04-22-2015 10:51 AM - edited 03-11-2019 10:49 PM
FYI,
Hope this helps someone else. I was struggling trying to get PBR working on my ASA 5515-X 9.4.1. At first I tried adding it using ASDM, but that doesn't work at all. You can create the route-map, but it doesn't apply the policy-map to the interface. Additionally, it only allows you to use a standard ACL, which should work, but packets don't match the route-map for some reason. The only way I could get it to work was to set up the ACL, route-map, and policy-map, and assign the policy-route to the inside interface via CLI.
Also, when I added the ACL to the route-map, I got the following error, yet that's the only way it would work.
WARNING: If access-list pbracl_1 having destination "any\any4\any6" is used as match criteria for a route map, and applied to any routing protocol it will not have any effect. Instead use standard ACL or extended ACL without any\any4\any6 in destination.
Here's my working config:
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.X.X.X 255.255.255.0
 policy-route route-map BGP
 ospf cost 10
access-list pbracl_1 line 1 extended permit ip host 10.X.X.X any
route-map BGP permit 10
 match ip address pbracl_1
 set ip next-hop 192.X.X.X
 set interface Internet
04-22-2015 01:24 PM
Thanks for proactively sharing.
I imagine it will save many folks a TAC call for that first setup.
04-22-2015 03:33 PM
Hi dustinn3,
I'm following with the ASDM dev team the extended ACL problem. If you can give me a more detailed explanation on the other issues you've been having with the ASDM and PBR, that would be great.
- Cesar
04-23-2015 07:18 AM
Cesar,
I was finally able to get everything working within ASDM.
The issue with the ACL in ASDM is that the lookup screen for the Access List on the Match Clause screen only lists standard ACLs. Additionally, you cannot add an ACL from that screen. If you create an extended ACL and type in the name in the field, it does work, but ideally you should be able to select the ACL from browse. I finally found where to assign the route-map to the interface as well, on the interface settings.
Thanks,
04-23-2015 01:41 PM
A software defect has been filed for the inability to choose Extended Access Lists. I'll share the bug ID once I have a public one. This will be fixed for the next ASDM releases.
In the meantime, as you mention, the workarounds are to manually add the extended name or to create the route-map using CLI:
route-map test permit 10
 match ip address extended-test
 set interface inside
As you were able to discover, the route-map can be assigned to an interface at the Device Setup -> Interface -> Edit menu.
Thanks for your feedback Dustin! It is greatly appreciated.
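Added example, not part of the original thread and not Cisco code: an offline check over a saved running-config that flags the three things this thread trips over, namely a route-map that no interface references with policy-route, a hand-typed match ACL name that does not exist, and an extended ACL ending in any (the case that produces the warning quoted in the first post). The sample config, its addresses and the misspelled ACL name extended-tset are constructed for illustration.

```python
import re
# Constructed sample modelled on the configs in this thread; addresses are placeholders
# and "extended-tset" is a deliberate typo of the kind a hand-typed ACL name invites.
SAMPLE = """\
interface GigabitEthernet0/1
 policy-route route-map BGP
access-list pbracl_1 line 1 extended permit ip host 10.0.0.5 any
route-map BGP permit 10
 match ip address pbracl_1
 set ip next-hop 192.0.2.1
route-map test permit 10
 match ip address extended-tset
"""
TOP = re.compile(r"^(interface|route-map|access-list)\s+(\S+)\s*(.*)$")
ACE = re.compile(r"^(?:line \d+ )?(standard|extended)\s+(.*)$")
ANY = {"any", "any4", "any6"}

def parse(config):
    """Collect ACLs, each route-map's match ACLs, and interface policy-route bindings."""
    acls, rmaps, applied, cur = {}, {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := TOP.match(line):
            kind, name, rest = m.groups()
            cur = (kind, name)  # sub-commands belong to this section until the next one
            if kind == "route-map":
                rmaps.setdefault(name, [])
            elif kind == "access-list" and (a := ACE.match(rest)):
                acls.setdefault(name, []).append((a.group(1), a.group(2).split()))
        elif cur and cur[0] == "route-map" and line.startswith("match ip address "):
            rmaps[cur[1]] += line.split()[3:]
        elif cur and cur[0] == "interface" and line.startswith("policy-route route-map "):
            applied[cur[1]] = line.split()[2]
    return acls, rmaps, applied

def audit(config):
    """Return findings for PBR pieces that are defined but not wired together."""
    (acls, rmaps, applied), out = parse(config), []
    for rm, names in rmaps.items():
        if rm not in applied.values():
            out.append(f"route-map {rm}: no interface has policy-route for it")
        for acl in names:
            if acl not in acls:
                out.append(f"route-map {rm}: match ACL {acl} is not defined")
            # Heuristic: only the final token of each ACE is checked for any/any4/any6.
            elif any(t == "extended" and ace and ace[-1] in ANY for t, ace in acls[acl]):
                out.append(f"route-map {rm}: extended ACL {acl} ends in any (warning case)")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A route-map that is used only for route redistribution will also be reported as having no policy-route binding, so read that finding as "not applied as PBR".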
06-21-2016 07:39 AM
Sorry to follow up on such an old thread: I am having the same problem on ASDM 7.6(1) with our 5585 running 9.4(2).11... The dialog to choose an access list from does not show any ACLs... Entering an ACL name by hand works.
04-29-2015 08:14 AM
I found another issue with PBR. If you have any h323 inspections turned on, you cannot make video calls. For some reason once you turn on the inspection it routes half of the traffic correctly and half through the default route. I tried setting the inspection globally and on the interface PBR is using and it has the same effect. I'm not sure if other inspections have the same issue.
08-10-2015 05:38 AM
Updating this thread:
PBR extended ACLs not appearing in ASDM for route maps bug has been fixed and will be included in version ASDM 7.5(1).
This is the link for the bug filed to fix this problem:
https://tools.cisco.com/bugsearch/bug/CSCuu04312
08-10-2015 05:58 AM
Thanks for the update, Cesar. Good to know!