09-07-2018 09:31 AM
Hello,
The goal is to route all traffic coming from VLAN200 via ASA VTI tunnel.
In this case, I wanted to apply PBR at ASA Group-Channel Interface and to use VTI Peer IP as next hop.
Please see information below.
Any help is much appreciated.
10.20.200.0/24 [HQ, rtr-core]----[HQ-ASA, VTI IP 10.70.0.1]===VTI===[DC-ASA, VTI IP 10.70.0.3, inside 10.28.121.218]---[DC, rtr-core]....
I assigned PBR to Po48 which is the inside interface adjacent to njo1p-rtr-core.
I tried both the tunnel peer's inside IP [10.28.121.218] and the tunnel peer's VTI IP [10.70.0.3].
But I am not able to see any traffic related to VLAN200 passing the tunnel.
To my knowledge, I am able to use a next-hop IP as long as this IP is present in the local RIB (see output below).
However, I don't know whether the same is true, when using VTI Tunnel Peer IP as next hop.
At ASA, HQ:
interface Port-channel48
lacp max-bundle 8
nameif inside
security-level 100
ip address 10.50.0.6 255.255.255.252
policy-route route-map VLAN200
route-map VLAN200 permit 10
match ip address VLAN200Route
set ip next-hop 10.70.0.3
(or: set ip next-hop 10.28.121.218)
access-list VLAN200Route extended permit ip 10.20.200.0 255.255.255.0 any
ASA-HQ# sh route 10.70.0.3
Routing entry for 10.70.0.0 255.255.255.248
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via NWK-ndj1p-fw-vpn2
Route metric is 0, traffic share count is 1
ASA-HQ# sh route 10.28.121.218
Routing entry for 10.28.121.0 255.255.255.0
Known via "bgp 64514", distance 20, metric 100
Tag 64512, type external
Last update from 10.70.0.3 3:02:50 ago
Routing Descriptor Blocks:
* 10.70.0.3, from 10.70.0.3, 3:02:50 ago
Route metric is 100, traffic share count is 1
AS Hops 1
Route tag 64512
MPLS label: no label string provided
The PBR ACL got hit, but I am not able to see any traffic traversing the VTI tunnel:
access-list VLAN200Route; 2 elements; name hash: 0xb6c462d5
access-list VLAN200Route line 1 extended permit ip 10.20.200.0 255.255.255.0 any (hitcnt=7) 0x56cfe80a
access-list VLAN200Route line 2 extended deny ip any any (hitcnt=2439) 0xccb0ae2f
Please advise.
Thanks
09-07-2018 01:23 PM
Hello,
Assuming you are using 9.4 or higher (that is when PBR was introduced), you need a static host route to the other tunnel endpoint in order to avoid the outside interface being the outgoing interface.
If your tunnel interface's name is 'vpn', the static route would look like this:
route vpn 10.70.0.3 255.255.255.255 10.70.0.1 1
You need that route in any case, whether you use PBR or route based VPN.
Does a static route work? If your remote network is 10.28.121.0/24, the static route would be:
route vpn 10.28.121.0 255.255.255.0 10.70.0.1 1
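As an added example (not the reply's or the poster's own configuration), the HQ-ASA pieces brought together: the remote-network route through the VTI with the /24 mask, the PBR policy with the corrected ACL, and a packet-tracer check. The tunnel nameif 'vpn', the next hop 10.70.0.3 (the peer's VTI address, which the BGP entry above already uses) and the source host 10.20.200.10 are assumptions.

```text
! HQ-ASA (added example, not from the thread). Assumes the VTI nameif is
! 'vpn' and that the remote VTI address 10.70.0.3 is used as next hop.
!
! 1. Route the DC inside network through the VTI, not the outside interface.
!    The /24 needs mask 255.255.255.0; the 10.70.0.0/29 containing the peer
!    is already "connected" on the tunnel per the 'sh route 10.70.0.3' output.
route vpn 10.28.121.0 255.255.255.0 10.70.0.3 1
!
! 2. PBR on the inside Port-channel: match VLAN200 (/24, protocol 'ip')
!    and send it to the peer's VTI address.
access-list VLAN200Route extended permit ip 10.20.200.0 255.255.255.0 any
route-map VLAN200 permit 10
 match ip address VLAN200Route
 set ip next-hop 10.70.0.3
interface Port-channel48
 policy-route route-map VLAN200
!
! 3. Verify from the CLI (10.20.200.10 is a constructed source host):
!    packet-tracer should show egress on 'vpn' and a VPN encrypt phase,
!    and the IPsec SA encaps counters should rise as traffic flows.
packet-tracer input inside icmp 10.20.200.10 8 0 10.28.121.218
show crypto ipsec sa peer <DC-ASA-OUTSIDE-IP>
```

If packet-tracer still shows the outside interface as egress, the route lookup rather than the route-map is what to check first.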