topic Re: ASA 5508-X PBR Wrong Interface Selection in Network Security

ASA 5508-X PBR Wrong Interface Selection

LordBoBCUP — Fri, 21 Feb 2020 16:17:14 GMT

Hi, I have setup a PBR to route traffic matching an ACL to a second interface. The problem I have is when running debug policy-map I get

pbr: First matching rule from ACL(9)
pbr: route map route-xxx, sequence 10, permit; proceed with policy routing
pbr: evaluating next-hop 203.78.115.123
pbr: no connected route to next-hop 203.78.115.123 found
pbr: policy based routing could not be applied; proceeding with normal route lookup

or when I run packet-tracer I get:

Phase: 1
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map route-xxx permit 10
 match ip address route-xxx
 set ip next-hop 203.78.115.123
Additional Information:
 Matched route-map route-xxx, sequence 10, permit

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 120.1.2.3 using egress ifc  External-Internet

203.78.115.123 is the gateway IP configured for the interface we want to send the traffic for, so its connected via 203.78.115.122. Even if I specify the next hop as 203.78.115.122 I get the exact same results in packet tracer and debug.

I have a default route with a metric of 2 for the second interface, I also have a NAT rule allowing traffic out on that interface too.

object network LAN1
 nat (LAN,External-ISP2) dynamic interface
object network LAN
 nat (LAN,External-ISP1) dynamic interface

route External-ISP1 0.0.0.0 0.0.0.0 120.1.2.3 1
route External-ISP2 0.0.0.0 0.0.0.0 203.78.115.122 2

I can clearly see the PBR is being evaulated so its correctly applied to the interface, its matching the traffic, so the ACL is configured correctly. The problem I have is its always picking the default route because it can't see the second interface as directly connected, yet the route table shows it..... Can anyone suggest where I've gone wrong?

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 120.72.83.25 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 120.72.83.25, External-Internet
C        120.1.2.0 255.255.255.248 is directly connected, External-Internet
L        120.1.2.3 255.255.255.255 is directly connected, External-Internet
C        192.168.20.0 255.255.255.0 is directly connected, LAN
L        192.168.20.254 255.255.255.255 is directly connected, LAN
C        202.78.115.120 255.255.255.248 is directly connected, External-VPN
L        202.78.115.123 255.255.255.255 is directly connected, External-VPN

Re: ASA 5508-X PBR Wrong Interface Selection

mvsheik123 — Thu, 27 Sep 2018 01:22:45 GMT

Hi,

Can you post complete PBR related config? Have you applied PBR to correct interface?

Thanks,

Re: ASA 5508-X PBR Wrong Interface Selection

LordBoBCUP — Thu, 27 Sep 2018 01:25:54 GMT

Hi, As you can see from the policy-map debug, its evaluating the policy map, so it must be on the correct interface.

!
interface GigabitEthernet1/3
 nameif LAN
 security-level 100
 ip address 192.168.20.254 255.255.255.0 
 policy-route route-map route-o365

Re: ASA 5508-X PBR Wrong Interface Selection

Karsten Iwen — Thu, 27 Sep 2018 08:00:23 GMT

Which is your ASA-IP and which is the ISP IP?

You need to have the default-route pointing to the ISP IP with a higher AD and the PBR next hop also pointing to the ISP IP. Your local ASA IP is never the next-hop of the PBR or routing-config on your ASA.

Re: ASA 5508-X PBR Wrong Interface Selection

Ajay Saini — Thu, 27 Sep 2018 11:10:35 GMT

Hello,

You have incorrect config, you need to correct the next hop ip address. Instead of the next hop as 203.78.115.123, you need to define 203.78.115.122 which is your default gateway for the ASA interface. I see that you have the less preferred route for the secondary ISP which is fine.

Looks like 203.78.115.123 is your ASA secondary ISP interface IP.

Also, ensure that ASA secondary ISP interface is UP.

Reference document:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/route-policy-based.pdf

HTH
AJ

Re: ASA 5508-X PBR Wrong Interface Selection

paul driver — Thu, 27 Sep 2018 12:56:45 GMT

Hello

Your next hop ip by the looks of it should be .122 not 123

Re: ASA 5508-X PBR Wrong Interface Selection

LordBoBCUP — Thu, 27 Sep 2018 21:56:54 GMT

Thanks for the suggestions!

I have just changed the next-hop IP in the route-map back to the gateway IP. Believe me I have been trying many many things to get this to work.

I have stripped out the ACL/route-map/policy-route and the default route to the secondary ISP. I have slowly put everything back in place once piece at a time and its still NOT working.

Packet tracer still shows the PBR being evaluated and matching the ACL/route-map however on the Route-Lookup step directly after its still choosing the default route with a metric of 1 even though its been told in the step before to use the default route with a metric of 2. Just to check I wasnt going insane I've even reloaded the ASA.

I think I have nailed down the culprit and I think its bloody NAT. Its only allowing me to have one dynamic interface NAT rule for the LAN network object. So now I have to work out how I can NAT out both the ISP1 and ISP2 links depending on where the PBR sends the traffic all from the same /24 subnet. Has anyone got any pointers on this one?

Re: ASA 5508-X PBR Wrong Interface Selection

LordBoBCUP — Thu, 27 Sep 2018 23:22:02 GMT

I have been reading the document you mentioned and I have found the following section:

PBR Policies Not Applied for Output Route Look-up
Policy Based Routing is an ingress-only feature; that is, it is applied only to the first packet of a new incoming
connection, at which time the egress interface for the forward leg of the connection is selected. Note that PBR
will not be triggered if the incoming packet belongs to an existing connection, or if NAT is applied

So based on that, if I am doing NAT from my LAN to my WAN connection, PBR will never be evaluated and I cannot direct traffic over an different WAN connection than the default route for specific destinations because I am NATing the traffic? That could explain why my packet-tracers are showing the PBR applied but the Route-Lookup being the default route not the next-hop IP address?

Re: ASA 5508-X PBR Wrong Interface Selection

LordBoBCUP — Fri, 28 Sep 2018 01:43:33 GMT

Ok so after further testing and some trail & error, by setting set interface ISP2 on the route-map it seems that packet-tracer shows the traffic leaving the correct interface.

Thats good, however because of NAT it seems that the traffic doesn't actually move past the ASA.

So it looks like its back to troubleshooting NAT and how I can NAT from the LAN interface, to the 2 ISP interfaces at the same time.

Currently for the working ISP (default route) its just

network object LAN
  nat (LAN,ISP1) dynamic interface

But as it can only have 1 NAT rule, I cant do

network object LAN
  (LAN,ISP2) dynamic interface

as then the first NAT rule is overwritten.

How can I get 2 NAT rules so that traffic can leave either ISP interface?

Re: ASA 5508-X PBR Wrong Interface Selection

paul driver — Fri, 28 Sep 2018 10:50:45 GMT

Hello

You dont require to specify second default route for the PBR due to the fw having a connected interface towards it.
Nat
nat (LAN,ISP1) source dynamic any interface
nat (LAN,ISP2) source dynamic any interface

access-list 100 extended permit icmp any object LAN echo-reply
access-group 100 in interface ISP1
access-group 100 in interface ISP2

route ISP1 0.0.0.0 0.0.0.0 x.x.x.x.x 1

PBR
access-list pbr extended permit ip x.x.x.x. any
route-map PBR_rm permit 10
match ip address pbr
set ip next-hop x.x.x.x

int x/x
nameif LAN
policy-route route-map PBR_rm

Re: ASA 5508-X PBR Wrong Interface Selection

Ajay Saini — Sun, 30 Sep 2018 06:06:09 GMT

Sorry for late reply. I would expect you have 2 NAT statements corresponding to each ISP without a destination keyword. This feature PBR is a source based routing and ideally, the NAT statement should not affect the routing judgement as long as we have a NAT for that particular Interface. If you look at the packet-tracer output in your initial post, it indicates that PBR kicks in and needs a NAT statement for that chosen interface and a default route for traffic to be forwarded to the next hop.

If you can post the output packet-tracer command, we can see where this is failing. Next is captures, which can help identify the issue.

HTH
AJ

Re: ASA 5508-X PBR Wrong Interface Selection

LordBoBCUP — Mon, 01 Oct 2018 01:33:40 GMT

Thanks Paul. Its pretty much what I have except I had the secondary route in which I have since removed and still cant get this to go.

I think the problem is less that the PBR's configured wrong and more that the second ISP isn't working as expected. Up until now we've only used it exclusively for a VPN connection back to the central office. As that is barely used now in favour of 'the cloud', we want to utilise it to point our traffic to some cloud services onto it, hence the PBR (seemed quite simple in my head).

I think the reason the PBR isn't working is because connectivity out that interface is either a NAT problem (not entirely sure myself if it is or not) or an ISP problem (which I could be troubleshooting something wasting my time). I have sanitized my config and happy to post it, but its verging on over 450 lines which makes this comment look hideous. Let me know if its more appropriate to host it on pastebin etc and link.

Substituions applied are:
ISP1 - Interface g1/1 - IP 100.0.0.1
ISP2 - Interface g1/2 - IP 200.0.0.1
LAN - interface g1/3 - 192.186.20.254

Existing VPN connection Endpoint: 50.0.0.1

Route-Map is route-o365 applied to the LAN interface g1/0 and access-list for it is route-o365

Using packet Tracer I still get it picks up the PBR and apparently applies it but the second route-lookup always goes back to the primary ISP. Debugging the policy map always ends in

pbr: First matching rule from ACL(9)
pbr: route map route-xxx, sequence 10, permit; proceed with policy routing
pbr: evaluating next-hop 203.78.115.123
pbr: no connected route to next-hop 203.78.115.123 found
pbr: policy based routing could not be applied; proceeding with normal route lookup

Phase: 1
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map route-o365 permit 10
match ip address route-o365
set ip next-hop 200.0.0.2
Additional Information:
Matched route-map route-o365, sequence 10, permit

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 100.0.0.2 using egress ifc External-Internet

Sanitized config is:

VNSGN-RTR-1(config)# show run
: Saved

: 
: Serial Number: JADxxxxxLM
: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(1) 
!
hostname VNSGN-RTR-1
domain-name domain.com.vn
enable password lol
names

!
interface GigabitEthernet1/1
 nameif External-Internet
 security-level 0
 ip address 100.0.0.1 255.255.255.248 
!
interface GigabitEthernet1/2
 nameif External-VPN
 security-level 0
 ip address 200.0.0.1 255.255.255.248 
!
interface GigabitEthernet1/3
 nameif LAN
 security-level 100
 ip address 192.168.20.254 255.255.255.0 
 policy-route route-map route-o365
!
interface GigabitEthernet1/4
 nameif Guest
 security-level 50
 ip address 192.168.10.254 255.255.255.0 
!
interface GigabitEthernet1/5
 nameif DMZ
 security-level 49
 ip address 172.27.3.1 255.255.255.0
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone ICT 7
dns domain-lookup LAN
dns server-group DefaultDNS
 name-server 192.168.20.2 
 name-server 192.168.20.4 
 domain-name domain.com.vn
object network AucklandLANSubnet
 subnet 172.17.15.0 255.255.255.0
 description Auckland LAN Subnet/24
object network AucklandDMZSubnet
 subnet 172.17.18.0 255.255.255.0
 description Auckland DMZ Subnet/24
object network PCAdmin
 host 192.168.20.6
 description PCAdmin
object network VNDC
 host 192.168.20.2
 description VNDC
object network NZAKL1-Office-Ext-Network
 subnet 50.0.0.1 255.255.255.252
object service Windows-RDP
 service tcp source eq 3389 destination eq 3389 
object network LAN
 subnet 192.168.20.0 255.255.255.0
object network Guest_LAN
 subnet 192.168.10.0 255.255.255.0
object network vnhcm1-vpn-1
 host 172.27.3.2
object service https
 service udp source eq 443 destination eq 443 
object network VN-Time-Server
 fqdn v4 vn.pool.ntp.org
object network ClientVPN-Network
 subnet 172.27.3.0 255.255.255.0
object network ClientVPN_LAN
 subnet 172.27.3.0 255.255.255.0
object network ClientVPN
 host 172.27.3.2
object network LAN1
 subnet 192.168.20.0 255.255.255.0
object network LAN-VPNInt
 subnet 192.168.20.0 255.255.255.0
object network LAN-VPNI
object-group network DM_INLINE_NETWORK_1
 network-object object AucklandDMZSubnet
 network-object object AucklandLANSubnet
object-group network o365Rules
 remark office 365 endpoints
access-list External-VPN_cryptomap extended permit ip 192.168.20.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list LAN_access_in extended permit icmp 192.168.20.0 255.255.255.0 any 
access-list LAN_access_in extended deny ip 192.168.20.0 255.255.255.0 object-group BLOCKED-SERVICES 
access-list LAN_access_in extended permit udp object-group DNS-Servers any eq domain 
access-list LAN_access_in extended permit ip host 192.168.20.6 any 
access-list LAN_access_in extended permit tcp object-group VNSGN1-Infra-Servers any object-group ExternalWebAccess 
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 any object-group ExternalWebAccess 
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 object-group NZAKL1-All-Subnets eq 3389 
access-list LAN_access_in extended permit ip object PCAdmin object NADA 
access-list LAN_access_in extended permit tcp object VNDEV08 object-group Calqtech-RDP-Servers eq 3389 
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 172.17.15.0 255.255.255.0 object-group LynchFileTransferServiceGroup 
access-list LAN_access_in extended permit ip 192.168.20.0 255.255.255.0 object ZEUS 
access-list LAN_access_in extended permit ip 192.168.20.0 255.255.255.0 object LyncServer02 
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 object AucklandLANSubnet object-group ExternalWebAccess 
access-list LAN_access_in extended permit object-group SIPServiceGroup 192.168.20.0 255.255.255.0 object AucklandLANSubnet 
access-list LAN_access_in extended permit ip 192.168.20.0 255.255.255.0 object SCCM 
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 object-group AzureSQLDatabase object-group AzureSQL 
access-list LAN_access_in extended permit object-group TCP-UDP 192.168.20.0 255.255.255.0 object-group Merlot-Aero-Azure-VMs object-group Merlot-Aero-AzureVM-PortGroup 
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 object AUGENTFS03 eq 8080 
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 object NADA eq 8080 
access-list LAN_access_in extended permit tcp object PCAdmin any eq ftp 
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 object-group NZVMCHL-Servers eq 3389 
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 object-group NZVMCHL-Servers eq 135 
access-list LAN_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 object softtech-logserver.database.windows.net object-group AzureSQL 
access-list LAN_access_in extended permit object-group DM_INLINE_SERVICE_3 192.168.20.0 255.255.255.0 object NZAKL1IIS001 
access-list LAN_access_in extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 host 172.17.15.9 eq ftp 
access-list LAN_access_in extended permit ip 192.168.20.0 255.255.255.0 object NZAKL1SQ001 
access-list LAN_access_in extended permit tcp object-group Allow-GoRentals-UAT object-group GoRentals-Azure-Resources object-group DM_INLINE_TCP_3 
access-list LAN_access_in extended permit udp object-group ESXi-Server-Group object VN-Time-Server eq ntp 
access-list LAN_access_in extended permit object-group PPTPGroup object-group DM_INLINE_NETWORK_5 object DRCT-VPNEndpoint 
access-list LAN_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 object dp-dev.database.windows.net object-group AzureSQL 
access-list Allow_All extended permit ip any any 
access-list External-VPN_access_in_controlplane extended permit tcp object AucklandLANSubnet any object-group DM_INLINE_TCP_2 
access-list External-VPN_access_in_controlplane extended permit tcp object NZAKL1-Office-Ext-Network any object-group DM_INLINE_TCP_1 
access-list External-Internet_access_in extended permit tcp object NZAKL1-Office-Ext-Network object PCAdmin eq 3389 
access-list External-Internet_access_in extended permit icmp any any time-exceeded 
access-list External-Internet_access_in extended permit udp any object vnhcm1-vpn-1 eq 1194 
access-list External-Internet_access_in extended permit icmp any any unreachable 
access-list Guest_access_in extended permit ip host 192.168.10.253 host 192.168.20.6 
access-list Guest_access_in extended permit tcp 192.168.10.0 255.255.255.0 any object-group ExternalWebAccess 
access-list Guest_access_in extended permit icmp 192.168.10.0 255.255.255.0 any 
access-list Guest_access_in extended permit udp 192.168.10.0 255.255.255.0 any eq domain 
access-list Guest_access_in extended permit tcp 192.168.10.0 255.255.255.0 object app.ss-prophet.com eq 3389 
access-list Guest_access_in extended permit ip 192.168.10.0 255.255.255.0 object secure.domain.com 
access-list Guest_access_in extended permit tcp object vnhcm1-vpn-1 object-group DM_INLINE_NETWORK_3 eq ldap 
access-list global_mpc extended permit ip any any 
access-list ClientVPN_access_in extended permit ip object vnhcm1-vpn-1 any 
access-list ClientVPN_access_in extended permit tcp object vnhcm1-vpn-1 object-group DM_INLINE_NETWORK_4 eq ldap 
access-list ClientVPN_access_in extended permit object-group DM_INLINE_SERVICE_1 object VPN-Network 192.168.20.0 255.255.255.0 
access-list route-o365 extended permit ip any object-group o365Rules 
pager lines 50
logging enable
logging timestamp
no logging hide username
logging standby
logging list SysLogList level informational
logging trap informational
logging asdm informational
logging mail critical
logging device-id hostname
logging host LAN 192.168.20.22
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination LAN 192.168.20.6 5002
flow-export template timeout-rate 1
flow-export delay flow-create 30
mtu External-Internet 1500
mtu External-VPN 1500
mtu LAN 1500
mtu Guest 1500
mtu DMZ 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo LAN
icmp permit any echo-reply LAN
icmp permit any echo Guest
icmp permit any echo-reply Guest
asdm image disk0:/asdm-781.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (LAN,Guest) source static LAN LAN destination static Guest Guest
nat (LAN,External-VPN) source static LAN LAN destination static NZAKL1-All-Subnets NZAKL1-All-Subnets no-proxy-arp route-lookup
nat (LAN,External-VPN) source dynamic any interface
nat (LAN,External-Internet) source dynamic any interface
!
object network PCAdmin
 nat (LAN,External-Internet) static interface service tcp 3389 1337 
object network Guest_LAN
 nat (Guest,External-Internet) dynamic interface
object network vnhcm1-vpn-1
 nat (DMZ,External-Internet) static 100.0.0.2 service udp 1194 1194 
object network ClientVPN_LAN
 nat (DMZ,External-Internet) dynamic interface
access-group External-Internet_access_in in interface External-Internet
access-group External-VPN_access_in_controlplane in interface External-VPN control-plane
access-group LAN_access_in in interface LAN
access-group Guest_access_in in interface Guest
access-group ClientVPN_access_in in interface DMZ
!
route-map route-o365 permit 10
 match ip address route-o365
 set interface External-VPN

!
route External-Internet 0.0.0.0 0.0.0.0 100.0.0.2 1
route External-VPN 50.0.0.1 255.255.255.255 200.0.0.2 1
route External-VPN 172.17.15.0 255.255.255.0 200.0.0.2 1
route External-VPN 172.17.18.0 255.255.255.0 200.0.0.2 1
route DMZ 172.27.5.0 255.255.255.0 172.27.3.2 1
route Guest 192.168.21.0 255.255.255.0 192.168.10.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
aaa authorization http console LOCAL
aaa authentication login-history
http server enable
http 192.168.20.6 255.255.255.255 LAN
http 172.17.15.0 255.255.255.0 LAN
snmp-server host LAN 192.168.20.6 community ***** version 2c
snmp-server location HCMC
snmp-server contact Admin
sysopt noproxyarp LAN
service sw-reset-button
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto map External-VPN_map5 1 match address External-VPN_cryptomap
crypto map External-VPN_map5 1 set pfs 
crypto map External-VPN_map5 1 set peer 50.0.0.1 
crypto map External-VPN_map5 1 set ikev1 phase1-mode aggressive 
crypto map External-VPN_map5 1 set ikev1 transform-set ESP-3DES-SHA
crypto map External-VPN_map5 1 set security-association lifetime seconds 86400
crypto map External-VPN_map5 1 set security-association lifetime kilobytes unlimited
crypto map External-VPN_map5 1 set nat-t-disable
crypto map External-VPN_map5 interface External-VPN
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca xxxx
 quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable External-VPN
crypto ikev1 enable External-VPN
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 50.0.0.1 255.255.255.252 External-Internet
ssh 50.0.0.1 255.255.255.252 External-VPN
ssh 192.168.20.6 255.255.255.255 LAN
ssh 172.17.15.0 255.255.255.0 LAN
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access LAN

dhcpd auto_config External-Internet
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 150.101.254.110
group-policy AugenVPNGroupPolicy internal
group-policy AugenVPNGroupPolicy attributes
 vpn-tunnel-protocol ikev1 
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 50.0.0.1 type ipsec-l2l
tunnel-group 50.0.0.1 general-attributes
 default-group-policy AugenVPNGroupPolicy
tunnel-group 50.0.0.1 ipsec-attributes
 ikev1 pre-shared-key ********
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
 message-length maximum client auto
 message-length maximum 512
 no tcp-inspection
policy-map route-o365
policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map 
 inspect ftp 
 inspect h323 h225 
 inspect h323 ras 
 inspect rsh 
 inspect rtsp 
 inspect sqlnet 
 inspect skinny 
 inspect sunrpc 
 inspect xdmcp 
 inspect sip 
 inspect netbios 
 inspect tftp 
 inspect ip-options 
 inspect icmp 
 inspect pptp 
 class global-class
 flow-export event-type all destination 192.168.20.6
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
Cryptochecksum:xxxxx
: end

Re: ASA 5508-X PBR Wrong Interface Selection

Marius Gunnerud — Mon, 01 Oct 2018 06:31:33 GMT

object-group network o365Rules
 remark office 365 endpoints

access-list route-o365 extended permit ip any object-group o365Rules

route-map route-o365 permit 10
 match ip address route-o365
 set interface External-VPN

Is the object-group network o365Rules a copy paste error? it only has a remark.

Re: ASA 5508-X PBR Wrong Interface Selection

LordBoBCUP — Mon, 01 Oct 2018 19:45:38 GMT

Hi Marius, not an error, but removed to make the config as small as possible, it has ~150 rules in it and you can see by packet tracer output earlier in the post it is matching against it.

Re: ASA 5508-X PBR Wrong Interface Selection

Marius Gunnerud — Tue, 02 Oct 2018 16:06:40 GMT

I don't see an interface within the 203.78.115.123 subnet configured on your ASA. As the error message states, you need an interface that is directly connected to the second ISP or use a directly connected subnet that is in the path to the second ISP.

interface GigabitEthernet1/1
 nameif External-Internet
 security-level 0
 ip address 100.0.0.1 255.255.255.248 
!
interface GigabitEthernet1/2
 nameif External-VPN
 security-level 0
 ip address 200.0.0.1 255.255.255.248 
!
interface GigabitEthernet1/3
 nameif LAN
 security-level 100
 ip address 192.168.20.254 255.255.255.0 
 policy-route route-map route-o365
!
interface GigabitEthernet1/4
 nameif Guest
 security-level 50
 ip address 192.168.10.254 255.255.255.0 
!
interface GigabitEthernet1/5
 nameif DMZ
 security-level 49
 ip address 172.27.3.1 255.255.255.0

Re: ASA 5508-X PBR Wrong Interface Selection

LordBoBCUP — Wed, 03 Oct 2018 21:58:23 GMT

Hi All,

It appears that the configuration was 90% correct in the original deployment. The major problem was the gateway IP was incorrect so the suggestions did help get me on the right track there. The rest of the issues were caused by an ISP problem which they have now acknowledged and fixed for us.

Thank you all for your assistance.