1326 Views | 0 Helpful | 4 Replies

Cisco ASA 5515-X Policy Based Routing

nishesh3003
Level 1

Hello!

I have not used PBR on Cisco ASAs before and I have some questions I would rather get clarified before I dive into the configuration.

The Cisco ASA has the following interfaces connected:

Outside1 > ISP1
Outside2 > ISP2
Inside1
Inside2
Inside3
Inside4
Inside5

Our remote ASA has the following interfaces connected:

RemOutside1
RemInside1

Outside1 to ISP1 is the default route on the ASA.

All Inside subnets currently use Outside1 to go out to the Internet and to set up the IPSEC tunnel with our remote ASA 5525.

Inside3 and Inside4 now need to use PBR to go out via Outside2 for both Internet and IPSEC tunneling.

I am using extended ACLs to filter traffic based upon source subnet Inside3 and destination subnet RemInside1.

I am using this ACL in my route map with multiple permit statements.

My confusion is: what happens when Inside3 tries to communicate with Inside1? Do directly connected routes take precedence? Also, does IPSEC between Inside3 and RemInside1 require any additional configuration outside of phase 1 and phase 2?

4 Replies

PBR takes precedence over any routing protocol. However, if you don't include the in1 and in3 subnets in PBR, then it won't be invoked for inter-zone traffic.

For IPSec you need to configure a normal VPN. Just avoid overlapping subnets between both tunnels (ISP1-remote and ISP2-remote). This will be a problem.

1. How do I achieve routing between the directly connected subnets on the inside and also have them PBR to ISP2 for all Internet communications?

2. So do I create a PBR for IPSEC tunneling, or is the crypto map enough to take care of this if I do not include the two subnets in any shape or form within the PBR?


gekko2725
Level 1

Great thread! Here is a quick related question on the topic, in case anyone else here has seen it.

Does anyone know what would happen if a policy route-map is applied to a VLAN whose access-list does not include all the members of the VLAN?

1) Do the other members of the VLAN get dropped, or
2) Do the other members inherit the default route for the switch?

I understand that PBRs take precedence over static and default routes. I'm curious what happens to the members of that segment that are not listed in the access-list.

Here is an example:

- There is a network of 10.10.1.0/24 on VLAN 10
- The VLAN IP is 10.10.1.10
- The default switch gateway is 10.10.1.1
- There is an alternative gateway of 10.10.1.2

! Match HTTP & SSL traffic for a specific host
CAT3550(config)# access-list 100 permit tcp 10.10.1.10 0.0.0.0 any eq 80 443
CAT3550(config)# access-list 100 permit tcp 10.10.1.11 0.0.0.0 any eq 80 443
CAT3550(config)# access-list 100 permit tcp 10.10.1.12 0.0.0.0 any eq 80 443

CAT3550(config)# route-map secureweb permit 10
CAT3550(config-route-map)# match ip address 100
CAT3550(config-route-map)# set ip next-hop 10.10.1.2
CAT3550(config-route-map)# end

CAT3550(config)# interface Vlan10
CAT3550(config-if)# ip policy route-map secureweb
CAT3550(config-if)# end

Cheers,
Stewart
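As an added illustration (not configuration posted by anyone in this thread and not Cisco's own example), here is one way to express the first reply's advice on the ASA side, using constructed addresses: Inside1-5 as 10.1.1.0/24 through 10.1.5.0/24, RemInside1 as 10.2.1.0/24, and 203.0.113.1 as the assumed ISP2 next hop. It also answers Stewart's question for both platforms: a packet that matches no permit clause of the route-map (or that hits a deny entry in the ACL) is simply handed to the normal routing table, where the connected and default routes apply; it is not dropped. ASA PBR requires 9.4(1) or later.

```cisco
! Constructed example; interface names and addresses are assumptions.
! Deny entries are evaluated before the permit entries, so traffic from
! Inside3/Inside4 to any of the other directly connected inside subnets
! (aggregated here as 10.1.0.0/16) is NOT policy-routed and falls through
! to the routing table, where the connected routes win.
! Traffic to the Internet and to RemInside1 (10.2.1.0/24) matches the
! permit entries and is sent to ISP2; the crypto map bound to Outside2
! then encrypts the Inside3/Inside4 -> RemInside1 flows as usual.
access-list PBR-ISP2 extended deny ip 10.1.3.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list PBR-ISP2 extended deny ip 10.1.4.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list PBR-ISP2 extended permit ip 10.1.3.0 255.255.255.0 any
access-list PBR-ISP2 extended permit ip 10.1.4.0 255.255.255.0 any

route-map PBR-ISP2 permit 10
 match ip address PBR-ISP2
 set ip next-hop 203.0.113.1

! PBR is applied on the ingress interfaces, i.e. the inside interfaces
! whose hosts should prefer ISP2 (physical names are assumptions).
interface GigabitEthernet0/3
 nameif Inside3
 policy-route route-map PBR-ISP2

interface GigabitEthernet0/4
 nameif Inside4
 policy-route route-map PBR-ISP2
```

Verify the decision per flow with packet-tracer (for example `packet-tracer input Inside3 tcp 10.1.3.10 1025 10.1.1.10 80`) and confirm the PBR phase is skipped for inside-to-inside traffic but selects Outside2 for Internet and RemInside1 destinations.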
