ASA PBR Hairpin Issue

tpksupport
Level 1
My objective is to intercept traffic from a particular subnet (192.168.5.0/24) that has been directed to the ASA as the default external route and then redirect that traffic to a proxy server that exists on the ingress interface. I've set up the PBR to identify the correct traffic and set the next hop to the proxy server, which is on a directly connected subnet (to the ingress interface). A packet trace and debug policy-route all show the PBR performing correctly. However, no traffic ever leaves the ASA target interface. I have confirmed this with a packet capture.

Note: "Enable traffic between 2 or more hosts on the same interface" is on.

Another observation was that I started getting deny hits specifying traffic from the source subnet heading for external hosts with PBR-matching ports on the inside interface. Creating a rule to allow this stopped the notifications, but no traffic is leaving the interface.

Note: From the ASA I can ping the proxy and vice versa. If I try using the ip-verify-availability set clause I get messages in the syslog stating the target addresses are down, yet I can ping them.

See below for relevant config snippets and packet trace outputs. Any advice would be gratefully accepted.
object-group service Internet_Services tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_40
 network-object 192.168.25.0 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
object-group network DM_INLINE_NETWORK_41
 network-object 192.168.25.0 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
access-list Inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_41 any4 object-group Internet_Services
access-list Test_Proxy_Networks extended permit tcp object-group DM_INLINE_NETWORK_40 any4 object-group Internet_Services
route-map Route_Proxy_Traffic permit 1
 match ip address Test_Proxy_Networks
 set ip next-hop 10.1.1.51 10.1.1.50
 set interface Inside

show policy-route
Interface              Route map
GigabitEthernet0/1     Route_Proxy_Traffic

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7f3284a86380, priority=1, domain=permit, deny=false
        hits=247343186, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Inside, output_ifc=any

Phase: 2
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map Route_Proxy_Traffic permit 1
 match ip address Test_Proxy_Networks
 set ip next-hop 10.1.1.51 10.1.1.50
 set interface Inside
Additional Information:
Matched route-map Route_Proxy_Traffic, sequence 1, permit
Found next-hop 10.1.1.51 using egress ifc Inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside control-plane
access-list Inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_41 any4 object-group Internet_Services
access-list Inside_access_in remark Temp rule to test PBR with Staging and Development
object-group network DM_INLINE_NETWORK_41
 network-object 192.168.25.0 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
object-group service Internet_Services tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7f328c69bc20, priority=13, domain=permit, deny=false
        hits=46067, user_data=0x7f327a5a5940, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=192.168.5.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, tag=any, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7f3283c34c50, priority=1, domain=nat-per-session, deny=true
        hits=15722604, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7f3284a8fa90, priority=0, domain=inspect-ip-options, deny=true
        hits=5603537, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7f3284e5fa10, priority=20, domain=lu, deny=false
        hits=390333, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
 in  id=0x7f3283c34c50, priority=1, domain=nat-per-session, deny=true
        hits=15722606, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
 in  id=0x7f3284a8fa90, priority=0, domain=inspect-ip-options, deny=true
        hits=5603539, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=Inside, output_ifc=any

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 15301427, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow
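When troubleshooting a case like this one, it helps to pull the decision points out of a long packet-tracer dump mechanically rather than by eye: which phase (if any) returned something other than ALLOW, what next-hop and egress interface the PBR-LOOKUP phase chose, and whether the final verdict is a hairpin (same ingress and egress interface, which on an ASA depends on same-security-traffic permit intra-interface being enabled). The script below is an added example, not code from the original post or from Cisco; its sample input is a condensed copy of the trace quoted above (phases 3 to 8 omitted), and the helper names parse_packet_tracer, pbr_decision and findings are my own.

```python
import re

# Constructed sample: a condensed copy of the packet-tracer output quoted in
# the post above. Phases 3-8 are left out; the line structure is unchanged.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7f3284a86380, priority=1, domain=permit, deny=false
        input_ifc=Inside, output_ifc=any

Phase: 2
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map Route_Proxy_Traffic permit 1
 match ip address Test_Proxy_Networks
 set ip next-hop 10.1.1.51 10.1.1.50
 set interface Inside
Additional Information:
Matched route-map Route_Proxy_Traffic, sequence 1, permit
Found next-hop 10.1.1.51 using egress ifc Inside

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 15301427, packet dispatched to next module

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
KV_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")
NEXTHOP_RE = re.compile(r"Found next-hop (\S+) using egress ifc (\S+)")
FINAL_RE = re.compile(r"^(input-interface|output-interface|Action):\s*(\S+)")


def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase records plus the final verdict."""
    phases, final = [], {}
    current, in_final = None, False
    for line in text.splitlines():
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "lines": []}
            phases.append(current)
            continue
        if line.strip() == "Result:":
            # A bare "Result:" (no value) opens the summary block at the end.
            in_final, current = True, None
            continue
        if in_final:
            m = FINAL_RE.match(line)
            if m:
                final[m.group(1)] = m.group(2)
            continue
        if current is None:
            continue
        m = KV_RE.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2).strip()
        else:
            current["lines"].append(line)   # Config / Additional Information text
    return {"phases": phases, "final": final}


def pbr_decision(trace):
    """Return (next_hop, egress_ifc) chosen by the PBR-LOOKUP phase, or None."""
    for p in trace["phases"]:
        if p["type"] == "PBR-LOOKUP":
            for line in p["lines"]:
                m = NEXTHOP_RE.search(line)
                if m:
                    return m.group(1), m.group(2)
    return None


def findings(trace):
    """List the things worth checking: non-ALLOW phases, hairpin, PBR choice."""
    out = []
    for p in trace["phases"]:
        if p["result"] != "ALLOW":
            out.append(f"phase {p['phase']} {p['type']} returned {p['result']}")
    f = trace["final"]
    if f.get("input-interface") and f["input-interface"] == f.get("output-interface"):
        out.append(f"hairpin: ingress and egress are both {f['input-interface']} "
                   "(needs same-security-traffic permit intra-interface)")
    pbr = pbr_decision(trace)
    if pbr:
        out.append(f"pbr: next-hop {pbr[0]} via {pbr[1]}")
    return out


if __name__ == "__main__":
    for item in findings(parse_packet_tracer(SAMPLE_TRACE)):
        print(item)
```

Running it against the trace from the post reports no non-ALLOW phase, a hairpin on Inside, and the PBR choice of 10.1.1.51 via Inside, which matches what the post describes: the trace itself is clean, so the next place to look is the data path after flow creation (the capture on the Inside interface and the ARP/adjacency state for the next-hop) rather than the PBR match.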