Cisco ASA 5525

netbeginner
Level 2

Hi Team,

Stuck with a problem and seeking valuable inputs.

We have two sites i.e Location A and Location B.

There are two different links between these two locations, one is a Point to Point (P2P) link and the other is MPLS connectivity. Some of the IP pools are advertised on MPLS (BGP) and some are routed towards the P2P link. We are purely on STATIC routing. The problem is to make communication happen between a pool advertised on MPLS (BGP) from Location A to a pool routed on P2P from Location B. For example:

172.16.99.0/24 (advertised on BGP MPLS at Location A) needs to communicate with 10.10.100.0/24 (pool routed on the P2P link at Location B).

With static routing it's not possible for us to route/point a single pool towards both links. Can PBR be a feasible solution? Please suggest other options as well.

Diagram attached for reference.

12 Replies

It can be solved with PBR, but perhaps it can be even easier.

You could configure the ASAs to route one remote subnet over MPLS and one over the P2P link. You'll get asymmetric routing here, but if the routers don't run any firewall functions, it should not harm. And if you get a more or less well balanced load on both links it could be a solution that is "good enough".

With PBR, you could also remove the asymmetric routing. For PBR, your ASAs need to run at least version 9.4(1).

Hi Karsten,

Just for information, the image on the ASA is 9.3.2.

Requesting you to please elaborate your reply with some examples.

For PBR you have to upgrade. I would use 9.4(2)3 in that case.

What kind of more info do you need?

Looking for PBR commands

Hello Karsten,

Thanks for the valuable suggestion.

But I am still confused with my scenario.

Requesting you to please refer to the diagram once. I am sitting at Location A (which is the central site / Data Center for all remote locations).

Let's assume an example.

There are multiple IPs / pools running at Location A in the inside zone:

172.16.99.0/24, 172.16.17.0/24, 172.16.100.0/24 and many more.

The MPLS setup is created for a specific requirement (voice traffic) and for some specific IPs only, let's say 172.16.99.2/3/4/5/6/7. These specific IPs are routed toward the MPLS gateway as we require them to be used for voice traffic; all the remaining IPs or pools are routed toward the P2P gateway. Things are done the same way at the remote side, i.e. Location B.

There are some IPs hosted at Location B (let's say 10.10.100.5/6/7) which are routed on the P2P link from Location B, and the reverse route for these 10.10.100.5/6/7 IPs from our end, i.e. Location A, is also on P2P.

Now, the problem is: the voice traffic IPs which are routed toward the new MPLS link from Location A (172.16.99.2/3/4/5/6/7) also need to communicate with IPs at Location B (10.10.100.5/6/7) which are routed on P2P (both forward and reverse route on P2P). However, 172.16.99.2/3/4/5/6/7 will also communicate with those Location B IPs which are advertised on MPLS from their end.

The requirement is to divert/route traffic from source 172.16.99.2/3/4/5/6/7 to destination 10.10.100.5/6/7 through the MPLS link only instead of the P2P link (as of now it's going over P2P, which it should not). Communication for the rest of the IPs/pools, excluding the above mentioned sources and destinations, should stay as it is on the existing P2P link, as it is currently happening.

Hope you have some clarity on the problem now.

That's exactly what can be achieved with PBR. In an ACL you describe the traffic that should flow a different way from "normal" routing. For symmetric routing this has to be done on both sides with mirrored definitions.

Hello Karsten,

For symmetric routing this has to be done on both sides with mirrored definitions. ?

We understand that PBR has to be implemented at Location A (our end only).

Please suggest if we are good to go with the below PBR commands.

Source (inside zone IPs 172.16.99.2/3, Location A) --> Destination (10.10.100.5, Location B) => routing over MPLS with the below PBR

PBR for inside zone (interface Gig0/0) source IPs

C0re_Asa(config)# access-list V01ce permit ip 172.16.99.2 255.255.255.255 10.10.100.5 255.255.255.255
C0re_Asa(config)# access-list V01ce permit ip 172.16.99.3 255.255.255.255 10.10.100.5 255.255.255.255

C0re_Asa(config)# route-map VoiveTraffic permit 10
C0re_Asa(config-route-map)# match ip address V01ce
C0re_Asa(config-route-map)# set ip next-hop 10.12.19.22 

C0re_Asa(config)# route-map VoiveTraffic permit 20
C0re_Asa(config-route-map)# set interface Null0


Now, this route-map has to be attached to an interface.

C0re_Asa(config)# interface Gi0/0
C0re_Asa(config-if)# policy-route route-map VoiveTraffic

++++++++++++++++++++++++++++++++++++++++++

Source (DMZ IPs 172.16.100.19/20, Location A) --> Destination (10.10.100.5, Location B) => routing over MPLS with the below PBR

PBR for DMZ zone (interface Gig0/1) source IPs

C0re_Asa(config)# access-list V01ce-1 permit ip 172.16.100.19 255.255.255.255 10.10.100.5 255.255.255.255
C0re_Asa(config)# access-list V01ce-1 permit ip 172.16.100.20 255.255.255.255 10.10.100.5 255.255.255.255

C0re_Asa(config)# route-map VoiveTraffic1 permit 10
C0re_Asa(config-route-map)# match ip address V01ce-1
C0re_Asa(config-route-map)# set ip next-hop 10.12.19.22 

C0re_Asa(config)# route-map VoiveTraffic1 permit 20
C0re_Asa(config-route-map)# set interface Null0


Now, this route-map has to be attached to an interface.

C0re_Asa(config)# interface Gi0/1
C0re_Asa(config-if)# policy-route route-map VoiveTraffic1

The rest of the traffic (which is already flowing over the point to point link) will flow as it is; there would not be any impact on it due to the above PBRs. Please validate.

I'm not sure how the ASA behaves with your route-map sequence 20 where you send the remaining traffic to Null0. I can't lab it at the moment, but I would expect that this matches all other traffic and that you blackhole all traffic that should flow over the P2P link with that config. Better test it in a lab environment or while scheduling a downtime.
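To make the concern above concrete, here is an added example (not from the thread or from Cisco) that models the ASA's route-map evaluation for the posted config: sequence 10 matches ACL V01ce and sets the MPLS next-hop, and an optional sequence 20 with no match clause matches everything and sends it to Null0, otherwise the packet falls through to the static routing table. The P2P gateway address 192.0.2.1 is an assumption, as the thread never states it.

```python
import ipaddress

# Constructed model of access-list V01ce from the post: (source host, destination host).
ACL_V01CE = [
    (ipaddress.ip_network("172.16.99.2/32"), ipaddress.ip_network("10.10.100.5/32")),
    (ipaddress.ip_network("172.16.99.3/32"), ipaddress.ip_network("10.10.100.5/32")),
]
MPLS_NEXT_HOP = "10.12.19.22"   # next-hop from the posted "set ip next-hop"
P2P_NEXT_HOP = "192.0.2.1"      # ASSUMED P2P gateway; the thread does not give it

# Static routes as (prefix, next-hop); longest prefix wins, as on the ASA.
STATIC_ROUTES = [
    (ipaddress.ip_network("10.10.100.0/24"), P2P_NEXT_HOP),   # Location B pool via P2P
    (ipaddress.ip_network("0.0.0.0/0"), P2P_NEXT_HOP),        # default via P2P
]


def acl_matches(acl, src, dst):
    """True if any ACE permits this source/destination pair."""
    return any(src in s and dst in d for s, d in acl)


def static_lookup(dst):
    """Longest-prefix-match lookup in the static routing table."""
    candidates = [r for r in STATIC_ROUTES if dst in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def select_next_hop(src_ip, dst_ip, blackhole_rest):
    """Evaluate route-map VoiveTraffic for a packet entering Gi0/0.

    seq 10: match ip address V01ce -> set ip next-hop MPLS_NEXT_HOP
    seq 20: (only when blackhole_rest) no match clause -> matches all -> Null0
    no route-map entry matched -> normal static routing
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if acl_matches(ACL_V01CE, src, dst):
        return MPLS_NEXT_HOP
    if blackhole_rest:
        return "Null0"
    return static_lookup(dst)
```

With `blackhole_rest=True`, every non-voice flow from the inside zone (for example 172.16.17.10 to 10.10.100.5) lands on Null0, which is the blackhole described above; without sequence 20 those flows use the existing P2P static route.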

Hi Karsten,

Finally applied the below PBR (without the interface Null0 entry) and everything worked. Thanks.

C0re_Asa(config)# access-list V01ce permit ip 172.16.99.2 255.255.255.255 10.10.100.5 255.255.255.255
C0re_Asa(config)# access-list V01ce permit ip 172.16.99.3 255.255.255.255 10.10.100.5 255.255.255.255

C0re_Asa(config)# route-map VoiveTraffic permit 10
C0re_Asa(config-route-map)# match ip address V01ce
C0re_Asa(config-route-map)# set ip next-hop 10.12.19.22


Now, this route-map has to be attached to an interface.

C0re_Asa(config)# interface Gi0/0
C0re_Asa(config-if)# policy-route route-map VoiveTraffic

>> For symmetric routing this has to be done on both sides with mirrored definitions. ?

> We understand that PBR has to be implemented at Location A (our end only).

After reading it again I think you are right. I thought that there is also traffic from voice-related systems in B talking to "normal" systems in A. To have this traffic on MPLS you would need PBR on ASA-B.
