07-13-2017 05:07 AM - edited 03-12-2019 02:41 AM
Hi
I have a 5585X with 2 WAN interfaces.
One is the OUTSIDE interface which the default route points to.
The other is a VPN interface which I would like to use for Anyconnect VPN sessions.
I have configured PBR to set the next-hop of traffic sourced from the VPN interface to the gateway of that interface, but I cannot get it to work. I get the error: Routing failed to locate next hop for icmp from VPN:xx.xx.xx.xx (VPN interface IP) to xx.xx.xx.xx (destination IP)
I have applied the following config:
interface Port-channel10.879
nameif VPN
security-level 0
ip address xx.xx.xx.118 255.255.255.252
policy-route route-map RM-VPN-TRAFFIC
!
access-list ACL-VPN-TRAFFIC extended permit ip interface VPN any
route-map RM-VPN-TRAFFIC permit 10
match ip address ACL-VPN-TRAFFIC
set ip next-hop xx.xx.xx.117
!
Can anyone please help me get this working?
Thanks
Ryan
07-13-2017 05:28 AM
PBR really doesn't work well (or usually at all) for traffic coming into the ASA since it is (usually) originating from random IP addresses all over the internet.
You can reach the interface fine but the return traffic will take the default route (in the absence of a PBR match for the remote clients' addresses). That will make traffic flows asymmetric and asymmetry is the bane of a stateful firewall.
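The asymmetry described in the reply above, modelled as a small added Python example (constructed here, not Cisco code or anything from the thread). It assumes placeholder addresses in place of the post's xx.xx.xx.xx values, and models the ASA behaviour that a route-map applied with policy-route is evaluated only on packets ingressing that interface, never on packets the box itself generates.

```python
"""Toy model of the routing decision behind the 'Routing failed to locate
next hop' message: the reply sourced from the VPN interface address is
locally generated, so the VPN interface's route-map is never consulted
and the packet falls through to the default route on OUTSIDE."""
from ipaddress import ip_address, ip_network

# Constructed addressing (placeholders for the post's xx.xx.xx.xx values).
IFACES = {
    "OUTSIDE": {"addr": ip_address("198.51.100.2"),
                "net": ip_network("198.51.100.0/30"), "gw": "198.51.100.1"},
    "VPN":     {"addr": ip_address("203.0.113.118"),
                "net": ip_network("203.0.113.116/30"), "gw": "203.0.113.117"},
}
DEFAULT_ROUTE = ("OUTSIDE", IFACES["OUTSIDE"]["gw"])

# route-map RM-VPN-TRAFFIC on interface VPN: matches ACL "permit ip interface
# VPN any", i.e. source address == the VPN interface address. Applied to
# ingress packets only, as PBR is on the ASA.
PBR = {"VPN": lambda src, dst: src == IFACES["VPN"]["addr"]}


def egress(src, dst, ingress_iface):
    """Return (egress_iface, next_hop) the box would choose for one packet.
    ingress_iface=None means the packet was generated by the box itself."""
    src, dst = ip_address(src), ip_address(dst)
    # 1. PBR: only transit packets arriving on an interface are evaluated.
    if ingress_iface in PBR and PBR[ingress_iface](src, dst):
        return "VPN", IFACES["VPN"]["gw"]
    # 2. connected routes
    for name, i in IFACES.items():
        if dst in i["net"]:
            return name, str(dst)
    # 3. default route
    return DEFAULT_ROUTE


def reply_is_symmetric(client, iface):
    """Does the box's own reply to a client that reached `iface` leave on
    `iface`? For the stateful firewall this must hold; if not, the flow is
    asymmetric and the session breaks."""
    reply_iface, _ = egress(str(IFACES[iface]["addr"]), client, None)
    return reply_iface == iface


if __name__ == "__main__":
    client = "192.0.2.50"  # constructed remote AnyConnect client address
    print("reply via", egress(str(IFACES["VPN"]["addr"]), client, None))
    print("VPN symmetric:", reply_is_symmetric(client, "VPN"))
    print("OUTSIDE symmetric:", reply_is_symmetric(client, "OUTSIDE"))
```

The check shows the VPN interface is reachable but its replies are routed out OUTSIDE, while the same flow on OUTSIDE stays symmetric because that interface owns the default route.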
07-14-2017 03:34 AM
Ah, ok thanks.
I may have to mess with NAT so the source IP of the traffic entering that interface is on a connected subnet.
Thanks.