Policy based routing problems or perhaps bug?

mis_dept1
Level 1

Ok, I have successfully configured PBR on my ASA 5515x with the help from the community here. :D

Shown below is my configuration, GUI based as well as CLI based (both are the same).

 

Problem: 

1. What does the warning mean (scroll down)? It says that the ACL has no effect?

2. When I am downloading large files for testing (from http://www.thinkbroadband.com/download.html or any other test site), my download gets stuck halfway and does not resume. (Download speed is about 7MB/s.)

When I connect my laptop directly to the ISP2 router, I am able to download successfully.

This eliminates the following:

- My ISP is having issues.

- thinkbroadband.com is having issues.


I am using the CX module for my IPS. I suspect that the IPS is unable to keep up with the speed of the download and drops the packets?

3. After applying the extended ACL to the route map, I am not able to access my web server in my DMZ zone anymore, (RDP, ping, http/https). In fact, all of my DMZ servers are not accessible unless I remove myself from the ACL.

This is happening because my next hop is set to ISP2ROUTER. In my case, is there any way to add another rule like: Do not use next hop from INSIDE to DMZ.

 

 

GUI based configuration

Step 1: Created Extended ACL

 

Step 2: Created Route Map

 

When I attempted to click on the next tab, a warning appears, and I clicked OK.

Not sure what this means.

 

Step 3: Add the next hop (ISP 2 router IP) and set it to the ISP2 outside interface.

 

When I click on Apply:

 

Step 4: Apply route map to INSIDE interface:

 

CLI BASED configuration

ciscoasa(config)# access-list TESTACL permit ip 172.16.1.53 255.255.255.255 any
ciscoasa(config)# route-map TESTROUTEMAP permit 1
ciscoasa(config-route-map)# match ip address TESTACL
WARNING: If access-list TESTACL having destination "any\any4\any6" is used as match criteria for a route map, and applied to any routing protocol it will not have any effect. Instead use standard ACL or extended ACL without any\any4\any6 in destination.
ciscoasa(config-route-map)# set ip next-hop 1.1.1.1
ciscoasa(config-route-map)# set interface ISP2UNTRUST
ciscoasa(config-route-map)# exit
ciscoasa(config)# interface GigabitEthernet0/2
ciscoasa(config-if)# policy-route route-map TESTROUTEMAP
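The following is an added example of how the route-map ACL can be written so that INSIDE-to-DMZ traffic is left alone; it is not the original poster's configuration. On the ASA, traffic that hits a deny entry in the ACL referenced by `match ip address` is not policy-routed and falls through to the normal routing table, so listing the internal destination networks as deny entries before the permit line achieves "do not use the next hop from INSIDE to DMZ". The DMZ subnet 172.16.2.0/24, the inside subnet 172.16.1.0/24, the interface nameif INSIDE and the DMZ host 172.16.2.10 are assumed placeholder values; the host 172.16.1.53 and next hop 1.1.1.1 come from the post above. The permit line keeps `any` as destination: the warning, by its own wording, concerns route maps applied to routing protocols, and the post itself shows the PBR is taking effect with that ACL (which is exactly why DMZ traffic is being diverted).

```cisco
! Added example, not the poster's config. Placeholder addresses are marked as such.
! Deny entries first: denied traffic is excluded from PBR and uses the routing table,
! so INSIDE -> DMZ keeps its connected/static route instead of the ISP2 next hop.
access-list PBR_ISP2 extended deny ip host 172.16.1.53 172.16.2.0 255.255.255.0    ! DMZ (assumed subnet)
access-list PBR_ISP2 extended deny ip host 172.16.1.53 172.16.1.0 255.255.255.0    ! other inside hosts (assumed subnet)
! Add further deny entries here for any other internal or VPN destination networks.
! Everything else from this host is sent to ISP2.
access-list PBR_ISP2 extended permit ip host 172.16.1.53 any
!
route-map ISP2_PBR permit 10
 match ip address PBR_ISP2
 set ip next-hop 1.1.1.1
!
interface GigabitEthernet0/2
 policy-route route-map ISP2_PBR
!
! Verification (run from privileged EXEC; INSIDE is the assumed nameif of Gi0/2):
! packet-tracer input INSIDE tcp 172.16.1.53 12345 172.16.2.10 3389
!   -> should show the DMZ route, not the PBR next hop 1.1.1.1
! packet-tracer input INSIDE tcp 172.16.1.53 12345 203.0.113.10 443
!   -> should show the flow leaving towards 1.1.1.1 (203.0.113.10 is a documentation address)
! show route-map ISP2_PBR
```

The order of the ACL entries matters: the ASA evaluates them top-down, so the deny lines must precede the permit-any line. Re-running `packet-tracer` for one DMZ destination and one Internet destination after the change confirms that only the Internet-bound flow takes the ISP2 next hop.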

1 Reply

mis_dept1
Level 1

Bump up.