PBR config questions on ASA

tim829 (Level 1)

I'm about to implement PBR on our ASA to route guest network traffic out of our secondary WAN connection. I do have a couple of questions about the configuration though.

Primary WAN Gateway: 165.XXX.XXX.129
Secondary WAN Gateway: 206.XXX.XXX.1
Guest Network: 10.192.172.0/22

This is what the config will look like:

ciscoasa(config)# access-list acl-1 extended permit ip 10.15.0.0 255.255.0.0 any
ciscoasa(config)# access-list acl-2 extended permit ip 10.21.0.0 255.255.0.0 any
ciscoasa(config)# access-list acl-3 extended permit ip 192.168.0.0 255.255.0.0 any
ciscoasa(config)# access-list acl-4 extended permit ip 172.0.0.0 255.0.0.0 any
ciscoasa(config)# access-list acl-5 extended permit ip 10.192.172.0 255.255.252.0 any

ciscoasa(config)# route-map PBR-1 permit 5
ciscoasa(config-route-map)# match ip address acl-1
ciscoasa(config-route-map)# set ip next-hop 165.XXX.XXX.129

ciscoasa(config)# route-map PBR-1 permit 10
ciscoasa(config-route-map)# match ip address acl-2
ciscoasa(config-route-map)# set ip next-hop 165.XXX.XXX.129

ciscoasa(config)# route-map PBR-1 permit 15
ciscoasa(config-route-map)# match ip address acl-3
ciscoasa(config-route-map)# set ip next-hop 165.XXX.XXX.129

ciscoasa(config)# route-map PBR-1 permit 20
ciscoasa(config-route-map)# match ip address acl-4
ciscoasa(config-route-map)# set ip next-hop 165.XXX.XXX.129

ciscoasa(config)# route-map PBR-1 permit 25
ciscoasa(config-route-map)# match ip address acl-5
ciscoasa(config-route-map)# set ip next-hop 206.XXX.XXX.1

ciscoasa(config)# route-map PBR-1 permit 30
ciscoasa(config-route-map)# set ip interface Null0

ciscoasa(config)# interface GigabitEthernet1/2 
ciscoasa(config-if)# policy-route route-map PBR-1

So I guess the first question is does this configuration look good?

Second, doesn't the set ip next-hop override the routes in the routing table? Are those routes even needed anymore after implementing PBR?

Third, and just out of curiosity, what does set ip interface Null0 do and why is it needed?

Thanks

4 Replies

pieterh (VIP)

"does this configuration look good"
It could work, but I'd make it simpler: you only need one access-list for each next-hop.

ciscoasa(config)# access-list acl-1 extended permit ip 10.15.0.0 255.255.0.0 any
ciscoasa(config)# access-list acl-1 extended permit ip 10.21.0.0 255.255.0.0 any
ciscoasa(config)# access-list acl-1 extended permit ip 192.168.0.0 255.255.0.0 any
ciscoasa(config)# access-list acl-1 extended permit ip 172.0.0.0 255.0.0.0 any
ciscoasa(config)# access-list acl-2 extended permit ip 10.192.172.0 255.255.252.0 any

I didn't think about that, thanks for the pointer!

Hello,

In addition to the other post, if you have NAT configured, you would probably still need the static routes. Can you post the full configuration of your ASA?

Ahh, didn't think about the NATs needing the routes. The config is attached; I removed some info from it, but the guts of it are still there. I haven't added the PBR config to it yet though.

!
ASA Version 9.8(4) 
!
hostname xxxxxxx-asa
domain-name xxxxxxx.com
enable password *************** encrypted
passwd **************** encrypted
names
no mac-address auto

!
interface GigabitEthernet1/1
 description WAN1
 nameif outside
 security-level 0
 ip address 165.XXX.XXX.XXX 255.255.255.240 
!
interface GigabitEthernet1/2
 description Inside
 nameif inside
 security-level 100
 ip address 10.15.10.254 255.255.255.0 
!
interface GigabitEthernet1/3
 description WAN2
 nameif backup
 security-level 0
 ip address 206.XX.XXX.XXX 255.255.255.0 
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 description FirePower
 management-only
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa984-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.15.60.2 inside
 name-server 10.15.60.3 inside
 domain-name xxxxxxx.com
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network VPN_POOL
 subnet 10.15.65.0 255.255.255.0
object network obj_any_backup
 subnet 0.0.0.0 0.0.0.0
access-list SPLIT_VPN_TUNNEL standard permit 172.17.1.0 255.255.255.0 
access-list SPLIT_VPN_TUNNEL standard permit 10.15.100.0 255.255.255.0 
access-list SPLIT_VPN_TUNNEL standard permit 10.11.56.0 255.255.255.0 
access-list SPLIT_VPN_TUNNEL standard permit 10.12.56.0 255.255.255.0 
access-list SPLIT_VPN_TUNNEL standard permit 10.15.60.0 255.255.255.0 
access-list SPLIT_VPN_TUNNEL standard permit 10.15.67.0 255.255.255.0 
access-list SPLIT_VPN_TUNNEL standard permit 10.15.56.0 255.255.255.0 
access-list SPLIT_VPN_TUNNEL standard permit 10.18.56.0 255.255.255.0 
access-list SPLIT_VPN_TUNNEL standard permit 10.21.56.0 255.255.255.0 
access-list SPLIT_VPN_TUNNEL standard permit 10.21.67.0 255.255.255.0 
access-list SPLIT_VPN_TUNNEL standard permit 10.23.56.0 255.255.255.0 
access-list SPLIT_VPN_TUNNEL standard permit 10.31.56.0 255.255.255.0 
access-list SPLIT_VPN_TUNNEL standard permit 10.32.56.0 255.255.255.0 
access-list SPLIT_VPN_TUNNEL standard permit 10.45.56.0 255.255.255.0 
access-list SPLIT_VPN_TUNNEL standard permit 10.85.56.0 255.255.255.0 
access-list SPLIT_VPN_TUNNEL standard permit 192.168.210.0 255.255.255.0 
access-list SPLIT_VPN_TUNNEL standard permit 10.21.20.0 255.255.255.0 
access-list outside_access_in extended permit tcp any object BMA-SMTP eq smtp 
access-list outside_access_in extended permit tcp any object BMA-WWW eq https 
pager lines 24
logging enable
logging timestamp
logging list default level informational
logging trap critical
logging asdm default
logging from-address no-reply@xxxxxxx.com
logging host inside 172.17.1.3
logging class auth trap critical asdm informational 
mtu outside 1500
mtu inside 1500
mtu backup 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 4.2.2.2 outside
icmp permit 69.162.124.0 255.255.255.0 outside
icmp permit 63.143.42.0 255.255.255.0 outside
icmp permit 216.245.221.0 255.255.255.0 outside
icmp permit host 165.XXX.XXX.XXX outside
icmp permit host 4.2.2.2 backup
icmp permit 69.162.124.0 255.255.255.0 backup
icmp permit 63.143.42.0 255.255.255.0 backup
icmp permit 216.245.221.0 255.255.255.0 backup
icmp permit host 165.XXX.XXX.XXX backup
asdm image disk0:/asdm-792-152.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.15.65.0_24 NETWORK_OBJ_10.15.65.0_24 no-proxy-arp route-lookup description *DO NOT DELETE* NAT for AnyConnect VPN
!
object network obj_any
 nat (any,outside) dynamic interface
object network BMA-SMTP
 nat (any,outside) static 165.166.210.136 service tcp smtp smtp 
object network BMA-WWW
 nat (any,outside) static 165.166.210.136 service tcp https https 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 165.XXX.XXX.XXX 99 track 1
route backup 0.0.0.0 0.0.0.0 206.XX.XXX.X 254
route inside 10.11.56.0 255.255.255.0 10.15.10.1 1
route inside 10.12.56.0 255.255.255.0 10.15.10.1 1
route inside 10.15.56.0 255.255.255.0 10.15.10.1 1
route inside 10.15.60.0 255.255.255.0 10.15.10.1 1
route inside 10.15.67.0 255.255.255.0 10.15.10.1 1
route inside 10.15.68.0 255.255.255.0 10.15.10.1 1
route inside 10.15.94.0 255.255.255.0 10.15.10.1 1
route inside 10.15.100.0 255.255.255.0 10.15.10.1 1
route inside 10.15.101.0 255.255.255.0 10.15.10.1 1
route inside 10.18.56.0 255.255.255.0 10.15.10.1 1
route inside 10.21.20.0 255.255.255.0 10.15.10.1 1
route inside 10.21.56.0 255.255.255.0 10.15.10.1 1
route inside 10.21.67.0 255.255.255.0 10.15.10.1 1
route inside 10.23.56.0 255.255.255.0 10.15.10.1 1
route inside 10.31.56.0 255.255.255.0 10.15.10.1 1
route inside 10.32.56.0 255.255.255.0 10.15.10.1 1
route inside 10.42.56.0 255.255.255.0 10.15.10.1 1
route inside 10.42.67.0 255.255.255.0 10.15.10.1 1
route inside 10.45.56.0 255.255.255.0 10.15.10.1 1
route inside 10.46.56.0 255.255.255.0 10.15.10.1 1
route inside 10.85.56.0 255.255.255.0 10.15.10.1 1
route inside 10.192.172.0 255.255.252.0 10.15.10.1 1
route inside 172.17.1.0 255.255.255.0 10.15.10.1 1
route inside 172.17.2.0 255.255.255.0 10.15.10.1 1
route inside 172.17.20.0 255.255.255.0 10.15.10.1 1
route inside 172.18.200.0 255.255.255.0 10.15.10.1 1
route inside 172.21.20.0 255.255.255.0 10.15.10.1 1
route inside 192.168.1.0 255.255.255.0 10.15.10.1 1
route inside 192.168.168.0 255.255.255.0 10.15.10.1 1
route inside 192.168.169.0 255.255.255.0 10.15.10.1 1
route inside 192.168.170.0 255.255.255.0 10.15.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.15.60.2
 key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 radius-common-pw XXXXXXXXXXXXXXXXXXXXXXXXX
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication login-history
http server enable
http 10.15.67.0 255.255.255.0 inside
http 10.15.56.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 10
 frequency 30
sla monitor schedule 123 life forever start-time now
service sw-reset-button
track 1 rtr 123 reachability
telnet timeout 120
no ssh stricthostkeycheck
ssh 10.15.56.0 255.255.255.0 inside
ssh 10.15.67.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign local
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.30 source outside
ntp server 129.6.15.29 source outside
ntp server 129.6.15.28 source outside prefer
webvpn
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_VPN_TUNNEL
group-policy GroupPolicy_vpn.xxxxxxx.com internal
group-policy GroupPolicy_vpn.xxxxxxx.com attributes
 wins-server none
 dns-server value 10.15.60.2 10.15.60.3
 dhcp-network-scope 10.15.65.0
 vpn-tunnel-protocol ikev2 ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_VPN_TUNNEL
 default-domain value xxxxxxx.com
 webvpn
  anyconnect profiles value vpn.xxxxxxx.com_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username xxxxxxxxxx password $sha512$5000$41mdV24jfdMmvfrx/WrnLolkA== pbkdf2 privilege 15
username xxxxxxxxxx password $sha512$5000$41iQ4WgzdcToGcb$9OlaDqpgjzDXyXvTWCzjrg== pbkdf2
username xxxxxxxxxx attributes
 vpn-group-policy GroupPolicy_vpn.xxxxxxx.com
 password-storage disable
tunnel-group vpn.xxxxxxx.com type remote-access
tunnel-group vpn.xxxxxxx.com general-attributes
 authentication-server-group RADIUS
 default-group-policy GroupPolicy_vpn.xxxxxxx.com
 dhcp-server 10.15.60.2
tunnel-group vpn.xxxxxxx.com webvpn-attributes
 group-alias vpn.xxxxxxx.com enable
!
class-map inspection_default
 match default-inspection-traffic
class-map XXXXXXX-SFR
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
 class XXXXXXX-SFR
  sfr fail-open
 class class-default
  user-statistics accounting
!
service-policy global_policy global
smtp-server 172.17.1.15
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:b2137e6268d6f24ea56bd457abc719b9
: end
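The route-map from the first post and the nat lines from the posted config, evaluated offline by an added Python simulator. This is example code written for this page, not from the thread, from Cisco, or from the ASA itself: it only models first-match clause selection in sequence order (a clause with no match statement is the catch-all), maps each gateway to the egress interface named in the posted route lines, and then checks whether the one dynamic NAT rule in the posted config, nat (any,outside) dynamic interface, covers the egress interface PBR picked. The masked gateways are carried as opaque labels, the sample hosts (10.15.60.2, 10.192.172.10, 10.11.56.5, 172.17.1.3) are constructed, and the list of inside networks is copied from the posted route inside lines. Run against those networks, the simulator shows that eleven of them (10.11.56.0/24, 10.12.56.0/24, 10.18.56.0/24, and so on) match none of acl-1 through acl-5 and fall into the Null0 clause at sequence 30, that guest traffic steered to backup matches no posted NAT rule, and that pieterh's collapsed version selects the same egress for every one of those networks. The posted config does define obj_any_backup but shows no nat line for it; since the poster says information was removed, treat that as something to verify on the box rather than a confirmed gap.

```python
"""Added example (not part of the thread): first-match simulation of route-map
PBR-1 and of the posted nat (any,outside) rule, run over the posted static routes."""
from ipaddress import ip_address, ip_network

# Route-map PBR-1 as posted, in sequence order: (seq, source networks matched, action).
# An empty match list models a clause with no "match" statement, i.e. the catch-all.
PBR_1 = [
    (5,  ["10.15.0.0/16"],    ("next-hop", "165.XXX.XXX.129")),
    (10, ["10.21.0.0/16"],    ("next-hop", "165.XXX.XXX.129")),
    (15, ["192.168.0.0/16"],  ("next-hop", "165.XXX.XXX.129")),
    (20, ["172.0.0.0/8"],     ("next-hop", "165.XXX.XXX.129")),
    (25, ["10.192.172.0/22"], ("next-hop", "206.XXX.XXX.1")),
    (30, [],                  ("interface", "Null0")),
]

# pieterh's collapsed version: one ACL per next hop, same catch-all at the end.
PBR_1_SIMPLIFIED = [
    (5,  ["10.15.0.0/16", "10.21.0.0/16", "192.168.0.0/16", "172.0.0.0/8"],
         ("next-hop", "165.XXX.XXX.129")),
    (10, ["10.192.172.0/22"], ("next-hop", "206.XXX.XXX.1")),
    (15, [],                  ("interface", "Null0")),
]

# Egress interface behind each posted gateway, read off the posted "route" lines.
GATEWAY_IF = {"165.XXX.XXX.129": "outside", "206.XXX.XXX.1": "backup"}

# The only dynamic NAT rule in the posted config: object obj_any, nat (any,outside).
# Modelled as (name, real interface, mapped interface); "any" is a wildcard.
NAT_RULES = [("obj_any", "any", "outside")]

# Destination networks of the posted "route inside ..." lines: the sources that can
# arrive on GigabitEthernet1/2 and so get evaluated by PBR-1.
INSIDE_ROUTES = [
    "10.11.56.0/24", "10.12.56.0/24", "10.15.56.0/24", "10.15.60.0/24",
    "10.15.67.0/24", "10.15.68.0/24", "10.15.94.0/24", "10.15.100.0/24",
    "10.15.101.0/24", "10.18.56.0/24", "10.21.20.0/24", "10.21.56.0/24",
    "10.21.67.0/24", "10.23.56.0/24", "10.31.56.0/24", "10.32.56.0/24",
    "10.42.56.0/24", "10.42.67.0/24", "10.45.56.0/24", "10.46.56.0/24",
    "10.85.56.0/24", "10.192.172.0/22", "172.17.1.0/24", "172.17.2.0/24",
    "172.17.20.0/24", "172.18.200.0/24", "172.21.20.0/24", "192.168.1.0/24",
    "192.168.168.0/24", "192.168.169.0/24", "192.168.170.0/24",
]


def policy_route(src, route_map=PBR_1):
    """Return (seq, egress_interface) for a source address.

    egress_interface is None when the packet is dropped by the Null0 clause and the
    string "routing-table" when no clause matched (normal routing takes over)."""
    addr = ip_address(src)
    for seq, sources, (kind, target) in route_map:
        if not sources or any(addr in ip_network(n) for n in sources):
            if kind == "interface" and target == "Null0":
                return seq, None
            return seq, GATEWAY_IF[target]
    return None, "routing-table"


def egress_nat(ingress_if, egress_if, rules=NAT_RULES):
    """Name of the first NAT rule whose (real, mapped) interface pair covers the flow, else None."""
    for name, real_if, mapped_if in rules:
        if real_if in ("any", ingress_if) and mapped_if in ("any", egress_if):
            return name
    return None


def blackholed_routes(route_map=PBR_1, routes=INSIDE_ROUTES):
    """Posted inside networks whose hosts fall through to the Null0 clause."""
    return [n for n in routes
            if policy_route(next(ip_network(n).hosts()), route_map)[1] is None]


if __name__ == "__main__":
    for src in ("10.15.60.2", "10.192.172.10", "10.11.56.5", "172.17.1.3"):
        seq, egress = policy_route(src)
        nat = egress_nat("inside", egress) if egress else "-"
        print(f"{src:16} seq {seq:<3} egress {egress!s:14} nat {nat}")
    print("dropped by seq 30:", blackholed_routes())
    assert blackholed_routes() == blackholed_routes(PBR_1_SIMPLIFIED)
```

The routing-table fallback in policy_route is the answer to the third question in miniature: without the sequence 30 clause, a source that matches no ACL is simply routed by the static and default routes, whereas with it the packet is discarded. Those routes are also what the ASA consults for return traffic and for the ingress side of NAT, which is why they stay in place after PBR is added.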