09-22-2020 05:20 AM
I replaced an ASA5508X which was totally fried and I did have a backup configuration saved so I managed to transfer it.
I have several VLANs of which 1 I need to get out through WAN2 instead of WAN1 like all the rest.
There is 1 LAN interface (Gi1/2, inside) and 2 WANs (Gi1/1 outside, Gi1/4 outside2).
Currently I progressed up to the point where I get correct routing towards WAN2 (outside2 int) but I get nat-xlate-failed error (in attachment).
What I checked so far:
policy-route route-map is correctly set
extended ACL for it is fine, all set, permitted
route-map with next-hop set is fine
internal interface has the PBR set
nat (inside,outside2) after-auto source dynamic is set for the target LAN segment
metrics are set to 1 for outside and 10 for outside2
So what am I missing?
09-22-2020 05:50 AM
Hello,
post the full running configuration of your ASA.
09-22-2020 05:53 AM
Not sure what went wrong, since we do not have any visibility of your configuration and setup (other than packet tracer).
Here is a good example:
https://www.networkstraining.com/cisco-asa-policy-based-routing-pbr/
If there is still an issue, please provide the ASA version, a small network diagram and the configuration so we can understand and suggest - what we learn from your input.
09-22-2020 11:03 PM
The complete configuration is immense, there are thousands of IPs in ACLs and other things that make a show run take half-hour to go through.
If there is anything that needs to be shown from the config in more brief manner I'll gladly post it.
Version: Cisco Adaptive Security Appliance Software Version 9.8(2).
Network diagram is pretty simple, as I initially said.
Gi 1/2 is LAN,
Gi 1/1 is primary WAN
Gi 1/4 is secondary WAN I want the special VLAN with the help of PBR to exit through.
09-22-2020 11:22 PM
Hello,
the below is pretty much what you are looking for (IP addressing is arbitrary, obviously). Make sure the default route to WAN2 (the target of your policy routing) has a higher administrative distance:
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.252
!
interface GigabitEthernet1/4
nameif outside2
security-level 0
ip address 20.20.20.1 255.255.255.252
policy-route route-map RM_PBR
!
access-list ACL_PBR extended permit ip 192.168.1.0 255.255.255.0 any
!
route-map RM_PBR permit 10
match ip address ACL_PBR
set ip next-hop 20.20.20.2
!
nat (inside,outside) 1 source dynamic any interface
nat (inside,outside2) 2 source dynamic any interface
!
route outside 0.0.0.0 0.0.0.0 10.10.10.2
route outside2 0.0.0.0 0.0.0.0 20.20.20.2 10
09-23-2020 01:57 AM - edited 09-23-2020 02:10 AM
Everything seems to be like in your post, except policy-route route-map RM_PBR was on the LAN interface, not on WAN2. Switching it there made no difference.
nat (inside,outside) breaks my VPN from detecting internal computers.
There is an outside,outside NAT for the Anyconnect VPN.
One bug I notice now is that route outside2 0.0.0.0 0.0.0.0 20.20.20.2 10 is not being added. I add it from CLI but when I test a "show route" it does not show (it shows in ASDM though, which is quite strange).
Also,
09-23-2020 02:48 AM
Hello,
sorry, that was a typo. The PBR needs to go on the LAN interface. The problem with not seeing the entire configuration is that we don't know what IP addresses you are using for the VPN, and which IP addresses are going through the LAN interface (you say there are several Vlans, how are they reaching the ASA), so it is a lot of guesswork. If there are several Vlans behind the LAN interface, you need a second route map statement that permits everything (else), for the default routing to take place:
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
policy-route route-map RM_PBR
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.252
!
interface GigabitEthernet1/4
nameif outside2
security-level 0
ip address 20.20.20.1 255.255.255.252
!
access-list ACL_PBR extended permit ip 192.168.1.0 255.255.255.0 any
!
route-map RM_PBR permit 10
match ip address ACL_PBR
set ip next-hop 20.20.20.2
!
route-map RM_PBR permit 20
!
nat (inside,outside) 1 source dynamic any interface
nat (inside,outside2) 2 source dynamic any interface
!
route outside 0.0.0.0 0.0.0.0 10.10.10.2
route outside2 0.0.0.0 0.0.0.0 20.20.20.2 10
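As an added illustration (not part of the original thread, and a Python model rather than ASA configuration) of how the nat-xlate-failed drop arises: PBR on the inside interface picks the egress interface, and the NAT table is then searched for that (inside, egress) pair, so any source the route-map steers to outside2 needs a matching nat (inside,outside2) rule. The addressing and the coverage of the NAT objects are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the forwarding decisions discussed in this thread (not
# ASA code): PBR on the inside interface chooses the egress interface for
# matching sources, then a NAT rule for that (ingress, egress) pair must cover
# the source or the packet is dropped with nat-xlate-failed. Addressing follows
# the arbitrary addressing used in the post above.

# Static default routes: outside with AD 1, outside2 with AD 10 (backup).
ROUTES = [("outside", 1), ("outside2", 10)]

# nat (ingress,egress) source dynamic <object> interface, as a lookup table.
# Assumption: the inside,outside rule covers all 192.168.x.x VLANs, while the
# inside,outside2 rule covers only the VLAN meant to leave through WAN2.
NAT_RULES = [
    {"pair": ("inside", "outside"), "src": ip_network("192.168.0.0/16")},
    {"pair": ("inside", "outside2"), "src": ip_network("192.168.21.0/24")},
]


def route_map(src, pbr_acl):
    """RM_PBR: seq 10 matches ACL_PBR and sets the next hop on outside2;
    seq 20 has no match clause, so everything else gets normal routing."""
    if any(src in ip_network(n) for n in pbr_acl):
        return "outside2"          # seq 10: set ip next-hop 20.20.20.2
    return None                    # seq 20: permit, no set -> routing table


def routed_egress():
    """Both defaults cover 0.0.0.0/0, so the lowest administrative distance wins."""
    return min(ROUTES, key=lambda r: r[1])[0]


def forward(src_ip, pbr_acl, ingress="inside"):
    """Return (egress interface, verdict) for a packet from src_ip."""
    src = ip_address(src_ip)
    egress = route_map(src, pbr_acl) or routed_egress()
    for rule in NAT_RULES:
        if rule["pair"] == (ingress, egress) and src in rule["src"]:
            return egress, "allow"
    return egress, "nat-xlate-failed"


if __name__ == "__main__":
    # ACL_PBR limited to the one VLAN that should use WAN2: both hosts pass.
    print(forward("192.168.21.10", ["192.168.21.0/24"]))  # ('outside2', 'allow')
    print(forward("192.168.5.10", ["192.168.21.0/24"]))   # ('outside', 'allow')
    # ACL_PBR too broad: VLAN 5 is steered to outside2, where no NAT covers it.
    print(forward("192.168.5.10", ["192.168.0.0/16"]))    # ('outside2', 'nat-xlate-failed')
```

The third call reproduces the symptom from the first post: packet-tracer shows the outside2 egress chosen by PBR, but the xlate lookup for (inside,outside2) finds no rule for that source.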
09-23-2020 04:56 AM - edited 09-24-2020 05:44 AM
Yes, there's a Catalyst switch with multiple VLANs connected inside on the Gi1/2.
192.168.1.0/24
to
192.168.21.0/24
and a few others of different classes.
I only need 192.168.21.0/24 to reach WAN2 (outside2 int).
I have the route-map PBR permitted, no other route-map. What should be in the second one to match everything else? Note that in the old config I did not have a secondary route map.
As for the Anyconnect VPN, it uses another range 10.1.0.0/24. VPN breaks if I use any nat (inside,outside).
I only have the
(inside) to (outside2) source dynamic LAN-21 interface
where LAN-21 is the desired VLAN mentioned above.