POLICY-BASED ROUTING- FTD

fmugambi (VIP)

Hello Team,
I have the topology as attached.

[topology diagram attached by fmugambi]

I have introduced another interface on the FTD [172.16.40.25]. This is where I have configured the new tunnel to the branch site.

On the ASA I have NATed 41.206.58.2 > 172.16.40.25 for the 4500/500 services.

I then use the ASA outside interface as the peer on the branch site, ideally doing port-forwarding.

The challenge is that the branch site VPN only comes up when I amend the default route to 0.0.0.0/0 172.16.40.29, which is not what I want. I want the default route to remain 0.0.0.0/0 102.6.239.9, then have a policy route for remote branch traffic / the response to the branch peer, so that the VPN tunnel comes up.

When I capture traffic from the branch office on the ASA, I am able to see the traffic, but no response traffic from the FTD.

I have created a PBR on the FTD saying traffic destined for the branch office with source as the FTD [172.16.40.25] should be sent to next hop 172.16.40.29.

But using capture I see this traffic trying to flow over the dmz-ipsec zone.

What could I be missing?

Thank you in advance.

2 Replies

@fmugambi What have you configured? Can you provide screenshots?

Run packet-tracer from the CLI to simulate the traffic flow; it will show all the steps and indicate where the issue is.

Check your NAT configuration to ensure traffic is not unintentionally translated. The packet-tracer output would confirm which NAT rule the traffic matched (if any).

[two screenshots attached by fmugambi]

ICOLO-FTDv# packet-tracer input Icolo_to_GCP udp 172.16.40.25 500 34.242.85.1 $

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 40140 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14c15c128f90, priority=1, domain=permit, deny=false
hits=1046943, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Icolo_to_GCP, output_ifc=any

Phase: 2
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Elapsed time: 76266 ns
Config:
route-map FMC_GENERATED_PBR_1744811918364 permit 5
match ip address FTDv-To-GCP
set ip next-hop 172.16.40.29
Additional Information:
Matched route-map FMC_GENERATED_PBR_1744811918364, sequence 5, permit
Found next-hop 172.16.40.29 using egress ifc Icolo_to_GCP

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Elapsed time: 21742 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14c15c138a30, priority=501, domain=permit, deny=true
hits=3066, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=172.16.40.25, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Icolo_to_GCP(vrfid:0), output_ifc=any

Result:
input-interface: Icolo_to_GCP(vrfid:0)
input-status: up
input-line-status: up
output-interface: Icolo_to_GCP(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 138148 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000562c256fd518 flow (NA)/NA
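As an added example (not code from anyone in this thread), a small Python parser for packet-tracer output of the shape posted above: it splits the output into its Phase blocks and the trailing Result block, pulls the next hop and egress interface chosen in the PBR-LOOKUP phase, and reports which phase dropped the flow and why. The sample text is trimmed from the output above, the field names are only those visible in it, and `same_ifc_in_out` just flags when the Result block's input and output interface are the same, as they are here.

```python
import re

# Trimmed from the packet-tracer output posted above (only the fields the parser uses).
SAMPLE = """Phase: 2
Type: PBR-LOOKUP
Result: ALLOW
Found next-hop 172.16.40.29 using egress ifc Icolo_to_GCP

Phase: 3
Type: ACCESS-LIST
Result: DROP

Result:
input-interface: Icolo_to_GCP(vrfid:0)
output-interface: Icolo_to_GCP(vrfid:0)
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000562c256fd518 flow (NA)/NA
"""
NEXT_HOP_RE = re.compile(r"Found next-hop (\S+) using egress ifc (\S+)")

def _kv(lines):
    # 'Key: value' lines only; free text such as 'Implicit Rule' is ignored.
    pairs = (line.partition(":") for line in lines)
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep and " " not in k.strip()}

def parse_packet_tracer(text):
    # Split the output into its Phase blocks and the trailing Result block.
    phases, result = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            phase = _kv(lines)
            m = NEXT_HOP_RE.search(block)  # present only in the PBR-LOOKUP phase
            if m:
                phase["next_hop"], phase["egress_ifc"] = m.groups()
            phases.append(phase)
        elif lines[0] == "Result:":
            result = _kv(lines[1:])
    return phases, result

def summarize(text):
    # Where the flow dropped, why, and what the PBR lookup chose.
    phases, result = parse_packet_tracer(text)
    pbr = next((p for p in phases if p.get("type") == "PBR-LOOKUP"), {})
    drop = next((p for p in phases if p.get("result") == "DROP"), {})
    ifcs = [result.get(k, "").split("(")[0] for k in ("input-interface", "output-interface")]
    return {"action": result.get("action"), "drop_phase": drop.get("type"),
            "drop_reason": result.get("drop-reason", "").split(",")[0],
            "pbr_next_hop": pbr.get("next_hop"), "pbr_egress_ifc": pbr.get("egress_ifc"),
            "same_ifc_in_out": bool(ifcs[0]) and ifcs[0] == ifcs[1]}
```

Paste a full packet-tracer run into `summarize` to get the drop phase and PBR decision without reading every phase by hand.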
