cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
692
Views
0
Helpful
4
Replies

PBR on ASA with 2 instances

Hi All

 

I have a scenario where I have 3 routers and they are all connected to a switch, and I have all my traffic routed through an ASA.

One of the routers will be a primary for DC connectivity. One of the other routers will be a primary connection for the internet.

The DC connection is routed over a tunnel and the internet traffic goes out to the provider.

 

Ive been looking at using PBR with an access-list for both instances. 

 

I want to create a list of subnets for the DC in an ACL, and in in another ACL I want to do a default route to the internet.

 

Can I for the PBR DC instance use for the DC 

 

set ip next-hop verify-availability x.x.x.x 1 track 1 (router A)

 

set ip next-hop verify-availability x.x.x.x 2 track 2 (router B)

 

set ip next-hop verify-availability x.x.x.x 3 track 3 (router C)

 Then for the internet connectivity use 

 

set ip next-hop verify-availability x.x.x.x 1 track 1 (router C)

 

set ip next-hop verify-availability x.x.x.x 2 track 2 (router B)
set ip next-hop verify-availability x.x.x.x 3 track 3 (router A)

Thanks In Advance

 

 

4 Replies 4

 

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello @JamesSimpson34554 ,

what do you mean with instances different security contexts or simply different interfaces ?

 

From your description I understand there is an interface towards the internal Data Center and there are three routers or multilayer switches named RA, RB, RC and you would like to send traffic destined to the DC to RA if RA is not available to RB and if RB is not avalaible to RC.

This can be achieved even with floating static routes ( with different AD values)

 

Then the part of the internet access is not clear as you say that you access the internet using a tunnel

 

>> One of the routers will be a primary for DC connectivity. One of the other routers will be a primary connection for the internet.

 

Again floating static routes can be used for the default route.

You need to clarify who is will do the NAT , this is really important

 

Hope to help

Giuseppe

 

I mean 2 diffrent routing instanes  as one needs to the internet and the other to the DC

Could I acheive this with a second permit statement changing the 

set ip next-hop verify-availability

 around

Review Cisco Networking for a $25 gift card