PBR&ASA 3560

Stewart Thomas
Level 1

I have a 3560-48PS running IPBASE. I want to do some PBR on this device. Will I have to change the image to IP Services for this to work?

Here is a description of what I'm trying to do. I have two internet connections connecting to two different 5510 ASAs. The two ASAs connect to the 3560.

All my internet traffic is going out one ASA. Also on this ASA I have a static IP range for internal servers; this ASA is working properly with no problems.

The second ASA is where I'm having my issues. On the second ASA my VPN traffic comes in and works fine. I also have a static IP from the ISP. This range I cannot get to work. When I do a NAT translation on the second ASA and try to ping from the outside world, the ping comes in but I do not get a reply. After troubleshooting the issue, it seems that I have some asymmetric routing. So the ping comes in the second ASA and tries to go out the first ASA. This is because I have a default route in the 3560 going back to the first ASA. I have this route there for the users to get back to the internet. So I think the issue can be solved with some PBR in the 3560.


jawad-mukhtar
Level 4

What I got from you:

You have two ISPs

and you want to split traffic to ASA1 and ASA2.

If this is the case,

on the 3560 you have to do PBR.

ACLA (for routing traffic towards ASA1)

ip access-list extended ACLA
 permit ip host 192.168.x.10 any

ACLB (for routing traffic towards ASA2)

ip access-list extended ACLB
 permit ip host 192.168.x.20 any

Create route map

route-map RM-AB permit 10
 match ip address ACLA
 set ip next-hop (ASA1 interface IP)

route-map RM-AB permit 20
 match ip address ACLB
 set ip next-hop (ASA2 interface IP)

Apply route map to VLAN

interface vlan x
 ip policy route-map RM-AB

*** Do Rate Helpful Posts***

Jawad
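The forwarding decision discussed in this thread, modelled as an added Python example (not code from either poster): it shows why a reply that follows the 3560's default route to ASA1 is lost when the request arrived through ASA2, and how a source-matched route-map entry restores the return path. All addresses, the `ROUTE_MAP` structure and the function names are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumptions, not taken from the thread)
ASA1 = "10.0.0.1"         # inside interface of the first ASA (user Internet exit)
ASA2 = "10.0.0.2"         # inside interface of the second ASA (VPN, static range)
DEFAULT_NEXT_HOP = ASA1   # the 3560's existing default route

# route-map RM-AB modelled as (sequence, source ACL, next hop) entries
ROUTE_MAP = [
    (10, [ipaddress.ip_network("192.168.10.10/32")], ASA1),
    (20, [ipaddress.ip_network("192.168.10.20/32")], ASA2),
]


def next_hop(src, route_map=None):
    """Next hop the switch picks for a packet sourced from src."""
    addr = ipaddress.ip_address(src)
    for _seq, acl, hop in sorted(route_map or [], key=lambda e: e[0]):
        if any(addr in net for net in acl):
            return hop            # first matching sequence wins
    return DEFAULT_NEXT_HOP       # no policy match: normal routing table


def reply_delivered(ingress_asa, server_ip, route_map=None):
    """A stateful firewall only passes a reply for a connection it saw itself."""
    return next_hop(server_ip, route_map) == ingress_asa


def trace(ingress_asa, server_ip, route_map=None):
    """Human-readable summary of the request and reply paths."""
    egress = next_hop(server_ip, route_map)
    state = "reply delivered" if egress == ingress_asa else "asymmetric, reply dropped"
    return f"{server_ip}: in via {ingress_asa}, out via {egress}: {state}"


if __name__ == "__main__":
    server = "192.168.10.20"                # host NATed on ASA2 (constructed)
    print(trace(ASA2, server))              # default route only
    print(trace(ASA2, server, ROUTE_MAP))   # with the policy applied
    print(trace(ASA1, "192.168.10.99", ROUTE_MAP))  # unmatched user host
```

Hosts that match no sequence still follow the default route, so user traffic keeps leaving through ASA1.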