ASA PBR, Encryption Domain (And NAT)

GRANT3779
Spotlight

Hi All,

I'm after some advice on the attached setup and am wondering about the ASA order of operations here along with PBR/encryption. I'm comfortable with the VPN itself and PBR etc. This is more to see if anyone has a better understanding of how the PBR and crypto work together.

I have an ASA with 3 interfaces, with a server hanging off Interface 3. The two goals I am looking to achieve are on there.

I know I can create a PBR and attach it to Interface 3, which will achieve the 2 routing goals; however, I am not sure whether, when my PBR sends traffic to a next hop out Interface 2, it will be encrypted.

My understanding is the following:

PBR will be matching on the real IP address of the server (192.168.10.10).

The encryption domain will match my NAT'd address of 10.99.0.10.

What I am not sure of is whether my server will still match the encryption domain when PBR'd out the interface with the crypto map attached, or does the use of a PBR cause it to bypass the crypto somehow?

In an ideal world I would use route-based VPN, but that is not possible for this one.

2 Replies

bhargavdesai
Spotlight

As per my knowledge,

The ASA order of operation for your scenario would be ROUTE (PBR) > NAT > VPN.

So your setup will work. You have to configure all the components correctly, like PBR, ROUTE, NAT, and crypto ACL etc.

HTH

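An illustrative ASA configuration for the layout described in the thread (server on Interface 3, static NAT to 10.99.0.10, PBR to a next hop out Interface 2, crypto map on Interface 2), added here as an example; it is not configuration from the original poster, from the replies, or from Cisco documentation. The interface names (outside2, servers), the addresses 203.0.113.x, 198.51.100.1 and 172.16.50.0/24, the next hop, the object and map names and the pre-shared-key placeholder are all assumptions; only 192.168.10.10 and 10.99.0.10 come from the post. The point it shows is which address each component keys on, following the ROUTE (PBR) > NAT > VPN order given in the reply above: the PBR ACL matches the real address, the NAT rule translates it to 10.99.0.10 only for traffic toward the remote subnet, and the crypto ACL matches the translated address.

```cisco
! ---- Interfaces (names and addresses are assumed, not from the post) ----
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif servers
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! ---- Objects (names assumed) ----
object network SERVER-REAL
 host 192.168.10.10
object network SERVER-MAPPED
 host 10.99.0.10
object network REMOTE-NET
 subnet 172.16.50.0 255.255.255.0
!
! ---- PBR: matches the REAL server address ----
! The route lookup (including PBR) runs before NAT on the egress path,
! so this ACL must reference 192.168.10.10, not 10.99.0.10.
access-list PBR-SERVER extended permit ip host 192.168.10.10 object REMOTE-NET
route-map PBR-SERVER permit 10
 match ip address PBR-SERVER
 set ip next-hop 203.0.113.1
!
interface GigabitEthernet0/2
 policy-route route-map PBR-SERVER
!
! ---- NAT: translate only for traffic to the remote subnet ----
! Twice NAT keeps the translation scoped to the VPN peer's network;
! traffic to any other destination is not affected by this rule.
nat (servers,outside2) source static SERVER-REAL SERVER-MAPPED destination static REMOTE-NET REMOTE-NET
!
! ---- Crypto: encryption domain matches the MAPPED address ----
! NAT has already run by the time the crypto map on outside2 is consulted,
! so the crypto ACL must reference 10.99.0.10.
access-list VPN-CRYPTO extended permit ip object SERVER-MAPPED object REMOTE-NET
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
crypto map OUTSIDE2-MAP 10 match address VPN-CRYPTO
crypto map OUTSIDE2-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE2-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE2-MAP interface outside2
crypto ikev2 enable outside2
!
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-STRONG-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-STRONG-PSK
```

To confirm the order of operations on a live box rather than trusting the diagram, run packet-tracer from the server side with the real source address, e.g. `packet-tracer input servers tcp 192.168.10.10 1025 172.16.50.10 443 detailed` (destination host assumed): the output should show the ROUTE-LOOKUP phase choosing outside2 via the route-map, the NAT phase rewriting the source to 10.99.0.10, and then a VPN phase with subtype encrypt matching the crypto map. After real traffic has flowed, `show crypto ipsec sa peer 198.51.100.1` should list 10.99.0.10 as the local identity. Return traffic decrypted on outside2 arrives with destination 10.99.0.10 and is un-translated to 192.168.10.10 by the same twice-NAT rule, so no separate rule is needed for the reverse direction.
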
bhargavdesai
Spotlight
In Short...

What I am not sure of is will my server still match the encryption domain when PBR'd out the interface with the cryptomap attached or does the use of a PBR cause it to bypass the crypto somehow?

YES

HTH