Welcome to Cisco Firewalls Community
Enthusiast

Cisco ASA PBR

Looking to do PBR on the ASA for Tunnel interface, is this possible? 

It has been a super long time since I have done this because I try to avoid it at all costs. I can't recall when I make a PBR ACL that uses a source subnet to a destination subnet on ports 80/443, what happens to the traffic not from that subnet? I ask because I am tying the ACL to the inside interface and do not want other traffic to get blocked. Do I need to add a permit any after matching the ACL in the route-map?

6 Replies
VIP Advisor

Re: Cisco ASA PBR

here is the reference guide:

https://community.cisco.com/t5/networking-documents/how-to-configure-pbr/ta-p/3122774

 

good example:

https://www.networkstraining.com/cisco-asa-policy-based-routing-pbr/

make sure you have version 9.4.x or above.

BB
*** Rate All Helpful Responses ***
Enthusiast

Re: Cisco ASA PBR

So when looking at this:

route-map PBR permit 2 <– create the route-map and give it a name “PBR”
match ip address PBR_ACL1 <– match the traffic of LAN1 identified in ACL1 created above
set ip next-hop 50.50.50.2 <– set the next hop of LAN1 traffic to be ISP1

route-map PBR permit 3 <– create another entry in the same route-map
match ip address PBR_ACL2 <– match the traffic of LAN2 identified in ACL2 created above
set ip next-hop 55.55.55.2 <– set the next hop of LAN2 traffic to be ISP2

What if I want only one network of many behind the firewall to traverse ISP1 and want everything else to hit ISP2?

Would the second statement have an acl that is "access-list PBR_ACL_2 extended permit ip any any" so it would process my more defined network first and send it out ISP1 and then take anything after that matching any any and send it out ISP2?
Beginner

Re: Cisco ASA PBR

"Would the second statement have an acl that is "access-list PBR_ACL_2 extended permit ip any any" so it would process my more defined network first and send it out ISP1 and then take anything after that matching any any and send it out ISP2?"

This is correct. Alternatively, you could simply have your default route through ISP2; that way you only need one entry in the route map used for PBR.

route WAN_ISP2 0.0.0.0 0.0.0.0 55.55.55.2
!
route-map PBR permit 2
 match ip address PBR_ACL1
 set ip next-hop 50.50.50.2
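To make the behaviour of non-matching traffic concrete, here is an added example configuration written for this reply; it is not from the thread, the linked guides, or Cisco documentation. The interface names, the 10.20.42.0/24 inside subnet, the NAT object and the packet-tracer test addresses are assumptions.

```cisco
! Added example (not from the thread): ASA 9.4+ PBR that sends only web traffic from
! 10.20.42.0/24 to ISP1; everything else follows the default route via ISP2.
! Interface names, the inside subnet and all addresses are assumed.
interface GigabitEthernet0/0
 nameif WAN_ISP1
 security-level 0
 ip address 50.50.50.1 255.255.255.0
interface GigabitEthernet0/1
 nameif WAN_ISP2
 security-level 0
 ip address 55.55.55.1 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.20.42.3 255.255.255.0
!
! Default route: whatever the route-map does not select is routed here (ISP2).
route WAN_ISP2 0.0.0.0 0.0.0.0 55.55.55.2 1
!
! PBR match ACL. Only permit lines select traffic; a deny here excludes a flow
! from the clause, it does not drop it, so no "permit ip any any" is needed to
! let other flows through.
access-list PBR_ACL1 extended permit tcp 10.20.42.0 255.255.255.0 any eq 80
access-list PBR_ACL1 extended permit tcp 10.20.42.0 255.255.255.0 any eq 443
!
route-map PBR permit 10
 match ip address PBR_ACL1
 set ip next-hop 50.50.50.2
!
! Apply PBR on the ingress interface. Flows that match no permit clause are
! not dropped; they are forwarded by the routing table.
interface GigabitEthernet0/2
 policy-route route-map PBR
!
! NAT for both egress interfaces: a flow that PBR sends out WAN_ISP1 needs a
! translation on that interface too, not only on the default-route interface.
object network INSIDE_NET
 subnet 10.20.42.0 255.255.255.0
nat (inside,WAN_ISP1) source dynamic INSIDE_NET interface
nat (inside,WAN_ISP2) source dynamic INSIDE_NET interface
!
! Verification: packet-tracer reports the output interface chosen for a flow.
! Expected: the first egresses WAN_ISP1, the other two WAN_ISP2.
! packet-tracer input inside tcp 10.20.42.50 40000 4.2.2.2 443
! packet-tracer input inside tcp 10.20.42.50 40000 4.2.2.2 22
! packet-tracer input inside tcp 10.30.0.50 40000 4.2.2.2 443
```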

Enthusiast

Re: Cisco ASA PBR

Something is wrong that I cannot see or notice. I am seeing the entries in the xlate table but no internet is getting out. 

ICMP shows this:

Stevens-MacBook-Pro:~ stevenwiliams$ traceroute 4.2.2.2
traceroute to 4.2.2.2 (4.2.2.2), 64 hops max, 52 byte packets
 1  10.20.42.3 (10.20.42.3)  0.625 ms  0.325 ms  0.266 ms
 2  10.53.100.9 (10.53.100.9)  0.722 ms
    10.53.100.13 (10.53.100.13)  0.873 ms  0.915 ms
 3  * * *
 4  * * 192.133.72.1 (192.133.72.1)  1.747 ms !N
 5  192.133.72.1 (192.133.72.1)  1.721 ms !N * *
 6  192.133.72.1 (192.133.72.1)  1.931 ms !N *  2.042 ms !N
Stevens-MacBook-Pro:~ stevenwiliams$

Enthusiast

Re: Cisco ASA PBR

Will a packet tracer detail actually process the traffic using the PBR acl?