
PBR not working properly on ASA2110 with IKEv2 VPN


I have an ASA2110 for multiple VPN customers who are accessing different servers in our cloud environment.

I will make this as simple as I can. My scenario is like this:


1 - On the ASA there is a DMZ sub-interface configured on subnet.

interface Ethernet1/2.2721
vlan 2721
nameif vpn-xxx-xxx
security-level 90
ip address


2 - This interface is the default gateway for the servers in our cloud, and there is a VPN connection for the customer (using subnet locally) to connect on ASA using IKEv2 and then access the servers on subnet.


3 - Now there is another customer who needs access to (cloud server subnet) via VPN coming from a remote subnet of (his local subnet).

interface Ethernet1/2.2782
vlan 2782
nameif vpn-xxx-xxx
security-level 90
ip address


4 - The VPN gets connected with no issues, but when they access from network it doesn't work because in the ASA's routing table there is a connected route:

is directly connected, vpn-xxx-xxx


5 - Now, as an alternative, I have configured PBR in a way that anything coming from source going to will go via the outside interface (VPN).

route-map xxx-pbr-map permit 10
match ip address xxx-pbr
set ip next-hop ---- IP of the outside Interface gateway


access-list xxx-pbr extended permit ip

Then I have called that route-map on the interface Ethernet1/2.2782 (


Now I can see the access-list xxx-pbr having matches, and when I check the traffic flow in the packet tracer tool on the ASA it does PBR-LOOKUP and it matches the route-map defined, but it still uses the global routing table which has as connected interface.


The question is, does PBR work for a remote subnet if there is a connected interface with the same IP address?

I think it will not work, as the connected interface will always take precedence, but then what's the use of source-based routing if there is no workaround for this scenario!!!!

