topic Re: FMC PBR issues in Network Security

FMC PBR issues

tgillon — Wed, 27 Jul 2022 17:02:17 GMT

I'm having an issue with PBR that is driving me crazy. I have 2 outside connections with all traffic defaulting to the 1st outside connection. I'm trying to force 2 devices to send their traffic out the 2nd outside connection. One of the devices is in the DMZ and the other device is on the inside connection. The traffic from the DMZdevice goes out the 2nd connection, but the InsideDevice traffic does not. Here are the relevant lines from my config:

interface Ethernet1/2
nameif outside2
security-level 0
ip address <x.x.x.x> 255.255.255.0
policy-route route-map Edge
!
interface Ethernet1/4
nameif dmz
security-level 0
ip address 192.168.0.1 255.255.255.0
policy-route route-map DMZEdge

route-map Edge permit 10
match ip address Force2Outside2
set ip next-hop <outside2 default gateway>

!
route-map DMZEdge permit 10
match ip address ForceDMZ2Outside2
set ip next-hop <outside2 default gateway>

access-list ForceDMZ2Outside2 extended deny object-group ProxySG_ExtendedACL_17179898506 any object IPv4-Private-10.0.0.0-8
access-list ForceDMZ2Outside2 extended permit object-group ProxySG_ExtendedACL_17179898510 object DMZdevice any
access-list Force2Outside2 extended deny object-group ProxySG_ExtendedACL_17179898440 any object DMZ
access-list Force2Outside2 extended permit object-group ProxySG_ExtendedACL_17179898444 object InsideDevice any

object network DMZdevice
nat (dmz,outside2) static obj-<unique outside2 public IP address>

object network InsideDevice
nat (Inside,outside2) static obj-<unique outside2 public IP address>

Re: FMC PBR issues

MHM Cisco World — Wed, 27 Jul 2022 19:06:14 GMT

are the Client in Host use UDP traffic ?
IF YES then clear conn and it will work as you want

clear conn protocol udp address

Re: FMC PBR issues

tgillon — Thu, 28 Jul 2022 11:26:10 GMT

Thanks, but that did not work. I also tried to clear xlate, but the route-map Edge never gets called. The InsideDevice completely bypasses that and goes out the default connection.

Re: FMC PBR issues

MHM Cisco World — Thu, 28 Jul 2022 14:24:41 GMT

interface Ethernet1/2
nameif outside2 <- this NOT IN interface
security-level 0
ip address <x.x.x.x> 255.255.255.0
policy-route route-map Edge <- this for INSIDE client

Re: FMC PBR issues

tgillon — Thu, 28 Jul 2022 14:31:52 GMT

Thank you, that was it!

Re: FMC PBR issues

MHM Cisco World — Thu, 28 Jul 2022 14:36:13 GMT

You are so so welcome