Frequent Contributor

ASA PBR, Encryption Domain (And NAT)

Hi All,

I'm after some advice on the attached setup and wondering about the ASA order of operations here, along with PBR/encryption. I'm comfortable with the VPN itself and PBR etc. This is more to see if anyone has a better understanding of how the PBR and crypto work together.

I have an ASA with 3 interfaces, with a server hanging off Interface 3. The two goals I am looking to achieve are on there.

I know I can create a PBR and attach it to Interface 3, which will achieve the 2 routing goals; however, I am not sure whether, when my PBR sends traffic to a next hop out Interface 2, it will be encrypted.

My understanding is the following:

PBR will be matching on the real IP address of the server (192.168.10.10).

The encryption domain will match my NAT'd address of 10.99.0.10.

What I am not sure of is whether my server will still match the encryption domain when PBR'd out the interface with the crypto map attached, or whether the use of a PBR causes it to bypass the crypto somehow.

In an ideal world I would use a route-based VPN, but that is not possible for this one.
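The setup described above, written out as an ASA configuration. This is an added example, not the poster's configuration or anything from the thread: only the real address 192.168.10.10 and the NAT'd address 10.99.0.10 come from the post. The interface names (inside for Interface 3, outside2 for Interface 2), the remote encryption domain 172.16.0.0/24, the VPN peer 203.0.113.1, the PBR next hop 198.51.100.1, the proposal and policy names and the pre-shared-key placeholder are all assumed. The packet-tracer command at the end is the check a practitioner would run on the box itself: its output lists every phase the flow passes through (route lookup, NAT, VPN), so it shows directly whether a PBR'd flow from the server reaches the crypto map on outside2.

```text
! --- Objects (192.168.10.10 and 10.99.0.10 are from the post; the rest are assumed) ---
object network SERVER-REAL
 host 192.168.10.10
object network SERVER-VPN
 host 10.99.0.10
object network REMOTE-NET
 subnet 172.16.0.0 255.255.255.0

! --- Interfaces (addresses omitted; "inside" is Interface 3, "outside2" is Interface 2) ---
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ! PBR is attached on the ingress interface and matches the real (pre-NAT) address
 policy-route route-map PBR-SERVER

! --- PBR: match the server's real address toward the remote domain, set the next hop ---
access-list PBR-ACL extended permit ip host 192.168.10.10 object REMOTE-NET
route-map PBR-SERVER permit 10
 match ip address PBR-ACL
 set ip next-hop 198.51.100.1

! --- Policy (twice) NAT: only server -> REMOTE-NET is translated to 10.99.0.10.
!     "route-lookup" makes the ASA pick the egress interface from the routing
!     decision (including PBR) instead of from the interface pair in this rule. ---
nat (inside,outside2) source static SERVER-REAL SERVER-VPN destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup

! --- Crypto ACL (encryption domain) matches the mapped address, as the post expects ---
access-list CRYPTO-ACL extended permit ip object SERVER-VPN object REMOTE-NET

! --- IKEv2 / IPsec (assumed parameters) ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside2
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map OUTSIDE2-MAP 10 match address CRYPTO-ACL
crypto map OUTSIDE2-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE2-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE2-MAP interface outside2
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <pre-shared-key>
 ikev2 local-authentication pre-shared-key <pre-shared-key>

! --- Check: trace a constructed flow from the server's real address to a host in the
!     remote domain and read the phase list (route lookup, NAT, VPN) in the output ---
packet-tracer input inside tcp 192.168.10.10 40000 172.16.0.10 443 detailed
```

Two things to look for in the packet-tracer output: that the route-lookup phase shows outside2 as the egress interface (i.e. the route-map, not the default route, chose it), and that a VPN phase appears after the NAT phase with the translated source 10.99.0.10. If the flow is PBR'd to outside2 but no VPN phase appears, the crypto ACL does not match the post-NAT addresses of the flow and the encryption domain on both peers should be compared against the NAT rule.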

2 REPLIES
Beginner

As per my knowledge, the ASA order of operations for your scenario would be ROUTE (PBR) > NAT > VPN.

So your setup will work. You have to configure all the components correctly: PBR, route, NAT, crypto ACL, etc.

HTH

Beginner

In short...

"What I am not sure of is whether my server will still match the encryption domain when PBR'd out the interface with the crypto map attached, or whether the use of a PBR causes it to bypass the crypto somehow."

YES

HTH