04-21-2020 08:30 AM - last edited on 02-01-2023 12:57 AM by Translator
Hello, everybody.
We are going to install a new ASA in one of the offices (current scheme attached). But before installing it, I would like to make sure that all the new settings are working. For this purpose, I plan to create a test VLAN 100 (192.168.100.0/24) and use PBR to point this VLAN at the internal interface of the new ASA for NAT.
Is this the correct way to use PBR for this purpose?
Basic settings from the router below.
ISR#sh run | s ospf
...
router ospf 1 vrf office
...
redistribute connected subnets
...
default-information originate always
ISR#
ISR#sh run | i 0.0.0.0 0.0.0.0
ip route 0.0.0.0 0.0.0.0 1.2.3.4                ! external IP of the ISR
ip route vrf office 0.0.0.0 0.0.0.0 10.10.20.2   ! current inside interface of the old ASA, used for NAT
ISR#
04-22-2020 10:30 AM - last edited on 02-01-2023 01:00 AM by Translator
Hello
You don't even need to create an access list, as it looks like you wish to policy route all of the new subnet 100 towards the ASA. You could also apply some resiliency to the policy route in case the link to that ASA fails or the next hop is unreachable and you wish to fail over to the other ASA next hop; however, in the interim, the config below is all you need for basic policy routing.
conf t
route-map PBR
set ip next-hop 10.10.10.2
int gig0/0/0.100
ip policy route-map PBR
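The reply above mentions adding resiliency so that the test VLAN falls back to the old ASA if the new one is unreachable. The configuration below is an added example, not part of the original thread or written by the poster, showing one way to do that on IOS-XE with an IP SLA probe and object tracking. It reuses the thread's own addresses (VLAN 100 on Gi0/0/0.100 in VRF office, new ASA inside at 10.10.10.2, old ASA inside at 10.10.20.2 as the VRF default route); the ACL name, IP SLA number and track number are arbitrary choices, and the `vrf office` sub-command under `icmp-echo` assumes a VRF-aware IP SLA implementation.

```ios
! Added example (assumes IOS-XE with VRF-aware IP SLA); names and numbers are arbitrary.
! Probe the new ASA's inside interface from inside VRF office, sourced from the test VLAN.
ip sla 10
 icmp-echo 10.10.10.2 source-interface GigabitEthernet0/0/0.100
 vrf office
 frequency 10
ip sla schedule 10 life forever start-time now
!
! Track object goes down when the probe stops receiving replies.
track 10 ip sla 10 reachability
!
! Match only the test VLAN so other VRF traffic keeps using the old ASA.
ip access-list extended VLAN100_TO_NEW_ASA
 permit ip 192.168.100.0 0.0.0.255 any
!
! verify-availability: the next hop is used only while track 10 is up;
! otherwise the packet is routed normally, i.e. via the VRF default 10.10.20.2 (old ASA).
route-map PBR permit 10
 match ip address VLAN100_TO_NEW_ASA
 set ip next-hop verify-availability 10.10.10.2 10 track 10
!
interface GigabitEthernet0/0/0.100
 ip policy route-map PBR
```

Two things worth checking before relying on this: the new ASA's inside address 10.10.10.2 must be reachable within VRF office (the subinterface is in that VRF, so the next hop is looked up there, not in the global table), and PBR applied to the subinterface only affects transit traffic arriving on it, so pings sourced from the router itself still follow the VRF routing table. `show track 10` and `show route-map PBR` confirm the track state and the policy-routed packet counters during the test.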
04-21-2020 08:39 AM - edited 04-21-2020 08:54 AM
I can't work out how the first default route relates to your diagram, but in answer to your question: yes, PBR can be used to test before you go live.
Are you asking for help with the PBR configuration?
Jon
04-21-2020 09:04 AM - last edited on 02-01-2023 12:59 AM by Translator
Thanks for the answer.
The first default route, the one without any VRF, is there because a pair of GRE tunnels terminates on this router. The default route in VRF office is for NAT in this office.
In this case the procedure should be something like this:
1) Create sub interface on the ISR router
interface GigabitEthernet0/0/0.100
encapsulation dot1Q 100
ip vrf forwarding office
ip address 192.168.100.1 255.255.255.0
2) Create the ACL
ip access-list extended vlan100
permit ip 192.168.100.0 0.0.0.255 any
3) Create the PBR route map and set the next hop to 10.10.10.2, the inside interface of the new ASA.
04-21-2020 09:10 AM
That should work fine.
Any problems let us know.
Jon
04-21-2020 11:11 AM - last edited on 02-01-2023 12:59 AM by Translator
And I'm not sure whether I need to apply this PBR to the subinterface:
interface GigabitEthernet0/0/0.100
ip policy route-map <name>
04-22-2020 03:30 AM
Yes, you need to create the route map and then apply that route map just as your configuration suggests.
Jon