topic Hi in Network Security

Issue with Policy Based Routing

andrewgori — Tue, 26 Mar 2019 01:00:14 GMT

I'm trying to set up policy based routing in a staging environment. The ASA is a 5515-x running 9.44 and it supports it.

I have one internal interface and two external interfaces (ISP1 and ISP2) ISP1 is the default route. I'm trying to route traffic from a certain network via ISP2. I have the route policy and ACL setup and applied to the Internal interface, but I can't get traffic to go out the ISP2 interface.

*ISP2 is live and I can send packets out if I set it as the default route. If I set ISP1 as the default route and try to access the 'world' via hosts on the 192.168.99.0 network, it fails. I can still ping directly connected networks, but that's it.

Thanks in advance for any suggestions you can provide.

btw, the IP addresses for the ISP's have been changed for privacy. They are publicly rout-able IP addresses

Result of the command: "show policy-route"

Interface Route map 
GigabitEthernet0/1 guest-wifi 

***********
interface GigabitEthernet0/0
 description external to ISP1.
 nameif external
 security-level 0
 ip address 10.211.84.114 255.255.255.248
!
interface GigabitEthernet0/1               <------ Internal interface
 description transit to core
 nameif transit
 security-level 100
 ip address 192.168.194.253 255.255.255.0
 policy-route route-map guest-wifi
!
interface GigabitEthernet0/2
 description External to ISP2
 nameif External-ISP2
 security-level 0
 ip address 10.99.7.12 255.255.255.248
************
  
access-list PBR-ISP2-out remark Route Guest wifi and other traffic out ISP2 connection.
access-list PBR-ISP2-out standard permit 192.168.99.0 255.255.255.0 
access-list PBR-ISP2-out standard permit host 10.99.7.13             

object network Guest-WiFI
 nat (transit,External-ISP2) dynamic 10.99.7.13
 
 route-map guest-wifi permit 12
 match ip address PBR-ISP2-out
 set interface External-ISP2
 set ip default next-hop 10.99.7.9 
 
 route external 0.0.0.0 0.0.0.0 10.211.84.113 1

Hi

Francesco Molino — Sat, 27 May 2017 04:26:12 GMT

First of all, your 2 statements on the policy-map are doing the same thing and it's not needed.

You can keep set interface. The set ip default next hop wouldn't be the one i'll choose. I'll prefer set ip next hop.

Here's is the definition of the set ip default next hop and you'll understand why in your case it isn't the best idea: If the normal route lookup fails for matching traffic, then the ASA forwards the traffic using this specified next-hop IP address.

ASA will user in the order the set ip default next hop before the set interface.

Can you remove it and keep set interface?

Do a test and while you're doing the test activate the debug: debug policy-route

Paste the output of the debug please.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thank you for the input. I

andrewgori — Tue, 30 May 2017 18:09:15 GMT

Thank you for the input. I removed the default next hop option and left the Set Interface option. It still isn't working. I've read through the white paper a couple times and it seems straight forward, but apparently, I'm missing something.

Here is the output from debug policy-route when trying to ping 8.8.8.8:

pbr: policy based route lookup called for 192.168.99.8/1 to 8.8.8.8/0 proto 1 sub_proto 8 received on interface transit

pbr: no route policy found; skip to normal route lookup

It says no policy is found, but it's right there in the config...

Also, I have tried it without 'set intereface' and using 'next hop IP4 address' and I get the same result.

I finally have it worked out.

andrewgori — Tue, 30 May 2017 21:38:24 GMT

I finally have it worked out. The ACL needs to be an extended ACL that specifies the source address AND 'any' as the destination. Previously, I was using a standard ACL.

ALSO: it did not work with the 'set interface' option. I had to use the 'set PBR next-hop' option to make it work.

Thank you Francesco Molino.

Hi

Francesco Molino — Tue, 30 May 2017 21:55:49 GMT

You're welcome.

I always use (most of the time) the set ip next hop with extended acl but set interface should work as well.

I'm sorry i didn't noticed that you were using standard acl. It works with standard acls but you need to setup the destination network and not the source.

Thanks