ASA PBR problem

mickyq · ‎06-21-2018

what trouble shooting commands are there available for PBR on ASA?

ive created a pbr and its working outbound fine, the problem I have is an external IP coming inbound is translated and routed correctly however the return traffic doesnt see to leave the firewall.

A packet cap on the outside and dmz interface shows traffic coming into the firewall from the internet. it gets translated from the public ip to the internal ip and routed to the dmz interface. I can see packets coming back from the internal server destined to the internet on the dmz interface but i dont see the packets leave the outside interface.

Thanks

Abdullo Salikhov · ‎06-21-2018

Are you using SIP ? Do you see SIP confirmation exchange ? Can you share your NAT and do you have inspect SIP enabled ?

Abdullo Salikhov
Dushanbe, Tajikistan

mickyq · ‎06-21-2018

im not using SIP. its just internet traffic to an internal server on 443

Florin Barhala · ‎06-21-2018

I have tried on 9.6: PBR and NAT doesn't work on ASA (yet).
packet capture showed it as it works but traffic capture and production said something else.

mickyq · ‎06-21-2018

Thanks

the outbound dynamic nat with PBR seems to work ok. Im using v9.8

is there a compatibility table?

Florin Barhala · ‎06-25-2018

Can you share the NAT config that's used in conjunction with PBR?

Thanks!

mickyq · ‎06-26-2018

I have managed to find the problem but im not sure I understand why its happening.

Outbound traffic is using the pbr and working.

inbound traffic from the internet to one of our public IP's translated to a server in the dmz doesnt work.

The problem seems to be with the return route from the server.

I can only get it working with a static route. I assumed inbound traffic would create a session and return the traffic back to the interface it came in on.