topic Re: Cisco ASA PBR in Network Security

Cisco ASA PBR

Steven Williams — Fri, 21 Feb 2020 17:29:43 GMT

Looking to do PBR on the ASA for Tunnel interface, is this possible?

It has been super long time since I have done this because I try to avoid it at all costs. I cant recall when I make a PBR ACL that uses a source Subnet to a destination subnet on ports 80/443, what happens to the traffic not from that subnet? I ask because I am tying the ACL to the inside interface and do not want other traffic to get blocked. Do i need to add a permit any after the matching the ACL in the route-map?

Re: Cisco ASA PBR

balaji.bandi — Fri, 13 Sep 2019 13:44:48 GMT

here is the referene guide :

https://community.cisco.com/t5/networking-documents/how-to-configure-pbr/ta-p/3122774

good example :

https://www.networkstraining.com/cisco-asa-policy-based-routing-pbr/

make sure you have verion 9.4.x above.

Re: Cisco ASA PBR

Steven Williams — Wed, 02 Oct 2019 00:27:00 GMT

So when looking at this:

route-map PBR permit 2 <– create the route-map and give it a name “PBR”
match ip address PBR_ACL1 <– match the traffic of LAN1 identified in ACL1 created above
set ip next-hop 50.50.50.2 <– set the next hop of LAN1 traffic to be ISP1

route-map PBR permit 3 <– create another entry in the same route-map
match ip address PBR_ACL2 <– match the traffic of LAN2 identified in ACL2 created above
set ip next-hop 55.55.55.2 <– set the next hop of LAN2 traffic to be ISP2

What if I want only one network of many behind the firewall to traverse ISP1 and want everything else to hit ISP2?

Would the second statement have an acl that is "access-list PBR_ACL_2 extended permit ip any any" so it would process my more defined network first and send it out ISP1 and then take anything after that matching any any and send it out ISP2?

Re: Cisco ASA PBR

josedelpino — Wed, 02 Oct 2019 02:14:40 GMT

"Would the second statement have an acl that is "access-list PBR_ACL_2 extended permit ip any any" so it would process my more defined network first and send it out ISP1 and then take anything after that matching any any and send it out ISP2?"

This is correct, alternatively you could simply have your default route through ISP2 that way you only need one entry in the route map used for PBR.

route WAN_ISP2 0.0.0.0 0.0.0.0 55.55.55.2

route-map PBR permit 2
match ip address PBR_ACL1
set ip next-hop 50.50.50.2

Re: Cisco ASA PBR

Steven Williams — Mon, 07 Oct 2019 18:38:24 GMT

Something is wrong that I cannot see or notice. I am seeing the entries in the xlate table but no internet is getting out.

ICMP shows this:

Stevens-MacBook-Pro:~ stevenwiliams$ traceroute 4.2.2.2

traceroute to 4.2.2.2 (4.2.2.2), 64 hops max, 52 byte packets

1 10.20.42.3 (10.20.42.3) 0.625 ms 0.325 ms 0.266 ms

2 10.53.100.9 (10.53.100.9) 0.722 ms

10.53.100.13 (10.53.100.13) 0.873 ms 0.915 ms

3 * * *

4 * * 192.133.72.1 (192.133.72.1) 1.747 ms !N

5 192.133.72.1 (192.133.72.1) 1.721 ms !N * *

6 192.133.72.1 (192.133.72.1) 1.931 ms !N * 2.042 ms !N

Stevens-MacBook-Pro:~ stevenwiliams$

Re: Cisco ASA PBR

Steven Williams — Mon, 07 Oct 2019 18:38:47 GMT

Something is wrong that I cannot see or notice. I am seeing the entries in the xlate table but no internet is getting out.

ICMP shows this:

Stevens-MacBook-Pro:~ stevenwiliams$ traceroute 4.2.2.2

traceroute to 4.2.2.2 (4.2.2.2), 64 hops max, 52 byte packets

1 10.20.42.3 (10.20.42.3) 0.625 ms 0.325 ms 0.266 ms

2 10.53.100.9 (10.53.100.9) 0.722 ms

10.53.100.13 (10.53.100.13) 0.873 ms 0.915 ms

3 * * *

4 * * 192.133.72.1 (192.133.72.1) 1.747 ms !N

5 192.133.72.1 (192.133.72.1) 1.721 ms !N * *

6 192.133.72.1 (192.133.72.1) 1.931 ms !N * 2.042 ms !N

Stevens-MacBook-Pro:~ stevenwiliams$

Re: Cisco ASA PBR

Steven Williams — Mon, 07 Oct 2019 20:13:55 GMT

Will a packet tracer detail actually process the traffic using the PBR acl?