Beginner

ASA 5508-X PBR Wrong Interface Selection

Hi, I have set up a PBR to route traffic matching an ACL to a second interface. The problem I have is when running debug policy-map I get

pbr: First matching rule from ACL(9)
pbr: route map route-xxx, sequence 10, permit; proceed with policy routing
pbr: evaluating next-hop 203.78.115.123
pbr: no connected route to next-hop 203.78.115.123 found
pbr: policy based routing could not be applied; proceeding with normal route lookup

or when I run packet-tracer I get:

Phase: 1
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map route-xxx permit 10
 match ip address route-xxx
 set ip next-hop 203.78.115.123
Additional Information:
 Matched route-map route-xxx, sequence 10, permit

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 120.1.2.3 using egress ifc  External-Internet

203.78.115.123 is the gateway IP configured for the interface we want to send the traffic out of, so it's connected via 203.78.115.122. Even if I specify the next hop as 203.78.115.122 I get the exact same results in packet tracer and debug.

I have a default route with a metric of 2 for the second interface, I also have a NAT rule allowing traffic out on that interface too. 

object network LAN1
 nat (LAN,External-ISP2) dynamic interface
object network LAN
 nat (LAN,External-ISP1) dynamic interface

route External-ISP1 0.0.0.0 0.0.0.0 120.1.2.3 1
route External-ISP2 0.0.0.0 0.0.0.0 203.78.115.122 2

I can clearly see the PBR is being evaluated, so it's correctly applied to the interface, and it's matching the traffic, so the ACL is configured correctly. The problem I have is it's always picking the default route because it can't see the second interface as directly connected, yet the route table shows it... Can anyone suggest where I've gone wrong?

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 120.72.83.25 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 120.72.83.25, External-Internet
C        120.1.2.0 255.255.255.248 is directly connected, External-Internet
L        120.1.2.3 255.255.255.255 is directly connected, External-Internet
C        192.168.20.0 255.255.255.0 is directly connected, LAN
L        192.168.20.254 255.255.255.255 is directly connected, LAN
C        202.78.115.120 255.255.255.248 is directly connected, External-VPN
L        202.78.115.123 255.255.255.255 is directly connected, External-VPN

Rising star

Re: ASA 5508-X PBR Wrong Interface Selection

Hi,

Can you post complete PBR related config? Have you applied PBR to correct interface?

Thanks,

MS

Beginner

Re: ASA 5508-X PBR Wrong Interface Selection

Hi, as you can see from the policy-map debug, it's evaluating the policy map, so it must be on the correct interface.

!
interface GigabitEthernet1/3
 nameif LAN
 security-level 100
 ip address 192.168.20.254 255.255.255.0 
 policy-route route-map route-o365
VIP Mentor

Re: ASA 5508-X PBR Wrong Interface Selection

Which is your ASA-IP and which is the ISP IP?

You need to have the default-route pointing to the ISP IP with a higher AD and the PBR next hop also pointing to the ISP IP. Your local ASA IP is never the next-hop of the PBR or routing-config on your ASA.

Rising star

Re: ASA 5508-X PBR Wrong Interface Selection

Hello,

You have an incorrect config: you need to correct the next-hop IP address. Instead of the next hop as 203.78.115.123, you need to define 203.78.115.122, which is your default gateway for the ASA interface. I see that you have the less preferred route for the secondary ISP, which is fine.

Looks like 203.78.115.123 is your ASA secondary ISP interface IP.

Also, ensure that the ASA secondary ISP interface is UP.

Reference document:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/route-policy-based.pdf

HTH
AJ

Beginner

Re: ASA 5508-X PBR Wrong Interface Selection

Thanks for the suggestions!

I have just changed the next-hop IP in the route-map back to the gateway IP. Believe me, I have been trying many, many things to get this to work.

I have stripped out the ACL/route-map/policy-route and the default route to the secondary ISP. I have slowly put everything back in place one piece at a time and it's still NOT working.

Packet tracer still shows the PBR being evaluated and matching the ACL/route-map; however, on the Route-Lookup step directly after, it's still choosing the default route with a metric of 1 even though it's been told in the step before to use the default route with a metric of 2. Just to check I wasn't going insane I've even reloaded the ASA.

I think I have nailed down the culprit and I think it's bloody NAT. It's only allowing me to have one dynamic interface NAT rule for the LAN network object. So now I have to work out how I can NAT out both the ISP1 and ISP2 links depending on where the PBR sends the traffic, all from the same /24 subnet. Has anyone got any pointers on this one?

Beginner

Re: ASA 5508-X PBR Wrong Interface Selection

I have been reading the document you mentioned and I have found the following section:

PBR Policies Not Applied for Output Route Look-up
Policy Based Routing is an ingress-only feature; that is, it is applied only to the first packet of a new incoming
connection, at which time the egress interface for the forward leg of the connection is selected. Note that PBR
will not be triggered if the incoming packet belongs to an existing connection, or if NAT is applied

So based on that, if I am doing NAT from my LAN to my WAN connection, PBR will never be evaluated and I cannot direct traffic over a different WAN connection than the default route for specific destinations because I am NATing the traffic? That could explain why my packet-tracers are showing the PBR applied but the Route-Lookup being the default route, not the next-hop IP address?

Rising star

Re: ASA 5508-X PBR Wrong Interface Selection

Sorry for the late reply. I would expect you have 2 NAT statements corresponding to each ISP without a destination keyword. PBR is source-based routing and ideally the NAT statement should not affect the routing judgement as long as we have a NAT for that particular interface. If you look at the packet-tracer output in your initial post, it indicates that PBR kicks in and needs a NAT statement for that chosen interface and a default route for traffic to be forwarded to the next hop.

If you can post the output of the packet-tracer command, we can see where this is failing. Next is captures, which can help identify the issue.

HTH
AJ

VIP Advisor

Re: ASA 5508-X PBR Wrong Interface Selection

Hello

Your next-hop IP, by the looks of it, should be .122 not .123



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Beginner

Re: ASA 5508-X PBR Wrong Interface Selection

Ok so after further testing and some trial & error, by setting 'set interface ISP2' on the route-map it seems that packet-tracer shows the traffic leaving the correct interface.

That's good, however because of NAT it seems that the traffic doesn't actually move past the ASA.

So it looks like it's back to troubleshooting NAT and how I can NAT from the LAN interface to the 2 ISP interfaces at the same time.

Currently for the working ISP (default route) it's just

object network LAN
  nat (LAN,ISP1) dynamic interface

But as it can only have 1 NAT rule, I can't do

object network LAN
  nat (LAN,ISP2) dynamic interface

as then the first NAT rule is overwritten.

How can I get 2 NAT rules so that traffic can leave either ISP interface?

VIP Advisor

Re: ASA 5508-X PBR Wrong Interface Selection

Hello

You don't need to specify a second default route for the PBR, as the fw has a connected interface towards it.
Nat
nat (LAN,ISP1) source dynamic any interface
nat (LAN,ISP2) source dynamic any interface

access-list 100 extended permit icmp any object LAN echo-reply
access-group 100 in interface ISP1
access-group 100 in interface ISP2

route ISP1 0.0.0.0 0.0.0.0 x.x.x.x.x 1

PBR
access-list pbr extended permit ip x.x.x.x. any
route-map PBR_rm permit 10
match ip address pbr
set ip next-hop x.x.x.x

int x/x
nameif LAN
policy-route route-map PBR_rm





kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Beginner

Re: ASA 5508-X PBR Wrong Interface Selection

Thanks Paul. It's pretty much what I have except I had the secondary route in, which I have since removed, and I still can't get this to go.

I think the problem is less that the PBR's configured wrong and more that the second ISP isn't working as expected. Up until now we've only used it exclusively for a VPN connection back to the central office. As that is barely used now in favour of 'the cloud', we want to utilise it to point our traffic to some cloud services onto it, hence the PBR (seemed quite simple in my head).

I think the reason the PBR isn't working is because connectivity out that interface is either a NAT problem (not entirely sure myself if it is or not) or an ISP problem (in which case I could be troubleshooting something and wasting my time). I have sanitized my config and I'm happy to post it, but it's verging on over 450 lines, which makes this comment look hideous. Let me know if it's more appropriate to host it on pastebin etc. and link.

Substitutions applied are:
ISP1 - Interface g1/1 - IP 100.0.0.1
ISP2 - Interface g1/2 - IP 200.0.0.1
LAN - interface g1/3 - 192.186.20.254

Existing VPN connection Endpoint: 50.0.0.1

Route-Map is route-o365, applied to the LAN interface g1/0, and the access-list for it is route-o365

Using packet tracer I still get that it picks up the PBR and apparently applies it, but the second route-lookup always goes back to the primary ISP. Debugging the policy map always ends in

pbr: First matching rule from ACL(9)
pbr: route map route-xxx, sequence 10, permit; proceed with policy routing
pbr: evaluating next-hop 203.78.115.123
pbr: no connected route to next-hop 203.78.115.123 found
pbr: policy based routing could not be applied; proceeding with normal route lookup


Phase: 1
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map route-o365 permit 10
match ip address route-o365
set ip next-hop 200.0.0.2
Additional Information:
Matched route-map route-o365, sequence 10, permit

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 100.0.0.2 using egress ifc External-Internet

Sanitized config is:

VNSGN-RTR-1(config)# show run
: Saved

:
: Serial Number: JADxxxxxLM
: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(1)
!
hostname VNSGN-RTR-1
domain-name domain.com.vn
enable password lol
names

!
interface GigabitEthernet1/1
nameif External-Internet
security-level 0
ip address 100.0.0.1 255.255.255.248
!
interface GigabitEthernet1/2
nameif External-VPN
security-level 0
ip address 200.0.0.1 255.255.255.248
!
interface GigabitEthernet1/3
nameif LAN
security-level 100
ip address 192.168.20.254 255.255.255.0
policy-route route-map route-o365
!
interface GigabitEthernet1/4
nameif Guest
security-level 50
ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet1/5
nameif DMZ
security-level 49
ip address 172.27.3.1 255.255.255.0
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone ICT 7
dns domain-lookup LAN
dns server-group DefaultDNS
name-server 192.168.20.2
name-server 192.168.20.4
domain-name domain.com.vn
object network AucklandLANSubnet
subnet 172.17.15.0 255.255.255.0
description Auckland LAN Subnet/24
object network AucklandDMZSubnet
subnet 172.17.18.0 255.255.255.0
description Auckland DMZ Subnet/24
object network PCAdmin
host 192.168.20.6
description PCAdmin
object network VNDC
host 192.168.20.2
description VNDC
object network NZAKL1-Office-Ext-Network
subnet 50.0.0.1 255.255.255.252
object service Windows-RDP
service tcp source eq 3389 destination eq 3389
object network LAN
subnet 192.168.20.0 255.255.255.0
object network Guest_LAN
subnet 192.168.10.0 255.255.255.0
object network vnhcm1-vpn-1
host 172.27.3.2
object service https
service udp source eq 443 destination eq 443
object network VN-Time-Server
fqdn v4 vn.pool.ntp.org
object network ClientVPN-Network
subnet 172.27.3.0 255.255.255.0
object network ClientVPN_LAN
subnet 172.27.3.0 255.255.255.0
object network ClientVPN
host 172.27.3.2
object network LAN1
subnet 192.168.20.0 255.255.255.0
object network LAN-VPNInt
subnet 192.168.20.0 255.255.255.0
object network LAN-VPNI
object-group network DM_INLINE_NETWORK_1
network-object object AucklandDMZSubnet
network-object object AucklandLANSubnet
object-group network o365Rules
remark office 365 endpoints
access-list External-VPN_cryptomap extended permit ip 192.168.20.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list LAN_access_in extended permit icmp 192.168.20.0 255.255.255.0 any
access-list LAN_access_in extended deny ip 192.168.20.0 255.255.255.0 object-group BLOCKED-SERVICES
access-list LAN_access_in extended permit udp object-group DNS-Servers any eq domain
access-list LAN_access_in extended permit ip host 192.168.20.6 any
access-list LAN_access_in extended permit tcp object-group VNSGN1-Infra-Servers any object-group ExternalWebAccess
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 any object-group ExternalWebAccess
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 object-group NZAKL1-All-Subnets eq 3389
access-list LAN_access_in extended permit ip object PCAdmin object NADA
access-list LAN_access_in extended permit tcp object VNDEV08 object-group Calqtech-RDP-Servers eq 3389
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 172.17.15.0 255.255.255.0 object-group LynchFileTransferServiceGroup
access-list LAN_access_in extended permit ip 192.168.20.0 255.255.255.0 object ZEUS
access-list LAN_access_in extended permit ip 192.168.20.0 255.255.255.0 object LyncServer02
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 object AucklandLANSubnet object-group ExternalWebAccess
access-list LAN_access_in extended permit object-group SIPServiceGroup 192.168.20.0 255.255.255.0 object AucklandLANSubnet
access-list LAN_access_in extended permit ip 192.168.20.0 255.255.255.0 object SCCM
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 object-group AzureSQLDatabase object-group AzureSQL
access-list LAN_access_in extended permit object-group TCP-UDP 192.168.20.0 255.255.255.0 object-group Merlot-Aero-Azure-VMs object-group Merlot-Aero-AzureVM-PortGroup
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 object AUGENTFS03 eq 8080
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 object NADA eq 8080
access-list LAN_access_in extended permit tcp object PCAdmin any eq ftp
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 object-group NZVMCHL-Servers eq 3389
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 object-group NZVMCHL-Servers eq 135
access-list LAN_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 object softtech-logserver.database.windows.net object-group AzureSQL
access-list LAN_access_in extended permit object-group DM_INLINE_SERVICE_3 192.168.20.0 255.255.255.0 object NZAKL1IIS001
access-list LAN_access_in extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list LAN_access_in extended permit tcp 192.168.20.0 255.255.255.0 host 172.17.15.9 eq ftp
access-list LAN_access_in extended permit ip 192.168.20.0 255.255.255.0 object NZAKL1SQ001
access-list LAN_access_in extended permit tcp object-group Allow-GoRentals-UAT object-group GoRentals-Azure-Resources object-group DM_INLINE_TCP_3
access-list LAN_access_in extended permit udp object-group ESXi-Server-Group object VN-Time-Server eq ntp
access-list LAN_access_in extended permit object-group PPTPGroup object-group DM_INLINE_NETWORK_5 object DRCT-VPNEndpoint
access-list LAN_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 object dp-dev.database.windows.net object-group AzureSQL
access-list Allow_All extended permit ip any any
access-list External-VPN_access_in_controlplane extended permit tcp object AucklandLANSubnet any object-group DM_INLINE_TCP_2
access-list External-VPN_access_in_controlplane extended permit tcp object NZAKL1-Office-Ext-Network any object-group DM_INLINE_TCP_1
access-list External-Internet_access_in extended permit tcp object NZAKL1-Office-Ext-Network object PCAdmin eq 3389
access-list External-Internet_access_in extended permit icmp any any time-exceeded
access-list External-Internet_access_in extended permit udp any object vnhcm1-vpn-1 eq 1194
access-list External-Internet_access_in extended permit icmp any any unreachable
access-list Guest_access_in extended permit ip host 192.168.10.253 host 192.168.20.6
access-list Guest_access_in extended permit tcp 192.168.10.0 255.255.255.0 any object-group ExternalWebAccess
access-list Guest_access_in extended permit icmp 192.168.10.0 255.255.255.0 any
access-list Guest_access_in extended permit udp 192.168.10.0 255.255.255.0 any eq domain
access-list Guest_access_in extended permit tcp 192.168.10.0 255.255.255.0 object app.ss-prophet.com eq 3389
access-list Guest_access_in extended permit ip 192.168.10.0 255.255.255.0 object secure.domain.com
access-list Guest_access_in extended permit tcp object vnhcm1-vpn-1 object-group DM_INLINE_NETWORK_3 eq ldap
access-list global_mpc extended permit ip any any
access-list ClientVPN_access_in extended permit ip object vnhcm1-vpn-1 any
access-list ClientVPN_access_in extended permit tcp object vnhcm1-vpn-1 object-group DM_INLINE_NETWORK_4 eq ldap
access-list ClientVPN_access_in extended permit object-group DM_INLINE_SERVICE_1 object VPN-Network 192.168.20.0 255.255.255.0
access-list route-o365 extended permit ip any object-group o365Rules
pager lines 50
logging enable
logging timestamp
no logging hide username
logging standby
logging list SysLogList level informational
logging trap informational
logging asdm informational
logging mail critical
logging device-id hostname
logging host LAN 192.168.20.22
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination LAN 192.168.20.6 5002
flow-export template timeout-rate 1
flow-export delay flow-create 30
mtu External-Internet 1500
mtu External-VPN 1500
mtu LAN 1500
mtu Guest 1500
mtu DMZ 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo LAN
icmp permit any echo-reply LAN
icmp permit any echo Guest
icmp permit any echo-reply Guest
asdm image disk0:/asdm-781.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (LAN,Guest) source static LAN LAN destination static Guest Guest
nat (LAN,External-VPN) source static LAN LAN destination static NZAKL1-All-Subnets NZAKL1-All-Subnets no-proxy-arp route-lookup
nat (LAN,External-VPN) source dynamic any interface
nat (LAN,External-Internet) source dynamic any interface
!
object network PCAdmin
nat (LAN,External-Internet) static interface service tcp 3389 1337
object network Guest_LAN
nat (Guest,External-Internet) dynamic interface
object network vnhcm1-vpn-1
nat (DMZ,External-Internet) static 100.0.0.2 service udp 1194 1194
object network ClientVPN_LAN
nat (DMZ,External-Internet) dynamic interface
access-group External-Internet_access_in in interface External-Internet
access-group External-VPN_access_in_controlplane in interface External-VPN control-plane
access-group LAN_access_in in interface LAN
access-group Guest_access_in in interface Guest
access-group ClientVPN_access_in in interface DMZ
!
route-map route-o365 permit 10
match ip address route-o365
set interface External-VPN

!
route External-Internet 0.0.0.0 0.0.0.0 100.0.0.2 1
route External-VPN 50.0.0.1 255.255.255.255 200.0.0.2 1
route External-VPN 172.17.15.0 255.255.255.0 200.0.0.2 1
route External-VPN 172.17.18.0 255.255.255.0 200.0.0.2 1
route DMZ 172.27.5.0 255.255.255.0 172.27.3.2 1
route Guest 192.168.21.0 255.255.255.0 192.168.10.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization http console LOCAL
aaa authentication login-history
http server enable
http 192.168.20.6 255.255.255.255 LAN
http 172.17.15.0 255.255.255.0 LAN
snmp-server host LAN 192.168.20.6 community ***** version 2c
snmp-server location HCMC
snmp-server contact Admin
sysopt noproxyarp LAN
service sw-reset-button
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map External-VPN_map5 1 match address External-VPN_cryptomap
crypto map External-VPN_map5 1 set pfs
crypto map External-VPN_map5 1 set peer 50.0.0.1
crypto map External-VPN_map5 1 set ikev1 phase1-mode aggressive
crypto map External-VPN_map5 1 set ikev1 transform-set ESP-3DES-SHA
crypto map External-VPN_map5 1 set security-association lifetime seconds 86400
crypto map External-VPN_map5 1 set security-association lifetime kilobytes unlimited
crypto map External-VPN_map5 1 set nat-t-disable
crypto map External-VPN_map5 interface External-VPN
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xxxx
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable External-VPN
crypto ikev1 enable External-VPN
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 50.0.0.1 255.255.255.252 External-Internet
ssh 50.0.0.1 255.255.255.252 External-VPN
ssh 192.168.20.6 255.255.255.255 LAN
ssh 172.17.15.0 255.255.255.0 LAN
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access LAN

dhcpd auto_config External-Internet
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 150.101.254.110
group-policy AugenVPNGroupPolicy internal
group-policy AugenVPNGroupPolicy attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 50.0.0.1 type ipsec-l2l
tunnel-group 50.0.0.1 general-attributes
default-group-policy AugenVPNGroupPolicy
tunnel-group 50.0.0.1 ipsec-attributes
ikev1 pre-shared-key ********
!
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map route-o365
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect pptp
class global-class
flow-export event-type all destination 192.168.20.6
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:xxxxx
: end

VIP Advocate

Re: ASA 5508-X PBR Wrong Interface Selection

object-group network o365Rules
remark office 365 endpoints
access-list route-o365 extended permit ip any object-group o365Rules
route-map route-o365 permit 10
match ip address route-o365
set interface External-VPN


Is the object-group network o365Rules a copy-paste error? It only has a remark.

--
Please remember to rate and select a correct answer
Beginner

Re: ASA 5508-X PBR Wrong Interface Selection

Hi Marius, not an error, but removed to make the config as small as possible, it has ~150 rules in it and you can see by packet tracer output earlier in the post it is matching against it.

VIP Advocate

Re: ASA 5508-X PBR Wrong Interface Selection

I don't see an interface within the 203.78.115.123 subnet configured on your ASA.  As the error message states, you need an interface that is directly connected to the second ISP or use a directly connected subnet that is in the path to the second ISP.

interface GigabitEthernet1/1
nameif External-Internet
security-level 0
ip address 100.0.0.1 255.255.255.248
!
interface GigabitEthernet1/2
nameif External-VPN
security-level 0
ip address 200.0.0.1 255.255.255.248
!
interface GigabitEthernet1/3
nameif LAN
security-level 100
ip address 192.168.20.254 255.255.255.0
policy-route route-map route-o365
!
interface GigabitEthernet1/4
nameif Guest
security-level 50
ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet1/5
nameif DMZ
security-level 49
ip address 172.27.3.1 255.255.255.0

--
Please remember to rate and select a correct answer
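As an added example (written here, not code from this thread or from Cisco), a Python checker that encodes the two prerequisites the replies above converge on: the route-map's next hop has to be the ISP gateway inside a directly connected subnet (never the ASA's own interface address), and a dynamic NAT has to exist from the ingress interface to whichever egress interface PBR ends up selecting. The config it parses is a constructed excerpt in the style of the sanitized show run above, reusing the thread's interface, route-map and NAT names; the parser only understands the interface, nat and route-map lines these checks need.

```python
import ipaddress

# Constructed config excerpt in the style of the sanitized "show run" posted in this thread.
SAMPLE_CONFIG = """
interface GigabitEthernet1/1
 nameif External-Internet
 ip address 100.0.0.1 255.255.255.248
interface GigabitEthernet1/2
 nameif External-VPN
 ip address 200.0.0.1 255.255.255.248
interface GigabitEthernet1/3
 nameif LAN
 ip address 192.168.20.254 255.255.255.0
 policy-route route-map route-o365
nat (LAN,External-VPN) source dynamic any interface
nat (LAN,External-Internet) source dynamic any interface
route-map route-o365 permit 10
 match ip address route-o365
 set ip next-hop 203.78.115.123
"""


def parse_config(text):
    """Pull interfaces, dynamic NAT (ingress, egress) pairs and route-maps out of a config."""
    interfaces, nats, routemaps = {}, set(), {}
    ctx = None  # the interface or route-map block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            ctx = None
            continue
        tok = line.split()
        if tok[0] == "interface":
            ctx = {"network": None, "ip": None, "policy_route": None}
        elif tok[0] == "route-map":
            ctx = routemaps.setdefault(tok[1], {"next_hop": None, "interface": None})
        elif tok[0] == "nat" and "dynamic" in tok[2:4]:
            # Covers twice NAT ("nat (a,b) source dynamic ...") and object NAT ("nat (a,b) dynamic ...")
            nats.add(tuple(tok[1].strip("()").split(",")))
        elif ctx is None:
            continue
        elif tok[0] == "nameif":
            interfaces[tok[1]] = ctx
        elif tok[:2] == ["ip", "address"]:
            ctx["ip"] = ipaddress.IPv4Address(tok[2])
            ctx["network"] = ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[:2] == ["policy-route", "route-map"]:
            ctx["policy_route"] = tok[2]
        elif tok[:3] == ["set", "ip", "next-hop"]:
            ctx["next_hop"] = ipaddress.IPv4Address(tok[3])
        elif tok[:2] == ["set", "interface"]:
            ctx["interface"] = tok[2]
    return interfaces, nats, routemaps


def audit(text):
    """Return findings for every interface carrying policy-route; an empty list means PBR can pick its egress."""
    interfaces, nats, routemaps = parse_config(text)
    findings = []
    for ingress, ifc in interfaces.items():
        rm_name = ifc["policy_route"]
        rm = routemaps.get(rm_name)
        if rm is None:
            continue  # PBR is ingress-only, so only interfaces with policy-route matter
        egress, nh = rm["interface"], rm["next_hop"]
        if nh is not None:
            # Check 1: next hop must be in a connected subnet and be the ISP gateway, not the ASA's own IP
            owners = [n for n, i in interfaces.items() if i["network"] and nh in i["network"]]
            if not owners:
                findings.append(f"{rm_name}: no connected route to next-hop {nh}")
            elif interfaces[owners[0]]["ip"] == nh:
                findings.append(f"{rm_name}: next-hop {nh} is the ASA's own address on {owners[0]}")
            else:
                egress = owners[0]
        if egress is None:
            findings.append(f"{rm_name}: no usable egress (bad next-hop and no 'set interface')")
            continue
        # Check 2: a dynamic NAT from ingress to the chosen egress, or the flow is steered but never translated
        if (ingress, egress) not in nats:
            findings.append(f"{rm_name}: no dynamic NAT from {ingress} to {egress}")
    return findings
```

Feed a real show run into audit() to reproduce the "no connected route to next-hop" condition the debug policy-map output reports, and to catch the missing per-ISP NAT that the later replies identify.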