A 'debug ip policy' should show if it's hitting or not...

IP: s=30.0.0.1 (Ethernet0/0/1), d=40.0.0.7, len 100,FIB flow policy match
IP: s=30.0.0.1 (Ethernet0/0/1), d=40.0.0.7, len 100,FIB PR flow accelerated!
IP: s=30.0.0.1 (Ethernet0/0/1), d=40.0.0.7, g=10.0.0.8, len 100, FIB policy routed

On Thu, Aug 12, 2010 at 2:33 PM, Andrey Khomyakov <khomyakov.and...@gmail.com> wrote:

> I don't think this will work. Here is the formal description of "set
> interface" from cisco.com:
>
> This action specifies that the packet is forwarded out of the local
> interface. The interface must be a Layer 3 interface (no switchports), and
> the destination address in the packet must lie within the IP network
> assigned to that interface. If the destination address for the packet does
> not lie within that network, the packet is dropped.
>
> Since in my case the packets are destined to random addresses on the webz,
> my understanding is that this will effectively be a drop statement for them.
>
> But, no, I have not tried it.
>
> On Thu, Aug 12, 2010 at 3:25 PM, Rogelio <rgam...@gmail.com> wrote:
>
> > Have you tried "set interface" instead of "set ip"?
> >
> > Sent from my iPhone
> >
> > On Aug 12, 2010, at 3:13 PM, Andrey Khomyakov <khomyakov.and...@gmail.com>
> > wrote:
> >
> > > I did try an extended ACL and had the same result.
> > > The way I know that it's not working is that I see these packets arriving
> > > on a wrong interface on the firewall and therefore being dropped.
> > > I actually had to open a CR with Cisco and they verified the config and
> > > said nothing is wrong with it. They are escalating and will hopefully get
> > > back to me about this.
> > >
> > > Andrey
>
> --
> Andrey Khomyakov
> [khomyakov.and...@gmail.com]