11-29-2018 03:13 AM - edited 02-21-2020 08:31 AM
Hi All
I have the following topology
Internet
|
Cisco ASA
|
Core Switch------------Router1----Backup Internet
All my traffic goes out through the Cisco ASA, but I want only certain traffic (for example telnet traffic) to go through the backup Internet. I cannot assign PBR on the Core switch as it needs a certain SDM version, which I can't do now.
I am trying to do this on the Cisco ASA using an ACL and matching that to a PBR to set the next hop as Router1 - so basically traffic goes from the Core Switch to the Cisco ASA and hairpins back to R1 - will this work? (The Cisco ASA, R1 and the Cisco switch run a routing protocol, so they know about each other.)
11-29-2018 04:53 AM
Hi, yes should work if Router 1 and ASA are in the same IP subnet.
If Router 1 and ASA are in a different network the ASA will not be able to find the next-hop.
You can find a configuration example of PBR on the firewall at this link:
Regards.
11-29-2018 05:33 AM - edited 11-29-2018 06:22 AM
They are on the same subnet and have the following config, but it does not work on the ASA:
access-list Test-ACL extended permit ip any object-group Test
route-map Test-Routemap permit 10
 match ip address Test-ACL
 set ip default next-hop 192.168.1.3
(192.168.1.3 is R1, where the backup Internet is connected)
Assume 192.168.1.1 is the core switch and 192.168.1.2 is the firewall.
If I do a traceroute from R1 to the address where I want to go, it routes out locally through the backup Internet, so I know that circuit works.
Is there anything that I am missing?
Just did a packet-tracer and see it is being denied at the second phase as an Access-List drop:
Test(config-pmap-c)# packet-tracer input inside tcp 192.168.1.100 80 13.67.180.4
Phase: 1
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map Test-Routemap permit 10
match ip next-hop Test
set ip next-hop 192.168.1.3
Additional Information:
Matched route-map Test-routemap sequence 10, permit
Found next-hop 192.168.1.3 using egress ifc inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f90370a9f90, priority=111, domain=permit, deny=true
hits=32401, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=inside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
11-29-2018 06:26 AM
Where is the route map applied?
Is it in the NAT operations?
The packets must be routed without NAT.
Check the order of operations of the ASA.
Regards.
11-29-2018 06:47 AM
The route-map is applied on the inside direction - it shouldn't NAT.
It's dropping as the default ACL drop - implicit deny.
11-29-2018 07:17 AM
OK, found it!
It needs the following enabled (same-security traffic):
same-security-traffic permit intra-interface
Once enabled it seems to be OK.
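Putting the pieces the thread arrives at together, as an added example that is not copied from any post in the thread: an ACL selecting the traffic, a route-map setting R1 as the next hop, the route-map applied to the inside interface with policy-route, and the intra-interface permit that the packet-tracer drop pointed to. The interface name, subnet mask and the destination host in object-group Test are assumptions; the ACL is narrowed to telnet (the thread's example protocol) rather than the original "permit ip".

```cisco
! Added example, not the configuration from the thread. Interface name,
! subnet mask and the destination host 198.51.100.10 are assumptions.
!
! Destinations that should leave via the backup Internet behind R1
object-group network Test
 network-object host 198.51.100.10
!
! Match only telnet from any inside host to those destinations;
! everything else keeps following the ASA's normal route to the Internet
access-list Test-ACL extended permit tcp any object-group Test eq telnet
!
! Send matching traffic to R1 (192.168.1.3) instead of the routing table's next hop
route-map Test-Routemap permit 10
 match ip address Test-ACL
 set ip next-hop 192.168.1.3
!
! PBR is applied where the core switch's traffic enters the ASA (inside).
! R1 is on the same 192.168.1.0/24 subnet, so the egress interface is inside too.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
 policy-route route-map Test-Routemap
!
! In inside, out inside is a hairpin; without this it hits the implicit
! deny that the packet-tracer in the thread showed in Phase 2.
same-security-traffic permit intra-interface
```

A quick check is a packet-tracer for the matched protocol, for instance `packet-tracer input inside tcp 192.168.1.100 1025 198.51.100.10 23`: the PBR-LOOKUP phase should report next-hop 192.168.1.3 via egress interface inside, and no ACCESS-LIST phase should end in "acl-drop". A packet-tracer for non-telnet traffic to the same host should not match the route-map and should leave via the ASA's outside interface.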
11-29-2018 07:21 AM
Yes, you are right.
It's necessary for the hairpinning.
Regards.
11-30-2018 02:13 AM
The traffic seems to be routing via the backup circuit; however,
I get "Deny TCP no connection from 192.168.1.x to x.x.x.x flags RST on interface inside". Any thoughts?