Cisco ASA PBR scenario

deyster94
Level 5

I have a client that wants to use PBR on his ASA.  Here are the connections on their ASA:

Outside1 to ISP1

Outside2 to ISP2

Inside to internal networks

Connection to MPLS cloud and using OSPF for routing - this connection is provided by ISP1 and was designed before I got into the mix.  I don't understand why they did it this way, but it's causing headaches for this situation.  

They have two locations and would like to do the following with PBR:

1. Have all http, https and FTP traffic go outbound over ISP2, rest of outbound traffic goes out over ISP1 - pretty cut and dry

2. If above fails, all outbound go over ISP1

3. If MPLS fails, create a S2S tunnel over ISP2 

My concern is with the MPLS and how to keep the traffic taking the OSPF routing and to use the PBR/S2S if the MPLS connection goes down.  I do have an email into the client to find out if any http/https/ftp traffic goes across the MPLS connection.  If so, that will complicate the design.  

TIA for ideas/suggestions.  Feel free to ask any questions.

Dan 

3 Replies

Francesco Molino
VIP Alumni

Hi Dan

Hope I understood your concern correctly. 

First of all, to run PBR you should have version 9.4 but I guess you knew it. 

For the site-to-site VPN you'll apply the crypto map to your ISP2 interface. Your routing will always point out to ISP1 by default, and you'll need to add a route with a worse metric going to ISP2 in case ISP1 is down. You can also use tracking to install the route only when needed. 

The traffic will go through the tunnel only if it is routed to ISP2 and hits the crypto ACL; otherwise it'll still go through your MPLS. 

Forwarding only specific protocols like http, https and ftp through ISP2 is done using a specific ACL matching this traffic, applied in your PBR configuration. This PBR will be applied on your inside interface. 

Hope I answered your question. 

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question

Francesco,

Thank you for the reply.  Here is my concern.  The client stated that across the MPLS connection, there is going to be http, https and FTP traffic to internal resources.  If I have those protocols defined to go out over ISP2, that will obviously cause an issue.  I will have to define those protocols for internal networks to go over the MPLS circuit.  If that is the case, how will the S2S tunnel come up when the MPLS circuit is down?  

Thanks,

Dan

Hi Dan,

I don't get your point.

With PBR you can select the traffic you want and set the next hop to ISP2, right? I mean, using an ACL for PBR, you can deny http, https and ftp to internal networks so that it is not part of the PBR selection.

Then you can have a second default route going to ISP2 when ISP1 goes down, on which you'll have your site-to-site tunnel. The traffic will go through the VPN if the default route says that the outside interface is ISP2 and if the traffic matches the crypto ACL; otherwise the traffic won't take the VPN as the default path. Also, your MPLS OSPF routing isn't done on ISP2, right? Then there is no chance traffic goes through ISP2 if MPLS and ISP1 are up.

Hope that clarifies a bit.

Thanks
Francesco

PS: Please don't forget to rate and select as validated answer if this answered your question
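Putting Francesco's two replies together, the following is an added ASA 9.4+ configuration example written for this page; it is not from the thread, from Cisco documentation, or from Dan's client. It shows the pieces described above: a PBR ACL on the inside interface that denies web/FTP to internal and MPLS-reachable destinations before permitting the rest to ISP2, tracked next hops so PBR and the default route fall back to ISP1, a floating default route to ISP2, and a crypto map bound to outside2. All interface names, addresses (RFC 5737 and RFC 1918 space), object names and the VPN peer are placeholders I chose. One element goes beyond what the thread states and is my own addition: a floating static route for the remote-site prefix via outside2 with distance 200, which assumes the remote site is learned via OSPF (distance 110) over MPLS; when the OSPF route disappears, that static takes over, steers remote-site traffic to outside2, and lets it match the crypto ACL so the tunnel comes up even while ISP1 is still the default path.

```cisco
! Added example, not from the thread. All names, addresses and the peer are
! placeholders. 10.1.0.0/16 = local LAN, 10.2.0.0/16 = remote site over MPLS.

! --- Destinations that must keep following the routing table (OSPF/MPLS) ---
object-group network INTERNAL_NETS
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0

! --- PBR selection ACL: deny lines first so web/FTP to internal or MPLS
! --- destinations is NOT policy-routed; remaining 80/443/21 traffic is.
access-list PBR_WEB_FTP extended deny tcp any object-group INTERNAL_NETS eq www
access-list PBR_WEB_FTP extended deny tcp any object-group INTERNAL_NETS eq https
access-list PBR_WEB_FTP extended deny tcp any object-group INTERNAL_NETS eq ftp
access-list PBR_WEB_FTP extended permit tcp any any eq www
access-list PBR_WEB_FTP extended permit tcp any any eq https
access-list PBR_WEB_FTP extended permit tcp any any eq ftp

! --- Reachability tracking of each ISP next hop ---
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside1
 frequency 5
sla monitor schedule 10 life forever start-time now
track 10 rtr 10 reachability

sla monitor 20
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside2
 frequency 5
sla monitor schedule 20 life forever start-time now
track 20 rtr 20 reachability

! --- Default routes: ISP1 primary (withdrawn when track 10 fails), ISP2 floating ---
route outside1 0.0.0.0 0.0.0.0 198.51.100.1 1 track 10
route outside2 0.0.0.0 0.0.0.0 203.0.113.1 254

! --- Floating route for the remote site via ISP2 (my addition, assumes OSPF
! --- distance 110): only installed when the MPLS/OSPF route is gone.
route outside2 10.2.0.0 255.255.0.0 203.0.113.1 200

! --- PBR on inside: next hop ISP2 only while track 20 is up, else normal routing ---
route-map PBR_OUT permit 10
 match ip address PBR_WEB_FTP
 set ip next-hop verify-availability 203.0.113.1 1 track 20

interface GigabitEthernet0/2
 nameif inside
 security-level 100
 policy-route route-map PBR_OUT

! --- Internet PAT on whichever outside interface the packet leaves ---
nat (inside,outside1) after-auto source dynamic any interface
nat (inside,outside2) after-auto source dynamic any interface

! --- NAT exemption so tunnel traffic keeps real addresses and matches the crypto ACL ---
object network LOCAL_LAN
 subnet 10.1.0.0 255.255.0.0
object network REMOTE_LAN
 subnet 10.2.0.0 255.255.0.0
nat (inside,outside2) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup

! --- Site-to-site IKEv2 tunnel bound to outside2 ---
access-list VPN_TO_REMOTE extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map CM_OUTSIDE2 10 match address VPN_TO_REMOTE
crypto map CM_OUTSIDE2 10 set peer 203.0.113.50
crypto map CM_OUTSIDE2 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map CM_OUTSIDE2 interface outside2
crypto ikev2 enable outside2

! Placeholder PSK: replace with a long random secret on both peers
tunnel-group 203.0.113.50 type ipsec-l2l
tunnel-group 203.0.113.50 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ReplaceWithStrongPSK
 ikev2 local-authentication pre-shared-key ReplaceWithStrongPSK
```

To check the behaviour in each failure state, use `show track`, `show route` (the floating routes should only appear once the OSPF route or the tracked ISP1 default is withdrawn), `show crypto ikev2 sa`, and `packet-tracer input inside tcp 10.1.0.10 1025 10.2.0.10 80` (should show the OSPF/MPLS path while MPLS is up and the VPN encapsulation on outside2 after the MPLS route is gone); a second packet-tracer to a public address on port 443 should show outside2 via the route-map while track 20 is up. The order of the PBR ACL matters: PBR is evaluated before the routing lookup, so any destination that must stay on MPLS has to be denied there, exactly as Francesco's second reply says.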