
PBR on ASA 9.5.2

ring zer0
Level 1

I am using ASA OS 9.5.2

I have 2 Internet links terminated and 2 different LAN subnets; I need one subnet to exit via the first Internet link while the second one should use the second Internet link.

I believed PBR with NAT could do the work here, but in PBR I would need to assign an ACL with ANY as the destination address, e.g. "source_address_1 to ANY_destination" and "source_address_2 to ANY_destination", and then map them to route-maps with set next-hop as the respective interface's gateway.

The problem is that the route-map will not accept an ACL with ANY as the destination (it gives an error) and I am unsure how to achieve this without using the ANY statement.

I have already configured dynamic PAT for both of those subnets with their respective exit interfaces (Internet links). Moreover, I believe that in the ASA the first-packet route lookup is done based on the configured NAT, and because of that I should still be able to fulfil the requirement, but when running the packet-tracer command I see that both subnets are exiting from the first interface.


Please advise.

4 Replies

jcockburn
Level 1

Hi,

Can you paste in the error as well please.

Ciao

JC

access-list test extended permit ip 10.102.0.0 255.255.0.0 any

ASA(config)# route-map test 10
ASA(config-route-map)# match ip add
ASA(config-route-map)# match ip address test
WARNING: If access-list test having destination "any\any4\any6" is used as match criteria for a route map, and applied to any routing protocol it will not have any effect. Instead use standard ACL or extended ACL without any\any4\any6 in destination.

Got it working. It was just a warning message and the command was being accepted.

Thanks

Hi,

Cool,

I would still use the "any4" instead of just any...

eg

access-list test extended permit ip 10.102.0.0 255.255.0.0 any4

Ciao

JC
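For readers who want to see the whole design the thread describes in one place, here is a complete ASA configuration fragment added as an illustration; it is not from the original post or from Cisco. It uses two inside subnets, two outbound interfaces, one match ACL per subnet with any4 as the destination (as suggested above), a single route-map with two sequences, and dynamic PAT whose mapped interface agrees with the next hop the route-map selects. The interface names, subnets, next-hop addresses (RFC 5737 documentation ranges) and object names are assumed placeholders, and the leading deny entries that keep LAN-to-LAN traffic on the normal routing table are a design choice, not something the thread states.

```cisco
! Assumed topology (placeholders, not from the thread):
!   inside   : LAN-A 10.102.0.0/16 and LAN-B 10.103.0.0/16 reach the ASA via GigabitEthernet0/0
!   outside1 : GigabitEthernet0/1, ISP next hop 203.0.113.1
!   outside2 : GigabitEthernet0/2, ISP next hop 198.51.100.1
! nameif/security-level/ip address on the three interfaces are assumed to exist already.

! Match ACLs. The deny entries exclude LAN-A <-> LAN-B traffic from PBR so it
! keeps following the routing table; the permit lines use any4 as destination.
access-list PBR-LAN-A extended deny ip 10.102.0.0 255.255.0.0 10.103.0.0 255.255.0.0
access-list PBR-LAN-A extended permit ip 10.102.0.0 255.255.0.0 any4
access-list PBR-LAN-B extended deny ip 10.103.0.0 255.255.0.0 10.102.0.0 255.255.0.0
access-list PBR-LAN-B extended permit ip 10.103.0.0 255.255.0.0 any4

! One route-map, two sequences. "match ip address" prints the any/any4/any6
! warning quoted in the thread, but the command is accepted.
route-map PBR-SPLIT permit 10
 match ip address PBR-LAN-A
 set ip next-hop 203.0.113.1
route-map PBR-SPLIT permit 20
 match ip address PBR-LAN-B
 set ip next-hop 198.51.100.1

! PBR is applied on the ingress (inside) interface, not on the Internet links.
interface GigabitEthernet0/0
 policy-route route-map PBR-SPLIT

! Dynamic PAT per subnet. The mapped interface must be the same one the
! route-map steers that subnet to, otherwise the NAT rule and PBR disagree
! on the egress interface for the first packet.
object network LAN-A
 subnet 10.102.0.0 255.255.0.0
 nat (inside,outside1) dynamic interface
object network LAN-B
 subnet 10.103.0.0 255.255.0.0
 nat (inside,outside2) dynamic interface

! Default route for anything PBR does not match (e.g. traffic originated by
! the ASA itself). Assumed to point at the first ISP.
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1

! Verification: the trace should show a PBR phase and a different output
! interface for each source subnet. 192.0.2.10 is a documentation address.
packet-tracer input inside tcp 10.102.0.10 40000 192.0.2.10 443
packet-tracer input inside tcp 10.103.0.10 40000 192.0.2.10 443
show route-map PBR-SPLIT
```

The two packet-tracer lines are the check the original poster was running: with this configuration the first trace should end on outside1 and the second on outside2. If both still end on outside1, the usual causes are the policy-route command missing from the ingress interface, or a NAT rule whose mapped interface does not match the route-map's next hop.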
