Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1054
Views
0
Helpful
4
Replies

Policy Based Routing to ASA Inside Interface

Go to solution
rlesyshyn
Level 1
Level 1

‎03-05-2011 10:40 AM - edited ‎03-11-2019 01:01 PM

Hi,

Is it possible to establish PBR rules that set the ip next-hop to point directly to the inside interface of the ASA5550?

Or, do I need to direct this PBR traffic first to a directly connected router interface and then default route to the ASA?

At a high level, here's what we have:

  • ISP 1 - with /21 IP Prefix
  • No BGP Routing
  • 3845 Edge Router - Default Route to ISP 1
  • PIX535 Firewalls (HA) - Default Route to Edge Router
  • LAN Core/Distribution - Default Route to PIX535 Inside Interface
  • All applications/services use this egress path for PAT/NAT/DMZ/VPN/Etc.

Here's what we are adding:

  • ISP 2 - with /24 IP Prefix
  • No BGP Routing
  • 3925E Edge Router - Default Route to ISP 2
  • ASA5550 Firewalls (HA) - Default Route to Edge Router
  • Same connectivity to LAN Core/Distribution

Goals:

  • Maintain ISP 1 for now
  • Migrate only end user Internet traffic to ISP 2
  • No disruptions to applications/services using current DefGW to PIX535

Question:

So, my question again is how to best use PBR to selectively direct traffic to the ASA inside interface?

Also, please feel free to suggest other methods that might be more appropriate.

Thanks!

Rob

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to rlesyshyn

‎03-05-2011 11:29 AM

If you have a router behind the ASA, you can configure PBR on that router to send a subset of traffic to the ASA's inside interface IP.

When configuring PBR, you can set the next-hop to be the inside IP of the ASA (the IP, not the actual interface of the ASA) but this should be no problem.

In this case it does not matter if the next-hop is an ASA, a router or any other device, you just set the next-hop to the IP address.

Federico.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎03-05-2011 10:55 AM

Rob,

Just to be clear you're asking on how to configure PBR on the routers correct?

The reason I ask is because there's no PBR functionality on ASAs.

Federico.

0 Helpful

Go to solution
rlesyshyn
Level 1
Level 1
In response to Federico Coto Fajardo

‎03-05-2011 11:23 AM

Hi Federico,

Thanks for the reply!

I know how to use PBR and I do realize that PBR is not supported ON the ASA.

My question is can I use PBR to set an ip next-hop that points to the ASA inside interface?

In my scenario above, I do not want to make a wholesale default gateway change just yet to route all traffic away from our legacy PIX535.

I just want to selectively move traffic on a subnet by subnet to egress the new ASA.

Thanks!

Rob

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to rlesyshyn

‎03-05-2011 11:29 AM

If you have a router behind the ASA, you can configure PBR on that router to send a subset of traffic to the ASA's inside interface IP.

When configuring PBR, you can set the next-hop to be the inside IP of the ASA (the IP, not the actual interface of the ASA) but this should be no problem.

In this case it does not matter if the next-hop is an ASA, a router or any other device, you just set the next-hop to the IP address.

Federico.

0 Helpful

Go to solution
rlesyshyn
Level 1
Level 1
In response to Federico Coto Fajardo

‎03-05-2011 11:42 AM

Thanks Federico,

I thought that was in fact the case - that it is possible to policy route directly to the ASA interface ip address, but wanted to confirm.

Thanks again for your responses!

Best regards.

Rob

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card