ASA 9.4 PBR vs. NAT

jonagyula
Level 1

Hi

I am asking for the community wisdom on the following customer reported problem.

Given the following simplified topology (I do not have a detailed running-config on this either...)

Outside -- default route

Inside -- some 10/8 networks, which might have subnets overlapping with the networks behind the DMZ interface!!

DMZ -- many networks behind this interface, in 10.x.x.x, but NOT routed on the ASA!

The customer does _not_ want 10.x.x.x/8 to appear in the ASA routing table towards the DMZ, and therefore configures PBR on specific inside sources to be transmitted in this direction. In the route-map they use "set ip next-hop".

Inside -> (PBR + sNAT) -> DMZ: works fine

DMZ -> staticNAT -> Inside: the returning reply fails: "Routing failed to locate next hop for .."

The first case, sNAT, is like accessing anything outside:

nat (any,DMZ-networks) after-auto source dynamic any pat-pool pat-DMZ-range extended

Works fine.

In the second (DMZ->Inside) case, packets reach the inside host/rserver, but the replies get "routing failed". This case is rather like offering an inside service to the public internet, hoping that the xlate entry or the PBR redirects the reply packet towards the DMZ where it came from, instead of the default Outside.

We tried to enforce the return by identity sNAT:

nat (Inside,DMZ) source static REAL-INSIDE-ADDR GLOBAL-DMZ-ADDR destination static DMZ-10_x_x_x DMZ-10_x_x_x service SVC-GLOBAL SVC-LOCAL

On this last NAT entry we saw the hit count increasing when testing (initiating traffic) from the DMZ, but we were still getting the "Routing failed for" syslog.

An additional, probably relevant detail:

asa-1(config)# sh nat divert-table interface Inside
Divert Table
id=0x7ffc80e22240, domain=twice-nat section=1 ignore=no
    type=static, hits=0, flags=0x9, protocol=6
    src ip/id=10.a.b.c, mask=255.255.255.255, port=1111-1111  
    dst ip/id=10.0.0.0, mask=255.0.0.0, port=0-0
    input_ifc=Inside, output_ifc=DMZ
id=0x7ffcbdf1a300, domain=auto-nat section=2 ignore=yes

(port 1111 is on the local, real server; 10.0.0.0/8 is on the DMZ interface; PBR should forward that)

This last statement, "ignore=yes", is confusing:

Anyway, if there is a route lookup, PBR should direct the packet towards the DMZ; if not, the existing xlate entry should force the returning packet to exit on the DMZ interface.

Both should forward reply packets towards the DMZ interface.

Still getting the "routing failed" message.

Any advice, experts?

thanks,

jonagy

1 Reply

jonagyula
Level 1

The reason might be this:

ASA: PBR policies should be applied for output route-lookup
CSCuv00272
https://tools.cisco.com/bugsearch/bug/CSCuv00272
jonagy
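The PBR-plus-NAT setup described in the question, written out as a constructed ASA 9.4 config fragment (added here, not the poster's running-config). Interface names, the DMZ next-hop, the global address and the global port are placeholders in angle brackets; only the object and pool names come from the post.

```cisco
! Constructed example, not the poster's running-config. Placeholders are in <angle brackets>.
! 1) PBR on Inside: steer selected inside sources towards the DMZ without installing a 10/8 route.
access-list PBR-TO-DMZ extended permit ip host <inside-real-host> 10.0.0.0 255.0.0.0
route-map PBR-INSIDE permit 10
 match ip address PBR-TO-DMZ
 set ip next-hop <dmz-next-hop-ip>
interface <inside-physical-interface>
 nameif Inside
 policy-route route-map PBR-INSIDE
!
! 2) Inside -> DMZ: dynamic PAT, the direction the post reports as working.
!    (The post writes the mapped interface as DMZ-networks; DMZ is used here to match the nameif.)
nat (any,DMZ) after-auto source dynamic any pat-pool pat-DMZ-range extended
!
! 3) DMZ -> Inside: static twice NAT with port translation, the direction whose replies fail.
!    Source port 1111 is the real server port seen in the divert-table output in the post.
object network REAL-INSIDE-ADDR
 host <inside-real-host>
object network GLOBAL-DMZ-ADDR
 host <inside-host-as-seen-from-dmz>
object network DMZ-10_x_x_x
 subnet 10.0.0.0 255.0.0.0
object service SVC-LOCAL
 service tcp source eq 1111
object service SVC-GLOBAL
 service tcp source eq <global-port>
nat (Inside,DMZ) source static REAL-INSIDE-ADDR GLOBAL-DMZ-ADDR destination static DMZ-10_x_x_x DMZ-10_x_x_x service SVC-GLOBAL SVC-LOCAL
!
! Checks after applying:
!   show route-map PBR-INSIDE                  -> route-map present, ACL matched
!   show nat detail                            -> translate/untranslate hits on rule 3
!   show nat divert-table interface Inside     -> compare with the output in the post
! Caveat: the reply in this thread points to CSCuv00272 ("PBR policies should be applied for
! output route-lookup"). On affected 9.4 code, replies leaving Inside may still log
! "Routing failed to locate next hop" even with rule 3 in place, which the bug title suggests
! is because PBR is not consulted for the output route lookup of the reply.
```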