question about policy based routing on ASA 5500x series

Brad Hodgins
Level 1

Hi,

Does anyone know if PBR on the new ASAs can solve the following scenario? Or is there a better option?

I need to send outbound SMTP traffic out of a separate physical port from the main one.

I have a stateless security device that filters inbound and outbound traffic between our legacy ASA and our internet link. We utilize an online spam service that has its IP whitelisted on the security device, and our MX record points to that service. However, outbound SMTP traffic goes through the security device and is subsequently blocked to certain geographic areas. I can't whitelist all destination mail servers, so I'd like to send all SMTP traffic out an alternate port on the new 5516-X that will bypass the security device.

I don't want other traffic to bypass the security device, only SMTP traffic.

What's the best way of doing this?

Thanks,

B

1 Reply

epoceros1
Level 1

You need to create an access list for the interesting traffic; the route map will then perform PBR based on the protocol.

ciscoasa(config)# access-list Interesting extended permit tcp any any eq smtp

ciscoasa(config)# route-map map-pbr permit 10
ciscoasa(config-route-map)# match ip address Interesting
ciscoasa(config-route-map)# set ip next-hop <ip-of-next-hop-for-smtp-traffic>

Apply the PBR on the inside interface (the interface on which the SMTP traffic enters the ASA):

ciscoasa(config)# interface GigabitEthernet1/3
ciscoasa(config-if)# policy-route route-map map-pbr
 
Regards
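A fuller configuration for the scenario in the question, added here as an example; it is not taken from the original post or from Cisco's documentation. The interface names, the inside subnet, the mail relay address 10.0.0.25 and the next hop 198.51.100.1 are assumptions (RFC 5737 documentation ranges). It tightens the reply's `any any` match to the mail relay alone, so only that host bypasses the security device, and adds the NAT rule the new egress interface needs:

```cisco
! Added example, not from the original post. Interface names, addresses and
! next hops are assumptions chosen for illustration (RFC 5737 ranges).
! Policy-based routing needs ASA 9.4(1) or later.

! Alternate physical port that connects straight to the internet link,
! bypassing the stateless security device.
interface GigabitEthernet1/3
 nameif smtp-out
 security-level 0
 ip address 198.51.100.2 255.255.255.248
 no shutdown

! Only the mail relay (assumed 10.0.0.25) may take the bypass, and only for
! TCP/25. Everything else keeps following the normal default route.
object network MAIL-RELAY
 host 10.0.0.25
access-list PBR-SMTP-ACL extended permit tcp object MAIL-RELAY any eq smtp

route-map PBR-SMTP permit 10
 match ip address PBR-SMTP-ACL
 set ip next-hop 198.51.100.1

! PBR is applied on the ingress interface of the SMTP traffic, because the
! route-map lookup happens as the packet arrives, before normal routing.
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 policy-route route-map PBR-SMTP

! Traffic leaving smtp-out needs its own NAT rule; an existing
! (inside,outside) rule does not apply to a different egress interface.
nat (inside,smtp-out) source dynamic MAIL-RELAY interface

! Verify: the first trace should report smtp-out as the output interface,
! the second (TCP/443 from the same host) should still report outside.
packet-tracer input inside tcp 10.0.0.25 40000 203.0.113.10 25
packet-tracer input inside tcp 10.0.0.25 40000 203.0.113.10 443
```

`show route-map PBR-SMTP` confirms the match and set clauses, and the two `packet-tracer` runs show that only TCP/25 from the relay is steered to the new interface. Because the ASA is stateful, the replies to those SMTP sessions are matched against the connection table and return through smtp-out without any further configuration.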