ASA Policy Based Routing Alternative

mikedelafield · ‎01-25-2013

Hi there.

I believe its possible to mimic some of the functionality of PBR using NAT.

I've found this example which seems like it would logically work for the old NAT statements.

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route outside1 0.0.0.0 0.0.0.0 193.168.1.1 2

nat (inside) 1 0 0
global (outside) 1 interface
global (outside1) 1 interface

static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
static (outside1,inside) tcp 0.0.0.0 smtp 0.0.0.0 smtp netmask 0.0.0.0

Is this solution a valid workaround for the new NAT statements of 8.4 and above?

I've tried to get it working but without success so far.

What I would like to do is push web traffic via one ISP and SMTP via another, but so far when I check which IP i'm connecting as at the other end i'm still coming from the default.

Has anyone made this work on 8.4 +?

Thanks.

Mike

mikedelafield · ‎01-25-2013

Using the packet tracer I can see that the route-lookup is occuring first and it is not basing its decision on the destination NAT rule.

I thought that the route-lookup command needed to be run for this to happen, but I can confirm it has not been run....

Jouni Forss · ‎01-25-2013

Hi,

Not exactly what you are looking for but thought I'd still mention.

The only enviroment where I have actually succesfully configured overlapping networks or "a type of PBR" with a single ASA is with an ASA that is only serving VPN Client connectivity.

I used 8.4(x) software and used NAT to determine the ingress and eggress interface for traffic (As I knew both the source and destination of the traffic this was easy). It also seemed setting the "Vlan value" under the Group-policy handled choosing the eggress interface as the VPN Client users traffic was coming to the ASA from the tunnel.

After this it was only matter of configuring routes with different metrics towards the subinterfaces

This seemed to work just fine but rather than manage such an environment with a nightmarish NAT and route configuration I'm still waiting for the decision if we are going to get an Cisco IOS device instead to handle this.

At the moment I'd rather use a IOS device to do any PBR if needed.

- Jouni

mikedelafield · ‎01-25-2013

I've seen many examples of people saying they have this working using the old nat commands.

And indeed the CLI doc implies that if you have a NAT rule in place and specify an interface then it uses the NAT interface for egress automatically.

"If you specify an optional interface, then the ASA uses the NAT configuration to determine the egress interface. For identity NAT, the default behavior is to use the NAT configuration, but you have the option to always use a route lookup instead."

I'm pretty sure if can work i'm just missing a command to skip the route-lookup first...

Jouni Forss · ‎01-25-2013

Hi,

This is from 8.4(2) Release notes (Had to check as theres been some changes all throughout 8.4 software level in the minor updates)

Identity NAT configurable proxy ARP and route lookup

In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup was always used to determine the egress interface. You could not configure these settings. In 8.4(2) and later, the default behavior for identity NAT was changed to match the behavior of other static NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress interface (if specified) by default. You can leave these settings as is, or you can enable or disable them discretely. Note that you can now also disable proxy ARP for regular static NAT.

For pre-8.3 configurations, the migration of NAT exempt rules (the nat 0 access-list command) to 8.4(2) and later now includes the following keywords to disable proxy ARP and to use a route lookup: no-proxy-arp and route-lookup. The unidirectional keyword that was used for migrating to 8.3(2) and 8.4(1) is no longer used for migration. When upgrading to 8.4(2) from 8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp and route-lookup keywords, to maintain existing functionality. The unidirectional keyword is removed.

We modified the following commands: nat static [no-proxy-arp] [route-lookup] (object network) and nat source static [no-proxy-arp] [route-lookup] (global).

According to the above if you have 8.4(1) for example "route-lookup" is always active. And from 8.4(2) onwards the default behaviour should be that "route-lookup" is disabled and NAT handles the ingress/eggress decision.

What software level are you using? What kind of NAT configurations have you used to try this out?

Guess I might be able to try this out at home with my own ASA later. But until that I cant really say as I havent tried this or have not had the need to do this functionality on an ASA.

- Jouni

mikedelafield · ‎01-25-2013

Its acutally 8.6 so i've been working on the above 8.4(1) logic...

As far as I can see route-lookup should not be used where a specific NAT is in place but I can't get it to work that way

Jouni Forss · ‎01-25-2013

Hi,

I'll let you know about the results if I get to test this out. Can you share any configurations and "packet-tracer" outputs on the things you have tried so far for me to compare to if I get to test this out?

Dont know if I will have time on the weekend and next week I will be at Cisco Live! 2013 London

- Jouni

mikedelafield · ‎01-25-2013

If anyone else has any ideas on destination NAT to force traffic out of a partuclar outside interface regardless of routes..... I keep seeing hints that its possible but can't quite get it working....

Jouni Forss · ‎01-26-2013

Hi,

So I did a very simple test on my home ASA 5505 running 9.1(1) (Base License)

Heres my basic configuration

Some notes

WAN-SEC IP address is just a placeholder
There is a "no forward" configuration on the interface as I only have Base License on my home ASA
- This doesnt however prevent traffic initiated from LAN -> WAN-SEC
x.x.x.x = My actual WAN public IP address
y.y.y.y = My actual WAN public IP gateway

INTERFACES

interface Vlan1

description LAN

nameif LAN

security-level 100

ip address 10.0.10.2 255.255.255.0

!

interface Vlan10

description WAN

nameif WAN

security-level 0

ip address x.x.x.x 255.255.255.248

!

interface Vlan20

no forward interface Vlan1

nameif WAN-SEC

security-level 50

ip address 10.10.234.1 255.255.255.0

ROUTES

route WAN 0.0.0.0 0.0.0.0 y.y.y.y 1

route WAN-SEC 0.0.0.0 0.0.0.0 10.10.234.2 2

NAT OBJECTS

object service WWW

service tcp destination eq www

object service SMTP

service tcp destination eq smtp

NAT CONFIGURATIONS

nat (LAN,WAN) source dynamic any interface service WWW WWW

nat (LAN,WAN-SEC) source dynamic any interface service SMTP SMTP

!

nat (LAN,WAN) after-auto source dynamic LAN-NETWORK interface

PACKET-TRACER OUTPUT

WWW-TRAFFIC

ASA(config)# packet-tracer input LAN tcp 10.0.0.100 1025 1.2.3.4 80

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN) source dynamic any interface service WWW WWW

Additional Information:

NAT divert to egress interface WAN

Untranslate 1.2.3.4/80 to 1.2.3.4/80

Phase: 2

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN) source dynamic any interface service WWW WWW

Additional Information:

Dynamic translate 10.0.0.100/1025 to x.x.x.x/1025

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN) source dynamic any interface service WWW WWW

Additional Information:

Phase: 7

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 112793, packet dispatched to next module

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN

output-status: up

output-line-status: up

Action: allow

SMTP TRAFFIC

ASA# packet-tracer input LAN tcp 10.0.0.100 1025 1.2.3.4 25

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN-SEC) source dynamic any interface service SMTP SMTP

Additional Information:

NAT divert to egress interface WAN-SEC

Untranslate 1.2.3.4/25 to 1.2.3.4/25

Phase: 2

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN-SEC) source dynamic any interface service SMTP SMTP

Additional Information:

Dynamic translate 10.0.0.100/1025 to 10.10.234.1/1025

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: inspect-smtp

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN-SEC) source dynamic any interface service SMTP SMTP

Additional Information:

Phase: 8

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Phase: 12

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 112797, packet dispatched to next module

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN-SEC

output-status: up

output-line-status: up

Action: allow

This was the only setup I could get the "packet-tracer" output seem what its "supposed" to show when the traffic would leave to different WAN interface.

Hopefully you can get something out of this. I wont be able to proper lab this unless I use equipment and WAN connections at my work. But that wont happen until maybe after a week or so.

Let me know if you have already tried this and it doesnt work. And also if you havent yet tried it let me know did it help at all.

- Jouni

kenrandrews · ‎07-11-2013

Thanks for the effort on this, it really helped to point me in the right direction. I tried it out and it was not working because even though it gets sent to the interface properly it looks for a route once it gets to that interface and fails. I was able to set the default route pointing out the WAN-SEC interface and then put the below routes pointing out the WAN interface.

route WAN 0.0.0.0 128.0.0.0 10.2.101.1 1

route WAN 128.0.0.0 128.0.0.0 10.2.101.1 1

Since they are more specific normal traffic flows out the WAN interface while the NAT'd traffic is sent out the other interface. I confirmed it is working using packet captures.