Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3973
Views
10
Helpful
8
Replies

PBR on cisco ASA

Go to solution
pugliededaniele88
Level 1
Level 1

‎02-05-2018 05:13 AM - edited ‎02-21-2020 07:17 AM

Dear all,

I have a cisco asa vers. 8.4(2)8 with 2 outside interface. I need to redirect the traffic form only 1 host to use a different outside interface. I explane better

Outside1 = internet traffic

Outside2= single host traffic

 

I tried to create a route-map but it seems does't possibile on my version.


Can anyone help me to do this ?

 

Thank you,


Daniele.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ajay Saini
Level 7
Level 7

‎02-05-2018 08:12 AM

Hello,

 

PBR is available 9.4.1 onwards:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html#pgfId-116518

 

You would need to upgrade the ASA to 9.4.1 to get this support.

 

HTH

AJ

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Ajay Saini
Level 7
Level 7

‎02-05-2018 08:12 AM

Hello,

 

PBR is available 9.4.1 onwards:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html#pgfId-116518

 

You would need to upgrade the ASA to 9.4.1 to get this support.

 

HTH

AJ

0 Helpful

Go to solution
pugliededaniele88
Level 1
Level 1
In response to Ajay Saini

‎02-06-2018 05:19 AM

Hi,

I see the software version availability and the last version available is 9.1.7. 9.4.1 is not available. Is this version not compatibile with asa 5510 ?

0 Helpful

Go to solution
Ajay Saini
Level 7
Level 7
In response to pugliededaniele88

‎02-06-2018 07:20 AM

Thats true, legacy ASA does not support the version 9.4.x and hence PBR.

 

-

HTH
AJ

0 Helpful

Go to solution
pugliededaniele88
Level 1
Level 1
In response to Ajay Saini

‎02-06-2018 07:47 AM

Hi,

can you explain me what means legacy asa ? is there a lists of the compatible device ?

 

Thank you,

 

Daniele.

0 Helpful

Go to solution
Ajay Saini
Level 7
Level 7
In response to pugliededaniele88

‎02-07-2018 09:51 PM

Hello,

 

You can refer to following tables for the info. Legacy ASA means the old ASA 5500 devices. Newer ones came out as 5500-X series appliances followed by Firepower UTM appliances, likes of 2100, 4100, 7000 and 8000 series:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#pgfId-112283

 

Refer to table 6.

 

-

HTH
AJ

Go to solution
pugliededaniele88
Level 1
Level 1
In response to Ajay Saini

‎02-08-2018 12:21 AM

thank you :)

0 Helpful

Go to solution
pugliededaniele88
Level 1
Level 1
In response to pugliededaniele88

‎02-08-2018 05:57 AM

Hi,

I found a work-around with a nat rule to route the traffic from the host out another interface.

 

object-group network NAVIGAZIONE_DIROTTATA

 description --host dirottati verso l'interfaccia outside--

 network-object 192.2.200.135 255.255.255.255

 

 object network ANY

 subnet 0.0.0.0 0.0.0.0

 

 

nat (inside,outside) source dynamic NAVIGAZIONE_DIROTTATA interface destination static ANY any

 

 

I'm just waiting for confirmation from our customer that it works.

Go to solution
pugliededaniele88
Level 1
Level 1
In response to pugliededaniele88

‎02-09-2018 03:55 AM

Hi,

I write to confirm that the nat rule works fine.

 

You need to pay attention at the function of proxy-arp. This function need to be disabled with command

 sysopt noproxyarp inside

 

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card