topic Hi, in Network Security

ASA PBR

manemaren — Tue, 12 Mar 2019 08:52:08 GMT

Hi,

I am trying to configure my ASA 5515x with Policy Based Routing. I have 2 inside network which need to access internet via 2 different outside interface.

object network OBJ-NET-INSIDE25
subnet 172.25.1.0 255.255.255.0
object network OBJ-NET-INSIDE26
subnet 172.26.1.0 255.255.255.0

object network OBJ-NET-INSIDE25
nat (inside25,outside1) dynamic interface
object network OBJ-NET-INSIDE26
nat (inside26,outside2) dynamic interface

access-list ACL-OUTSIDE1 permit 172.25.1.0 255.255.255.0
access-list ACL-OUTSIDE2 permit 172.26.1.0 255.255.255.0

route-map PBR-MAP permit 10
match ip address ACL-OUTSIDE1
set interface OUTSIDE1
route-map PBR-MAP permit 20
match ip address ACL-OUTSIDE2
set interface OUTSIDE2
route-map PBR-MAP permit 30
set interface null0

interface GigabitEthernet0/0
policy-route route-map PBR-MAP

interface GigabitEthernet0/1
policy-route route-map PBR-MAP

It does not work. The PC in the inside26 network did not get internet access. I did a debug as follows :

pbr: policy based route lookup called for x.x.x.77/138 to x.x.x.255/138 proto 17 sub_proto 0 received on interface outside2
pbr: First matching rule from ACL(-1)
pbr: route map PBR-MAP, sequence 30, permit; proceed with policy routing
pbr: evaluating interface Null0
pbr: policy based routing applied; packet is dropped

Something is not right with the Access-List? It matches to sequence 30. Since the PC is in inside26, it should match sequence 20 but it didn't.

Any idea? Please assist.

Hi,

Pablo — Thu, 02 Feb 2017 02:36:32 GMT

Hi,

A couple of issues:

You need to configure extended ACLs to match under the route-map

access-list ACL-OUTSIDE2 extended permit 172.26.1.0 255.255.255.0 any

access-list ACL-OUTSIDE1 extended permit 172.25.1.0 255.255.255.0 any

Secondly, it seems you applied the PRB on your outbound interfaces but it needs to be configured with an inbound direction. Remove it from Gi0/0 and gi0/1 an apply it to the inside25, inside26 defined interfaces.

Make sure that you have a second default route with a higher metric for the outside2 interface

route outside1 0 0 <ISP 1> 1

route outside2 0 0 <ISP 2> 2

As a recommendation, we prefer to use the set ip next-hop instead of the set interface on the route-map clause.

HTH

Pablo

Hi,

manemaren — Thu, 02 Feb 2017 04:40:06 GMT

Hi,

I made the amendments and the PBR is now working.

However, my dhcp is not working. Initially it was working.

dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 86400
dhcpd address 172.25.1.50-172.25.1.200 inside25
dhcpd enable inside25
dhcpd address 172.26.1.50-172.26.1.200 inside26
dhcpd enable inside26

I also could not ping from inside segment to any outside public ip.

I did the following :

interface GigabitEthernet0/2
policy-route route-map PBR-MAP

interface GigabitEthernet0/3
policy-route route-map PBR-MAP

access-list ACL-OUTSIDE1 extended permit ip 172.25.1.0 255.255.255.0 any4
access-list ACL-OUTSIDE2 extended permit ip 172.26.1.0 255.255.255.0 any4

route-map PBR-MAP permit 10
match ip address ACL-OUTSIDE1
set ip next-hop <isp1 gw>
route-map PBR-MAP permit 20
match ip address ACL-OUTSIDE2
set ip next-hop <isp2 gw>
route-map PBR-MAP permit 30
set interface null0

Please advice.

Hi,

manemaren — Thu, 02 Feb 2017 04:43:46 GMT

Hi,

I also added the following lines

route outside1 0.0.0.0 0.0.0.0 <ISP1 Gw> 1
route outside2 0.0.0.0 0.0.0.0 <ISP2 Gw> 2

Hi,

Pablo — Thu, 02 Feb 2017 18:13:19 GMT

Hi,

The problem is that you're blackholing the DHCP requests on the clause 30 of your route-maps. You can either remove this clause or create a clause on top of that and match a new ACL that permits traffic from 0.0.0.0 to 255.255.255.255 although this might not work due to CSCux16427.

HTH

Pablo

Re: Hi,

gustavo-suarez — Fri, 05 Jan 2018 20:50:28 GMT

Hello Cisco Community!,

I am trying to accomplish the same objective. I now have two ISP links and I need to only provide access to the new link to one subnet. I have reviewed the "Policy Base Routing" doc for ASA in which I already entered the needed commands based on this documents. My concern is that all LAN traffic is entering the ASA 5515-X through one interface, "inside", if when I apply the "route-map" for the specific subnet that I configured that all subnets will not traverse through. I believe I am looking at this like a trunk port. Would implementing the route-map for the specific subnet in the "inside" interface could drop the traffic of the other subnets?