Cisco ASA, 9.4 - we got PBR (Policy based Routing)

Philip D'Ath · ‎01-10-2016

I can hardly believe it. ASA 9.4 has added proper PBR support.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html

Routing Features

Policy Based Routing

Policy Based Routing (PBR) is a mechanism by which traffic is routed through specific paths with a specified QoS using ACLs. ACLs let traffic be classified based on the content of the packet’s Layer 3 and Layer 4 headers. This solution lets administrators provide QoS to differentiated traffic, distribute interactive and batch traffic among low-bandwidth, low-cost permanent paths and high-bandwidth, high-cost switched paths, and allows Internet service providers and other organizations to route traffic originating from various sets of users through well-defined Internet connections.

We introduced the following commands: set ip next-hop verify-availability, set ip next-hop, set ip next-hop recursive, set interface, set ip default next-hop, set default interface, set ip df, set ip dscp, policy-route route-map, show policy-route, debug policy-route

Akshay Rastogi · ‎01-11-2016

Hi Philip,

That's true. PBR is now supported on ASA from version 9.4.1. Customer would now be able to run PBR directly from ASA. They now need not to be dependent on Next Hope device to support Dual ISP based Scenarios. Source Based Routing is now supported directly from ASA. :)

Regards,

Akshay Rastogi

Philip D'Ath · ‎01-11-2016

I was doing some testing yesterday and had some issues with 9.4(2). It broke AnyConnect with certificates. However 9.5(2) seems to make everything work again. I feel a new gold star release candidate coming up in 6 months.

Jon Marshall · ‎01-11-2016

Hi Philip

Just out of interest do you know why it broke it ?

I only ask as a thread in LAN you answered has an issue with PBR and wondered if it might be the same sort of thing -

https://supportforums.cisco.com/discussion/12744756/asa-5512-9423-policy-based-routing-pbr-stateful

Jon

Philip D'Ath · ‎01-11-2016

What was happening is 9.4(2) was ignoring the configured trustpoint, and using the self generated certificate.

Alas I have just discovered that IKEv1 user to site VPNs seem to be broken in 9.5(2).

Not having a good day with my experiment.

Philip D'Ath · ‎01-11-2016

My first day of trying to use PBR and I crashed and burned.

The ASA had an existing 10Mb/s symmetric fibre circuit, and we were adding a new 200Mb/s symmetric PPPoE circuit. The customer wanted all web browsing to go down the 200Mb/s circuit.

I was using the "set interface" option to set the output interface. Well, PBR on an ASA wont use the specified output interface unless there is already a route in the routing table.

Being PPPoE it is not possible to add a static route via it. Because the customer has an existing fibre circuit a static default route existed via that. PPPoE would not install a default route because of the existing static route.

End result, impossible to use PBR to select the output interface.

In this case we had already sold the customer an ISR 4331 for doing the policy routing, so back to plan 'A'.

Jon Marshall · ‎01-12-2016

Good job you didn't know about PBR on the ASA before you sold the customer a router :)

Jon

Report Inappropriate Content · ‎07-16-2017

The default route is to the 10Mb/s symmetric fibre circuit,not use 0.0.0.0 0.0.0.0;
change to this two route 0.0.0.0 128.0.0.0 and 128.0.0.0 128.0.0.0