02-23-2021 08:17 AM
Hi All,
I have a Cisco ASA 5516-X 9.6 pair in HA.
Inside 1: VLAN 100, 10.10.10.0/24 - Prod
Inside 2: VLAN 200, 20.20.20.0/24 - Dev
Communication to the networks 30.30.30.0/24 & 40.40.40.0/24 in another DC is via MPLS.
Now there is a DR planned wherein we will have Azure hosting the same networks 30.30.30.0/24 & 40.40.40.0/24 in their cloud.
4 interfaces on the ASA:
Inside 1
Inside 2
Outside-MPLS
Outside-Internet
As of now the internet is not used for any communication.
Requirement: for DR we would want only
Inside 2 VLAN 200 to Azure 30.30.30.0/24 & 40.40.40.0/24 via IPsec tunnel.
Inside 1 VLAN 100 should continue to connect to 30.30.30.0/24 & 40.40.40.0/24 via MPLS.
Can this be achieved using PBR via a policy-based VPN?
If not, what's the recommended solution?
I have static routes for 30.30.30.0/24 & 40.40.40.0/24 pointing towards MPLS.
02-23-2021 12:21 PM
02-24-2021 12:52 AM
Hello Rob,
Thank you for taking time to answer my question.
For your query "is your intention to use the internet interface to establish the VPN tunnel." - That's right.
I'm planning to use a policy-based VPN via the internet interface.
Now, will there not be any conflict or overlap with ACLs?
For PBR, I need to use an ACL to define the traffic.
For the policy-based VPN I need another ACL to define the interesting traffic.
Now the prefixes defined in both ACLs are the same.
02-24-2021 01:05 AM - edited 02-24-2021 03:47 AM
The PBR ACL would be the source of the VLAN 2 network 20.20.20.0/24 with a destination of the Azure networks.
The crypto ACL would be the source of the VLAN 2 network 20.20.20.0/24 with a destination of the Azure networks.
The PBR is enabled on the INSIDE 2 network interface. Traffic entering the INSIDE 2 interface matching the PBR ACL would be routed via the Internet connection for the next hop and encrypted using the crypto ACL.
The VLAN 1 traffic would be routed via the existing static routes.
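One way the design in the answer above could be expressed on an ASA running 9.6, as an added example that is not the poster's or the thread's own config: the nameifs (inside2, outside-internet), the object, ACL and route-map names, the next-hop and peer addresses, the PSK placeholder and the NAT exemption are all assumptions; substitute your own values.

```cisco
! Constructed example. Azure (DR) copies of the two DC networks.
object-group network AZURE-DR-NETS
 network-object 30.30.30.0 255.255.255.0
 network-object 40.40.40.0 255.255.255.0

! PBR ACL: only VLAN 200 sources bound for the DR networks match.
access-list PBR-INSIDE2-TO-AZURE extended permit ip 20.20.20.0 255.255.255.0 object-group AZURE-DR-NETS

! Route-map sends matches to the Internet next hop (placeholder address).
route-map PBR-INSIDE2 permit 10
 match ip address PBR-INSIDE2-TO-AZURE
 set ip next-hop 203.0.113.1

! PBR is applied on the ingress interface for VLAN 200 only.
interface GigabitEthernet1/2
 nameif inside2
 security-level 100
 ip address 20.20.20.1 255.255.255.0
 policy-route route-map PBR-INSIDE2

! Crypto ACL: the same prefixes define the interesting traffic.
access-list VPN-AZURE extended permit ip 20.20.20.0 255.255.255.0 object-group AZURE-DR-NETS

! Assumed: identity NAT so the tunnelled traffic keeps its private addresses.
object network INSIDE2-NET
 subnet 20.20.20.0 255.255.255.0
nat (inside2,outside-internet) source static INSIDE2-NET INSIDE2-NET destination static AZURE-DR-NETS AZURE-DR-NETS no-proxy-arp route-lookup

! IKEv2 site-to-site to the Azure VPN gateway (placeholder peer).
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ikev2 enable outside-internet
crypto ipsec ikev2 ipsec-proposal AZURE-PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map AZURE-MAP 10 match address VPN-AZURE
crypto map AZURE-MAP 10 set peer 198.51.100.10
crypto map AZURE-MAP 10 set ikev2 ipsec-proposal AZURE-PROP
crypto map AZURE-MAP interface outside-internet
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>

! The existing MPLS static routes stay; VLAN 100 never matches the PBR ACL.
route outside-mpls 30.30.30.0 255.255.255.0 <MPLS-NEXT-HOP>
route outside-mpls 40.40.40.0 255.255.255.0 <MPLS-NEXT-HOP>
```

Because the PBR ACL and the crypto ACL carry the same source/destination pairs, a packet from VLAN 200 is first diverted to outside-internet by PBR and only then matched by the crypto map on that interface, while VLAN 100 traffic never enters the route-map and follows the MPLS routes.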
02-24-2021 02:28 AM - edited 02-24-2021 02:29 AM
Hi Rob,
As of today we have VLAN 100 & 200 connecting to 30.x.x.x & 40.x.x.x via the MPLS link, i.e. Outside-MPLS.
We have static routes in place to reach the above destinations.
For DR, Microsoft will replicate 30.x.x.x & 40.x.x.x in the Azure cloud.
We want only VLAN 200 to connect to 30.x.x.x & 40.x.x.x hosted in Azure, i.e. via S2S IPsec VPN over Outside-Internet,
while VLAN 100 still uses the MPLS link (existing static routes).
02-24-2021 03:46 AM
Ok, I've corrected my last post above. Does that make sense now?
02-24-2021 04:46 AM
Thank you very much Rob