ASA and Policy Based Routing

ebottani
Level 1

Hi all,
Is Policy Based Routing added to the ASA feature set? Or is there a workaround to get the following:
The ASA cluster forwards the default Internet traffic toward the ISP-A next hop; only for the traffic coming from a specific IP (directly connected in the DMZ), the next hop should be a different one (ISP-B).
Any suggestion will be appreciated.

Thanks, Efrem

1 Reply

Jouni Forss
VIP Alumni

Hi,

The Policy Based Routing (PBR) is not officially supported on the ASA firewalls.

It has been mentioned as a possible future update but so far I have not heard any update about what was said to me.

With the new software levels there is a possibility to use the NAT configurations to "route" traffic to different egress interface depending on the source address alone.

But as I said, the idea of forwarding traffic like this isn't, to my understanding, officially supported, so I am not sure if the ability to control traffic this way might change at some point or what kind of problems it might create in a production environment.

I tested this kind of setup for a user here on the CSC a couple of months ago, I think using an ASA5520 and 9.1(1) software, but I imagine this could be done with other software levels also. Preferably 8.4(5) or newer.

In the previous case the user also wanted to forward a DMZ's traffic through another ISP that wasn't holding the active default route.

Here is one example configuration, which is modified a bit.

The reason we have the weird destination networks was to overcome a strange situation where the NAT wasn't working as supposed to.

object network DMZ
 subnet 10.10.10.0 255.255.255.0
object network ANY-0.0.0.0-1
 subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
 subnet 128.0.0.0 128.0.0.0
object-group network ALL
 network-object object ANY-0.0.0.0-1
 network-object object ANY-128.0.0.0-1
nat (DMZ,WAN-2) source dynamic DMZ interface destination static ALL ALL

Naturally the above would also require a default route on the WAN-2 link that is of lower metric than the original one (that is in use for other traffic).

Have a look at this thread for my previous discussion about this subject:

https://supportforums.cisco.com/thread/2209874

Hope this helps

Please do remember to mark the reply as the correct answer if it answered your question.

Ask more if needed naturally.

- Jouni
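As an added illustration (not part of Jouni's reply and not Cisco code), the Python script below parses the configuration posted above, checks that the two /1 objects in the ALL group really tile the whole IPv4 space, and models the egress decision the reply describes: a NAT rule that names an egress interface and matches the packet's ingress interface, source and destination wins, otherwise the routing table decides. The two route lines, the interface name WAN-1 and the next-hop addresses are assumptions added for the model; the decision logic is a model of the described behaviour, not the ASA's actual lookup code.

```python
import ipaddress
import re

# Constructed copy of the NAT configuration from the reply above. The two
# "route" lines, the interface name WAN-1 and the next-hop addresses are
# assumptions added for this model; they are not from the original post.
ASA_CONFIG = """
object network DMZ
 subnet 10.10.10.0 255.255.255.0
object network ANY-0.0.0.0-1
 subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
 subnet 128.0.0.0 128.0.0.0
object-group network ALL
 network-object object ANY-0.0.0.0-1
 network-object object ANY-128.0.0.0-1
nat (DMZ,WAN-2) source dynamic DMZ interface destination static ALL ALL
route WAN-1 0.0.0.0 0.0.0.0 203.0.113.1 1
route WAN-2 0.0.0.0 0.0.0.0 198.51.100.1 254
"""

NAT_RE = re.compile(
    r"nat \((\S+),(\S+)\) source dynamic (\S+) interface "
    r"destination static (\S+) (\S+)"
)


def parse_config(text):
    """Parse the subset of ASA syntax used above into plain Python structures."""
    objects, groups, nat_rules, routes = {}, {}, [], []
    current = None  # (kind, name) of the object or object-group being filled
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["object", "network"]:
            current = ("object", parts[2])
        elif parts[:2] == ["object-group", "network"]:
            current = ("group", parts[2])
            groups[parts[2]] = []
        elif parts[0] == "subnet" and current and current[0] == "object":
            # ipaddress accepts "address/netmask" notation directly
            objects[current[1]] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
        elif parts[:2] == ["network-object", "object"] and current and current[0] == "group":
            groups[current[1]].append(objects[parts[2]])
        elif parts[0] == "nat":
            m = NAT_RE.match(raw.strip())
            if m is None:
                raise ValueError(f"unsupported nat syntax: {raw}")
            ingress, egress, src, dst_real, _dst_mapped = m.groups()
            dst_nets = groups[dst_real] if dst_real in groups else [objects[dst_real]]
            nat_rules.append((ingress, egress, objects[src], dst_nets))
        elif parts[0] == "route":
            iface, net, mask, nexthop, distance = parts[1:6]
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"), nexthop, int(distance)))
    return objects, groups, nat_rules, routes


def covers_all_ipv4(nets):
    """True when the networks tile the entire IPv4 space (the point of the two /1 objects)."""
    merged = ipaddress.collapse_addresses(nets)
    return sum(n.num_addresses for n in merged) == 2 ** 32


def select_egress(ingress, src, dst, nat_rules, routes):
    """Model of the egress decision described in the reply.

    A NAT rule that names an egress interface and matches the packet's ingress
    interface, real source and real destination wins; otherwise the longest
    prefix in the routing table (lowest administrative distance on a tie) decides.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_ingress, egress, src_net, dst_nets in nat_rules:
        if rule_ingress == ingress and src in src_net and any(dst in n for n in dst_nets):
            return egress, f"nat ({rule_ingress},{egress})"
    candidates = [r for r in routes if dst in r[1]]
    if not candidates:
        return None, "no route"
    iface, net, nexthop, distance = max(candidates, key=lambda r: (r[1].prefixlen, -r[3]))
    return iface, f"route {iface} {net} via {nexthop} [{distance}]"


if __name__ == "__main__":
    objects, groups, nat_rules, routes = parse_config(ASA_CONFIG)
    print("ALL tiles IPv4:", covers_all_ipv4(groups["ALL"]))
    # DMZ host: diverted to WAN-2 by the NAT rule
    print(select_egress("DMZ", "10.10.10.25", "198.51.100.200", nat_rules, routes))
    # Host behind another interface: follows the active default route on WAN-1
    print(select_egress("inside", "192.168.1.10", "198.51.100.200", nat_rules, routes))
```

The coverage check is the part worth keeping around: if the ALL group ever loses one of its two /1 members, half of the Internet silently falls back to the WAN-1 default route while the rest still leaves via WAN-2, which is exactly the kind of partial breakage that is hard to spot from a single ping test.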
