07-26-2022 04:06 AM
Hi all,
Have 2 ISP and need one internal subnet i.e 192.168.101.0/24 should go to Secondary isp for internet access. I have followed the below configuration and achieve what i required but somehow my internal dns (192.168.103.0/24 ) subnet not working for users and i have to use global dns (8.8.8.8) to open website. Can anyone addressed me what im missing.
Please find my below configuration.
access-list inside_access extended permit ip 192.168.101.0 255.255.255.0 any logs
route-map pbr-map permit 10
match ip address inside_access
set ip next-hop 14.143.19.xx
interface Ethernet1/9.101
vlan 101
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
policy-route route-map pbr-map
08-01-2022 11:46 PM - edited 08-01-2022 11:50 PM
The configuration you posted has no PBR configuration. Have you actually tried applying your configuration?
The configuration you have in your original post looks correct, the only thing that might be missing is NAT. Try the following, remember to change any values that are incorrect.
access-list inside_access extended permit ip 192.168.101.0 255.255.255.0 any logs
object network 192.168.101.0_24
nat (inside,outside1) dynamic interface
route-map pbr-map permit 10
match ip address inside_access
set ip next-hop 14.143.19.xx
interface Ethernet1/9.101
vlan 101
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
policy-route route-map pbr-map
For scripting automatic switchover you could look into using Embedded Event Manager (EEM)
08-02-2022 05:30 AM
Hi,
I have the nat statements which you have pointed out. But still my dns server subnet becomes unreachable if i apply the route-map. My acl is like below
access-list inside_access extended permit ip 192.168.101.0 255.255.255.0 any logs
08-02-2022 05:51 AM
You need to add deny statements for the DNS servers. So you could do something like the following
access-list inside_access extended deny ip 192.168.101.0 255.255.255.0 10.0.0.0 255.0.0.0 logs
access-list inside_access extended deny ip 192.168.101.0 255.255.255.0 172.16.0.0 255.240.0.0 logs
access-list inside_access extended deny ip 192.168.101.0 255.255.255.0 192.168.0.0 255.255.0.0 logs
access-list inside_access extended permit ip 192.168.101.0 255.255.255.0 any logs
This would allow you to access all private IPs and as well as internet.
08-02-2022 01:50 AM
where is PBR and where you apply it???
https://www.networkstraining.com/cisco-asa-policy-based-routing-pbr/
08-02-2022 05:27 AM
Hi,
I have remove it as it making the dns subnet 192.168.103.0/24 unreachable after applying it
08-02-2022 06:01 AM
then only mention Config without PBR
and then add PBR separately.
08-01-2022 10:19 PM
Check below document...
https://integratingit.wordpress.com/2020/03/01/asa-policy-based-routing/
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide