07-26-2022 04:06 AM
Hi all,
I have 2 ISPs and need one internal subnet, i.e. 192.168.101.0/24, to go to the secondary ISP for internet access. I have followed the below configuration and achieved what I required, but somehow my internal DNS subnet (192.168.103.0/24) is not working for users and I have to use a global DNS (8.8.8.8) to open websites. Can anyone advise me on what I'm missing?
Please find my configuration below.
access-list inside_access extended permit ip 192.168.101.0 255.255.255.0 any log
route-map pbr-map permit 10
match ip address inside_access
set ip next-hop 14.143.19.xx
interface Ethernet1/9.101
vlan 101
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
policy-route route-map pbr-map
08-01-2022 11:46 PM - edited 08-01-2022 11:50 PM
The configuration you posted has no PBR configuration. Have you actually tried applying your configuration?
The configuration in your original post looks correct; the only thing that might be missing is NAT. Try the following, and remember to change any values that are incorrect.
access-list inside_access extended permit ip 192.168.101.0 255.255.255.0 any log
object network 192.168.101.0_24
subnet 192.168.101.0 255.255.255.0
nat (inside,outside1) dynamic interface
route-map pbr-map permit 10
match ip address inside_access
set ip next-hop 14.143.19.xx
interface Ethernet1/9.101
vlan 101
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
policy-route route-map pbr-map
For scripting automatic switchover, you could look into using Embedded Event Manager (EEM).
08-02-2022 05:30 AM
Hi,
I have the NAT statements which you pointed out. But still my DNS server subnet becomes unreachable if I apply the route-map. My ACL is like below:
access-list inside_access extended permit ip 192.168.101.0 255.255.255.0 any log
08-02-2022 05:51 AM
You need to add deny statements for the DNS servers, so you could do something like the following:
access-list inside_access extended deny ip 192.168.101.0 255.255.255.0 10.0.0.0 255.0.0.0 log
access-list inside_access extended deny ip 192.168.101.0 255.255.255.0 172.16.0.0 255.240.0.0 log
access-list inside_access extended deny ip 192.168.101.0 255.255.255.0 192.168.0.0 255.255.0.0 log
access-list inside_access extended permit ip 192.168.101.0 255.255.255.0 any log
This would allow you to access all private IPs as well as the internet.
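As an added example, not part of any post in this thread: a small Python model of the first-match ACL evaluation an ASA performs for the ACL referenced by a PBR route-map. It shows why the single permit ACE from the original question steers queries for the DNS subnet 192.168.103.0/24 to the secondary-ISP next-hop, and why the three deny ACEs above fix it (a deny in a route-map ACL means "do not policy-route this packet", not "drop it"). The next-hop 14.143.19.1 (a stand-in for the 14.143.19.xx in the thread), the DNS server address 192.168.103.10 and the routing-table outcomes are assumptions for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One access-control entry: 'permit' or 'deny' from src to dst (CIDR)."""
    action: str
    src: str
    dst: str = "0.0.0.0/0"   # "any"


# ACL as posted in the question: every flow from the user VLAN is policy-routed.
ORIGINAL_ACL = [Ace("permit", "192.168.101.0/24")]

# ACL from the suggested fix. In a route-map, a deny ACE means "this clause does
# not match", so the packet falls through to the normal routing table; it is
# not dropped. Order matters: the denies must come before the broad permit.
FIXED_ACL = [
    Ace("deny", "192.168.101.0/24", "10.0.0.0/8"),
    Ace("deny", "192.168.101.0/24", "172.16.0.0/12"),
    Ace("deny", "192.168.101.0/24", "192.168.0.0/16"),
    Ace("permit", "192.168.101.0/24"),
]

PBR_NEXT_HOP = "14.143.19.1"          # assumed stand-in for 14.143.19.xx
DNS_SUBNET = ip_network("192.168.103.0/24")


def acl_lookup(acl, src, dst):
    """First-match evaluation with the implicit deny at the end, as on an ASA ACL."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if s in ip_network(ace.src) and d in ip_network(ace.dst):
            return ace.action
    return "deny"


def route(acl, src, dst):
    """Where a packet goes once the PBR route-map has been consulted.

    Assumed routing table for the demo: 192.168.103.0/24 is directly connected
    (the DNS VLAN) and everything else follows the default route via the
    primary ISP.
    """
    if acl_lookup(acl, src, dst) == "permit":
        return f"pbr next-hop {PBR_NEXT_HOP}"
    if ip_address(dst) in DNS_SUBNET:
        return "connected (dns vlan)"
    return "default route (primary isp)"


def compare(src, dst):
    """Return the (original ACL, fixed ACL) routing decisions for one flow."""
    return route(ORIGINAL_ACL, src, dst), route(FIXED_ACL, src, dst)


if __name__ == "__main__":
    # Constructed sample flows: a user on VLAN 101 talking to the internal DNS
    # server, the same user going to the internet, and a host from another
    # VLAN that the PBR policy must not touch.
    flows = [
        ("192.168.101.50", "192.168.103.10"),  # DNS query to the internal resolver
        ("192.168.101.50", "8.8.8.8"),         # internet, should use secondary ISP
        ("192.168.102.50", "8.8.8.8"),         # other VLAN, not subject to PBR
    ]
    for src, dst in flows:
        before, after = compare(src, dst)
        print(f"{src:>15} -> {dst:<15} original: {before:<30} fixed: {after}")
```

On the ASA itself the equivalent check is the hitcnt shown by `show access-list inside_access` while a client resolves a name: with the original ACL the permit ACE counts up for a query to the DNS subnet, which is the symptom the thread describes; with the fixed ACL the 192.168.0.0/16 deny ACE takes the hit instead and the query is routed normally.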
08-02-2022 01:50 AM
Where is the PBR and where do you apply it???
https://www.networkstraining.com/cisco-asa-policy-based-routing-pbr/
08-02-2022 05:27 AM
Hi,
I have removed it, as it was making the DNS subnet 192.168.103.0/24 unreachable after applying it.
08-02-2022 06:01 AM
Then only post the config without PBR,
and then add PBR separately.
08-01-2022 10:19 PM
Check the document below...
https://integratingit.wordpress.com/2020/03/01/asa-policy-based-routing/