
PBR and Static NAT (Cisco ASA)

lyutov_dv

Hello!

I have a problem getting PBR and Static NAT to work together on an ASA.

I have two ISPs. I use the first one to provide internet access for users. The second one I want to use to publish an SMTP server. I need to use PBR to make it work.

I configured Static NAT and an ACL to publish the SMTP server.

To provide routing I use PBR, because the default route uses ISP_1.

I created an ACL to match traffic from the SMTP server and to set the default next hop.

If the SMTP server opens a connection to any external server everything works well (traffic goes through ISP_2).

But when I try to connect from a test server on the Internet it doesn't work... But when I configure a static route to the inside server through ISP_2 everything works great (it means the ACL and NAT work correctly).

I think this problem is because the ASA can't match traffic when an external server establishes a connection (stateful inspection). But I'm not sure and I don't know how to fix it.


9 Replies

jagmeesi

Hi

Is it possible for you to share the configuration?

Regards

Jagmeet.

Hi. My configuration is too big because it is a working ASA and I wouldn't share the whole thing.

But I can share certain parts... Which ones would you like to see?

I'm only unsure about the PBR, because with the static route everything is OK.

show run nat

show run route-map

show run interface

show route

show run route

show run track

show run access-list

show run access-group

Regards

Jagmeet.

Syed Taukir

Try this:

Create a default route with a higher Admin Distance:

route ISP_2 0.0.0.0 0.0.0.0 <default gateway> 10

Let me know if this works.

Thanks

Syed

Thank you! It works but I don't understand...

Could you explain it? Why does it work?

'sh route' shows only one default route through ISP_1.

A very good question, and it helps increase our understanding of the FW.

The reason why it has worked is because the firewall does stateful inspection and builds connections, whereas a router doesn't do that.

When traffic comes from ISP_2 to the server on the DMZ, a connection is trying to be formed from ISP_2 to the DMZ; the forward traffic is sent to the DMZ and the return path should also be via the same interface (ISP_2) and not ISP_1.

For the return traffic, the ASA looks at its fast path ("show asp table routing") and since there's no route via ISP_2, it drops the traffic.

Now you would tell me that the PBR is applied, so the ASA should forward the traffic based on the policy-route. On the ASA, the PBR is applied to the initial packet, and that's why when the connection is initiated from the DMZ it takes ISP_2, but when the traffic is initiated from ISP_2, the return path doesn't consult the policy-route.

So when you applied the route with higher AD ("route ISP_2 0.0.0.0 0.0.0.0 <default gateway> 10"), if you check the ASP routing table, the ASA now has a route via ISP_2; without it, the ASA was dropping the traffic due to no route via ISP_2.

Reference

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html

HTH

Syed Taukir
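The full picture described in this thread (static NAT plus inbound ACL on ISP_2, PBR on the DMZ interface for server-initiated traffic, and the floating default route that gives the ASP routing table a path back via ISP_2), as an added configuration example that is not from the original posts. Interface names (ISP_1, ISP_2, dmz), RFC 5737 addresses and the object/ACL names are assumptions for illustration.

```cisco
! --- Assumed addressing (constructed for this example) ---
! ISP_1 gateway 198.51.100.1, ISP_2 gateway 203.0.113.1
! SMTP server 10.1.1.25 on dmz, published as 203.0.113.25 on ISP_2

! Static NAT: publish the DMZ SMTP server on the ISP_2 address
object network SMTP_SERVER
 host 10.1.1.25
 nat (dmz,ISP_2) static 203.0.113.25

! Only TCP/25 from the Internet is allowed in towards the server
access-list ISP_2_IN extended permit tcp any object SMTP_SERVER eq smtp
access-group ISP_2_IN in interface ISP_2

! PBR: connections the SMTP server itself opens leave via ISP_2.
! This is evaluated on the first packet of a flow entering dmz only.
access-list SMTP_OUT extended permit ip host 10.1.1.25 any
route-map PBR_SMTP permit 10
 match ip address SMTP_OUT
 set ip next-hop 203.0.113.1
interface GigabitEthernet0/2
 nameif dmz
 policy-route route-map PBR_SMTP

! Routing. Without the second line, return packets of connections that
! an outside host opened through ISP_2 are dropped: the reply path is
! taken from the ASP routing table, which has no route via ISP_2.
route ISP_1 0.0.0.0 0.0.0.0 198.51.100.1 1
route ISP_2 0.0.0.0 0.0.0.0 203.0.113.1 10
! Note: the AD 10 route is a floating static; it becomes the active
! default for all traffic if the ISP_1 route is withdrawn (interface
! down or a tracked route removed).

! Verification: the RIB shows one default, the ASP table shows both
show route
show asp table routing
```

Compare `show route` with `show asp table routing` before and after adding the AD 10 route; the difference between the two outputs is the whole explanation of why the fix works.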

Thank you very much for your explanation.

I thought about stateful inspection but I had never heard about the ASP before.

It seems to be very useful for troubleshooting.

Thank you very much, it really helped me! I have one OUTSIDE and two DMZ interfaces from another ISP with a PBR default next hop policy. For a week I tried to do it using TCP state bypass, but this solution is much simpler.

Thank you for the explanation.

One question:

If the main ISP link goes down, will this second higher-cost route not cause all the inside network devices to use the backup ISP?

(In our case, we are planning to link a second cellular 4G connection to the ASA to only route the voice VLAN telephones and don't want all the users etc. to consume the limited bandwidth of the backup link. Any advice on this would be appreciated.)


Regards

Deniz
