06-02-2020 09:27 AM - edited 06-02-2020 11:00 AM
I'm about to implement PBR on our ASA to route guest network traffic out of our secondary WAN connection. I do have a couple of questions about the configuration though.
Primary WAN Gateway: 165.XXX.XXX.129
Secondary WAN Gateway: 206.XXX.XXX.1
Guest Network: 10.192.172.0/22
This is what the config will look like:
ciscoasa(config)# access-list acl-1 permit ip 10.15.0.0 255.255.0.0
ciscoasa(config)# access-list acl-2 permit ip 10.21.0.0 255.255.0.0
ciscoasa(config)# access-list acl-3 permit ip 192.168.0.0 255.255.0.0
ciscoasa(config)# access-list acl-4 permit ip 172.0.0.0 255.0.0.0
ciscoasa(config)# access-list acl-5 permit ip 10.192.172.0 255.255.252.0
ciscoasa(config)# route-map PBR-1 permit 5
ciscoasa(config-route-map)# match ip address acl-1
ciscoasa(config-route-map)# set ip next-hop 165.XXX.XXX.129
ciscoasa(config)# route-map PBR-1 permit 10
ciscoasa(config-route-map)# match ip address acl-2
ciscoasa(config-route-map)# set ip next-hop 165.XXX.XXX.129
ciscoasa(config)# route-map PBR-1 permit 15
ciscoasa(config-route-map)# match ip address acl-3
ciscoasa(config-route-map)# set ip next-hop 165.XXX.XXX.129
ciscoasa(config)# route-map PBR-1 permit 20
ciscoasa(config-route-map)# match ip address acl-4
ciscoasa(config-route-map)# set ip next-hop 165.XXX.XXX.129
ciscoasa(config)# route-map PBR-1 permit 25
ciscoasa(config-route-map)# match ip address acl-5
ciscoasa(config-route-map)# set ip next-hop 206.XXX.XXX.1
ciscoasa(config)# route-map PBR-1 permit 30
ciscoasa(config-route-map)# set ip interface Null0
ciscoasa(config)# interface GigabitEthernet1/2
ciscoasa(config-if)# policy-route route-map PBR-1
So I guess the first question is does this configuration look good?
Second, doesn't the set ip next-hop override the routes in the routing table? Are those routes even needed anymore after implementing PBR?
Third, and just out of curiosity, what does set ip interface Null0 do and why is it needed?
Thanks
06-03-2020 06:25 PM - edited 06-03-2020 06:26 PM
Hi,
After reviewing your question, this is all the config you need for PBR.
--Create ACL for interesting traffic:
access-list PBR_ACL extended permit ip 10.192.172.0 255.255.252.0 any

--Create route-map
Route-maps are similar to access lists, but unlike access lists a route-map has "set" actions that change the packet.
ciscoasa(config)# route-map PBR_ROUTE_MAP permit 10
ciscoasa(config-route-map)# match ip address PBR_ACL
ciscoasa(config-route-map)# set ip next-hop 206.XXX.XXX.1

--Attach route-map to the INSIDE interface, or the Guest interface, wherever the source is
ciscoasa(config)# interface GigabitEthernet0/3
ciscoasa(config-if)# nameif Guest
ciscoasa(config-if)# ip address 10.192.172.1 255.255.252.0
ciscoasa(config-if)# policy-route route-map PBR_ROUTE_MAP

--
route outside1 0.0.0.0 0.0.0.0 165.XXX.XXX.129
route outside2 0.0.0.0 0.0.0.0 206.XXX.XXX.1 50
The rest of the traffic will automatically take 165.XXX.XXX.129 as the next hop because that's the default route.
Note that we have set a distance metric of 50 for the route via outside2 so that default traffic does not take that route.
HTH
Chakshu
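Added example (not from this thread, not Cisco code): a small Python simulation of how a Cisco-style policy route-map is evaluated on the ingress interface, used to compare the original poster's route-map with the one in the answer above. It reproduces only the ordering rules, not the ASA itself: entries are tried in sequence-number order, the first match wins, an entry with no match clause matches every packet, and only a packet that matches no entry is handed to the routing table (longest prefix first, then lowest administrative distance). Null0 is the discard interface, so the poster's catch-all sequence 30 blackholes any source not covered by acl-1 through acl-5, whereas the answer's single-entry route-map lets everything that is not guest traffic fall through to the two default routes, which is why those routes are still needed. The gateway addresses are constructed TEST-NET stand-ins for the masked 165.XXX.XXX.129 and 206.XXX.XXX.1.

```python
"""Simulation of Cisco-style PBR evaluation (added example, constructed data).

Models the route-map ordering rules only: sequence order, first match wins,
an entry without a match clause matches all, fall back to the routing table.
"""
import ipaddress
from dataclasses import dataclass

PRIMARY_GW = "192.0.2.129"     # stand-in for 165.XXX.XXX.129 (assumption)
SECONDARY_GW = "198.51.100.1"  # stand-in for 206.XXX.XXX.1 (assumption)


@dataclass(frozen=True)
class RouteMapEntry:
    seq: int
    match_sources: tuple   # source prefixes from the matched ACL; () means match any
    next_hop: str          # gateway address, or "Null0" to discard


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    next_hop: str
    distance: int = 1      # default administrative distance of a static route


def forward(src, dst, route_map, routing_table):
    """Return (action, next_hop, reason) for one packet entering the PBR interface."""
    s = ipaddress.ip_address(src)
    for entry in sorted(route_map, key=lambda e: e.seq):
        matched = not entry.match_sources or any(
            s in ipaddress.ip_network(p) for p in entry.match_sources)
        if matched:
            if entry.next_hop == "Null0":
                return ("drop", None, f"route-map seq {entry.seq}: set ip interface Null0")
            return ("forward", entry.next_hop, f"route-map seq {entry.seq}")
    # No PBR entry matched: ordinary destination-based lookup.
    d = ipaddress.ip_address(dst)
    cands = [r for r in routing_table if d in ipaddress.ip_network(r.prefix)]
    if not cands:
        return ("drop", None, "no matching route")
    best = max(cands, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.distance))
    return ("forward", best.next_hop, f"routing table {best.prefix} AD {best.distance}")


# Original poster's route-map: five source ACLs, then a catch-all Null0 entry.
OP_ROUTE_MAP = (
    RouteMapEntry(5, ("10.15.0.0/16",), PRIMARY_GW),
    RouteMapEntry(10, ("10.21.0.0/16",), PRIMARY_GW),
    RouteMapEntry(15, ("192.168.0.0/16",), PRIMARY_GW),
    RouteMapEntry(20, ("172.0.0.0/8",), PRIMARY_GW),
    RouteMapEntry(25, ("10.192.172.0/22",), SECONDARY_GW),
    RouteMapEntry(30, (), "Null0"),
)

# Answer's route-map: one entry for the guest network, nothing else.
ANSWER_ROUTE_MAP = (
    RouteMapEntry(10, ("10.192.172.0/22",), SECONDARY_GW),
)

# Answer's routing table: two default routes, the secondary at AD 50 as backup only.
ROUTING_TABLE = (
    StaticRoute("0.0.0.0/0", PRIMARY_GW),
    StaticRoute("0.0.0.0/0", SECONDARY_GW, distance=50),
)


def compare(src, dst="203.0.113.10"):
    """Decision under each configuration for a packet to an Internet destination."""
    return {
        "op": forward(src, dst, OP_ROUTE_MAP, ROUTING_TABLE),
        "answer": forward(src, dst, ANSWER_ROUTE_MAP, ROUTING_TABLE),
    }


if __name__ == "__main__":
    # Guest host, a host in acl-1, and a host in a subnet none of the ACLs list.
    for host in ("10.192.173.7", "10.15.4.2", "10.50.0.9"):
        for name, (action, nh, why) in compare(host).items():
            print(f"{host:14} {name:7} {action:8} {nh or '-':14} {why}")
```

Running it shows the difference that matters operationally: 10.50.0.9 is dropped under the poster's map because sequence 30 has no match clause and points at Null0, while under the answer's map it is forwarded via the AD 1 default route. The AD 50 route is never chosen while the primary default route exists, which is the behaviour the answer describes.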