02-23-2021 08:17 AM
Hi All,
I have a Cisco ASA 5516-X 9.6 pair in HA.
Inside 1 VLAN 100 10.10.10.0/24 - Prod
Inside 2 VLAN 200 20.20.20.0/24 - Dev
Communication to the networks 30.30.30.0/24 & 40.40.40.0/24 in another DC is via MPLS.
Now there is a DR planned wherein we will have Azure hosting the same networks 30.30.30.0/24 & 40.40.40.0/24 in their cloud.
4 interfaces on ASA:
Inside 1
Inside 2
Outside-MPLS
Outside-Internet
As of now the internet is not used for any communication.
Requirement: for DR we would want only
Inside 2 VLAN 200 to Azure 30.30.30.0/24 & 40.40.40.0/24 via IPsec tunnel.
Inside 1 VLAN 100 should continue to connect to 30.30.30.0/24 & 40.40.40.0/24 via MPLS.
Can this be achieved using PBR via policy-based VPN?
If not, what's the recommended solution?
I have static routes for 30.30.30.0/24 & 40.40.40.0/24 pointing towards MPLS.
02-23-2021 12:21 PM
02-24-2021 12:52 AM
Hello Rob,
Thank you for taking time to answer my question.
For your query "is your intention to use the internet interface to establish the VPN tunnel." - That's right.
I'm planning to use policy-based VPN via the internet interface.
Now will there not be any conflict or overlap with ACLs?
For PBR, I need to use an ACL to define traffic.
For policy-based VPN I need another ACL to define interesting traffic.
Now the prefixes defined in both ACLs are the same.
02-24-2021 01:05 AM - edited 02-24-2021 03:47 AM
The PBR ACL would be the source of the VLAN 2 network 20.20.20.0/24 with a destination of the Azure networks.
The crypto ACL would be the source of the VLAN 2 network 20.20.20.0/24 with a destination of the Azure networks.
The PBR is enabled on the INSIDE 2 network interface. Traffic entering the INSIDE 2 interface matching the PBR ACL would be routed via the Internet connection for the next hop and encrypted using the crypto ACL.
The VLAN 1 traffic would be routed via the existing static routes.
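As an added example (not Rob's configuration or Cisco documentation), here is the accepted answer expressed as ASA 9.6 configuration; PBR has been available on the ASA since the 9.4 release. Interface GigabitEthernet1/2 with nameif inside2, the next hop 203.0.113.1, the Azure peer 198.51.100.10, the IKEv2 parameters and the <PSK> placeholder are all assumptions.

```cisco
object network DEV-VLAN200
 subnet 20.20.20.0 255.255.255.0
object-group network AZURE-DR-NETS
 network-object 30.30.30.0 255.255.255.0
 network-object 40.40.40.0 255.255.255.0
!
! Two ACLs with identical entries is intended, not a conflict: one is only
! consulted by the route-map, the other only by the crypto map.
access-list PBR-DEV-TO-AZURE extended permit ip object DEV-VLAN200 object-group AZURE-DR-NETS
access-list CRYPTO-DEV-TO-AZURE extended permit ip object DEV-VLAN200 object-group AZURE-DR-NETS
!
! PBR on the ingress interface of VLAN 200. Next hop 203.0.113.1 is an assumed
! ISP gateway on Outside-Internet. Anything not matched (VLAN 100 to 30/40,
! VLAN 200 to other destinations) falls through to the routing table, so the
! existing static routes toward Outside-MPLS keep working for VLAN 100.
route-map PBR-DEV-TO-AZURE permit 10
 match ip address PBR-DEV-TO-AZURE
 set ip next-hop 203.0.113.1
interface GigabitEthernet1/2
 nameif inside2
 policy-route route-map PBR-DEV-TO-AZURE
!
! Identity NAT so the tunnel carries the real 20.20.20.0/24 addresses (assumed
! to be needed only if a dynamic NAT rule on Outside-Internet exists).
nat (inside2,Outside-Internet) source static DEV-VLAN200 DEV-VLAN200 destination static AZURE-DR-NETS AZURE-DR-NETS no-proxy-arp route-lookup
!
! Policy-based IKEv2 site-to-site tunnel terminated on Outside-Internet.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 28800
crypto ikev2 enable Outside-Internet
crypto ipsec ikev2 ipsec-proposal AZURE-ESP
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map AZURE-MAP 10 match address CRYPTO-DEV-TO-AZURE
crypto map AZURE-MAP 10 set peer 198.51.100.10
crypto map AZURE-MAP 10 set ikev2 ipsec-proposal AZURE-ESP
crypto map AZURE-MAP interface Outside-Internet
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>
!
! Verify both paths: the first trace should show a PBR phase and VPN encrypt,
! the second should egress Outside-MPLS via the static route with no VPN phase.
! packet-tracer input inside2 tcp 20.20.20.10 40000 30.30.30.10 443
! packet-tracer input inside1 tcp 10.10.10.10 40000 30.30.30.10 443
```

During the DR test, `show route-map` and `show crypto ipsec sa` confirm that only VLAN 200 flows are being policy-routed and encrypted.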
02-24-2021 02:28 AM - edited 02-24-2021 02:29 AM
Hi Rob,
As of today we have VLAN 100 & 200 connecting to 30.x.x.x & 40.x.x.x via the MPLS link, i.e. Outside-MPLS.
We have static routes in place to reach the above destinations.
For DR, Microsoft will replicate 30.x.x.x & 40.x.x.x in the Azure cloud.
We want only VLAN 200 to connect to 30.x.x.x & 40.x.x.x hosted in Azure, i.e. via S2S IPsec VPN over Outside-Internet,
while VLAN 100 still uses the MPLS link (existing static routes).
02-24-2021 03:46 AM
Ok, I've corrected my last post above. Does that make sense now?
02-24-2021 04:46 AM
Thank you very much Rob