Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9339
Views
0
Helpful
2
Replies

Source Routing/Route Maps on ASA

pemasirid
Level 1
Level 1

‎06-13-2011 03:57 PM - edited ‎03-11-2019 01:44 PM

Hi,

We have the scenario attached in this post, where we have the same subnet (172.21.0.0/16) behind our DMZ and our management interfaces on our Cisco ASA.

Supposing we can’t modify our subnets, and we want to use source routing on the ASA as below:

  • All traffic arriving from outside with source IP address 10.1.163.0/24 and destination 172.21.0.0/16 be routed to DMZ (10.46.254.19)
  • Any other traffic with destination IP address 172.21.0.0/16 be routed to management (172.21.3.65).

Can you please propose a solution to this problem on ASA (any workaround, any possible alternative configuration).

Thanks in advance.

Labels:
Preview file
29 KB
0 Helpful
2 Replies 2

Maykol Rojas
Cisco Employee
Cisco Employee

‎06-13-2011 06:48 PM

Hey,

What you are trying to do is called PBR which is not supported on the ASA firewall. The stateful algorithm of it wouldnt allow it to effectively track the TCP sessions, so that could lead to an insecure environment, here is a better explanation:

Q. Can Cisco 5500 Series ASA do a  Policy Based Routing (PBR) like Cisco Router? For example, mail traffic  should be routed to first ISP while http traffic should be routed to  the second one.



A. Unfortunately, there is no way to do policy-based routing  on the ASA at this time. It can be a feature that is added to the ASA in  the future.

Note: The route-map command is used to redistribute routes between routing protocols, such  as OSPF and RIP, with the use of metrics and not to policy route regular  traffic as in routers.

This is the document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml

Hope it helps

Mike

PS, I could not make the font smaller, sorry about that.

Mike
0 Helpful

Jitendriya Athavale
Cisco Employee
Cisco Employee

‎06-13-2011 06:53 PM

firstly you wont be able to perform any source based routing on asa

so the alternative is that you have a network static nat for one of  the network for example

nat network behind any one interface to another network x.x.x.0 and ask users to connect to x.x.x.0 network

if even this does not work then i guess put a router behind asa and do source based routing on that

outside------asa-----------router------------------management    

                                        |------------------ DMZ

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card