0/1
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
track 3 ip sla 3 reachability
!
track 100 list boolean or
 object 1
 object 2
 object 3
!
! 
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 15
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key KEY address 1.1.1.1 
crypto isakmp key KEY address 2.2.2.2 
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac 
 mode tunnel
crypto ipsec transform-set ESP-AES-128-SHA1 esp-aes esp-sha-hmac 
 mode tunnel
!
crypto ipsec profile IPSEC-PROF-1
 set transform-set ESP-AES-256-SHA 
!
!
!
crypto map HA_SERVICES 1 ipsec-isakmp 
 set peer 2.2.2.2
 set transform-set ESP-AES-128-SHA1 
 set pfs group2
 match address HASERVICES_DR
!
!
!
!
!
interface Loopback0
 description Management Int
 ip address 
!
interface Tunnel1
 ip address 10.254.254.2 255.255.255.252
 tunnel source 3.3.3.2
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile IPSEC-PROF-1
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Internet
 ip address 3.3.3.2 255.255.255.248
 ip access-group BLOCKEDIN in
 no ip redirects
 no ip unreachables
 ip directed-broadcast 100
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-default
 duplex auto
 speed auto
 no lldp transmit
 no lldp receive
 crypto map HA_SERVICES
!
interface GigabitEthernet0/1
 ip address 172.31.2.7 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 ip policy route-map NVR
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface Serial0/0/0:0
 no ip address
 encapsulation ppp
 shutdown
 ppp multilink
!
interface Serial0/0/1:0
 no ip address
 encapsulation ppp
 shutdown
 ppp multilink
!
!
router eigrp 100
 distribute-list Tunnel-Out out Tunnel1
 network 10.2.2.22 0.0.0.0
 network 10.254.254.0 0.0.0.3
 network 172.31.2.0 0.0.0.255
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.2.5 3.3.3.4
ip route 10.0.0.0 255.248.0.0 172.31.2.1 200
ip route 10.1.1.39 255.255.255.255 172.31.2.1
ip route 10.1.1.73 255.255.255.255 172.31.2.1
ip route 1.1.1.1 255.255.255.255 3.3.3.1
ip route 172.31.0.0 255.255.248.0 172.31.2.1 200
ip route 192.168.0.0 255.255.248.0 172.31.2.1 200
ip ssh time-out 60
ip ssh version 2
!
ip access-list standard Tunnel-Out
 permit 10.2.2.2
 permit 10.2.2.22
 permit 10.2.200.0 0.0.0.255
 permit 172.31.2.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
!
ip access-list extended BLOCKEDIN
 deny   tcp any any fragments
 deny   udp any any fragments
 deny   icmp any any fragments
 deny   ip any any fragments
 deny   tcp any any eq ftp
 deny   ip any any option any-options
 deny   tcp any any eq 22
 deny   tcp any any eq telnet
 permit tcp any host 3.3.3.4 eq www
 permit tcp any host 3.3.3.4 eq 5445
 deny   tcp any any eq www
 deny   tcp any any eq 2002
 deny   tcp any any eq 4002
 deny   tcp any any eq 6002
 deny   tcp any any eq 9002
 permit ip any any
ip access-list extended HASERVICES_DR
 permit ip 172.31.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.2.100.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended NAT_ACL
 permit ip 10.2.200.0 0.0.0.255 any
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.2.100.0 0.0.0.255 any
 permit ip 172.31.2.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!
ip radius source-interface GigabitEthernet0/1 
ip sla auto discovery
ip sla 1
 icmp-echo 8.19.112.154
 threshold 3000
 timeout 3000
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 8.19.112.193
 threshold 3000
 timeout 3000
 frequency 5
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo 8.19.203.193
 threshold 3000
 timeout 3000
 frequency 5
ip sla schedule 3 life forever start-time now

!
route-map NVR permit 10
 match ip address 5
 set ip default next-hop 3.3.3.1
!
route-map BGP-Community permit 10
 set community 13697114
!
!
access-list 5 permit 192.168.2.5
access-list 23 permit 10.1.1.0 0.0.0.255
access-list 23 permit 10.1.4.0 0.0.0.255
access-list 23 deny   any log
!
radius server 
 address ipv4  auth-port 1645 acct-port 1646
 timeout 30
 key 
!
!
!
control-plane
!
!
no vstack
!
line con 0
 exec-timeout 5 0
 authorization exec CONSOLE
 logging synchronous
 login authentication CONSOLE
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 4 59
 privilege level 15
 password 7 13353701181B54382F
 logging synchronous
 login authentication VTYLOGIN
 transport input ssh
 transport output ssh
line vty 5 15
 access-class 23 in
 exec-timeout 4 59
 privilege level 15
 password 7 01232617481C561D25
 logging synchronous
 login authentication VTYLOGIN
 transport input ssh
 transport output ssh
!
exception memory ignore overflow processor
exception memory ignore overflow io
exception crashinfo maximum files 5
scheduler allocate 20000 1000
ntp server  prefer
!
end

I used ip default next-hop because I want it to look at the routing table first (for internal communications to DNS, AD, local access) and then as a last resort use this route to get out to the internet. For testing, I add a static route 0.0.0.0/0 ab.ac.ab.ax and everything works great. But I do not want any of my other devices that send traffic through this router to know there is a way out to the internet. I only want this specific host to be able to use this local ISP link. This is why I am using PBR. Everything else that hits this router will go out the configured VPN tunnel on gi0/0 to another location.

Best Answer

If you are learning the networks at the other site from EIGRP, then PBR is something to avoid.

Packets to a destination not in the routing table get dropped. A default route will match anything else. If you do not have a default route, then traffic destined for unknown, Internet networks will be dropped. If you are learning a default route through EIGRP, then you need a better default route in your local router. That would need to be statically configured.

Unlike consumer-grade routers, business-grade routers need to be configured with a default route for Internet traffic. Business-grade routers do not automatically assume that the router is connecting to the public Internet.
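As an added illustration (not part of the question or the answer above), this Python model reproduces the forwarding decision the thread turns on: longest-prefix lookup first, then the route-map's set ip default next-hop only when the table holds no explicit route, with a 0.0.0.0/0 default treated as non-explicit as the IOS command is documented; it also shows the answer's point that a host without a default route is simply dropped. The static routes, access-list 5 host and ISP next hop come from the posted config; the EIGRP default's next hop (10.254.254.1), the second inside host and the public destination are constructed.

```python
import ipaddress

# Routing table modelled on the posted config (static routes toward 172.31.2.1).
# The EIGRP-learned default is kept separate so the demo can add or omit it.
STATIC_ROUTES = [
    ("10.0.0.0/13", "172.31.2.1"),
    ("10.1.1.39/32", "172.31.2.1"),
    ("10.1.1.73/32", "172.31.2.1"),
    ("172.31.0.0/21", "172.31.2.1"),
    ("192.168.0.0/21", "172.31.2.1"),
]
EIGRP_DEFAULT = ("0.0.0.0/0", "10.254.254.1")  # constructed: far end of Tunnel1
PBR_HOSTS = frozenset({"192.168.2.5"})         # access-list 5
PBR_NEXT_HOP = "3.3.3.1"                       # route-map NVR, ISP gateway


def lookup(table, dst):
    """Longest-prefix match. Returns (prefix, next_hop) or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def forward(src, dst, table, mode="default"):
    """Next hop chosen for a packet entering Gi0/1, or 'DROP'.

    mode='default' models 'set ip default next-hop': the routing table is
    consulted first and PBR applies only when it holds no explicit route;
    a 0.0.0.0/0 default is not treated as explicit (IOS documented behaviour).
    mode='nexthop' models 'set ip next-hop': PBR overrides the table.
    """
    route = lookup(table, dst)
    explicit = route is not None and route[0] != "0.0.0.0/0"
    if src in PBR_HOSTS and (mode == "nexthop" or not explicit):
        return PBR_NEXT_HOP
    return route[1] if route else "DROP"


if __name__ == "__main__":
    full = STATIC_ROUTES + [EIGRP_DEFAULT]
    for src, dst, table in [
        ("192.168.2.5", "10.1.1.39", full),              # internal: table wins
        ("192.168.2.5", "198.51.100.10", full),          # Internet: PBR to ISP
        ("172.31.2.50", "198.51.100.10", full),          # other host: EIGRP default
        ("172.31.2.50", "198.51.100.10", STATIC_ROUTES), # no default: dropped
    ]:
        print(f"{src} -> {dst}: {forward(src, dst, table)}")
```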