topic Haven't used PBR on ASAs but in Network Security

Cisco ASA PBR forwarding

nshinde01 — Tue, 12 Mar 2019 06:48:46 GMT

I have a Cisco ASA 5525-X, with 2 ISPs (Consider X and Y). I want to use both of them for loadbalancing, but the issue is I have a site to site VPN over ISP-X. As per my understanding, if my PBR routes my VPN interested traffic through ISP-Y, it would be dropped.
Not sure If ASA checks crypto ACL first or the PBR.
Please help me to understand.

Haven't used PBR on ASAs but

Jon Marshall — Fri, 30 Oct 2015 16:07:40 GMT

Haven't used PBR on ASAs but the routing happens first whether that is with PBR or the routing table.

If the traffic is then routed out of an interface that has a crypto map applied and the traffic matches an entry in the acl it will sent down the tunnel.

I'm not sure what the issue is though.

If you are using PBR just make sure the VPN traffic is policy routed to the right interface or exclude it from PBR and if the routing table already points out the right interface ie. your default route it should work anyway.

Jon

Hello Jon,Thanks for your

nshinde01 — Fri, 30 Oct 2015 18:03:02 GMT

Hello Jon,

Thanks for your quick response. That helps me to understand how traffic encryption decision is taken by the device. I have to check if I am exposing my whole internal subnet over the VPN.

I think 'reverse-route' in crypto map and 'set ip default next-hop' together can help me, but I have to think about it.
Also I have not considered remote-access VPN traffic at the moment, I do not want that to get hampered because of PBR.

I totally forgot that I can

nshinde01 — Sat, 31 Oct 2015 08:42:20 GMT

I totally forgot that I can match source and destination IP all together to take intelligent forwarding decision.
I will come back with my solution.