Policy based Routing via IPSEC VPN (Policy based)

Raj Sh (Level 1)

Hi All,

 

I have a Cisco ASA 5516-X 9.6 pair in HA.

Inside 1 VLAN 100 10.10.10.0/24 -Prod

inside 2 VLAN 200 20.20.20.0/24 - Dev

Communication to the networks 30.30.30.0/24 & 40.40.40.0/24 in another DC is via MPLS.

Now there is a DR planned wherein we will have Azure hosting the same networks 30.30.30.0/24 & 40.40.40.0/24 in their cloud.

 

4 interfaces on ASA:

- Inside 1
- Inside 2
- Outside-MPLS
- Outside-Internet

As of now the internet is not used for any communication.

 

Requirement: for DR we would want only

- Inside 2 VLAN 200 to Azure 30.30.30.0/24 & 40.40.40.0/24 via IPSEC tunnel
- Inside 1 VLAN 100 should continue to connect to 30.30.30.0/24 & 40.40.40.0/24 via MPLS.

Can this be achieved using PBR via policy-based VPN?

If not, what's the recommended solution?

I have static routes for 30.30.30.0/24 & 40.40.40.0/24 pointing towards MPLS.


6 Replies

@Raj Sh 

If "outside-interface" then all traffic is routed over the MPLS? Or is your intention to use the internet interface to establish the VPN tunnel. If so, then yes you could enable PBR, here is an example of PBR.

Hello Rob,

 

Thank you for taking time to answer my question.

For your query "is your intention to use the internet interface to establish the VPN tunnel?" - that's right.

I'm planning to use policy-based VPN via the internet interface.

Now, will there not be any conflict or overlap with ACLs?

For PBR, I need to use an ACL to define traffic.

For policy-based VPN, I need another ACL to define interesting traffic.

Now the prefixes defined in both ACLs are the same.

 

@Raj Sh 

The PBR ACL would be the source of the VLAN 2 network 20.20.20.0/24 with a destination of the Azure networks.

The crypto ACL would be the source of the VLAN 2 network 20.20.20.0/24 with a destination of the Azure networks.

The PBR is enabled on the INSIDE 2 network interface. Traffic entering the INSIDE 2 interface matching the PBR ACL would be routed via the Internet connection for the next hop and encrypted using the crypto ACL.

 

The VLAN 1 traffic would be routed via the existing static routes.
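The following is an added worked example of the design described in the reply above; it is not configuration from the thread or from Cisco. It assumes ASA 9.6 syntax, interface names inside1/inside2/outside-mpls/outside-internet, and placeholder addresses from the documentation ranges: 192.0.2.1 for the MPLS next hop, 203.0.113.1 for the internet next hop and 198.51.100.10 for the Azure VPN peer. The point it illustrates is that the PBR ACL and the crypto ACL can carry identical prefixes without conflict, because they are consulted at different stages: PBR picks the egress interface and next hop for packets arriving on inside2, and the crypto map bound to outside-internet then matches the same flows for encryption. inside1 traffic never hits the route-map, so it follows the existing static routes to MPLS.

```cisco
! --- Existing routing: both Azure-replicated prefixes still point at MPLS ---
! (next hop 192.0.2.1 is a placeholder)
route outside-mpls 30.30.30.0 255.255.255.0 192.0.2.1
route outside-mpls 40.40.40.0 255.255.255.0 192.0.2.1
! Default route on the internet interface so the ASA can reach the VPN peer
route outside-internet 0.0.0.0 0.0.0.0 203.0.113.1

! --- PBR ACL: only Dev (VLAN 200) to the Azure copies of 30/24 and 40/24 ---
access-list PBR-AZURE extended permit ip 20.20.20.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list PBR-AZURE extended permit ip 20.20.20.0 255.255.255.0 40.40.40.0 255.255.255.0

! Route-map sends matching traffic out the internet interface instead of
! following the static routes; non-matching traffic falls through to the RIB
route-map PBR-AZURE permit 10
 match ip address PBR-AZURE
 set ip next-hop 203.0.113.1

! PBR is applied on the ingress interface for VLAN 200 only.
! inside1 has no policy-route statement, so VLAN 100 keeps using MPLS.
interface GigabitEthernet1/2
 nameif inside2
 security-level 100
 ip address 20.20.20.1 255.255.255.0
 policy-route route-map PBR-AZURE

! --- Crypto ACL: same prefixes as the PBR ACL (this is expected, not a conflict) ---
access-list AZURE-VPN extended permit ip 20.20.20.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list AZURE-VPN extended permit ip 20.20.20.0 255.255.255.0 40.40.40.0 255.255.255.0

! IKEv2 policy and IPsec proposal (example values; align with what Azure offers)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 28800
crypto ipsec ikev2 ipsec-proposal AZURE-PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Crypto map bound to the internet interface; it only sees packets that PBR
! has already steered out of outside-internet
crypto map AZURE-MAP 10 match address AZURE-VPN
crypto map AZURE-MAP 10 set peer 198.51.100.10
crypto map AZURE-MAP 10 set ikev2 ipsec-proposal AZURE-PROP
crypto map AZURE-MAP interface outside-internet
crypto ikev2 enable outside-internet

! Tunnel-group keyed by the peer address (PSK is a placeholder)
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-PSK

! Identity NAT so VLAN 200 -> Azure is never translated if a PAT rule for
! outside-internet is added later; harmless if no NAT exists today
object network NET-DEV
 subnet 20.20.20.0 255.255.255.0
object-group network AZURE-NETS
 network-object 30.30.30.0 255.255.255.0
 network-object 40.40.40.0 255.255.255.0
nat (inside2,outside-internet) source static NET-DEV NET-DEV destination static AZURE-NETS AZURE-NETS no-proxy-arp
```

To verify the split, `packet-tracer input inside2 tcp 20.20.20.10 1024 30.30.30.10 443` should show the PBR phase selecting outside-internet and the VPN encryption phase matching AZURE-VPN, while the same trace from inside1 (`packet-tracer input inside1 tcp 10.10.10.10 1024 30.30.30.10 443`) should show a plain route lookup to outside-mpls with no VPN phase. Keep both ACLs limited to the Dev source so a host on VLAN 100 cannot reach the Azure copy by accident, and if `ip verify reverse-path` is enabled on outside-internet, check that decrypted return traffic from 30/24 and 40/24 is not dropped by the RPF check, since the RIB still points those prefixes at MPLS.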

Hi Rob,

As of today we have VLAN 100 & 200 connecting to 30.x.x.x & 40.x.x.x via the MPLS link, i.e. Outside-MPLS.

We have static routes in place to reach the above destinations.

 

For DR, Microsoft will replicate 30.x.x.x & 40.x.x.x in the Azure cloud.

We want only VLAN 200 to connect to 30.x.x.x & 40.x.x.x hosted in Azure, i.e. via S2S IPSEC VPN over Outside-Internet.

While VLAN 100 still uses the MPLS link (existing static routes).

Ok, I've corrected my last post above. Does that make sense now?

Thank you very much, Rob.
