
Source Routing/Route Maps on ASA

Hi,

We have the scenario attached in this post, where we have the same subnet (172.21.0.0/16) behind our DMZ and our management interfaces on our Cisco ASA.

Supposing we can’t modify our subnets, and we want to use source routing on the ASA as below:

  • All traffic arriving from outside with source IP address 10.1.163.0/24 and destination 172.21.0.0/16 be routed to DMZ (10.46.254.19)
  • Any other traffic with destination IP address 172.21.0.0/16 be routed to management (172.21.3.65).

Can you please propose a solution to this problem on ASA (any workaround, any possible alternative configuration).

Thanks in advance.

Cisco Employee

Source Routing/Route Maps on ASA

Hey,

What you are trying to do is called PBR, which is not supported on the ASA firewall. Its stateful algorithm wouldn't allow it to track the TCP sessions effectively, so that could lead to an insecure environment. Here is a better explanation:

Q. Can Cisco 5500 Series ASA do Policy Based Routing (PBR) like a Cisco Router? For example, mail traffic should be routed to the first ISP while http traffic should be routed to the second one.

A. Unfortunately, there is no way to do policy-based routing on the ASA at this time. It can be a feature that is added to the ASA in the future.

Note: The route-map command is used to redistribute routes between routing protocols, such as OSPF and RIP, with the use of metrics and not to policy route regular traffic as in routers.

This is the document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml

Hope it helps

Mike

PS, I could not make the font smaller, sorry about that.

Cisco Employee

Source Routing/Route Maps on ASA

Firstly, you won't be able to perform any source-based routing on the ASA.

So the alternative is to use a static NAT for one of the networks. For example:

NAT the network behind any one interface to another network, x.x.x.0, and ask users to connect to the x.x.x.0 network.

If even this does not work, then I guess put a router behind the ASA and do source-based routing on that:

outside------asa-----------router------------------management
                             |
                             |------------------DMZ
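The router-behind-the-ASA design from the reply above, written out as an added configuration example; this is not configuration from the thread or from Cisco. Only the prefixes and next hops stated in the original post (10.1.163.0/24, 172.21.0.0/16, 10.46.254.19, 172.21.3.65) are taken from the page. Everything else is assumed for illustration: the interface names and numbering, the router's own addresses on the DMZ and management legs, and the 192.168.100.0/24 link between the ASA inside interface and the router.

```text
! ===== ASA =====
! The ASA keeps a single inside interface towards the router. The DMZ and
! management networks no longer hang off the ASA directly, so the overlapping
! 172.21.0.0/16 prefix appears only once in the ASA routing table and the
! stateful inspection sees one ingress and one egress interface per flow.
! 192.168.100.0/24 and the interface names are ASSUMED for this example.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
route inside 172.21.0.0 255.255.0.0 192.168.100.2

! ===== IOS router behind the ASA =====
! Source-based (policy) routing is done here, on the router.
! Interface numbering and the router's addresses are ASSUMED.
!
! PBR is evaluated on the ingress interface, i.e. the one facing the ASA.
interface GigabitEthernet0/0
 description Link to ASA inside
 ip address 192.168.100.2 255.255.255.0
 ip policy route-map SRC-ROUTE
!
! Classic IOS "set ip next-hop" expects an adjacent next hop, so the router
! needs a leg in the same subnet as the DMZ router 10.46.254.19.
interface GigabitEthernet0/1
 description Link to DMZ router (10.46.254.19)
 ip address 10.46.254.1 255.255.255.0
!
interface GigabitEthernet0/2
 description Link to management (172.21.3.65)
 ip address 172.21.3.1 255.255.255.0
!
! Match only the flows that must reach the DMZ copy of 172.21.0.0/16:
! source 10.1.163.0/24, destination 172.21.0.0/16.
ip access-list extended PBR-TO-DMZ
 permit ip 10.1.163.0 0.0.0.255 172.21.0.0 0.0.255.255
!
! Matching packets get the DMZ router as next hop. There is deliberately no
! further sequence: every other packet, including other sources going to
! 172.21.0.0/16, falls through to the normal routing table.
route-map SRC-ROUTE permit 10
 match ip address PBR-TO-DMZ
 set ip next-hop 10.46.254.19
!
! Normal routing: 172.21.0.0/16 goes to management, everything else back to
! the ASA. Return traffic from both DMZ and management takes the default.
ip route 172.21.0.0 255.255.0.0 172.21.3.65
ip route 0.0.0.0 0.0.0.0 192.168.100.1
```

To check that the policy is actually hit, send test traffic from a 10.1.163.0/24 host and look at the "Policy routing matches" counter in `show route-map SRC-ROUTE`; `show ip policy` confirms the route-map is bound to the ASA-facing interface. Two caveats worth knowing: the ACL is written for exactly the two rules in the original post, so anything you add later (for example a second source prefix) belongs in the same ACL or a new route-map sequence, not in the ASA; and ASA software 9.4(1) and later added native policy-based routing with the same route-map match/set structure, applied with `policy-route route-map <name>` under the ingress interface, which removes the need for the extra router on current code.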