Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
586
Views
2
Helpful
4
Replies

Cisco ASA Question re Route Maps

Go to solution
MattMH
Level 1
Level 1

‎01-05-2024 07:28 AM - edited ‎01-05-2024 07:33 AM

Would someone mind helping me determine what the purpose of a config like this is doing on a Cisco ASA? I am inheriting an ASA environment that has not been audited in years, is my assumption. 

I see a route-map that is matching on an ACL, LAN-DMZ-ACL. The route map is then using a Policy Based Routing configuration that sets the Interface to Inside-LAN.

The LAN-DMZ-ACL has 2 objects. A /16 network and a /24 network. The /16 network is our user network and the /24 is a VPN network. 

I do not understand why traffic from these 2 objects has a PBR that sets the interface to Inside-LAN bc the /16 and /24 objects are already coming from the Inside-LAN interface source. 

We have 10+ route maps setup the same way. Maybe this is typical of an ASA Fw deployment, but its not making sense to me.

If I look at some docs, I see... 
specify the egress interface for a route but not necessarily to set a specific outgoing interface.

Wouldnt the routing on the ASA handle this?

TIA

1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP

‎01-05-2024 08:27 AM

You are correct
Yes it should be
MHM

View solution in original post

4 Replies 4

Go to solution
MHM Cisco World
VIP
VIP

‎01-05-2024 08:27 AM

You are correct
Yes it should be
MHM

Go to solution
MHM Cisco World
VIP
VIP

‎01-05-2024 10:59 AM

can you check if this PBR is apply to interface or not

MHM

0 Helpful

Go to solution
MattMH
Level 1
Level 1
In response to MHM Cisco World

‎01-05-2024 11:06 AM

Yes, I did see that it is. 

Whoever set this up, seems like they were trying to do routing with it, vs just simply using routes. I ran into this issue bc I was trying to create a new static route and it wasn't working. I am pretty sure PBR's are priority over routes. 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to MattMH

‎01-05-2024 11:15 AM

there is one case 
when the DMZ and INside share same subnet (supernet) when the interface is flapping then the RIB will forward the traffic via wrong interface and if traffic is UDP then you will face issue in traffic 
the solution is timeout floating-conn but I think your team use PBR instead to be sure that the traffic always direct to correct interface.

MHM

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card