https://community.cisco.com/t5/network-security/permanent-route-on-cisco-asa/m-p/3043862#M134409 <P>Thanks Dinesh. I will try your suggestion. I was under impression that there is a&nbsp;<SPAN>an&nbsp;</SPAN><B>implicit deny</B><SPAN><SPAN>&nbsp;</SPAN>&nbsp;at the end of&nbsp;route-map acl. Do you know if SLA monitor requires a security plus license? I enabled the SLA monitor but the debugging not showing&nbsp;anything?</SPAN></P> Wed, 05 Jul 2017 02:45:07 GMT ms-tech-001 2017-07-05T02:45:07Z https://community.cisco.com/t5/network-security/permanent-route-on-cisco-asa/m-p/3043858#M134405 <P>Can I please know if there is anyway to make a permanent static route on cisco asa 5506x? &nbsp;I am basically looking for a PPTPoE route to be available &nbsp;in the routing table&nbsp;all the time so that my backup route won't get activated when there is some issue with the primary connection.</P> <P></P> <P>Thanks.</P> <P>MS</P> Tue, 12 Mar 2019 09:39:02 GMT https://community.cisco.com/t5/network-security/permanent-route-on-cisco-asa/m-p/3043858#M134405 ms-tech-001 2019-03-12T09:39:02Z https://community.cisco.com/t5/network-security/permanent-route-on-cisco-asa/m-p/3043859#M134406 <P></P> <P>You can use metric to define the route to be chosen but once this is down, the other route (with higher metric) will take over.</P> <P><BR />Is there any specific reason you want to keep the backup route but not have it activated once the primary goes <G class="gr_ gr_15 gr-alert gr_gramm gr_inline_cards gr_run_anim Style multiReplace" id="15" data-gr-id="15">down ?</G></P> <P>I'd suggest you have IP SLA setup to monitor ISP links<BR /><A href="http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html">http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html</A></P> <P><BR />Regards<BR />Dinesh Moudgil</P> <P>P.S. Please rate helpful posts.</P> Mon, 03 Jul 2017 06:41:05 GMT https://community.cisco.com/t5/network-security/permanent-route-on-cisco-asa/m-p/3043859#M134406 Dinesh Moudgil 2017-07-03T06:41:05Z https://community.cisco.com/t5/network-security/permanent-route-on-cisco-asa/m-p/3043860#M134407 <P>Thanks for the reply Dinesh. We have two ISP connected to our asa, one for general internet stuff and the second one dedicated to&nbsp;voip. We are using route-map to send the voip traffic to the backup connection. We thought about SLA monitoring but we have only base license. I believe that you need a security plus license to enable SLA? Also we noticed some issue with route-map when the backup connection&nbsp;become active and I think this issue will continue &nbsp;even we proceed with SLA monitor. Our route-map acl has configured to permit only the&nbsp;&nbsp;voip gateway to use the backup connection and this works fine when both connections are active but as soon as the primary route disappeared from the routing table all other devices will start to use the backup connection. Can I please know why this is happening and is there anyway to stop this.&nbsp;</P> <P>Thanks</P> <P>MS</P> Mon, 03 Jul 2017 07:09:59 GMT https://community.cisco.com/t5/network-security/permanent-route-on-cisco-asa/m-p/3043860#M134407 ms-tech-001 2017-07-03T07:09:59Z https://community.cisco.com/t5/network-security/permanent-route-on-cisco-asa/m-p/3043861#M134408 <P>One thing that you can try is to modify the access-list applied to PBR on 2nd ISP which is dedicated to <G class="gr_ gr_170 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="170" data-gr-id="170">voip</G> gateway so that the data traffic is implicitly dropped due to <G class="gr_ gr_245 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar multiReplace" id="245" data-gr-id="245">deny</G> in access-list.<BR /><BR /></P> <P>Regards<BR />Dinesh Moudgil</P> <P></P> <P>P.S. Please rate helpful posts.</P> Mon, 03 Jul 2017 07:38:25 GMT https://community.cisco.com/t5/network-security/permanent-route-on-cisco-asa/m-p/3043861#M134408 Dinesh Moudgil 2017-07-03T07:38:25Z https://community.cisco.com/t5/network-security/permanent-route-on-cisco-asa/m-p/3043862#M134409 <P>Thanks Dinesh. I will try your suggestion. I was under impression that there is a&nbsp;<SPAN>an&nbsp;</SPAN><B>implicit deny</B><SPAN><SPAN>&nbsp;</SPAN>&nbsp;at the end of&nbsp;route-map acl. Do you know if SLA monitor requires a security plus license? I enabled the SLA monitor but the debugging not showing&nbsp;anything?</SPAN></P> Wed, 05 Jul 2017 02:45:07 GMT https://community.cisco.com/t5/network-security/permanent-route-on-cisco-asa/m-p/3043862#M134409 ms-tech-001 2017-07-05T02:45:07Z https://community.cisco.com/t5/network-security/permanent-route-on-cisco-asa/m-p/3043863#M134410 <P>The IP SLA Monitoring could be configured in all type of licenses, there are no specific requirements for this feature.<BR /><BR />I doubt this is possible via PBR. Selective traffic propagation might not work as track will failover all the traffic. You might want to create an access-list entry for an access-list applied on ingress interface that will block your traffic which should not be allowed via <G class="gr_ gr_242 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar only-ins replaceWithoutSep" id="242" data-gr-id="242">second</G> ISP.<BR /><BR />Hope this helps.<BR /><BR />Regards<BR />Dinesh Moudgil</P> <P>P.S. Please rate helpful posts.</P> Wed, 05 Jul 2017 04:45:20 GMT https://community.cisco.com/t5/network-security/permanent-route-on-cisco-asa/m-p/3043863#M134410 Dinesh Moudgil 2017-07-05T04:45:20Z