Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
604
Views
5
Helpful
5
Replies

FMC PBR issues

Go to solution
tgillon
Level 1
Level 1

‎07-27-2022 10:02 AM

I'm having an issue with PBR that is driving me crazy.  I have 2 outside connections with all traffic defaulting to the 1st outside connection.  I'm trying to force 2 devices to send their traffic out the 2nd outside connection.  One of the devices is in the DMZ and the other device is on the inside connection.  The traffic from the DMZdevice goes out the 2nd connection, but the InsideDevice traffic does not.  Here are the relevant lines from my config:

interface Ethernet1/2
nameif outside2
security-level 0
ip address <x.x.x.x> 255.255.255.0
policy-route route-map Edge
!
interface Ethernet1/4
nameif dmz
security-level 0
ip address 192.168.0.1 255.255.255.0
policy-route route-map DMZEdge

route-map Edge permit 10
match ip address Force2Outside2
set ip next-hop <outside2 default gateway>

!
route-map DMZEdge permit 10
match ip address ForceDMZ2Outside2
set ip next-hop <outside2 default gateway>

access-list ForceDMZ2Outside2 extended deny object-group ProxySG_ExtendedACL_17179898506 any object IPv4-Private-10.0.0.0-8
access-list ForceDMZ2Outside2 extended permit object-group ProxySG_ExtendedACL_17179898510 object DMZdevice any
access-list Force2Outside2 extended deny object-group ProxySG_ExtendedACL_17179898440 any object DMZ
access-list Force2Outside2 extended permit object-group ProxySG_ExtendedACL_17179898444 object InsideDevice any

object network DMZdevice
nat (dmz,outside2) static obj-<unique outside2 public IP address>

object network InsideDevice
nat (Inside,outside2) static obj-<unique outside2 public IP address>

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP

‎07-28-2022 07:24 AM

interface Ethernet1/2
nameif outside2 <- this NOT IN interface 
security-level 0
ip address <x.x.x.x> 255.255.255.0
policy-route route-map Edge <- this for INSIDE client 

View solution in original post

5 Replies 5

Go to solution
MHM Cisco World
VIP
VIP

‎07-27-2022 12:06 PM

are the Client in Host use UDP traffic ?
IF YES then clear conn and it will work as you want 

clear conn protocol udp address


 

0 Helpful

Go to solution
tgillon
Level 1
Level 1
In response to MHM Cisco World

‎07-28-2022 04:26 AM

Thanks, but that did not work.  I also tried to clear xlate, but the route-map Edge never gets called.  The InsideDevice completely bypasses that and goes out the default connection.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎07-28-2022 07:24 AM

interface Ethernet1/2
nameif outside2 <- this NOT IN interface 
security-level 0
ip address <x.x.x.x> 255.255.255.0
policy-route route-map Edge <- this for INSIDE client 

Go to solution
tgillon
Level 1
Level 1
In response to MHM Cisco World

‎07-28-2022 07:31 AM

Thank you, that was it!

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to tgillon

‎07-28-2022 07:36 AM

You are so so welcome 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card