Policy base routing on ASA

sv7
Level 3

Hi all,

I have 2 ISPs and need one internal subnet, i.e. 192.168.101.0/24, to go to the secondary ISP for internet access. I have followed the below configuration and achieved what I required, but somehow my internal DNS subnet (192.168.103.0/24) is not working for users and I have to use a global DNS (8.8.8.8) to open websites. Can anyone tell me what I'm missing?

Please find my configuration below.

access-list inside_access extended permit ip 192.168.101.0 255.255.255.0 any log

route-map pbr-map permit 10
match ip address inside_access
set ip next-hop 14.143.19.xx

interface Ethernet1/9.101
vlan 101
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
policy-route route-map pbr-map


21 Replies

The configuration you posted has no PBR configuration.  Have you actually tried applying your configuration?

The configuration you have in your original post looks correct; the only thing that might be missing is NAT. Try the following, and remember to change any values that are incorrect.

access-list inside_access extended permit ip 192.168.101.0 255.255.255.0 any log

object network 192.168.101.0_24
subnet 192.168.101.0 255.255.255.0
nat (inside,outside1) dynamic interface

route-map pbr-map permit 10
match ip address inside_access
set ip next-hop 14.143.19.xx

interface Ethernet1/9.101
vlan 101
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
policy-route route-map pbr-map

For scripting automatic switchover, you could look into using the Embedded Event Manager (EEM).

EEM - https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117883-config-eem-00.html

--
Please remember to select a correct answer and rate helpful posts

Hi,

I have the NAT statements which you have pointed out. But still my DNS server subnet becomes unreachable if I apply the route-map. My ACL is like below:

access-list inside_access extended permit ip 192.168.101.0 255.255.255.0 any log

You need to add deny statements for the DNS servers. So you could do something like the following:

access-list inside_access extended deny ip 192.168.101.0 255.255.255.0 10.0.0.0 255.0.0.0 log

access-list inside_access extended deny ip 192.168.101.0 255.255.255.0 172.16.0.0 255.240.0.0 log

access-list inside_access extended deny ip 192.168.101.0 255.255.255.0 192.168.0.0 255.255.0.0 log

access-list inside_access extended permit ip 192.168.101.0 255.255.255.0 any log

This would allow you to access all private IPs as well as the internet.

--
Please remember to select a correct answer and rate helpful posts
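As an added illustration (not code from the thread or from Cisco), the following Python model evaluates a route-map match ACL first-match the way ASA policy-based routing does: a matching permit ACE sends the flow to the PBR next-hop, while a matching deny ACE, or no match at all, leaves the flow to the normal routing table. The next-hop label and the sample hosts are constructed assumptions.

```python
import ipaddress

# Added example (not from the thread): first-match model of the route-map ACL
# used for ASA policy-based routing. A matching 'permit' ACE sends the flow to
# the PBR next-hop; a matching 'deny' ACE, or no match, leaves it to the routing
# table. The next-hop label and the sample hosts below are constructed.


def _net(tokens, i):
    """Read 'any' or 'ADDR MASK' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended {permit|deny} ip SRC DST [log]'."""
    tok = line.split()
    action = tok[3]
    src, i = _net(tok, 5)
    dst, _ = _net(tok, i)
    return action, src, dst


def pbr_gateway(acl, src_ip, dst_ip, next_hop):
    """Return the gateway a flow takes under the given route-map match ACL."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for line in acl:
        action, src, dst = parse_ace(line)
        if s in src and d in dst:
            return next_hop if action == "permit" else "routing-table"
    return "routing-table"


# The ACL from the original post: a single permit for 192.168.101.0/24 to anywhere.
ORIGINAL_ACL = [
    "access-list inside_access extended permit ip 192.168.101.0 255.255.255.0 any log",
]
# The ACL suggested in the reply: deny RFC 1918 destinations first, then permit.
FIXED_ACL = [
    "access-list inside_access extended deny ip 192.168.101.0 255.255.255.0 10.0.0.0 255.0.0.0 log",
    "access-list inside_access extended deny ip 192.168.101.0 255.255.255.0 172.16.0.0 255.240.0.0 log",
    "access-list inside_access extended deny ip 192.168.101.0 255.255.255.0 192.168.0.0 255.255.0.0 log",
    "access-list inside_access extended permit ip 192.168.101.0 255.255.255.0 any log",
]
SECONDARY_ISP = "secondary-isp-next-hop"  # placeholder for the 14.143.19.xx next-hop

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        for dst in ("192.168.103.10", "8.8.8.8"):  # internal DNS server, public DNS
            print(name, "192.168.101.50 ->", dst, "via", pbr_gateway(acl, "192.168.101.50", dst, SECONDARY_ISP))
```

With the original ACL the DNS query to 192.168.103.10 is policy-routed out to the secondary ISP, which is why only 8.8.8.8 worked; with the deny entries in front it falls through to the routing table and reaches the internal DNS subnet.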

Hi,

I have removed it, as it was making the DNS subnet 192.168.103.0/24 unreachable after applying it.

Then only mention the config without PBR, and then add PBR separately.

Jitendra Kumar