https://community.cisco.com/t5/network-security/asa-why-doesn-t-quot-route-map-quot-quot-set-ip-next-hop-quot/m-p/1835171#M489588 <P>HI all,</P><P></P><P>I need to be able to redirect some HTTP traffic to an Ironport WSA (for now) on a DMZ interface, the initial config I'm trying to test is along the lines of the following (don't have access to the ASA at the moment to cut-and-paste, sorry):</P><P></P><P>access-list 101 deny any any neq www</P><P>access-list 101 deny tcp host 10.0.2.2 any</P><P>access-list 101 permit tcp any any</P><P></P><P>route-map proxy-redirect permit 101</P><P>&nbsp;&nbsp;&nbsp;&nbsp; match ip address 101</P><P>&nbsp;&nbsp;&nbsp;&nbsp; set ip next-hop 10.0.2.2</P><P></P><P>Unfortunately the ASA does not take the "set ip next-hop" command, I get an invalid input error message and if I at the route map config prompt type "?" only the "metric" and "metric-type" commands are listed as available.</P><P></P><P>This happens both on 8.2 (ASA5510) and 8.4(2) (ASA5505). Since others are able to make this work, I assume there's something else on the ASA that I have to set to enable this command?</P><P></P><P>I know folks will suggest WCCP but that's not going to be applicable in my case I'm afraid, and although I can make a NAT rule work under 8.4, that sadly doesn't work under 8.2.</P><P></P><P>Any feedback would be greatly appreciated!</P><P></P><P>Thanks in advance!</P> Mon, 11 Mar 2019 22:09:21 GMT ohansen 2019-03-11T22:09:21Z https://community.cisco.com/t5/network-security/asa-why-doesn-t-quot-route-map-quot-quot-set-ip-next-hop-quot/m-p/1835171#M489588 <P>HI all,</P><P></P><P>I need to be able to redirect some HTTP traffic to an Ironport WSA (for now) on a DMZ interface, the initial config I'm trying to test is along the lines of the following (don't have access to the ASA at the moment to cut-and-paste, sorry):</P><P></P><P>access-list 101 deny any any neq www</P><P>access-list 101 deny tcp host 10.0.2.2 any</P><P>access-list 101 permit tcp any any</P><P></P><P>route-map proxy-redirect permit 101</P><P>&nbsp;&nbsp;&nbsp;&nbsp; match ip address 101</P><P>&nbsp;&nbsp;&nbsp;&nbsp; set ip next-hop 10.0.2.2</P><P></P><P>Unfortunately the ASA does not take the "set ip next-hop" command, I get an invalid input error message and if I at the route map config prompt type "?" only the "metric" and "metric-type" commands are listed as available.</P><P></P><P>This happens both on 8.2 (ASA5510) and 8.4(2) (ASA5505). Since others are able to make this work, I assume there's something else on the ASA that I have to set to enable this command?</P><P></P><P>I know folks will suggest WCCP but that's not going to be applicable in my case I'm afraid, and although I can make a NAT rule work under 8.4, that sadly doesn't work under 8.2.</P><P></P><P>Any feedback would be greatly appreciated!</P><P></P><P>Thanks in advance!</P> Mon, 11 Mar 2019 22:09:21 GMT https://community.cisco.com/t5/network-security/asa-why-doesn-t-quot-route-map-quot-quot-set-ip-next-hop-quot/m-p/1835171#M489588 ohansen 2019-03-11T22:09:21Z https://community.cisco.com/t5/network-security/asa-why-doesn-t-quot-route-map-quot-quot-set-ip-next-hop-quot/m-p/1835172#M489590 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P><EM>Since others are able to make this work</EM>&nbsp;&nbsp;&nbsp;&nbsp; How ?&nbsp; because PBR is not supported on the ASA and route-maps are used for redistribution purposes only.</P><P></P><P>Don't forget to rate if helpful.</P><P></P><P>Regards.</P><P></P><P>Alain</P></BODY></HTML> Tue, 03 Jan 2012 10:31:39 GMT https://community.cisco.com/t5/network-security/asa-why-doesn-t-quot-route-map-quot-quot-set-ip-next-hop-quot/m-p/1835172#M489590 cadet alain 2012-01-03T10:31:39Z https://community.cisco.com/t5/network-security/asa-why-doesn-t-quot-route-map-quot-quot-set-ip-next-hop-quot/m-p/1835173#M489592 <HTML><HEAD></HEAD><BODY><P>Thanks Alain,</P><P></P><P>&gt; <EM>Since others are able to make this work</EM>&nbsp;&nbsp;&nbsp;&nbsp; How ?</P><P></P><P>there are a few posts/articles out there that hints that it's possible, like the one below, I was hoping it would be tied to a licenced feature, routing config etc., but I guess you're right...</P><P><A _jive_internal="true" href="https://community.cisco.com/thread/2058702">https://supportforums.cisco.com/thread/2058702</A></P><P></P><P>Thanks again!</P></BODY></HTML> Tue, 03 Jan 2012 14:39:45 GMT https://community.cisco.com/t5/network-security/asa-why-doesn-t-quot-route-map-quot-quot-set-ip-next-hop-quot/m-p/1835173#M489592 ohansen 2012-01-03T14:39:45Z https://community.cisco.com/t5/network-security/asa-why-doesn-t-quot-route-map-quot-quot-set-ip-next-hop-quot/m-p/1835174#M489594 <HTML><HEAD></HEAD><BODY><P>dear bro,</P><P></P><P>what are the others ways to do rather then next-hop config</P><P></P><P>can you please write down that.</P><P></P><P>RG</P></BODY></HTML> Tue, 06 Aug 2013 20:48:43 GMT https://community.cisco.com/t5/network-security/asa-why-doesn-t-quot-route-map-quot-quot-set-ip-next-hop-quot/m-p/1835174#M489594 Waisudin Farzam 2013-08-06T20:48:43Z