https://community.cisco.com/t5/network-security/question-about-policy-based-routing-on-asa-5500x-series/m-p/3675748#M13196 <P>Hi,</P> <P>&nbsp;</P> <P>Does anyone know if PBR on the new ASAs to solve the following scenario? Or is there a better option?</P> <P>I need to send outbound SMTP traffic out to a separate physical port from the main one.</P> <P>I have a stateless security device that filters inbound and outbound traffic between our legacy ASA and our internet link. We utilize an online spam service that has it's IP whitelisted on the security device,and our MX record points to that service. However outbound SMTP traffic goes through the security device and is subsequently blocked to certain geographic areas. I can't whitelist all destination mail servers, so I'd like to send all SMTP traffic out an alternate port on the new 5516x that will bypass the security device.</P> <P>I don't want other traffic to bypass the security device, only SMTP traffic.</P> <P>What's the best was of doing this?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>B</P> Fri, 21 Feb 2020 16:01:29 GMT Brad Hodgins 2020-02-21T16:01:29Z https://community.cisco.com/t5/network-security/question-about-policy-based-routing-on-asa-5500x-series/m-p/3675748#M13196 <P>Hi,</P> <P>&nbsp;</P> <P>Does anyone know if PBR on the new ASAs to solve the following scenario? Or is there a better option?</P> <P>I need to send outbound SMTP traffic out to a separate physical port from the main one.</P> <P>I have a stateless security device that filters inbound and outbound traffic between our legacy ASA and our internet link. We utilize an online spam service that has it's IP whitelisted on the security device,and our MX record points to that service. However outbound SMTP traffic goes through the security device and is subsequently blocked to certain geographic areas. I can't whitelist all destination mail servers, so I'd like to send all SMTP traffic out an alternate port on the new 5516x that will bypass the security device.</P> <P>I don't want other traffic to bypass the security device, only SMTP traffic.</P> <P>What's the best was of doing this?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>B</P> Fri, 21 Feb 2020 16:01:29 GMT https://community.cisco.com/t5/network-security/question-about-policy-based-routing-on-asa-5500x-series/m-p/3675748#M13196 Brad Hodgins 2020-02-21T16:01:29Z https://community.cisco.com/t5/network-security/question-about-policy-based-routing-on-asa-5500x-series/m-p/3675894#M13197 <P>You need to create the access list for interesting traffic that will perform PBR based on the protocol.</P> <P>&nbsp;</P> <P>ciscoasa(config)# access-list Interesting extended permit tcp any any eq smtp</P> <P>&nbsp;</P> <DIV id="crayon-5b5a5eeadd72d837536514-7" class="crayon-line"><SPAN>ciscoasa(config)#&nbsp;</SPAN>route-map map-pbr permit 10</DIV> <DIV id="crayon-5b5a5eeadd72d837536514-8" class="crayon-line crayon-striped-line"><SPAN>ciscoasa(config-route-map)#&nbsp;</SPAN>match ip address&nbsp;Interesting</DIV> <DIV id="crayon-5b5a5eeadd72d837536514-9" class="crayon-line"><SPAN>ciscoasa(config-route-map)#</SPAN>set ip next-hop&nbsp;<EM>ip-of-next-hope-for-smtp-traffic</EM></DIV> <P>&nbsp;</P> <P>apply the PBR on the inside interface</P> <DIV class="crayon-line">&nbsp;</DIV> <DIV id="crayon-5b5a5eeadd72d837536514-5" class="crayon-line"><SPAN>ciscoasa(config)#</SPAN>interface GigabitEthernet1/3 <DIV id="crayon-5b5a5eeadd72d837536514-2" class="crayon-line crayon-striped-line"><SPAN>ciscoasa(config-if)#</SPAN>policy-route route-map map-pbr</DIV> <DIV class="crayon-line crayon-striped-line">&nbsp;</DIV> <DIV class="crayon-line crayon-striped-line">Regards</DIV> </DIV> Thu, 26 Jul 2018 23:57:10 GMT https://community.cisco.com/t5/network-security/question-about-policy-based-routing-on-asa-5500x-series/m-p/3675894#M13197 epoceros1 2018-07-26T23:57:10Z