10-05-2016 01:01 AM - edited 03-12-2019 01:21 AM
Hi,
I'm trying to find out how to use PBR in conjunction with static NAT. I'm able to make it work with Dynamic PAT, but not static NAT...
Trouble
6 Oct 05 2016 08:47:42 110003 195.41.2.20 80 2.2.2.2 28641 Routing failed to locate next hop for TCP from new-dmz:195.41.2.20/80 to outside:2.2.2.2/28641
Configuration
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.2
vlan 2
nameif outside
security-level 0
ip address 195.41.2.4 255.255.255.0
!
interface GigabitEthernet0/0.10
vlan 10
nameif dmz
security-level 50
ip address 100.100.10.2 255.255.255.0
policy-route route-map dmz-pbr
!
interface GigabitEthernet0/0.20
vlan 20
nameif new-dmz
security-level 50
ip address 100.100.20.2 255.255.255.0
policy-route route-map new-dmz-pbr
!
same-security-traffic permit inter-interface
!
object network dmz
subnet 172.16.25.0 255.255.255.0
!
object network new-dmz
subnet 172.24.0.0 255.255.255.0
!
object network 172.16.25.1
host 172.16.25.1
!
object network 195.41.2.10
host 195.41.2.10
!
object network 172.24.0.1
host 172.24.0.1
!
object network 195.41.2.20
host 195.41.2.20
!
object-group network rfc1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
!
access-list dmz-pbr extended deny ip object dmz object-group rfc1918
access-list dmz-pbr extended permit ip object dmz any
!
access-list new-dmz-pbr extended deny ip object new-dmz object-group rfc1918
access-list new-dmz-pbr extended permit ip object new-dmz any
!
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any object 172.16.25.1 eq www
access-list outside_access_in extended permit tcp any object 172.24.0.1 eq www
!
access-group outside_access_in in interface outside
!
object network dmz
nat (dmz,outside) dynamic interface
object network new-dmz
nat (new-dmz,outside) dynamic interface
object network 172.16.25.1
nat (dmz,outside) static 195.41.2.10
object network 172.24.0.1
nat (new-dmz,outside) static 195.41.2.20
access-group outside_access_in in interface outside
!
route-map dmz-pbr permit 10
match ip address dmz-pbr
set ip next-hop 195.41.2.1
!
route-map new-dmz-pbr permit 10
match ip address new-dmz-pbr
set ip next-hop 195.41.2.1
!
route dmz 172.16.25.0 255.255.255.0 100.100.10.1 1
route new-dmz 172.24.0.0 255.255.255.0 100.100.20.1 1
!
Verification
R1#telnet 172.16.25.1 80 /vrf new-dmz /source-interface lo20
Trying 172.16.25.1, 80 ... Open
R1#ping vrf dmz 2.2.2.2 source lo10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.25.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/9 ms
R1#
R1#ping vrf new-dmz 2.2.2.2 source lo20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 172.24.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
R1#
asa-pbr-test# packet-tracer input outside tcp 2.2.2.2 1234 195.41.2.20 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 172.24.0.1
nat (new-dmz,outside) static 195.41.2.20
Additional Information:
NAT divert to egress interface new-dmz
Untranslate 195.41.2.20/80 to 172.24.0.1/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object 172.24.0.1 eq www
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network 172.24.0.1
nat (new-dmz,outside) static 195.41.2.20
Additional Information:
Phase: 7
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 122, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: new-dmz
output-status: up
output-line-status: up
Action: allow
asa-pbr-test#
Any suggestions are greatly appreciated. I actually need this on a production network.
Thanks.
Regards,
/JZ
10-05-2016 02:12 AM
Hi,
OK. I believe I found a solution. Not a nice one in my opinion.
Create a default route with a higher metric (AD for R&S people like me). This will actually be used even though not installed in the routing table.
I've also seen this "feature" with AnyConnect where you tie a group to a certain interface and create a default route out that interface with a higher metric (AD!).
So the solution was:
route outside 0.0.0.0 0.0.0.0 195.41.2.1 2
Thanks,
/JZ
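A small diagnostic check, added here as an example and not part of the thread or of any Cisco tool: it parses a 110003 "Routing failed to locate next hop" line together with the `route` statements from a config and reports whether the failing destination has a static route whose interface matches the one named in the message. It assumes the ASA `route <iface> <net> <mask> <next-hop> [metric]` syntax shown in the post and models only the static-route lookup that the added default route changes, not the NAT or PBR phases; `parse_110003`, `lookup` and `diagnose` are the example's own names.

```python
import ipaddress
import re

# Constructed sample input: the syslog 110003 line quoted in the thread.
SAMPLE_LOG = (
    "6 Oct 05 2016 08:47:42 110003 195.41.2.20 80 2.2.2.2 28641 "
    "Routing failed to locate next hop for TCP from new-dmz:195.41.2.20/80 "
    "to outside:2.2.2.2/28641"
)

# Constructed sample route tables: the two interface routes from the posted
# config, then the same table with the metric-2 default route the author added.
ORIGINAL_ROUTES = """
route dmz 172.16.25.0 255.255.255.0 100.100.10.1 1
route new-dmz 172.24.0.0 255.255.255.0 100.100.20.1 1
"""
FIXED_ROUTES = ORIGINAL_ROUTES + "route outside 0.0.0.0 0.0.0.0 195.41.2.1 2\n"

LOG_RE = re.compile(
    r"Routing failed to locate next hop for (?P<proto>\w+) from "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
ROUTE_RE = re.compile(
    r"^route\s+(?P<iface>\S+)\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)"
    r"\s+(?P<next_hop>[\d.]+)(?:\s+(?P<metric>\d+))?\s*$"
)


def parse_110003(line):
    """Extract protocol, interfaces and 5-tuple from a 110003 message, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    for key in ("src_port", "dst_port"):
        flow[key] = int(flow[key])
    return flow


def parse_routes(config_text):
    """Collect `route <iface> <net> <mask> <next-hop> [metric]` statements."""
    routes = []
    for raw in config_text.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if m:
            routes.append({
                "network": ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False),
                "iface": m["iface"],
                "next_hop": m["next_hop"],
                # Assumption: an omitted metric defaults to 1, as in the posted config.
                "metric": int(m["metric"] or 1),
            })
    return routes


def lookup(routes, dst_ip):
    """Longest-prefix match over the static routes; lowest metric wins a tie."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def diagnose(log_line, config_text):
    """Report whether the failing flow's destination has a usable static route.

    Assumption (not a claim about ASA internals): only the static route table
    that the thread's fix changes is modelled, not the NAT or PBR phases.
    """
    flow = parse_110003(log_line)
    if flow is None:
        return {"flow": None, "route": None, "ok": False}
    route = lookup(parse_routes(config_text), flow["dst_ip"])
    ok = route is not None and route["iface"] == flow["dst_if"]
    return {"flow": flow, "route": route, "ok": ok}


if __name__ == "__main__":
    for label, table in (("before fix", ORIGINAL_ROUTES), ("after fix", FIXED_ROUTES)):
        result = diagnose(SAMPLE_LOG, table)
        print(label, "->", "route found" if result["ok"] else "NO ROUTE", result["route"])
```

With the two original interface routes the check reports no route for 2.2.2.2; once the `route outside 0.0.0.0 0.0.0.0 195.41.2.1 2` line is present the 0.0.0.0/0 entry matches and its interface agrees with the `outside` named in the message. Feeding real 110003 lines and the running config through `diagnose` is a quick way to spot other statically translated hosts behind a `policy-route` interface that are in the same situation.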