05-23-2022 05:34 AM
Hello,
I have a new Firepower 1150 that has 2 internet connections. I'm using PBR to force certain traffic out the 2nd internet connection. Works great, except the problem I'm experiencing is that any traffic from the sources being forced out the 2nd connection that is destined for my DMZ servers does not reach those servers. As soon as PBR sees traffic from a certain source, it immediately sends it to the outside interface even though the destination address is on my DMZ. I'm racking my brain trying to figure out a way around this, and I'm wondering if anyone has come across this issue and developed a solution?
05-23-2022 05:51 AM - edited 05-23-2022 05:51 AM
Hi
PBR does not take precedence over static routes, so have you tried adding static routes for those servers on the DMZ?
05-23-2022 06:29 AM - last edited on 05-24-2022 02:43 AM by Translator
Flavio
Is that specific to the ASA? Because with routers and switches, PBR overrides the routing table (static or dynamic routes) if you use the set ip next-hop ... command.
Jon
05-23-2022 05:52 AM - edited 05-23-2022 05:54 AM
Because NAT is done before the route lookup, and the NAT is (dmz, any), the traffic already takes ISP1.
So what you need is route-lookup in the NAT for the DMZ; this makes the FP depend on PBR, not NAT, to decide the outgoing interface.
05-23-2022 05:53 AM
Hello,
What are you using as the destination in the access list that matches the PBR sequence? 'Any' would obviously send all traffic out the second connection. Can you post a screenshot (GUI) or the CLI part for the PBR you have configured?
05-23-2022 06:47 AM - last edited on 05-24-2022 02:44 AM by Translator
Hi Georg,
Thanks for the quick reply. Here is an access-list entry for a VLAN that I'm forcing out the 2nd connection. Yes, I do have ANY as the destination:
access-list Force2Edge extended permit object-group ProxySG_ExtendedACL_4294971815 object 10.80.0.0 any log disable
Here is the route-map entry:
route-map Edge permit 10
match ip address Force2Edge
match interface edge2
set ip next-hop <edge2 router ip address>
I'm not sure how I would specifically exclude DMZ traffic.
05-23-2022 06:49 AM - last edited on 05-24-2022 02:43 AM by Translator
You just need a deny line before the permit line in your ACL:
access-list Force2Edge extended deny object-group ProxySG_ExtendedACL_4294971815 object 10.80.0.0 <DMZ subnet> <subnet mask> log disable
access-list Force2Edge extended permit object-group ProxySG_ExtendedACL_4294971815 object 10.80.0.0 any log disable
Jon
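To see why the ACE order matters, here is an added example (mine, not Cisco's or anyone's in the thread) that models the first-match evaluation of a PBR match ACL and compares the original permit-any ACL with the deny-before-permit version; it also goes one step beyond the thread by auditing a list of internal networks, since every internal destination, not only the DMZ, needs its own deny ahead of the permit. The source object 10.80.0.0/16, the DMZ subnet 10.90.0.0/24, the second internal network 10.10.0.0/24 and the host addresses are all constructed placeholders.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(s):
    """'any' or a CIDR string -> ip_network (used for both source and destination)."""
    return ANY if s == "any" else ipaddress.ip_network(s, strict=False)


def pbr_matches(acl, src_ip, dst_ip):
    """First-match evaluation of an ASA/Firepower-style extended ACL used as a PBR match.
    Returns True when the packet hits a permit ACE (PBR redirects it to the next hop),
    False on a deny ACE or on the implicit deny at the end (normal route lookup)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:  # ACE = (action, source net, destination net)
        if src in net(src_net) and dst in net(dst_net):
            return action == "permit"
    return False


# Constructed values: 10.80.0.0/16 stands in for the thread's source object, and
# 10.90.0.0/24 is a placeholder for the real DMZ subnet.
SOURCE_VLAN = "10.80.0.0/16"
DMZ_SUBNET = "10.90.0.0/24"

# Original ACL from the thread: a single permit to "any" (DMZ traffic matches too).
ACL_ORIGINAL = [("permit", SOURCE_VLAN, "any")]

# Jon's fix: a deny for the DMZ destination placed before the permit-any line.
ACL_FIXED = [("deny", SOURCE_VLAN, DMZ_SUBNET), ("permit", SOURCE_VLAN, "any")]


def egress(acl, src_ip, dst_ip):
    """Where the packet goes: 'edge2' (PBR next-hop) or 'routing-table'."""
    return "edge2" if pbr_matches(acl, src_ip, dst_ip) else "routing-table"


def audit(acl, internal_nets, probe_src):
    """Return the internal networks that the PBR ACL would still redirect.
    Probes the first host of each network from probe_src; anything listed needs a deny ACE."""
    leaked = []
    for n in internal_nets:
        first_host = next(ipaddress.ip_network(n).hosts())
        if pbr_matches(acl, probe_src, str(first_host)):
            leaked.append(n)
    return leaked


if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("fixed", ACL_FIXED)):
        print(name, "| DMZ ->", egress(acl, "10.80.1.10", "10.90.0.5"),
              "| internet ->", egress(acl, "10.80.1.10", "203.0.113.7"),
              "| still redirected:", audit(acl, [DMZ_SUBNET, "10.10.0.0/24"], "10.80.1.10"))
```

The audit shows that the fixed ACL still redirects 10.10.0.0/24, which is the caveat: each internal destination reachable from the forced VLAN needs its own deny line above the permit.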
05-23-2022 07:35 AM
That did it, Jon. Thanks to you and the other respondents, appreciate the assistance!