My objective is to intercept traffic from a particular subnet (192.168.5.0/24) that has been directed to the ASA as the default external route and then redirect that traffic to a proxy server that exists on the ingress interface.
I've set up the PBR to identify the correct traffic and set the next hop to the proxy server, which is on a directly connected subnet (to the ingress interface). A packet trace and debug policy-route both show the PBR performing correctly. However, no traffic ever leaves the ASA target interface. I have confirmed this with a packet capture.
Note: "Enable traffic between 2 or more hosts on the same interface" is on.
Another observation was that I started getting deny hits specifying traffic from the source subnet heading for external hosts with PBR-matching ports on the inside interface. Creating a rule to allow this stopped the notifications, but no traffic is leaving the interface.
Note: From the ASA I can ping the proxy and vice versa.
If I try using the ip-verify-availability set clause, I get messages in the syslog stating the target addresses are down, yet I can ping them.
See below for relevant config snippets and packet trace outputs.
Any advice would be gratefully accepted.
object-group service Internet_Services tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_40
network-object 192.168.25.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
object-group network DM_INLINE_NETWORK_41
network-object 192.168.25.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
access-list Inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_41 any4 object-group Internet_Services
access-list Test_Proxy_Networks extended permit tcp object-group DM_INLINE_NETWORK_40 any4 object-group Internet_Services
route-map Route_Proxy_Traffic permit 1
match ip address Test_Proxy_Networks
set ip next-hop 10.1.1.51 10.1.1.50
set interface Inside
show policy-route
Interface Route map
GigabitEthernet0/1 Route_Proxy_Traffic
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3284a86380, priority=1, domain=permit, deny=false
hits=247343186, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Inside, output_ifc=any
Phase: 2
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map Route_Proxy_Traffic permit 1
match ip address Test_Proxy_Networks
set ip next-hop 10.1.1.51 10.1.1.50
set interface Inside
Additional Information:
Matched route-map Route_Proxy_Traffic, sequence 1, permit
Found next-hop 10.1.1.51 using egress ifc Inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside control-plane
access-list Inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_41 any4 object-group Internet_Services
access-list Inside_access_in remark Temp rule to test PBR with Staging and Development
object-group network DM_INLINE_NETWORK_41
network-object 192.168.25.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
object-group service Internet_Services tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f328c69bc20, priority=13, domain=permit, deny=false
hits=46067, user_data=0x7f327a5a5940, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=192.168.5.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3283c34c50, priority=1, domain=nat-per-session, deny=true
hits=15722604, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3284a8fa90, priority=0, domain=inspect-ip-options, deny=true
hits=5603537, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3284e5fa10, priority=20, domain=lu, deny=false
hits=390333, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f3283c34c50, priority=1, domain=nat-per-session, deny=true
hits=15722606, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f3284a8fa90, priority=0, domain=inspect-ip-options, deny=true
hits=5603539, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 15301427, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow
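As an added example that is not part of the original post or of any Cisco tool: a small Python parser for ASA packet-tracer output of the kind shown above. It splits the trace into phases, extracts the PBR-LOOKUP decision (next hop and egress interface), and flags the condition that matters here: the chosen egress interface is the same as the ingress interface, so the flow is a hairpin that depends on `same-security-traffic permit intra-interface` (the ASDM checkbox "Enable traffic between 2 or more hosts on the same interface") and on a symmetric reply path. The embedded trace is a constructed, abbreviated copy of the one in the post; the function and class names are mine.

```python
"""Parse Cisco ASA packet-tracer output and flag PBR hairpin egress.

Added example, not from the original post. SAMPLE_TRACE is a constructed,
abbreviated version of the trace in the post.
"""
import re
from dataclasses import dataclass, field

SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
input_ifc=Inside, output_ifc=any

Phase: 2
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map Route_Proxy_Traffic permit 1
 match ip address Test_Proxy_Networks
 set ip next-hop 10.1.1.51 10.1.1.50
 set interface Inside
Additional Information:
Matched route-map Route_Proxy_Traffic, sequence 1, permit
Found next-hop 10.1.1.51 using egress ifc Inside

Result:
input-interface: Inside
input-status: up
output-interface: Inside
output-status: up
Action: allow
"""

PBR_RE = re.compile(r"Found next-hop (\S+) using egress ifc (\S+)")


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    lines: list = field(default_factory=list)  # Config / Additional Information text


@dataclass
class Trace:
    phases: list
    summary: dict  # the trailing "Result:" block (interfaces, Action)


def parse_packet_tracer(text):
    """Split a packet-tracer dump into numbered phases plus the final summary."""
    phases, summary, current, in_summary = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)", line)
        if m:  # start of a new phase
            current = Phase(int(m.group(1)))
            phases.append(current)
            in_summary = False
            continue
        if line == "Result:":  # bare "Result:" opens the final summary block
            in_summary, current = True, None
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif current is not None:
            for attr in ("type", "subtype", "result"):
                if line.lower().startswith(attr + ":"):
                    setattr(current, attr, line.split(":", 1)[1].strip())
                    break
            else:
                current.lines.append(line)
    return Trace(phases, summary)


def pbr_decision(trace):
    """Return {'next_hop', 'egress_ifc'} from the PBR-LOOKUP phase, or None."""
    for p in trace.phases:
        if p.type == "PBR-LOOKUP":
            for l in p.lines:
                m = PBR_RE.search(l)
                if m:
                    return {"next_hop": m.group(1), "egress_ifc": m.group(2)}
    return None


def check_trace(trace):
    """Return human-readable findings; an empty list means nothing unusual."""
    findings = []
    for p in trace.phases:
        if p.result.upper() != "ALLOW":
            findings.append(f"phase {p.number} ({p.type}) result is {p.result}")
    s = trace.summary
    if s.get("Action", "").lower() != "allow":
        findings.append(f"final action is {s.get('Action')}")
    pbr = pbr_decision(trace)
    if pbr is None:
        findings.append("no PBR-LOOKUP phase: the route-map did not match this flow")
    elif pbr["egress_ifc"] == s.get("input-interface"):
        findings.append(
            f"hairpin: PBR next-hop {pbr['next_hop']} is reached via the ingress "
            f"interface {pbr['egress_ifc']}; requires 'same-security-traffic permit "
            "intra-interface' and a symmetric reply path through the ASA")
    return findings


if __name__ == "__main__":
    for f in check_trace(parse_packet_tracer(SAMPLE_TRACE)):
        print(f)
```

A clean trace with only the hairpin finding says the simulated forward path is fine; it does not prove the packet left the wire, which is why the capture in the post is the stronger evidence. Run the parser over a real `packet-tracer input Inside tcp <src> <sport> <dst> 443` dump to see which phase, if any, reports something other than ALLOW.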