https://community.cisco.com/t5/network-security/policy-based-routing-to-asa-inside-interface/m-p/1612249#M580589 <HTML><HEAD></HEAD><BODY><P>Thanks Federico,</P><P></P><P>I thought that was in fact the case - that it is possible to policy route directly to the ASA interface ip address, but wanted to confirm.</P><P></P><P>Thanks again for your responses!</P><P></P><P>Best regards.</P><P></P><P>Rob</P></BODY></HTML> Sat, 05 Mar 2011 19:42:10 GMT rlesyshyn 2011-03-05T19:42:10Z https://community.cisco.com/t5/network-security/policy-based-routing-to-asa-inside-interface/m-p/1612245#M580579 <P>Hi,</P><P></P><P>Is it possible to establish PBR rules that set the ip next-hop to point directly to the inside interface of the ASA5550?</P><P>Or, do I need to direct this PBR traffic first to a directly connected router interface and then default route to the ASA?</P><P></P><P>At a high level, here's what we have:</P><P></P><UL><LI>ISP 1 - with /21 IP Prefix</LI><LI>No BGP Routing</LI><LI>3845 Edge Router - Default Route to ISP 1</LI><LI>PIX535 Firewalls (HA) - Default Route to Edge Router</LI><LI>LAN Core/Distribution - Default Route to PIX535 Inside Interface</LI><LI>All applications/services use this egress path for PAT/NAT/DMZ/VPN/Etc.</LI></UL><P></P><P>Here's what we are adding:</P><P></P><UL><LI>ISP 2 - with /24 IP Prefix</LI><LI>No BGP Routing</LI><LI>3925E Edge Router - Default Route to ISP 2</LI><LI>ASA5550 Firewalls (HA) - Default Route to Edge Router</LI><LI>Same connectivity to LAN Core/Distribution</LI></UL><P></P><P>Goals:</P><P></P><UL><LI>Maintain ISP 1 for now</LI><LI>Migrate only end user Internet traffic to ISP 2</LI><LI>No disruptions to applications/services using current DefGW to PIX535</LI></UL><P></P><P>Question:</P><P></P><P>So, my question again is how to best use PBR to selectively direct traffic to the ASA inside interface?</P><P></P><P>Also, please feel free to suggest other methods that might be more appropriate.</P><P></P><P>Thanks!</P><P></P><P>Rob</P> Mon, 11 Mar 2019 20:01:18 GMT https://community.cisco.com/t5/network-security/policy-based-routing-to-asa-inside-interface/m-p/1612245#M580579 rlesyshyn 2019-03-11T20:01:18Z https://community.cisco.com/t5/network-security/policy-based-routing-to-asa-inside-interface/m-p/1612246#M580581 <HTML><HEAD></HEAD><BODY><P>Rob,</P><P></P><P>Just to be clear you're asking on how to configure PBR on the routers correct?</P><P>The reason I ask is because there's no PBR functionality on ASAs.</P><P></P><P>Federico.</P></BODY></HTML> Sat, 05 Mar 2011 18:55:04 GMT https://community.cisco.com/t5/network-security/policy-based-routing-to-asa-inside-interface/m-p/1612246#M580581 Federico Coto Fajardo 2011-03-05T18:55:04Z https://community.cisco.com/t5/network-security/policy-based-routing-to-asa-inside-interface/m-p/1612247#M580583 <HTML><HEAD></HEAD><BODY><P>Hi Federico,</P><P></P><P>Thanks for the reply!</P><P></P><P>I know how to use PBR and I do realize that PBR is not supported ON the ASA.</P><P></P><P>My question is can I use PBR to set an ip next-hop that points to the ASA inside interface?</P><P></P><P>In my scenario above, I do not want to make a wholesale default gateway change just yet to route all traffic away from our legacy PIX535.</P><P></P><P>I just want to selectively move traffic on a subnet by subnet to egress the new ASA.</P><P></P><P>Thanks!</P><P></P><P>Rob</P></BODY></HTML> Sat, 05 Mar 2011 19:23:15 GMT https://community.cisco.com/t5/network-security/policy-based-routing-to-asa-inside-interface/m-p/1612247#M580583 rlesyshyn 2011-03-05T19:23:15Z https://community.cisco.com/t5/network-security/policy-based-routing-to-asa-inside-interface/m-p/1612248#M580587 <HTML><HEAD></HEAD><BODY><P>If you have a router behind the ASA, you can configure PBR on that router to send a subset of traffic to the ASA's inside interface IP.</P><P></P><P>When configuring PBR, you can set the next-hop to be the inside IP of the ASA (the IP, not the actual interface of the ASA) but this should be no problem.</P><P></P><P>In this case it does not matter if the next-hop is an ASA, a router or any other device, you just set the next-hop to the IP address.</P><P></P><P>Federico.</P></BODY></HTML> Sat, 05 Mar 2011 19:29:19 GMT https://community.cisco.com/t5/network-security/policy-based-routing-to-asa-inside-interface/m-p/1612248#M580587 Federico Coto Fajardo 2011-03-05T19:29:19Z https://community.cisco.com/t5/network-security/policy-based-routing-to-asa-inside-interface/m-p/1612249#M580589 <HTML><HEAD></HEAD><BODY><P>Thanks Federico,</P><P></P><P>I thought that was in fact the case - that it is possible to policy route directly to the ASA interface ip address, but wanted to confirm.</P><P></P><P>Thanks again for your responses!</P><P></P><P>Best regards.</P><P></P><P>Rob</P></BODY></HTML> Sat, 05 Mar 2011 19:42:10 GMT https://community.cisco.com/t5/network-security/policy-based-routing-to-asa-inside-interface/m-p/1612249#M580589 rlesyshyn 2011-03-05T19:42:10Z