3763 Views | 0 Helpful | 8 Replies

PBR 9.4.1 ASA 5515-X

dustinn3 (Level 1)
FYI,

Hope this helps someone else. I was struggling trying to get PBR working on my ASA 5515-X 9.4.1. At first I tried adding it using ASDM, but that doesn't work at all. You can create the route-map, but it doesn't apply the policy-map to the interface. Additionally, it only allows you to use a standard ACL, which should work, but packets don't match the route-map for some reason. The only way I could get it to work was to set up the ACL, route-map, and policy-map, and assign the policy-route to the inside interface via CLI.

Also, when I added the ACL to the route-map, I got the following error, yet that's the only way it would work.

WARNING: If access-list pbracl_1 having destination "any\any4\any6" is used as match criteria for a route map, and applied to any routing protocol it will not have any effect. Instead use standard ACL or extended ACL without any\any4\any6 in destination.

Here's my working config:

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.X.X.X 255.255.255.0 
 policy-route route-map BGP
 ospf cost 10

access-list pbracl_1 line 1 extended permit ip host 10.X.X.X any

route-map BGP permit 10
 match ip address pbracl_1
 set ip next-hop 192.X.X.X
 set interface Internet
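As an added example (not code from this thread, from Cisco, or from ASDM), here is a small Python checker that parses the three pieces the post above and Cesar's CLI route-map further down rely on (the extended ACL, the route-map with `match ip address`, and the interface's `policy-route route-map`) out of running-config text. It reports the exact condition the ASA warning quoted above describes (a match ACL whose destination is any/any4/any6), a route-map whose match ACL is not defined, and a route-map that was created but never applied to an interface, which is the symptom the author hit with ASDM. The sample config is constructed for this example with RFC 5737 documentation addresses; the route-map name `ORPHAN` and ACL name `missing_acl` are hypothetical.

```python
"""Checker for ASA policy-based-routing stanzas (added example, not from the thread).

Parses access-list, route-map and interface stanzas out of running-config text and
reports: a match ACL whose destination is any/any4/any6 (the case the ASA warning
quotes), a route-map referencing an undefined ACL, and a route-map not applied to
any interface with "policy-route route-map".
"""
from dataclasses import dataclass, field

# Constructed sample config (RFC 5737 addresses); "ORPHAN"/"missing_acl" are hypothetical.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
 policy-route route-map BGP
 ospf cost 10
!
access-list pbracl_1 line 1 extended permit ip host 192.0.2.10 any
access-list std_1 standard permit 198.51.100.0 255.255.255.0
!
route-map BGP permit 10
 match ip address pbracl_1
 set ip next-hop 203.0.113.1
 set interface Internet
route-map ORPHAN permit 10
 match ip address missing_acl
 set ip next-hop 203.0.113.2
"""

ANY_DST = {"any", "any4", "any6"}
PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # tokens to skip per operator


@dataclass
class RouteMap:
    name: str
    seq: int
    match_acls: list = field(default_factory=list)


@dataclass
class PbrConfig:
    acls: dict = field(default_factory=dict)        # ACL name -> list of ACE token lists
    route_maps: dict = field(default_factory=dict)  # route-map name -> list of clauses
    applied: dict = field(default_factory=dict)     # route-map name -> interfaces using it
    nameifs: dict = field(default_factory=dict)     # interface -> nameif


def parse_config(text):
    cfg = PbrConfig()
    current_if = current_rm = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "!":
            continue
        if not line.startswith(" "):  # an unindented command starts a new stanza
            current_if = current_rm = None
            if tokens[0] == "interface":
                current_if = tokens[1]
            elif tokens[0] == "route-map" and len(tokens) >= 4:
                current_rm = RouteMap(tokens[1], int(tokens[3]))
                cfg.route_maps.setdefault(tokens[1], []).append(current_rm)
            elif tokens[0] == "access-list":
                cfg.acls.setdefault(tokens[1], []).append(tokens[2:])
        elif current_if is not None:
            if tokens[0] == "nameif":
                cfg.nameifs[current_if] = tokens[1]
            elif tokens[:2] == ["policy-route", "route-map"]:
                cfg.applied.setdefault(tokens[2], []).append(current_if)
        elif current_rm is not None and tokens[:3] == ["match", "ip", "address"]:
            current_rm.match_acls.extend(tokens[3:])
    return cfg


def _skip_addr(toks, i):
    """Index just past the address spec starting at toks[i]."""
    if toks[i] in ANY_DST:
        return i + 1
    return i + 2  # "host X", "object X", "object-group X", "interface X" or "addr mask"


def ace_destination(ace):
    """Destination spec of an extended ACE, or None for standard ACEs.

    Source-port operators (eq/gt/lt/neq/range) are skipped; service object-groups
    in the source-port position are not handled by this small parser.
    """
    toks = ace[2:] if ace[:1] == ["line"] else list(ace)
    if toks[:1] != ["extended"] or len(toks) < 5:
        return None
    i = 4 if toks[2] in ("object", "object-group") else 3  # step over the protocol field
    i = _skip_addr(toks, i)                                   # step over the source
    if i < len(toks) and toks[i] in PORT_OPS:
        i += PORT_OPS[toks[i]]
    if i >= len(toks):
        return None
    return " ".join(toks[i:_skip_addr(toks, i)])


def check_pbr(text):
    """Return (kind, route_map, detail) findings for the config text."""
    cfg = parse_config(text)
    findings = []
    for name, clauses in cfg.route_maps.items():
        for rm in clauses:
            for acl in rm.match_acls:
                if acl not in cfg.acls:
                    findings.append(("missing-acl", name, acl))
                    continue
                for ace in cfg.acls[acl]:
                    dst = ace_destination(ace)
                    if dst in ANY_DST:
                        findings.append(("any-destination", name, f"{acl} -> {dst}"))
        if name not in cfg.applied:
            findings.append(("not-applied", name, ""))
    return findings


if __name__ == "__main__":
    for kind, rm, detail in check_pbr(SAMPLE_CONFIG):
        print(f"{kind:16} route-map {rm} {detail}")
```

The `any-destination` finding is informational: as the post reports, the ASA prints the warning yet still policy-routes on such an ACL, so the check only tells you which route-maps would be silently ignored if the same ACL were ever reused as a routing-protocol filter. Run it against `show running-config` output saved to a file by replacing `SAMPLE_CONFIG` with the file's contents.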

8 Replies

Marvin Rhoads (Hall of Fame)

Thanks for proactively sharing.

I imagine it will save many folks a TAC call for that first setup.

Hi dustinn3,

I'm following with the ASDM dev team the extended ACL problem. If you can give me a more detailed explanation on the other issues you've been having with the ASDM and PBR, that would be great.

- Cesar

Cesar,

I was finally able to get everything working within ASDM. 

The issue with the ACL in ASDM is that the lookup screen for the Access List on the Match Clause screen only lists standard ACLs. Additionally, you cannot add an ACL from that screen. If you create an extended ACL and type in the name in the field it does work, but ideally you should be able to select the ACL from browse. I finally found where to assign the route-map to the interface as well, on the interface settings.

Thanks,

A software defect has been filed for the inability to choose Extended Access Lists. I'll share the bug ID once I have a public one. This will be fixed for the next ASDM releases.

In the meantime, as you mention, the workarounds are to add the extended ACL name manually or to create the route-map using CLI:

route-map test permit 10
 match ip address extended-test
 set interface inside


As you were able to discover, the route-map can be assigned to an interface at the Device Setup -> Interface -> Edit menu.

Thanks for your feedback, Dustin! It is greatly appreciated.
Sorry to follow up on such an old thread: I am having the same problem on ASDM 7.6(1) with our 5585 running 9.4(2).11... The dialog to choose an access list from does not show any ACLs... Entering an ACL name by hand works.

dustinn3 (Level 1)

I found another issue with PBR. If you have any h323 inspections turned on, you cannot make video calls. For some reason, once you turn on the inspection it routes half of the traffic correctly and half through the default route. I tried setting the inspection globally and on the interface PBR is using, and it has the same effect. I'm not sure if other inspections have the same issue.

Updating this thread:

PBR extended ACLs not appearing in ASDM for route maps bug has been fixed and will be included in version ASDM 7.5(1). 

This is the link for the bug filed to fix this problem:

https://tools.cisco.com/bugsearch/bug/CSCuu04312

Thanks for the update, Cesar. Good to know!
