
FlexConfig for PBR on DMZ

Herald Sison
Level 3

Hi Everyone,

I have 4 ISPs connected to my FTD 7.0.5 device (ASA5508X) with FMC 7.3.0.

I have configured 3 of the ISPs to route for our internal network and created a FlexConfig for that; the other ISP has been routed to my DMZ network and I created a separate FlexConfig for it.

So technically 2 separate FlexConfigs have been added to the Selected Append FlexConfigs, and after deploying them we experienced downtime for the whole internal network. So I am wondering whether creating 2 separate FlexConfigs may have caused this problem, and whether it is possible to combine the 2 FlexConfigs into 1 FlexConfig file. Is that possible, or is it still the same?

Here are the 2 FlexConfigs below, consolidated into 1. I don't know if this works or not since I have not deployed it yet.

route-map $RM permit 10
 set ip next-hop verify-availability $INTERNET2_GW 1 track 5
 set ip next-hop verify-availability $INTERNET1A_GW-US 2 track 6
 set ip next-hop verify-availability $INTERNET1B_GW-ASIA 3 track 7

route-map $RM permit 30
 set ip next-hop verify-availability $INFINIVAN1A_GW-US 1 track 6
 set ip next-hop verify-availability $INFINIVAN1B_GW-ASIA 2 track 7
 set ip next-hop verify-availability $INTERNET2_GW 3 track 5

route-map $RM permit 33
 set ip next-hop verify-availability $INTERNET1B_GW-ASIA 1 track 7
 set ip next-hop verify-availability $INTERNET2_GW 2 track 5
 set ip next-hop verify-availability $INTERNET1A_GW-US 3 track 6

interface GigabitEthernet1/3
 policy-route route-map $RM

route-map $DMZ-RM permit 250
 set ip next-hop verify-availability $DMZ-WAN 1 track 8

interface GigabitEthernet1/5
 policy-route route-map $DMZ-RM

Accepted Solution

urathod
Cisco Employee

In your setup, consolidating the two FlexConfigs into one should not cause any issues. Your combined FlexConfig looks correct as written, and having them in one FlexConfig should make the configuration cleaner and easier to manage.

The downtime you experienced might have been caused by other factors. Deploying a FlexConfig should not cause any downtime, as it should only reconfigure the device without interrupting existing sessions. However, some changes, such as changing the routing, can cause a temporary disruption until the routing table is updated across all devices.

Before you deploy the new FlexConfig, I would recommend that you:

  1. Review your routing setup: Make sure that your route-maps are correctly configured and that there are no conflicts between them.

  2. Check your tracking setup: Ensure that the tracks are correctly set up and are associated with the right interface or IP SLA.

  3. Monitor the network: Use network monitoring tools to watch network performance during the deployment. If any issues occur, you can identify them quickly.

  4. Back up: Always back up your current configuration before making any changes. This way you can easily revert to the previous state if something goes wrong.

Lastly, if you have Cisco support, it could be useful to reach out to them for more specific advice tailored to your network setup.

If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) sessions. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as useful references, e.g. online guides and FAQs.
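As a worked check for the first two items in the accepted answer (route-map conflicts and track/SLA wiring), here is an added Python linter. It is not from this thread and not a Cisco tool; it parses the subset of ASA/FTD syntax used in the poster's FlexConfig, flags route-map entries that have no match clause (and so match all traffic and shadow every later sequence), flags track numbers with no `track N rtr M reachability` and `sla monitor M` definition behind them, and flags interfaces with more than one `policy-route` applied. It runs over the poster's fragment as posted and over a constructed, corrected DMZ fragment; the ACL name, addresses and interface name in the corrected sample are placeholders, not values from the thread.

```python
"""Static checks on an ASA/FTD FlexConfig PBR fragment (added example, not Cisco code)."""
import re
from dataclasses import dataclass, field


@dataclass
class PbrConfig:
    route_maps: dict = field(default_factory=dict)   # name -> {seq -> {"match": bool, "tracks": [int]}}
    tracks: dict = field(default_factory=dict)       # track id -> sla monitor id
    sla_monitors: set = field(default_factory=set)   # sla monitor ids that are defined
    sla_scheduled: set = field(default_factory=set)  # sla monitor ids with a schedule line
    interfaces: dict = field(default_factory=dict)   # interface -> [route-map names applied]


def parse_pbr(text):
    """Parse the ASA/FTD syntax that PBR with object tracking uses; other lines are ignored."""
    cfg = PbrConfig()
    current_rm = None   # (route-map name, sequence) while inside a route-map entry
    current_if = None   # interface name while inside an interface block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"route-map (\S+) (?:permit|deny) (\d+)$", line):
            current_rm, current_if = (m.group(1), int(m.group(2))), None
            cfg.route_maps.setdefault(m.group(1), {}).setdefault(
                int(m.group(2)), {"match": False, "tracks": []})
        elif m := re.match(r"interface (\S+)$", line):
            current_if, current_rm = m.group(1), None
            cfg.interfaces.setdefault(current_if, [])
        elif m := re.match(r"track (\d+) rtr (\d+) reachability$", line):
            cfg.tracks[int(m.group(1))] = int(m.group(2))
            current_rm = current_if = None
        elif m := re.match(r"sla monitor schedule (\d+)\b", line):
            cfg.sla_scheduled.add(int(m.group(1)))
        elif m := re.match(r"sla monitor (\d+)$", line):
            cfg.sla_monitors.add(int(m.group(1)))
            current_rm = current_if = None
        elif current_rm:
            entry = cfg.route_maps[current_rm[0]][current_rm[1]]
            if line.startswith("match "):
                entry["match"] = True
            elif m := re.match(r"set ip next-hop verify-availability \S+ \d+ track (\d+)$", line):
                entry["tracks"].append(int(m.group(1)))
        elif current_if:
            if m := re.match(r"policy-route route-map (\S+)$", line):
                cfg.interfaces[current_if].append(m.group(1))
    return cfg


def lint_pbr(cfg):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    for name, seqs in cfg.route_maps.items():
        for seq, entry in sorted(seqs.items()):
            if not entry["match"]:
                findings.append(f"route-map {name} {seq}: no match clause, so it matches "
                                "all traffic and shadows every later sequence")
            for t in entry["tracks"]:
                if t not in cfg.tracks:
                    findings.append(f"route-map {name} {seq}: track {t} is not defined")
                elif cfg.tracks[t] not in cfg.sla_monitors:
                    findings.append(f"track {t}: sla monitor {cfg.tracks[t]} is not defined")
                elif cfg.tracks[t] not in cfg.sla_scheduled:
                    findings.append(f"track {t}: sla monitor {cfg.tracks[t]} is never scheduled")
    for ifname, rms in cfg.interfaces.items():
        if len(rms) > 1:
            findings.append(f"{ifname}: more than one policy-route route-map applied")
        for rm in rms:
            if rm not in cfg.route_maps:
                findings.append(f"{ifname}: policy-route references undefined route-map {rm}")
    return list(dict.fromkeys(findings))  # drop duplicates, keep order


# The fragment from the original post, as posted (FlexConfig variables left in place).
POSTED_CONFIG = """
route-map $RM permit 10
 set ip next-hop verify-availability $INTERNET2_GW 1 track 5
 set ip next-hop verify-availability $INTERNET1A_GW-US 2 track 6
 set ip next-hop verify-availability $INTERNET1B_GW-ASIA 3 track 7
route-map $RM permit 30
 set ip next-hop verify-availability $INFINIVAN1A_GW-US 1 track 6
 set ip next-hop verify-availability $INFINIVAN1B_GW-ASIA 2 track 7
 set ip next-hop verify-availability $INTERNET2_GW 3 track 5
route-map $RM permit 33
 set ip next-hop verify-availability $INTERNET1B_GW-ASIA 1 track 7
 set ip next-hop verify-availability $INTERNET2_GW 2 track 5
 set ip next-hop verify-availability $INTERNET1A_GW-US 3 track 6
interface GigabitEthernet1/3
 policy-route route-map $RM
route-map $DMZ-RM permit 250
 set ip next-hop verify-availability $DMZ-WAN 1 track 8
interface GigabitEthernet1/5
 policy-route route-map $DMZ-RM
"""

# Constructed corrected DMZ fragment: ACL name, addresses and interface name are placeholders.
CORRECTED_CONFIG = """
access-list PBR_DMZ extended permit ip 10.10.50.0 255.255.255.0 any
sla monitor 8
 type echo protocol ipIcmpEcho 203.0.113.1 interface dmz-wan
 frequency 10
sla monitor schedule 8 life forever start-time now
track 8 rtr 8 reachability
route-map DMZ-RM permit 250
 match ip address PBR_DMZ
 set ip next-hop verify-availability 203.0.113.1 1 track 8
interface GigabitEthernet1/5
 policy-route route-map DMZ-RM
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"== {label} ==")
        for finding in lint_pbr(parse_pbr(text)) or ["no findings"]:
            print(" ", finding)
```

Run against the posted fragment it reports that all four route-map sequences lack a match clause and that tracks 5 to 8 are referenced but never defined, which is exactly what the later reply asks about ("first match traffic under the route-map", "what is the interface you use for each track?"); the corrected fragment produces no findings. The linter only sees the FlexConfig text, so it cannot tell whether the tracks are defined elsewhere on the device; treat its output as a checklist to verify against `show track` and `show sla monitor configuration`, not as proof.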


5 Replies


That's correct. What you need is to first match the traffic under the route-map.
Do you track 8.8.8.8? What is the interface you use for each track?

Herald Sison
Level 3

This has been addressed. You are right, we had a different issue occur, which is why traffic was disrupted. Thank you.

Can I know what the problem was here?

Hi Sir, we were hitting a bug that was not related to PBR. We have already applied the workaround and it is now running smoothly.
