topic ASA Policy Based Routing on NAT interface in Network Security

ASA Policy Based Routing on NAT interface

NazgulNr5 — Tue, 24 Jan 2023 17:32:18 GMT

Hi there,

is it possible on the ASA to apply PBR on a NAT interface? PBR is matched by port that is not changed by NAT.

Re: ASA Policy Based Routing on NAT interface

MHM Cisco World — Tue, 24 Jan 2023 17:46:39 GMT

can you more elaborate ?

Re: ASA Policy Based Routing on NAT interface

balaji.bandi — Tue, 24 Jan 2023 20:33:01 GMT

what is the ASA Model and what Code running on it, check PBR and NAT guidelines - if you looking more support provide example and config and routes you have :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/route-policy-based.html

Re: ASA Policy Based Routing on NAT interface

NazgulNr5 — Wed, 25 Jan 2023 09:23:57 GMT

Hi again,

Sorry for the **bleep**post...

Here is some more info.

NAT rules:

nat (inside_2,outside) source dynamic LAN_SUBNET PUBLIC_IP2 description NAT to server x
nat (inside_1,outside) source dynamic LAN_SUBNET PUBLIC_IP1

Planned PBR:

object-group services server-x-port tcp
port-object eq 8443

access-list PBR_ACL extended permit tcp object-group LAN_NET any object-group server-x-port

route-map PBR permit 1
match ip address PBR_ACL
set ip next-hop x.x.x.x (shove out interface inside2)

Story behind this:

Traffic to the external server x comes in on interface inside2. As the static route to the internal subnets is going out interface inside1 and need to use PBR to return traffic the way it came in.

Would that work?