09-18-2019 02:40 AM - edited 02-21-2020 09:30 AM
Hi All,
I'm after some advice on the attached setup and wondering about the ASA order of operations here along with PBR/encryption. I'm comfortable with the VPN itself and PBR etc. This is more to see if anyone has a better understanding of how the PBR and crypto work together.
I have ASA with 3 interfaces, Server hanging off Interface 3. Two goals I am looking to achieve are on there.
I know I can create a PBR and attach it to Interface 3, which will achieve the 2 routing goals; however, I am not sure that when my PBR sends traffic to a next hop out Interface 2 it will be encrypted.
My understanding is the following:
PBR will be matching on real IP address of server (192.168.10.10).
Encryption domain will match my NAT'd address of 10.99.0.10
What I am not sure of is whether my server will still match the encryption domain when PBR'd out the interface with the crypto map attached, or does the use of a PBR cause it to bypass the crypto somehow?
In an ideal world I would use route based VPN but not possible for this one.
09-18-2019 04:49 AM
As per my knowledge,
ASA order of operation for your scenario would be ROUTE (PBR) > NAT > VPN
So your setup will work. You have to configure all the components correctly, like PBR, route, NAT, crypto ACL, etc.
HTH
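An ASA configuration sketch of the three pieces as described in this thread, added here as an illustration and not taken from the original post or its attachment. The interface names, the next hop 203.0.113.1, the remote peer 198.51.100.1, the remote subnet 10.200.0.0/24 and the IKEv2 parameters are assumptions; only the server's real address 192.168.10.10 and its NAT'd address 10.99.0.10 come from the thread.

```cisco
! Added example; interface names, next hop, peer, remote subnet and
! IKEv2 settings are assumptions. Real IP 192.168.10.10 and NAT'd IP
! 10.99.0.10 are the values from the thread.

! Interface 3: server segment. PBR is applied here, on ingress.
interface GigabitEthernet0/2
 nameif servers
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 policy-route route-map SRV-PBR
! Interface 2: the interface the crypto map is bound to.
interface GigabitEthernet0/1
 nameif vpn-out
 security-level 0
 ip address 203.0.113.2 255.255.255.252

! 1. PBR runs before NAT, so it matches the server's REAL address.
access-list SRV-PBR-ACL extended permit ip host 192.168.10.10 10.200.0.0 255.255.255.0
route-map SRV-PBR permit 10
 match ip address SRV-PBR-ACL
 set ip next-hop 203.0.113.1

! 2. NAT: once the packet is heading out vpn-out, the source becomes
!    10.99.0.10. Do NOT add a NAT exemption for this flow, or the
!    crypto ACL below would have to match the real address instead.
object network SRV-REAL
 host 192.168.10.10
 nat (servers,vpn-out) static 10.99.0.10

! 3. Crypto map check happens on egress, after NAT, so the crypto ACL
!    (encryption domain) must reference the TRANSLATED address.
access-list VPN-CRYPTO-ACL extended permit ip host 10.99.0.10 10.200.0.0 255.255.255.0
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map VPNMAP 10 match address VPN-CRYPTO-ACL
crypto map VPNMAP 10 set peer 198.51.100.1
crypto map VPNMAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map VPNMAP interface vpn-out
crypto ikev2 enable vpn-out
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key PSK-PLACEHOLDER
 ikev2 remote-authentication pre-shared-key PSK-PLACEHOLDER
```

To confirm the order on a live box, `packet-tracer input servers tcp 192.168.10.10 1025 10.200.0.5 443` walks the packet through the route/PBR, NAT and VPN phases and shows whether the encryption domain matched, and the encaps counters in `show crypto ipsec sa` confirm the flow is actually being protected.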
09-18-2019 04:50 AM