topic Thank you! It works but i don in Network Security

PBR and Static NAT (Cisco ASA)

lyutov_dv — Tue, 12 Mar 2019 07:11:59 GMT

Hello!

I have a problem with working PBR and Static NAT together on ASA.

I have two ISP. I use the first one to provide internet access for users. The second one i want to use to publish SMTP server. I need to use PBR to make it work.

I configured Static NAT and ACL to publish SMTP server.

To provide routing I use PBR, because default route uses ISP_1.

I created ACL to match traffic from SMTP server and to set default next hop.

If SMTP server open a connection to any external server everything works good (traffic goes through ISP_2)

But when i try to connect from test server in Internet it doesn't work... But when i configure static route to inside server through ISP_2 everything works great (it means ACL and NAT work correctly).

I think this problem because ASA can't match traffic when an external server establishes a connection. (works stateful inspection). But i'm not sure and i don't know how to fix it.

HI

jagmeesi — Thu, 28 Jan 2016 01:35:52 GMT

Is it possible if you can share the configuration

Regards

Jagmeet.

Hi. My configuration is too

lyutov_dv — Thu, 28 Jan 2016 01:49:19 GMT

Hi. My configuration is too big because it working ASA and i wouldn't share the whole one.

But I can share certain partitions... Which one would you like to see?

I'm not sure only about PBR, because with the static route everything is OK.

show run nat

jagmeesi — Thu, 28 Jan 2016 08:24:08 GMT

show run nat

show run route-map

show run interface

show route

show run route

show run track

show run access-list

show run access-group

Regards

Jagmeet.

try this

Syed Taukir — Thu, 28 Jan 2016 08:45:26 GMT

try this

Create a default route with higher Admin Distance

Route ISP_2 0.0.0.0 0.0.0.0 <default gateway> 10

Let me know if this works ?

Thanks

Syed

Thank you! It works but i don

lyutov_dv — Thu, 28 Jan 2016 09:02:58 GMT

Thank you! It works but i don't understand...

Could you explain it? Why does it work?

'sh route' shows only ome default route through ISP_1

A very good question and it

Syed Taukir — Thu, 28 Jan 2016 20:51:52 GMT

A very good question and it helps increase our understanding about the FW.

The reason why it has worked is because firewall does stateful inspection and builds connection whereas router doesn't do that.

When traffic comes from ISP_2 to the Server on the DMZ, a connection is trying to be formed from ISP_2 to the DMZ, the forward traffic is sent to the DMZ and the return path should also be via the same interface (ISP_2) and not ISP_1.

For the return traffic, the ASA looks at it's fast path "show asp table routing" and since there's no route via ISP_2, it drops the traffic.

Now you would tell me that the PBR is applied so the ASA should forward the traffic based on the policy-route. On the ASA, the PBR is applied on to the initial packet and that's why when connection is initiated from DMZ it takes the ISP_2 but when the traffic is initiated from the ISP_2, the return path doesn't consult the policy-route.

So when you applied the a route with higher AD "route ISP_2 0.0.0.0 0.0.0.0 <default gateway> 10" and if you check the ASP routing table, the ASA now has a route via ISP_2 and without it, the ASA was dropping the traffic due to no route via ISP_2.

Reference

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html

HTH

Syed Taukir

Thank you very much for your

lyutov_dv — Fri, 29 Jan 2016 02:28:31 GMT

Thank you very much for your explanation.

I thought about stateful inspection but i had never heard about ASP before.

It seems to be very useful for troubleshooting.

Thank you very much, it realy

Taras Manko — Sat, 13 Feb 2016 13:30:57 GMT

Thank you very much, it realy helped me! I have one OUTSIDE and two DMZ interfaces from another ISP with PBR default next hop policy. During a week, i tried do it using TCP state bypass, but the solution is much simpler.

Re: A very good question and it

Deniz Miscioglu — Sun, 26 May 2019 16:30:27 GMT

Thank you for the explanation.

One question:

If the main ISP link goes down, will this second higher cost route not cause all the inside network devices to use the backup ISP?

(In our case, we are planning to link a second cellular 4G connection to the ASA to only route the voice vlan telephones and dont want all the users etc consume the limited bandwidth of the backup link. Any advise on this would be appreciated)

Regards

Deniz