Hello team,
I have a topology as attached.

On the ASA I have NATted the FTD interface [172.16.40.25] > ASA 41.206.58.2; the idea is port-forwarding for VPN traffic, such that the remote branch uses the 41.206.58.2 IP to peer with, but this gets translated to 172.16.40.25 on the FTD, where I have the site-to-site VPN configuration.
With a default route on the FTD [0.0.0.0/0 172.16.40.29], the tunnel negotiations work and the tunnel comes up.
But my ideal scenario/use case is that the default route should be [0.0.0.0/0 102.69.239.9]. Then I can have a policy-based route on the FTD to ensure traffic coming from the remote branch for IPsec negotiations is sent to next hop 172.16.40.29, so that I don't affect the current flow of the default route via the dmz-ipsec zone.
With this the VPN does not work; on the remote end, when I capture traffic, I see [no incoming packets].
On the ASA, when I capture traffic from the remote branch to FTD 172.16.40.25, traffic comes in but does not flow back.
What am I missing?
Someone please guide me on the PBR on the FTD. NB: I use FMC to manage this FTD; I run version 7.4.5 on both.
Regards,