06-24-2013 07:38 AM - edited 03-11-2019 07:02 PM
hi all,
is Policy Based Routing added to the ASA feature set? Or is there a workaround to get the following:
the ASA cluster forwards the default Internet traffic toward the ISP-A next-hop; only for the traffic coming from a specific IP (directly connected in the DMZ), the next hop should be a different one (ISP-B).
Any suggestion will be appreciated.
Thanks, Efrem
06-24-2013 07:51 AM
Hi,
The Policy Based Routing (PBR) is not officially supported on the ASA firewalls.
It has been mentioned as a possible future update but so far I have not heard any update about what was said to me.
With the new software levels there is a possibility to use the NAT configurations to "route" traffic to different egress interface depending on the source address alone.
But as I said the idea of forwarding traffic like this isn't to my understanding officially supported, so I am not sure if the ability to control traffic this way might change at some point or what kind of problems it might create in a production environment.
I tested this kind of setup for a user here on the CSC a couple of months ago, I think using an ASA5520 and 9.1(1) software, but I imagine this could be done with other software levels also. Preferably 8.4(5) or newer.
In the previous case the user also wanted to forward a DMZ's traffic through another ISP that wasn't holding the active default route.
Here is one example configuration, which is modified a bit.
The reason we have the weird destination networks was to overcome a strange situation where the NAT wasn't working as supposed to.
object network DMZ
 subnet 10.10.10.0 255.255.255.0
object network ANY-0.0.0.0-1
 subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
 subnet 128.0.0.0 128.0.0.0
object-group network ALL
 network-object object ANY-0.0.0.0-1
 network-object object ANY-128.0.0.0-1
nat (DMZ,WAN-2) source dynamic DMZ interface destination static ALL ALL
Naturally the above would also require a default route on the WAN-2 link that is of lower metric than the original one (that is in use for other traffic).
Have a look at this thread for my previous discussion about this subject:
https://supportforums.cisco.com/thread/2209874
Hope this helps
Please do remember to mark the reply as the correct answer if it answered your question.
Ask more if needed naturally.
- Jouni
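As an added illustration (not Jouni's configuration and not taken from the linked thread), here is the same NAT-based egress selection assembled into a complete snippet that can be checked on the box. Interface names (inside, DMZ, WAN-1, WAN-2), addresses, next hops and the WAN-2 route metric are assumed values; packet-tracer is run afterwards to confirm which interface each flow actually leaves through, which is the check you would want before relying on this in production.

```cisco
! Assumed interfaces already configured: inside (192.168.1.0/24),
! DMZ (10.10.10.0/24), WAN-1 (ISP-A) and WAN-2 (ISP-B).
!
! Active default route via ISP-A. The second default route via ISP-B
! only provides a next hop on WAN-2; its metric (assumed 254) keeps it
! out of the active routing table so other traffic stays on WAN-1.
route WAN-1 0.0.0.0 0.0.0.0 198.51.100.1 1
route WAN-2 0.0.0.0 0.0.0.0 203.0.113.1 254
!
object network DMZ
 subnet 10.10.10.0 255.255.255.0
! "any" split into two halves, as in the reply above
object network ANY-0.0.0.0-1
 subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
 subnet 128.0.0.0 128.0.0.0
object-group network ALL
 network-object object ANY-0.0.0.0-1
 network-object object ANY-128.0.0.0-1
!
! Manual NAT: DMZ sources are PATed to the WAN-2 interface address and,
! because WAN-2 is named as the egress interface, the rule itself steers
! matching traffic out of ISP-B instead of the active default route.
nat (DMZ,WAN-2) source dynamic DMZ interface destination static ALL ALL
!
! Verification (assumed test hosts and destination 192.0.2.10):
! the first trace should end with egress interface WAN-2, the second WAN-1.
packet-tracer input DMZ tcp 10.10.10.50 40000 192.0.2.10 443
packet-tracer input inside tcp 192.168.1.50 40000 192.0.2.10 443
! translate_hits on the rule should increase for DMZ traffic only
show nat detail
show route
```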