PBR at ASA as VTI Peer IP as next hop

Netmart
Level 1

Hello,

The goal is to route all traffic coming from VLAN200 via ASA VTI tunnel.

In this case, I wanted to apply PBR at the ASA Group-Channel interface and to use the VTI peer IP as next hop.

Please see information below.

Any help is much appreciated.

 

10.20.200.0/24 [HQ, rtr-core]----[HQ-ASA, VTI IP 10.70.0.1]===VTI===[DC-ASA, VTI IP 10.70.0.3, inside 10.28.121.218]---[DC, rtr-core]....

 

I assigned PBR to Po48 which is the inside interface adjacent to njo1p-rtr-core.

I tried both the tunnel peer's inside IP (10.28.121.218) and the tunnel peer's IP (10.70.0.3).

But I am not able to see any traffic related to VLAN200 passing the tunnel.

To my knowledge, I am able to use a next-hop IP as long as that IP is present in the local RIB (see output below).

However, I don't know whether the same is true when using the VTI tunnel peer IP as next hop.

 

At ASA, HQ:

interface Port-channel48
 lacp max-bundle 8
 nameif inside
 security-level 100
 ip address 10.50.0.6 255.255.255.252
 policy-route route-map VLAN200

route-map VLAN200 permit 10
 match ip address VLAN200Route
 set ip next-hop 10.70.0.3

(or: set ip next-hop 10.28.121.218)

access-list VLAN200Route extended permit ip 10.20.200.0 255.255.255.0 any

ASA-HQ# sh route 10.70.0.3

Routing entry for 10.70.0.0 255.255.255.248
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via NWK-ndj1p-fw-vpn2
      Route metric is 0, traffic share count is 1

ASA-HQ# sh route 10.28.121.218

Routing entry for 10.28.121.0 255.255.255.0
  Known via "bgp 64514", distance 20, metric 100
  Tag 64512, type external
  Last update from 10.70.0.3 3:02:50 ago
  Routing Descriptor Blocks:
  * 10.70.0.3, from 10.70.0.3, 3:02:50 ago
      Route metric is 100, traffic share count is 1
      AS Hops 1
      Route tag 64512
      MPLS label: no label string provided

 

The PBR ACL got hit, but I am not able to see any traffic traversing the VTI tunnel:

access-list VLAN200Route; 2 elements; name hash: 0xb6c462d5
access-list VLAN200Route line 1 extended permit ip 10.20.200.0 255.255.255.0 any (hitcnt=7) 0x56cfe80a
access-list VLAN200Route line 2 extended deny ip any any (hitcnt=2439) 0xccb0ae2f

 

Please advise.

 

Thanks

1 Reply

Hello,

 

Assuming you are using 9.4 or higher (that is when PBR was introduced), you need a static host route to the other tunnel endpoint in order to avoid the outside interface being the outgoing interface.

 

If your tunnel interface's name is 'vpn', the static route would look like this:

 

route vpn 10.70.0.3 255.255.255.255 10.70.0.1 1

 

You need that route in any case, whether you use PBR or route-based VPN.

 

Does a static route work? If your remote network is 10.28.121.0/24, the static route would be:

route vpn 10.28.121.0 255.255.255.0 10.70.0.1 1
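Two things in this thread are worth checking offline before touching the firewall: which interface (nameif) a PBR next hop actually resolves to in the RIB, and whether the PBR ACL's mask matches the prefix the admin intended (the original ACL used 255.0.0.0 for a /24). The script below is an added example, not code from either poster or from Cisco. It parses ASA "show route <ip>" output in the format shown in the thread, follows recursive next hops to a directly connected interface, and compares an extended ACL line's source network with an intended CIDR. The two sample outputs are constructed, modelled on the thread's own output, and the interface name NWK-ndj1p-fw-vpn2 is taken from it.

```python
import ipaddress
import re

# Constructed sample 'show route' outputs, modelled on the thread's output.
SHOW_ROUTE_PEER = """\
Routing entry for 10.70.0.0 255.255.255.248
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via NWK-ndj1p-fw-vpn2
      Route metric is 0, traffic share count is 1
"""

SHOW_ROUTE_INSIDE = """\
Routing entry for 10.28.121.0 255.255.255.0
  Known via "bgp 64514", distance 20, metric 100
  Tag 64512, type external
  Last update from 10.70.0.3 3:02:50 ago
  Routing Descriptor Blocks:
  * 10.70.0.3, from 10.70.0.3, 3:02:50 ago
      Route metric is 100, traffic share count is 1
"""

ENTRY_RE = re.compile(r"Routing entry for (\S+) (\S+)")
SOURCE_RE = re.compile(r'Known via "([^"]+)"')
CONNECTED_RE = re.compile(r"directly connected, via (\S+)")
GATEWAY_RE = re.compile(r"^\s*\*\s+(\d+\.\d+\.\d+\.\d+),", re.MULTILINE)
# Optional protocol keyword: the thread's hand-typed ACL omitted 'ip'.
ACL_RE = re.compile(
    r"permit\s+(?:(?:ip|tcp|udp|icmp)\s+)?"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+any"
)


def parse_show_route(text):
    """Parse one 'show route <ip>' block into prefix, source, interface, gateway."""
    m = ENTRY_RE.search(text)
    if m is None:
        raise ValueError("no 'Routing entry for' line in output")
    prefix = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    source = SOURCE_RE.search(text)
    iface = CONNECTED_RE.search(text)
    gw = GATEWAY_RE.search(text)
    return {
        "prefix": prefix,
        "source": source.group(1) if source else None,
        "interface": iface.group(1) if iface else None,   # set for connected routes
        "gateway": gw.group(1) if gw else None,           # set for recursive routes
    }


def resolve_egress(ip, entries, max_depth=8):
    """Follow recursive next hops (longest match each step) to a connected interface.

    Returns the nameif the packet would leave through, or None when no entry
    covers the address or the recursion does not terminate within max_depth.
    """
    addr = ipaddress.ip_address(ip)
    for _ in range(max_depth):
        covering = [e for e in entries if addr in e["prefix"]]
        if not covering:
            return None
        best = max(covering, key=lambda e: e["prefix"].prefixlen)
        if best["interface"]:
            return best["interface"]
        if not best["gateway"]:
            return None
        addr = ipaddress.ip_address(best["gateway"])
    return None


def acl_source_network(acl_line):
    """Return the source network an extended ACL line really matches."""
    m = ACL_RE.search(acl_line)
    if m is None:
        raise ValueError("unrecognised access-list line")
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)


def acl_matches_intent(intended_cidr, acl_line):
    """True when the ACL's source network equals the prefix the admin intended."""
    return acl_source_network(acl_line) == ipaddress.ip_network(intended_cidr)


if __name__ == "__main__":
    rib = [parse_show_route(SHOW_ROUTE_PEER), parse_show_route(SHOW_ROUTE_INSIDE)]
    for hop in ("10.70.0.3", "10.28.121.218"):
        print(f"next hop {hop} egresses via {resolve_egress(hop, rib)}")
    typed = "access-list VLAN200Route extended permit 10.20.200.0 255.0.0.0 any"
    print("typed ACL matches", acl_source_network(typed),
          "- intended /24?", acl_matches_intent("10.20.200.0/24", typed))
```

Both candidate next hops from the thread resolve through the tunnel nameif, so the RIB is not what is stopping VLAN200 traffic; the check is still useful after adding the reply's static routes, to confirm the host route wins over any outside-facing route. The ACL check shows that 10.20.200.0 255.0.0.0 actually matches 10.0.0.0/8, which is why the running-config line (255.255.255.0) and the typed line disagree.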
