01-27-2016 05:20 PM - edited 03-12-2019 12:11 AM
Hello!
I have a problem getting PBR and Static NAT to work together on an ASA.
I have two ISPs. I use the first one to provide internet access for users. The second one I want to use to publish an SMTP server. I need to use PBR to make it work.
I configured Static NAT and an ACL to publish the SMTP server.
To provide routing I use PBR, because the default route uses ISP_1.
I created an ACL to match traffic from the SMTP server and to set the default next hop.
If the SMTP server opens a connection to any external server, everything works well (traffic goes through ISP_2).
But when I try to connect from a test server on the Internet, it doesn't work... But when I configure a static route to the inside server through ISP_2, everything works great (which means the ACL and NAT work correctly).
I think this problem is because the ASA can't match the traffic when an external server establishes the connection (stateful inspection is at work). But I'm not sure and I don't know how to fix it.
01-27-2016 05:35 PM
Hi,
Is it possible for you to share the configuration?
Regards
Jagmeet.
01-27-2016 05:49 PM
Hi. My configuration is too big because it is a working ASA, and I wouldn't share the whole thing.
But I can share certain parts... Which ones would you like to see?
I'm only unsure about the PBR, because with the static route everything is OK.
01-28-2016 12:24 AM
show run nat
show run route-map
show run interface
show route
show run route
show run track
show run access-list
show run access-group
Regards
Jagmeet.
01-28-2016 12:45 AM
Try this:
Create a default route with a higher Admin Distance:
Route ISP_2 0.0.0.0 0.0.0.0 <default gateway> 10
Let me know if this works.
Thanks
Syed
01-28-2016 01:02 AM
Thank you! It works, but I don't understand...
Could you explain it? Why does it work?
'sh route' shows only one default route, through ISP_1.
01-28-2016 12:51 PM
A very good question, and it helps increase our understanding of the FW.
The reason why it has worked is that the firewall does stateful inspection and builds connections, whereas a router doesn't do that.
When traffic comes from ISP_2 to the server on the DMZ, a connection is being formed from ISP_2 to the DMZ; the forward traffic is sent to the DMZ and the return path should also be via the same interface (ISP_2) and not ISP_1.
For the return traffic, the ASA looks at its fast path ("show asp table routing") and, since there's no route via ISP_2, it drops the traffic.
Now you would tell me that the PBR is applied, so the ASA should forward the traffic based on the policy-route. On the ASA, the PBR is applied to the initial packet, and that's why when the connection is initiated from the DMZ it takes ISP_2, but when the traffic is initiated from ISP_2, the return path doesn't consult the policy-route.
So when you applied a route with a higher AD ("route ISP_2 0.0.0.0 0.0.0.0 <default gateway> 10") and check the ASP routing table, the ASA now has a route via ISP_2; without it, the ASA was dropping the traffic due to no route via ISP_2.
Reference
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html
HTH
Syed Taukir
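Putting the thread's pieces together, as an added illustration that is not configuration from any poster: a minimal ASA (9.4 or later, which is where PBR arrived) layout covering the original question and the explanation above. All addresses are constructed (inside SMTP host 10.1.1.25, public address 203.0.113.25 on ISP_2, ISP_2 gateway 203.0.113.1, ISP_1 gateway 198.51.100.1), and the object, ACL, route-map and physical interface names are assumptions; only the nameifs ISP_1/ISP_2 and the floating-route command come from the thread.

```cisco
! --- Static NAT publishing the SMTP server on the ISP_2 address (constructed values) ---
object network SMTP-SERVER
 host 10.1.1.25
 nat (inside,ISP_2) static 203.0.113.25

! Only TCP/25 is exposed; nothing else is permitted inbound on ISP_2
access-list OUTSIDE-IN extended permit tcp any object SMTP-SERVER eq smtp
access-group OUTSIDE-IN in interface ISP_2

! --- Default route for users via ISP_1 (AD 1, the one "show route" displays) ---
route ISP_1 0.0.0.0 0.0.0.0 198.51.100.1 1

! --- PBR: connections the SMTP server *initiates* are sent out ISP_2 ---
! PBR is evaluated on the first packet of a connection only, so it cannot
! help return traffic of a connection that arrived on ISP_2 (see explanation above).
access-list PBR-SMTP extended permit ip host 10.1.1.25 any
route-map PBR-SMTP permit 10
 match ip address PBR-SMTP
 set ip next-hop 203.0.113.1

interface GigabitEthernet0/1
 nameif inside
 policy-route route-map PBR-SMTP

! --- The missing piece from the thread: a floating default route via ISP_2 ---
! Without it, inbound connections arriving on ISP_2 pass the ACL and NAT, but the
! reply packets find no route out ISP_2 in the ASP table and are dropped.
! AD 10 keeps it out of "show route" while the ISP_1 route (AD 1) is present.
route ISP_2 0.0.0.0 0.0.0.0 203.0.113.1 10
```

To confirm the fix on a box, `show asp table routing` should list the ISP_2 default even though `show route` only shows the ISP_1 one, and `packet-tracer input ISP_2 tcp 192.0.2.10 40000 203.0.113.25 25` (constructed client address) walks an inbound SMTP connection through the ACL, NAT and route lookup phases so that a drop and its reason are visible before any real mail flow is tested. One caveat, which is the concern raised in the last post of the thread: the AD 10 route becomes the active default as soon as the ISP_1 route is withdrawn (interface down, or an SLA `track` removing it), at which point all user traffic would follow ISP_2; restricting the backup link to particular VLANs is a separate design decision that this example does not address.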
01-28-2016 06:28 PM
Thank you very much for your explanation.
I thought about stateful inspection, but I had never heard about the ASP before.
It seems very useful for troubleshooting.
02-13-2016 05:30 AM
Thank you very much, it really helped me! I have one OUTSIDE and two DMZ interfaces from another ISP with a PBR default next-hop policy. For a week I tried to do it using TCP state bypass, but this solution is much simpler.
05-26-2019 09:30 AM
Thank you for the explanation.
One question:
If the main ISP link goes down, won't this second, higher-cost route cause all the inside network devices to use the backup ISP?
(In our case, we are planning to connect a second cellular 4G link to the ASA to route only the voice VLAN telephones, and we don't want all the users etc. to consume the limited bandwidth of the backup link. Any advice on this would be appreciated.)
Regards
Deniz