cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
697
Views
5
Helpful
7
Replies

PBR issue with accessing DMZ

tgillon
Level 1
Level 1

ello,

 

I have a new Firepower 1150 that has 2 internet connections.  I'm using PBR to force certain traffic out the 2nd internet connection.  Works great, except the problem I'm experiencing is that any traffic from the sources being forced out the 2nd connection that is destined for my DMZ servers does not reach those servers. As soon as PBR sees traffic from a certain source, it immediately sends it to the outside interface even though the destination address is on my DMZ.  I'm racking my brain trying to figure out a way around this, and I'm wondering if anyone has come across this issue and developed a solution?

 

 

1 Accepted Solution

Accepted Solutions

 

You just need a deny line before the permit line in your acl - 

 

access-list Force2Edge extended deny object-group ProxySG_ExtendedACL_4294971815 object 10.80.0.0 <DMZ subnet> <subnet mask> log disable
access-list Force2Edge extended permit object-group ProxySG_ExtendedACL_4294971815 object 10.80.0.0 any log disable

 

Jon

View solution in original post

7 Replies 7

Hi

 PBR does not take precedence over static routes, so, have you tried add static route for those server on the DMZ?

 

Flavio 

 

Is that specific to the ASA because with routers and switches PBR overrides the routing table (static or dynamic routes) if you use the

set ip next-hop ...

command. 

 

Jon

Because NAT done before route lookup,

and NAT is (dmz any) then the traffic already take the isp1,

so what you need I is

route-lookup in NAT of dmz this make FP depend on pbr not NAT to decide outlet interface.

Hello,

 

what are you using as destination in the access list that matches the PBR sequence ? 'Any' would obviously send all traffic out the second connection. Can you post a screenshot (GUI) or the CLI part for the PBR you have configured ?

Hi Georg,

 

Thanks for the quick reply.  Here is an access-list entry for a VLAN that I'm forcing out the 2nd connection.  Yes I do have ANY as the destination:

 

access-list Force2Edge extended permit object-group ProxySG_ExtendedACL_4294971815 object 10.80.0.0 any log disable

 

Here is the route-map entry:

 

route-map Edge permit 10
match ip address Force2Edge
match interface edge2
set ip next-hop <edge2 router ip address>

 

I'm not sure how I would specifically exclude DMZ traffic

 

You just need a deny line before the permit line in your acl - 

 

access-list Force2Edge extended deny object-group ProxySG_ExtendedACL_4294971815 object 10.80.0.0 <DMZ subnet> <subnet mask> log disable
access-list Force2Edge extended permit object-group ProxySG_ExtendedACL_4294971815 object 10.80.0.0 any log disable

 

Jon

That did it, Jon.  Thanks to you and the other respondents, appreciate the assistance!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: