Cisco ASA PBR forwarding

nshinde01
Level 1

I have a Cisco ASA 5525-X with 2 ISPs (consider X and Y). I want to use both of them for load balancing, but the issue is I have a site-to-site VPN over ISP-X. As per my understanding, if my PBR routes my VPN interested traffic through ISP-Y, it would be dropped.
Not sure if the ASA checks the crypto ACL first or the PBR.
Please help me to understand.
 

Accepted Solution

Jon Marshall
Hall of Fame

Haven't used PBR on ASAs but the routing happens first whether that is with PBR or the routing table.

If the traffic is then routed out of an interface that has a crypto map applied and the traffic matches an entry in the ACL, it will be sent down the tunnel.

I'm not sure what the issue is though.

If you are using PBR, just make sure the VPN traffic is policy routed to the right interface or exclude it from PBR, and if the routing table already points out the right interface, i.e. your default route, it should work anyway.

Jon
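The ordering Jon describes (PBR on the ingress interface, then the routing table, and only then the crypto map bound to the chosen egress interface) is easy to get wrong when a PBR ACL is written as "everything from this subnet goes to ISP-Y". The script below is an added example, not code from the original thread or from Cisco; it parses a constructed, minimal ASA-style config (interface names, the PBR-ACL/VPN-ACL/OUTSIDE-MAP names and the documentation-range addresses are all assumptions) and walks a flow through that decision order. It runs the same flows twice: once with a `deny` line that excludes the VPN-interested subnet pair from PBR, and once without it, which is the case the question worries about. The model deliberately ignores NAT, interface ACLs and next-hop verification and only covers the ordering discussed above.

```python
import ipaddress

# Constructed ASA-style config (documentation address ranges), not from the original post.
# outside-x carries the site-to-site tunnel; outside-y is ISP-Y. The PBR-ACL deny line
# is the exclusion that keeps VPN-interested traffic out of policy routing.
ASA_CONFIG = """
interface GigabitEthernet0/0
 nameif outside-x
 ip address 203.0.113.10 255.255.255.0
interface GigabitEthernet0/1
 nameif outside-y
 ip address 198.51.100.10 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 ip address 10.1.0.1 255.255.0.0
 policy-route route-map PBR-LB
access-list VPN-ACL extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list PBR-ACL extended deny ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list PBR-ACL extended permit ip 10.1.0.0 255.255.255.0 any
route-map PBR-LB permit 10
 match ip address PBR-ACL
 set ip next-hop 198.51.100.1
route outside-x 0.0.0.0 0.0.0.0 203.0.113.1 1
crypto map OUTSIDE-MAP 10 match address VPN-ACL
crypto map OUTSIDE-MAP interface outside-x
"""
# Same config with the exclusion removed: the situation the question is worried about.
ASA_CONFIG_NO_EXCLUDE = "\n".join(
    l for l in ASA_CONFIG.splitlines() if not l.startswith("access-list PBR-ACL extended deny"))

def _addr_spec(tok):
    """'any' or 'ADDR MASK' at the front of tok -> (network, tokens consumed)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), 2

def parse_asa(text):
    """Extract only what the forwarding decision needs (a real ASA parser is far larger)."""
    cfg = {"ifaces": {}, "acls": {}, "route_maps": {}, "routes": [], "crypto_acls": {}}
    cur_if = cur_rm = None
    for raw in text.splitlines():
        t, sub = raw.split(), raw.startswith(" ")
        if not t:
            continue
        if t[0] == "interface":
            cur_if, cur_rm = {"subnet": None, "pbr": None, "crypto": None}, None
        elif sub and cur_if and t[0] == "nameif":
            cfg["ifaces"][t[1]] = cur_if
        elif sub and cur_if and t[:2] == ["ip", "address"]:
            cur_if["subnet"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif sub and cur_if and t[0] == "policy-route":   # PBR binds to the ingress interface
            cur_if["pbr"] = t[2]
        elif t[0] == "access-list":   # access-list NAME extended ACTION ip SRC DST
            src, n = _addr_spec(t[5:])
            cfg["acls"].setdefault(t[1], []).append((t[3], src, _addr_spec(t[5 + n:])[0]))
        elif t[0] == "route-map":   # route-map NAME permit SEQ
            cur_if, cur_rm = None, {"seq": int(t[3]), "acl": None, "next_hop": None}
            cfg["route_maps"].setdefault(t[1], []).append(cur_rm)
        elif sub and cur_rm and t[:3] == ["match", "ip", "address"]:
            cur_rm["acl"] = t[3]
        elif sub and cur_rm and t[:3] == ["set", "ip", "next-hop"]:
            cur_rm["next_hop"] = t[3]
        elif t[0] == "route":   # route IFACE NET MASK GW [metric]
            cfg["routes"].append((ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[1], t[4]))
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cfg["ifaces"][t[4]]["crypto"] = t[2]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cfg["crypto_acls"].setdefault(t[2], []).append(t[6])
    return cfg

def acl_lookup(acl, src, dst):
    """First matching entry decides; None when nothing matches (implicit deny)."""
    return next((action for action, s, d in acl if src in s and dst in d), None)

def iface_for(cfg, addr):
    return next((n for n, i in cfg["ifaces"].items() if i["subnet"] and addr in i["subnet"]), None)

def forward(cfg, src, dst):
    """(egress nameif, why, disposition) for one flow, in ASA order: PBR on the ingress
    interface, then the routing table, then the crypto map of the chosen egress interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress, how, ingress = None, "no route", iface_for(cfg, s)
    if ingress and cfg["ifaces"][ingress]["pbr"]:
        for e in cfg["route_maps"][cfg["ifaces"][ingress]["pbr"]]:
            # An ACL deny or no match just means this sequence does not apply to the flow.
            if e["acl"] and e["next_hop"] and acl_lookup(cfg["acls"][e["acl"]], s, d) == "permit":
                egress = iface_for(cfg, ipaddress.ip_address(e["next_hop"]))
                how = f"pbr seq {e['seq']} next-hop {e['next_hop']}"
                break
    if egress is None:   # ordinary routing: longest prefix match
        best = max((r for r in cfg["routes"] if d in r[0]), key=lambda r: r[0].prefixlen, default=None)
        if best:
            egress, how = best[1], f"route {best[0]} via {best[2]}"
    # Only now is a crypto map consulted, and only the one bound to the egress interface.
    interested = any(acl_lookup(cfg["acls"][a], s, d) == "permit"
                     for names in cfg["crypto_acls"].values() for a in names)
    cmap = cfg["ifaces"][egress]["crypto"] if egress else None
    if cmap and any(acl_lookup(cfg["acls"][a], s, d) == "permit" for a in cfg["crypto_acls"][cmap]):
        return egress, how, "encrypted"
    return egress, how, "bypasses-tunnel" if interested else "plaintext"

if __name__ == "__main__":
    for label, text in (("with exclusion", ASA_CONFIG), ("without exclusion", ASA_CONFIG_NO_EXCLUDE)):
        for flow in (("10.1.0.50", "10.2.0.7"), ("10.1.0.50", "192.0.2.80")):
            print(label, flow, forward(parse_asa(text), *flow))
```

With the `deny` line present, 10.1.0.50 to 10.2.0.7 falls through PBR to the default route on outside-x and is reported as encrypted, while ordinary internet traffic from 10.1.0.0/24 is policy routed to outside-y in the clear. Without it, the same VPN-interested flow is policy routed to outside-y, where no crypto map is bound, so it never enters the tunnel. On a real ASA the equivalent check is `packet-tracer input inside tcp 10.1.0.50 12345 10.2.0.7 443`, whose phases show whether the flow was handled by PBR or a route lookup before the VPN phase.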


Hello Jon,

Thanks for your quick response. That helps me to understand how the traffic encryption decision is made by the device. I have to check if I am exposing my whole internal subnet over the VPN.

I think 'reverse-route' in the crypto map and 'set ip default next-hop' together can help me, but I have to think about it.
Also I have not considered remote-access VPN traffic at the moment; I do not want that to get hampered because of PBR.

I totally forgot that I can match source and destination IP all together to make an intelligent forwarding decision.
I will come back with my solution.
