
PBR on ASA to Interface Without Directly Connected Next Hop

Steve Gaede
Level 1

I have an ASA on which I'm trying to use PBR to route to one of two ISPs which I'll call "slow" and "fast."

The interface to the slow ISP is connected to a subnet on which the next-hop address is clearly in the subnet and it would count as "directly connected." The interface to the fast ISP is connected via pppoe. The interface address is on a different subnet than the next-hop address so it would not be directly connected.

The default route is to the slow ISP.

When I create route maps to send traffic to the slow ISP, I see the next-hop address being selected and the egress interface selected in the first phase of the packet trace. That tells me that my rules are working.

When I switch the map's next-hop address to be the next-hop address of the fast ISP interface, PBR is selecting the right next-hop address, but it leaves the egress interface decision to the next processing step, which always selects the slow ISP interface. Using the recursive next-hop address selection in the route map doesn't correct the problem.

Any suggestions on how to fix this? The only thing I can think of is to set the default route to the fast ISP and use PBR to route to the exceptions that need to go over the slow ISP instead of now where the exceptions are to route to the fast ISP.

17 Replies

>> First word back from TAC is that PBR+pppoe as the secondary route is a known limitation but not documented as such.

 

TAC was wrong. It works with PPPoE. 

For example:

route-map RM-NAME permit 10
 match ip address ACL_NAME
 set interface outside_2

Here is the output you wanted to see:

# show int ip brief
Interface IP-Address OK? Method Status Protocol
Virtual0 127.1.0.1 YES unset up up
GigabitEthernet1/1 xxx.xxx.xxx.74 YES CONFIG up up
GigabitEthernet1/2 yyy.yyy.yyy.209 YES manual up up
GigabitEthernet1/3 dmz YES CONFIG up up
GigabitEthernet1/4 192.168.21.4 YES CONFIG down down
GigabitEthernet1/5 unassigned YES unset down down
GigabitEthernet1/6 unassigned YES unset down down
GigabitEthernet1/7 unassigned YES unset down down
GigabitEthernet1/8 inside YES CONFIG up up
Internal-Control1/1 127.0.1.1 YES unset up up
Internal-Data1/1 unassigned YES unset up up
Internal-Data1/2 unassigned YES unset up up
Internal-Data1/3 unassigned YES unset up up
Management1/1 unassigned YES unset up up
~
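
A fuller PBR configuration built around the route-map from the reply above, as an added example that is not from the thread. The ACL contents, the 192.168.10.0/24 source subnet, the `<fast-ISP-next-hop>` placeholder, the packet-tracer addresses and the choice of GigabitEthernet1/8 (inside) as the ingress interface are assumptions. It puts the next-hop form described in the original post beside the `set interface` form from the reply, then checks the result with packet-tracer.

```cisco
! Constructed example: addresses and the ACL entry are assumptions.
! Traffic that should leave through the fast (PPPoE) ISP
access-list ACL_NAME extended permit ip 192.168.10.0 255.255.255.0 any
!
! Form described in the original post (shown commented out):
! PBR picks the next hop, but the egress interface is left to the
! later route lookup, which follows the default route to the slow ISP.
! route-map RM-NAME permit 10
!  match ip address ACL_NAME
!  set ip next-hop <fast-ISP-next-hop>
!
! Form from the reply: name the PPPoE egress interface directly
route-map RM-NAME permit 10
 match ip address ACL_NAME
 set interface outside_2
!
! Apply the route-map on the interface where the traffic enters
interface GigabitEthernet1/8
 policy-route route-map RM-NAME
!
! Verification (exec mode): the trace should show the PBR phase
! selecting outside_2 as the egress interface for a matching flow
packet-tracer input inside tcp 192.168.10.25 40000 198.51.100.10 443
show route-map RM-NAME
```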


The default route is to the slow ISP; do not use 0.0.0.0 0.0.0.0. Change it to these two routes: 0.0.0.0 128.0.0.0 and 128.0.0.0 128.0.0.0.
