02-22-2022 10:41 AM
Hello!!!
So I was wondering if I was able to create a 3rd PBR for a specific LAN to a specific WAN.
Currently;
One Subnet; 192.168.5.0
PBR 1, 192.168.5.1-192.168.5.32 use 192.168.1.6 for Internet
PBR 2, 192.168.5.33-192.168.5.48 use 10.0.2.124 for Internet.
(both PBR addresses NAT to their own WAN IP’s).
I want to create a 3rd PBR where specific 192.168.5.50 will use 192.168.4.177 (which has its own WAN IP). I want this because I want .50 to be a part of the 192.168.5.0 Subnet but it in itself needs its own WAN IP as it is an Email Server.
02-23-2022 10:40 AM
That was my intention, I apologize. Not "gateway" but the next HOP!
Does gateway to HOP definition change what I was trying to explain?
So 192.168.5.177 - 192.168.5.180 uses PBR and 192.168.4.2 is the HOP address to the ASA. On the ASA I just create (modify my existing) NAT for WAN IP to each LAN (192.168.5.0) Address?
I realize the ASA needs to know "where" this 192.168.5.0 Subnet is so would an IP ROUTE of like '192.168.5.0 255.255.255.0 192.168.4.2' be sufficient? I know ASA ip route is more defined as in the interfaces etc but for idea sake would that do.
02-23-2022 10:44 AM
Yes, that is exactly what you would do.
Only thing is the route on the ASA for the 192.168.5.0/24 subnet would presumably have a next hop IP of 192.168.4.1 (not 192.168.4.2 which is the ASA itself).
Jon
02-23-2022 10:47 AM
Beautiful. I appreciate your patience on this.
In case I do something wrong and have to come back and ask more questions ;), I will do SOLUTION when I get home.
Thank you.
02-24-2022 06:01 AM - edited 02-24-2022 08:57 AM
....
02-24-2022 07:00 AM
One thing that keeps coming up in this discussion is a concern of the original poster that he might need multiple cables to carry this traffic. So to make it clear - there is no need for multiple cables for the PBR/NAT to work. All of this traffic can be carried on a single cable. Traffic between the ASA and the switch is routed and a single cable can carry all of it.
02-24-2022 08:23 AM
So I see there are 2 more posts since yesterday but I want to address this first.
On my ASA I made 4 NAT's
x.x.x.177 NAT 192.168.5.177
x.x.x.178 NAT 192.168.5.178
x.x.x.179 NAT 192.168.5.179
x.x.x.180 NAT 192.168.5.180
On my Switch I have;
access-list 101 permit ip 192.168.5.0 0.0.0.31 any
access-list 102 permit ip 192.168.5.32 0.0.0.15 any
access-list 103 permit ip 192.168.5.177 0.0.0.8 any
route-map ToInternet permit 10
 match ip address 101
 set ip next-hop 192.168.1.1
route-map ToInternet permit 20
 match ip address 102
 set ip next-hop 10.0.2.1
route-map ToInternet permit 30
 match ip address 103
 set ip next-hop 192.168.4.1
I connect my 4 devices to the Switch, and 192.168.5.177 is the only one that works towards the Internet. Each other machine (192.168.5.178-180) can PING whole 192.168.5.0 Subnet but only .177 can surf the WEB.
I did indeed do NAT all the same way and on each device the Gateway for their IP's are 192.168.5.1, same as .177.
Now, I will say that 178-180 are VM's residing within the Server of 192.168.5.177. It is a Linux Server with 4 NIC's. The configurations on the Servers, aside from the IP and GW changes are all the same, the only difference is I moved the connections from L2 to the SG550X using PBR.
Within the VM's as I said they can PING whole network so connectivity is legit... Is there something anyone sees where it would only allow Internet via 192.168.5.177 Only?
My only wonder would be this.
The ASA has 192.168.1.0 Subnet which is the ASA itself, x.x.x.182. I have a route '192.168.5.0 255.255.255.0 192.168.1.6' (IP on SG550X (which PBR 1 uses)). I cannot add a second route of '192.168.5.0 255.255.255.0 192.168.4.2' cause the route would conflict, but maybe my other IP's (192.168.178-180) aren't seeing the internet cause the ASA isn't using the '192.168.5.0 255.255.255.0 192.168.4.2' to route back and can't find them via '192.168.5.0 255.255.255.0 192.168.1.6'.
I know this is a long shot! I meant to email myself the config files but forgot so I am hoping maybe something I am saying here reflects my issue.
And finally; Initially I had 192.168.4.177, 192.168.4.178, 192.168.4.179 and 192.168.4.180 being NAT'd to their WAN IP's. I am no longer going to be using that Subnet, so not sure how to correctly utilize it as the IP of the Interface leading back to the ASA. Like, 192.168.5.177-180 uses 192.168.4.2 (SG IP) to get to the ASA only to have NAT to external 0.0.0.177-180 IP's, so maybe this added subnet which is now insignificant is causing routing issues.
Yeah. Lots here. My vision in my mind never comes out well in words. But everything prior has been resolved, this post is the issue at hand.
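As an added check (not from any post in this thread), the script below applies Cisco wildcard-mask matching to the access-lists and route-map quoted in the post above, so you can see which source addresses each PBR sequence actually catches before looking at NAT or return routing. The ACL and next-hop values are copied from the post; the script itself is constructed.

```python
import ipaddress

# Copied from the configuration quoted in the post:
# access-list number -> (source address, wildcard mask)
ACLS = {
    101: ("192.168.5.0", "0.0.0.31"),
    102: ("192.168.5.32", "0.0.0.15"),
    103: ("192.168.5.177", "0.0.0.8"),
}
# route-map ToInternet: (sequence, matched access-list, set ip next-hop)
ROUTE_MAP = [
    (10, 101, "192.168.1.1"),
    (20, 102, "10.0.2.1"),
    (30, 103, "192.168.4.1"),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def matched_hosts(base: str, wildcard: str) -> list:
    """Last-octet values inside 192.168.5.0/24 that an ACL entry permits."""
    return [h for h in range(256)
            if wildcard_match(f"192.168.5.{h}", base, wildcard)]


def pbr_next_hop(src: str):
    """First route-map sequence whose ACL permits src wins.

    Returns the configured next hop, or None when no sequence matches,
    in which case the switch falls back to its normal routing table."""
    for _seq, acl, next_hop in ROUTE_MAP:
        base, wildcard = ACLS[acl]
        if wildcard_match(src, base, wildcard):
            return next_hop
    return None


if __name__ == "__main__":
    for last in (177, 178, 179, 180):
        host = f"192.168.5.{last}"
        print(host, "->", pbr_next_hop(host) or "no PBR match (normal routing)")
    print("ACL 103 permits last octets:", matched_hosts(*ACLS[103]))
```

A host that returns None here never reaches the route-map's next hop at all, so its path to the ASA depends only on the switch's ordinary routing table.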
02-24-2022 09:48 AM - edited 02-24-2022 09:50 AM
You have confused me again.
I thought the only connection between the ASA and your switch was using the 192.168.4.x subnet but now you are talking about 192.168.1.6 ?
You only need one connection between the switch and your ASA and you can do all your PBR across that connection.
Jon
02-24-2022 10:02 AM - edited 02-24-2022 11:28 AM
ASA -
x.x.x.177 -server- \
x.x.x.178 -server \
x.x.x.179 -server / 192.168.4.0 - NAT (On ASA) x.x.x.177 - x.x.x.181 = 192.168.4.177-181
x.x.x.180 -server / Connected to L2 Switch then to Servers.
x.x.x.182 -ASA - 192.168.1.0 - PAT (On ASA) - Switch (192.168.1.6) PBR 1 - 192.168.5.1-192.168.5.32
SG550X -
PBR 1 - 192.168.1.6 (Using ASA IP for WAN) - 192.168.5.1 - 192.168.5.32
PBR 2 - 10.0.2.124 (Irrelevant, goes 2 a different Internet) - 192.168.5.33 - 192.168.5.48
PBR 3 - Not sure which IP to use here, want 192.168.5.177-192.168.5.180 to use their ASA WAN IP's
So, prior to this, the ASA had a route '192.168.5.0 255.255.255.0 192.168.1.6' Which was its route to the SG550X w/ 192.168.5.0 Subnet.
My goal is to eliminate the L2 Switch for the 4 IP's (178-180) and remove them from their 192.168.4.0 Subnet and Incorporate them onto the SG550X with 192.168.5.0 IP's, but they need to route back to the ASA using their original WAN IP's. Originally these 4 Server IP's were isolated from the LAN network, and mounting Samba shares and routing was becoming a pain so my idea was make EVERYONE One Network (192.168.5.0).
I so hope this clears some stuff up.
02-25-2022 01:22 AM
In the email where you describe the current problem you tell us
route-map ToInternet permit 20
match IP address 102
set ip next-hop 10.0.2.1
So for this device you are forwarding its traffic with 10.0.2.1 as the next hop. Is 10.0.2.1 able to forward this traffic to the ASA? Perhaps the output of a traceroute attempting to get to Internet might shed some light?
And a similar comment about this one
route-map ToInternet permit 30
match IP address 103
set ip next-hop 192.168.4.1
I must admit that through this discussion it has been fairly clear what you want to do with NAT. But I do not understand why you need PBR. If the NAT for the 4 addresses is on the ASA, that sure sounds like all 4 devices need to use the ASA to get to the Internet. If all the devices need to go through the ASA then what benefit is there in PBR? Can you help me understand this?
02-25-2022 06:29 AM
Morning
This is because currently the 4 IP’s are connected to an L2 Switch which connects to the ASA which as you mentioned have NAT. They are all on a 192.268.4.0 Network.
I am moving them to the SG550X Switch and converting them to the 192.168.5.0 Network to be local to all my other devices, one big single Network. So then being I have one huge network I would need a PBR to direct these 4 IPs to the ASA to their respective and static WAN IP’s.
As said, 192.168.5.1-32 PBR1, 192.168.33-45 PBR2 and then a PBR3 for these 4 IPS to go to their IP’s.
At least, this was how I assumed I’d need to do it.
Like PBR 1 has its own WAN, PBR2 has its own WAN, these 4 IP’s need each their own WAN IP, which is on the ASA.
hmmm I hope that makes more sense
02-25-2022 07:10 AM
I am sorry but it does not make more sense. In the recent response you say " So then being I have one huge network I would need a PBR to direct these 4 IPs to the ASA to their respective and static WAN IP’s." Why do you think you need PBR for this?
So these 4 addresses will be devices connected on the SG550X switch. Will the switch have a default route? (I am assuming that it will - if not please clarify). Will the default route have the ASA as the next hop? (I am assuming that it will - if not please clarify). If these are true then traffic from the 4 IPs will get to the ASA, the ASA will translate addresses, and things should work - without needing PBR.
Perhaps it might help if we remember that we use PBR when we want to create an exception to normal routing logic. What in this situation needs anything different from normal routing logic?