https://community.cisco.com/t5/network-security/cisco-asa-question-re-route-maps/m-p/4990670#M1107590 <P>Would someone mind helping me determine what the purpose of a config like this is doing on a Cisco ASA? I am inheriting an ASA environment that has not been audited in years, is my assumption.&nbsp;</P><P>I see a route-map that is matching on an ACL, LAN-DMZ-ACL. The route map is then using a Policy Based Routing configuration that sets the Interface to Inside-LAN.</P><P>The&nbsp;LAN-DMZ-ACL has 2 objects. A /16 network and a /24 network. The /16 network is our user network and the /24 is a VPN network.&nbsp;</P><P>I do not understand why traffic from these 2 objects has a PBR that sets the interface to Inside-LAN bc the /16 and /24 objects are already coming from the Inside-LAN interface source.&nbsp;</P><P>We have 10+ route maps setup the same way. Maybe this is typical of an ASA Fw deployment, but its not making sense to me.</P><P>If I look at some docs, I see...&nbsp;<BR /><EM><STRONG>specify the egress interface for a route but not necessarily to set a specific outgoing interface.</STRONG></EM></P><P>Wouldnt the routing on the ASA handle this?</P><P>TIA</P> Fri, 05 Jan 2024 15:33:12 GMT MattMH 2024-01-05T15:33:12Z https://community.cisco.com/t5/network-security/cisco-asa-question-re-route-maps/m-p/4990670#M1107590 <P>Would someone mind helping me determine what the purpose of a config like this is doing on a Cisco ASA? I am inheriting an ASA environment that has not been audited in years, is my assumption.&nbsp;</P><P>I see a route-map that is matching on an ACL, LAN-DMZ-ACL. The route map is then using a Policy Based Routing configuration that sets the Interface to Inside-LAN.</P><P>The&nbsp;LAN-DMZ-ACL has 2 objects. A /16 network and a /24 network. The /16 network is our user network and the /24 is a VPN network.&nbsp;</P><P>I do not understand why traffic from these 2 objects has a PBR that sets the interface to Inside-LAN bc the /16 and /24 objects are already coming from the Inside-LAN interface source.&nbsp;</P><P>We have 10+ route maps setup the same way. Maybe this is typical of an ASA Fw deployment, but its not making sense to me.</P><P>If I look at some docs, I see...&nbsp;<BR /><EM><STRONG>specify the egress interface for a route but not necessarily to set a specific outgoing interface.</STRONG></EM></P><P>Wouldnt the routing on the ASA handle this?</P><P>TIA</P> Fri, 05 Jan 2024 15:33:12 GMT https://community.cisco.com/t5/network-security/cisco-asa-question-re-route-maps/m-p/4990670#M1107590 MattMH 2024-01-05T15:33:12Z https://community.cisco.com/t5/network-security/cisco-asa-question-re-route-maps/m-p/4990715#M1107591 <P>You are correct <BR />Yes it should be<BR />MHM<BR /><BR /></P> Fri, 05 Jan 2024 16:27:24 GMT https://community.cisco.com/t5/network-security/cisco-asa-question-re-route-maps/m-p/4990715#M1107591 MHM Cisco World 2024-01-05T16:27:24Z https://community.cisco.com/t5/network-security/cisco-asa-question-re-route-maps/m-p/4990796#M1107604 <P>can you check if this PBR is apply to interface or not</P> <P>MHM</P> Fri, 05 Jan 2024 18:59:27 GMT https://community.cisco.com/t5/network-security/cisco-asa-question-re-route-maps/m-p/4990796#M1107604 MHM Cisco World 2024-01-05T18:59:27Z https://community.cisco.com/t5/network-security/cisco-asa-question-re-route-maps/m-p/4990800#M1107605 <P>Yes, I did see that it is.&nbsp;</P><P>Whoever set this up, seems like they were trying to do routing with it, vs just simply using routes. I ran into this issue bc I was trying to create a new static route and it wasn't working. I am pretty sure PBR's are priority over routes.&nbsp;</P> Fri, 05 Jan 2024 19:06:24 GMT https://community.cisco.com/t5/network-security/cisco-asa-question-re-route-maps/m-p/4990800#M1107605 MattMH 2024-01-05T19:06:24Z https://community.cisco.com/t5/network-security/cisco-asa-question-re-route-maps/m-p/4990809#M1107606 <P>there is one case&nbsp;<BR />when the DMZ and INside share same subnet (supernet) when the interface is flapping then the RIB will forward the traffic via wrong interface and if traffic is UDP then you will face issue in traffic&nbsp;<BR />the solution is&nbsp;timeout floating-conn but I think your team use PBR instead to be sure that the traffic always direct to correct interface.</P> <P>MHM</P> Fri, 05 Jan 2024 19:15:20 GMT https://community.cisco.com/t5/network-security/cisco-asa-question-re-route-maps/m-p/4990809#M1107606 MHM Cisco World 2024-01-05T19:15:20Z