topic Policy Based Routing in Cisco ASA in Network Security

Policy Based Routing in Cisco ASA

begad.nashaat — Tue, 12 Mar 2019 05:30:20 GMT

Dears,

I want to connect three internet connections (connected to three different ISPs) to my Cisco ASA firewall, accordingly I want to configure the ASA to route traffic based on the source subnet.

Let's say that my network is divided into three different VLANs with different subnets addresses as shown below:

VLAN 10 -> 10.0.10.0/24
VLAN 20 -> 10.0.20.0/24
VLAN 30 -> 10.0.30.0/24

Also, the internet connection are connected to below Outside interfaces on the ASA:

ISP1 -> Outside1
ISP2 -> Outside2
ISP3 -> Outside3

My target is to configure the ASA to route Internet traffic based on the source subnet as mentioned below:

Internet traffic sourced from VLAN10 (10.0.10.0/24) to be routed through ISP1 (Outside1)
Internet traffic sourced from VLAN20 (10.0.20.0/24) to be routed through ISP2 (Outside2)
Internet traffic sourced from VLAN30 (10.0.30.0/24) to be routed through ISP3 (Outside3)

Any ideas ??????

Appreciate your feedback.

Best Regards,

Begad Ahmed

The ASA is not capable of

Karsten Iwen — Sun, 15 Feb 2015 13:36:00 GMT

The ASA is not capable of policy-based routing. At least not in the actual versions.

Hi Karsten, Any workaround to

begad.nashaat — Sun, 15 Feb 2015 13:43:46 GMT

Hi Karsten,

Any workaround to deploy this configuration on the ASA ??

What are the versions capable to support this type of configuration ???

Best Regards,

Begad Ahmed

You can possibly accomplish

Marvin Rhoads — Sun, 15 Feb 2015 18:01:44 GMT

You can possibly accomplish it with multiple contexts or multiple virtual ASAs (ASAv product).

On a single context physical ASA it is not currently possible.

Thanks Marvin !!Is it

begad.nashaat — Sun, 15 Feb 2015 18:47:46 GMT

Thanks Marvin !!

Is it possible to provide me with sample configuration for multiple contexts ??

You're welcome.Cisco has some

Marvin Rhoads — Sun, 15 Feb 2015 18:55:55 GMT

You're welcome.

Cisco has some very nice examples already. See this one for example.

Note that multiple context require separate licensing - they are not automatically included. "show version" will show your current licensing active on the ASA.

Just to add, that with ASA

Karsten Iwen — Thu, 02 Apr 2015 05:15:36 GMT

Just to add, that with ASA-version 9.4(1), policy-based routing is now supported. This is from the release-notes:

Policy Based Routing (PBR) is a mechanism by which traffic is routed through specific paths with a specified QoS using ACLs. ACLs let traffic be classified based on the content of the packet’s Layer 3 and Layer 4 headers. This solution lets administrators provide QoS to differentiated traffic, distribute interactive and batch traffic among low-bandwidth, low-cost permanent paths and high-bandwidth, high-cost switched paths, and allows Internet service providers and other organizations to route traffic originating from various sets of users through well-defined Internet connections.

We introduced the following commands: set ip next-hop verify-availability, set ip next-hop, set ip next-hop recursive, set interface, set ip default next-hop, set default interface, set ip df, set ip dscp, policy-route route-map, show policy-route, debug policy-route