02-01-2017 06:10 PM - edited 03-12-2019 01:52 AM
Hi,
I am trying to configure my ASA 5515x with Policy Based Routing. I have 2 inside networks which need to access the internet via 2 different outside interfaces.
object network OBJ-NET-INSIDE25
subnet 172.25.1.0 255.255.255.0
object network OBJ-NET-INSIDE26
subnet 172.26.1.0 255.255.255.0
object network OBJ-NET-INSIDE25
nat (inside25,outside1) dynamic interface
object network OBJ-NET-INSIDE26
nat (inside26,outside2) dynamic interface
access-list ACL-OUTSIDE1 permit 172.25.1.0 255.255.255.0
access-list ACL-OUTSIDE2 permit 172.26.1.0 255.255.255.0
route-map PBR-MAP permit 10
match ip address ACL-OUTSIDE1
set interface OUTSIDE1
route-map PBR-MAP permit 20
match ip address ACL-OUTSIDE2
set interface OUTSIDE2
route-map PBR-MAP permit 30
set interface null0
interface GigabitEthernet0/0
policy-route route-map PBR-MAP
interface GigabitEthernet0/1
policy-route route-map PBR-MAP
It does not work. The PC in the inside26 network did not get internet access. I did a debug as follows:
pbr: policy based route lookup called for x.x.x.77/138 to x.x.x.255/138 proto 17 sub_proto 0 received on interface outside2
pbr: First matching rule from ACL(-1)
pbr: route map PBR-MAP, sequence 30, permit; proceed with policy routing
pbr: evaluating interface Null0
pbr: policy based routing applied; packet is dropped
Is something not right with the access-list? It matches sequence 30. Since the PC is in inside26, it should match sequence 20, but it didn't.
Any idea? Please assist.
02-01-2017 06:36 PM
Hi,
A couple of issues:
You need to configure extended ACLs to match under the route-map:
access-list ACL-OUTSIDE2 extended permit 172.26.1.0 255.255.255.0 any
access-list ACL-OUTSIDE1 extended permit 172.25.1.0 255.255.255.0 any
Secondly, it seems you applied the PBR on your outbound interfaces, but it needs to be configured in the inbound direction. Remove it from Gi0/0 and Gi0/1 and apply it to the inside25 and inside26 interfaces.
Make sure that you have a second default route with a higher metric for the outside2 interface:
route outside1 0 0 <ISP 1> 1
route outside2 0 0 <ISP 2> 2
As a recommendation, we prefer to use the set ip next-hop instead of the set interface on the route-map clause.
HTH
Pablo
02-01-2017 08:40 PM
Hi,
I made the amendments and the PBR is now working.
However, my DHCP is not working. Initially it was working.
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 86400
dhcpd address 172.25.1.50-172.25.1.200 inside25
dhcpd enable inside25
dhcpd address 172.26.1.50-172.26.1.200 inside26
dhcpd enable inside26
I also could not ping from the inside segment to any outside public IP.
I did the following:
interface GigabitEthernet0/2
policy-route route-map PBR-MAP
interface GigabitEthernet0/3
policy-route route-map PBR-MAP
access-list ACL-OUTSIDE1 extended permit ip 172.25.1.0 255.255.255.0 any4
access-list ACL-OUTSIDE2 extended permit ip 172.26.1.0 255.255.255.0 any4
route-map PBR-MAP permit 10
match ip address ACL-OUTSIDE1
set ip next-hop <isp1 gw>
route-map PBR-MAP permit 20
match ip address ACL-OUTSIDE2
set ip next-hop <isp2 gw>
route-map PBR-MAP permit 30
set interface null0
Please advise.
02-01-2017 08:43 PM
Hi,
I also added the following lines
route outside1 0.0.0.0 0.0.0.0 <ISP1 Gw> 1
route outside2 0.0.0.0 0.0.0.0 <ISP2 Gw> 2
02-02-2017 10:13 AM
Hi,
The problem is that you're blackholing the DHCP requests on clause 30 of your route-map. You can either remove this clause or create a clause above it that matches a new ACL permitting traffic from 0.0.0.0 to 255.255.255.255, although this might not work due to CSCux16427.
HTH
Pablo
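The two answers above rest on three points: the route-map's match ACLs must be extended, clauses are walked in sequence order and the first match wins, and a final clause with no match statement and set interface null0 blackholes everything the earlier clauses did not catch, DHCP discovers from 0.0.0.0 included. The following Python script is an added example, not code from the thread or from Cisco: it is a toy model of that clause walk, parsing the original poster's two corrected ACL lines and running constructed packets through PBR-MAP with and without the catch-all clause. The next-hop strings are the thread's own placeholders, the packet addresses are constructed, and the rule that only an extended ACL is accepted under a route-map is taken from the first answer rather than from any Cisco documentation.

```python
"""Toy model of how an ASA walks a PBR route-map (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"


@dataclass
class AclEntry:
    """One 'extended permit' line: protocol, source network, destination network."""
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst)


@dataclass
class Clause:
    seq: int
    acl: list      # empty list = clause has no 'match', so it matches every packet
    action: str    # the clause's 'set' (next-hop or interface)


def _parse_addr(tokens):
    """Consume 'any'/'any4', 'host A.B.C.D' or 'A.B.C.D MASK' from the token list."""
    if tokens[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl_line(line):
    """Parse one ASA ACL line into (name, AclEntry); only extended permit lines are accepted."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name = tok[1]
    if tok[2] != "extended":
        # the first answer's point: a standard ACL is not matched by 'match ip address'
        raise ValueError(f"{name}: standard ACL cannot be matched under a route-map")
    if len(tok) < 6 or tok[3] != "permit":
        raise ValueError(f"{name}: only complete permit entries are modelled")
    rest, proto = tok[4:], "ip"
    if rest[0] not in ("any", "any4", "host") and not rest[0][0].isdigit():
        proto, rest = rest[0], rest[1:]   # explicit protocol keyword such as 'ip' or 'udp'
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    return name, AclEntry(proto, src, dst)


def acl_usable_under_route_map(line):
    """True when the line parses as an extended entry this model can match on."""
    try:
        parse_acl_line(line)
        return True
    except ValueError:
        return False


def load_acls(lines):
    acls = {}
    for line in lines:
        name, entry = parse_acl_line(line)
        acls.setdefault(name, []).append(entry)
    return acls


def evaluate(route_map, pkt):
    """First-match walk in sequence order; (None, 'normal routing') when nothing matches."""
    for clause in sorted(route_map, key=lambda c: c.seq):
        if not clause.acl or any(e.matches(pkt) for e in clause.acl):
            return clause.seq, clause.action
    return None, "normal routing"


# The two corrected ACLs from the original poster's follow-up.
ACL_LINES = [
    "access-list ACL-OUTSIDE1 extended permit ip 172.25.1.0 255.255.255.0 any4",
    "access-list ACL-OUTSIDE2 extended permit ip 172.26.1.0 255.255.255.0 any4",
]


def build_route_map(acls, with_null0_catchall=True):
    """PBR-MAP as in the thread; the next-hop values are the thread's ISP placeholders."""
    rm = [Clause(10, acls["ACL-OUTSIDE1"], "next-hop <isp1 gw>"),
          Clause(20, acls["ACL-OUTSIDE2"], "next-hop <isp2 gw>")]
    if with_null0_catchall:
        rm.append(Clause(30, [], "interface null0"))   # no 'match': everything else is dropped
    return rm


def run_scenarios():
    """Constructed packets run through PBR-MAP with and without the null0 catch-all."""
    acls = load_acls(ACL_LINES)
    with_30, without_30 = build_route_map(acls), build_route_map(acls, False)
    dhcp_discover = Packet("0.0.0.0", "255.255.255.255", "udp")  # client has no address yet
    inside26_host = Packet("172.26.1.77", "198.51.100.10")       # constructed inside26 host
    unlisted = Packet("172.27.1.5", "198.51.100.10")             # constructed subnet with no clause
    return {
        "dhcp_with_clause30": evaluate(with_30, dhcp_discover),
        "dhcp_without_clause30": evaluate(without_30, dhcp_discover),
        "inside26_to_internet": evaluate(with_30, inside26_host),
        "unlisted_subnet_with_clause30": evaluate(with_30, unlisted),
        "unlisted_subnet_without_clause30": evaluate(without_30, unlisted),
    }


if __name__ == "__main__":
    for name, (seq, action) in run_scenarios().items():
        print(f"{name:34} seq={seq} -> {action}")
```

Running it reproduces the debug output the original poster saw: the DHCP discover, and any subnet that has no clause of its own, fall through to sequence 30 and are dropped, while inside26 traffic hits clause 20. Without the catch-all, unmatched traffic is simply handed to the routing table, which is the safer default when the two default routes with different metrics are already in place.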
01-05-2018 12:50 PM
Hello Cisco Community!
I am trying to accomplish the same objective. I now have two ISP links, and I need to provide access to the new link for only one subnet. I have reviewed the "Policy Based Routing" doc for the ASA and have already entered the needed commands based on that document. My concern is that all LAN traffic is entering the ASA 5515-X through one interface, "inside", so when I apply the route-map for the specific subnet that I configured, the other subnets might not traverse through. I believe I am looking at this like a trunk port. Would implementing the route-map for the specific subnet on the "inside" interface drop the traffic of the other subnets?