https://community.cisco.com/t5/network-security/pbr-config-questions-on-asa/m-p/4097255#M1070714 <P>Hi,</P> <P>&nbsp;</P> <P>After reviewing your question, this is all the config you need for PBR.</P> <P>&nbsp;</P> <PRE>--Create ACL for interesting traffic:: access-list PBR_ACL extended permit ip 10.192.172.0 255.255.252.0 any --Create route-map Route-maps are similar to access list but unlike access-lists, route-map has the “set” actions that change the packet ciscoasa(config)# route-map PBR_ROUTE_MAP permit 10 ciscoasa(config-route-map)# match ip address PBR_ACL ciscaasa(config-route-map)# set ip next-hop 206.XXX.XXX.1 --Attach route-map to INSIDE interface or the Guest where ever the source is ciscoasa(config)# interface GigabitEthernet0/3 ciscoasa(config-if)#nameif Guest ciscoasa(config-if)#ip address 10.192.172.1 255.255.255.0 ciscoasa(config-if)#policy-route route-map PBR_ROUTE_MAP -- route outside1 0.0.0.0 0.0.0.0 165.XXX.XXX.129 route outside2 0.0.0.0 0.0.0.0 206.XXX.XXX.1 50</PRE> <P><BR />Rest of the traffic will automatically take 165.XXX.XXX.129 as the next hope because that's the default route.</P> <P>Note we have set the distance metric of 50 for route via outside2 so that default traffic does not take that route.</P> <P>&nbsp;</P> <P>HTH</P> <P>Chakshu</P> Thu, 04 Jun 2020 01:26:16 GMT Chakshu Piplani 2020-06-04T01:26:16Z https://community.cisco.com/t5/network-security/pbr-config-questions-on-asa/m-p/4096289#M1070666 <P>I'm about to implement PBR on our ASA to route guest network traffic out of our secondary WAN connection. I do have a couple questions about the configuration though.</P><P>&nbsp;</P><P><EM>Primary WAN Gateway: 165.XXX.XXX.129</EM></P><P><EM>Secondary WAN Gateway: 206.XXX.XXX.1</EM></P><P><EM>Guest Network: 10.192.172.0/22</EM></P><P>&nbsp;</P><P>This is what the config will look like:&nbsp;<BR /><BR /></P><P>&nbsp;</P><PRE>ciscoasa(config)# access-list acl-1 permit ip 10.15.0.0 255.255.0.0 ciscoasa(config)# access-list acl-2 permit ip 10.21.0.0 255.255.0.0 ciscoasa(config)# access-list acl-3 permit ip 192.168.0.0 255.255.0.0 ciscoasa(config)# access-list acl-4 permit ip 172.0.0.0 255.0.0.0 ciscoasa(config)# access-list acl-5 permit ip 10.192.172.0 255.255.252.0 ciscoasa(config)# route-map PBR-1 permit 5 ciscoasa(config-route-map)# match ip address acl-1 ciscoasa(config-route-map)# set ip next-hop 165.XXX.XXX.129 ciscoasa(config)# route-map PBR-1 permit 10 ciscoasa(config-route-map)# match ip address acl-2 ciscoasa(config-route-map)# set ip next-hop 165.XXX.XXX.129 ciscoasa(config)# route-map PBR-1 permit 15 ciscoasa(config-route-map)# match ip address acl-3 ciscoasa(config-route-map)# set ip next-hop 165.XXX.XXX.129 ciscoasa(config)# route-map PBR-1 permit 20 ciscoasa(config-route-map)# match ip address acl-4 ciscoasa(config-route-map)# set ip next-hop 165.XXX.XXX.129 ciscoasa(config)# route-map PBR-1 permit 25 ciscoasa(config-route-map)# match ip address acl-5 ciscoasa(config-route-map)# set ip next-hop 206.XXX.XXX.1 ciscoasa(config)# route-map PBR-1 permit 30 ciscoasa(config-route-map)# set ip interface Null0 ciscoasa(config)# interface GigabitEthernet1/2 ciscoasa(config-if)# policy-route route-map PBR-1</PRE><P>&nbsp;</P><P>&nbsp;</P><P>So I guess the first question is does this configuration look good?<BR /><BR />Second, doesn't the&nbsp;<EM><STRONG>set ip next-hop</STRONG>&nbsp;</EM>override the routes in the routing table? Are those routes even needed anymore after implementing PBR?</P><P>&nbsp;</P><P>Third, and just out of curiosity, what does&nbsp;<EM><STRONG>set ip interface Null0&nbsp;</STRONG></EM>do and why is it needed?</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 02 Jun 2020 18:00:06 GMT https://community.cisco.com/t5/network-security/pbr-config-questions-on-asa/m-p/4096289#M1070666 tim829 2020-06-02T18:00:06Z https://community.cisco.com/t5/network-security/pbr-config-questions-on-asa/m-p/4097255#M1070714 <P>Hi,</P> <P>&nbsp;</P> <P>After reviewing your question, this is all the config you need for PBR.</P> <P>&nbsp;</P> <PRE>--Create ACL for interesting traffic:: access-list PBR_ACL extended permit ip 10.192.172.0 255.255.252.0 any --Create route-map Route-maps are similar to access list but unlike access-lists, route-map has the “set” actions that change the packet ciscoasa(config)# route-map PBR_ROUTE_MAP permit 10 ciscoasa(config-route-map)# match ip address PBR_ACL ciscaasa(config-route-map)# set ip next-hop 206.XXX.XXX.1 --Attach route-map to INSIDE interface or the Guest where ever the source is ciscoasa(config)# interface GigabitEthernet0/3 ciscoasa(config-if)#nameif Guest ciscoasa(config-if)#ip address 10.192.172.1 255.255.255.0 ciscoasa(config-if)#policy-route route-map PBR_ROUTE_MAP -- route outside1 0.0.0.0 0.0.0.0 165.XXX.XXX.129 route outside2 0.0.0.0 0.0.0.0 206.XXX.XXX.1 50</PRE> <P><BR />Rest of the traffic will automatically take 165.XXX.XXX.129 as the next hope because that's the default route.</P> <P>Note we have set the distance metric of 50 for route via outside2 so that default traffic does not take that route.</P> <P>&nbsp;</P> <P>HTH</P> <P>Chakshu</P> Thu, 04 Jun 2020 01:26:16 GMT https://community.cisco.com/t5/network-security/pbr-config-questions-on-asa/m-p/4097255#M1070714 Chakshu Piplani 2020-06-04T01:26:16Z https://community.cisco.com/t5/network-security/pbr-config-questions-on-asa/m-p/4099360#M1070861 Thank you! I was hoping I wouldn't have to define all the VLANS and could just do the one I wanted to route outside differently. Mon, 08 Jun 2020 13:38:40 GMT https://community.cisco.com/t5/network-security/pbr-config-questions-on-asa/m-p/4099360#M1070861 tim829 2020-06-08T13:38:40Z