171 Views, 0 Helpful, 0 Replies

Can you set source-only PBR? And how?

MillerX (Level 1)

Hello,

Can you set PBR with only source? And even with NAT?

Let's say this demo:

Internet1 —— ASA —— inside_default

Internet2 —— ASA —— inside_secret

For the default gateway:

route outside1 0 0 111.0.0.1

For PAT with only one IP:

nat (inside_default,outside1) after-auto source dynamic OBJ_INSIDE interface

nat (inside_secret,outside1) after-auto source dynamic OBJ_INSIDE interface

NAT for ISP2:

nat (inside_default,outside2) after-auto source dynamic OBJ_INSIDE interface

nat (inside_secret,outside2) after-auto source dynamic OBJ_INSIDE interface

Then the port forwarding:

object network secret_server

host 10.0.0.100

nat (inside_secret,outside2) static interface service 12345 12345

Then, that's the problem:

access-list PBR_test extended permit ip host 10.0.0.111 any

route-map test

set ip next-hop 222.0.0.1

(222.0.0.1 is the gateway for ISP2)

match ip address PBR_test

WARNING: If access-list PBR_test having destination "any\any4\any6" is used as match criteria for a route map, and applied to any routing protocol it will not have any effect. Instead use standard ACL or extended ACL without any\any4\any6 in destination.
 
interface po 1.20

policy-route route-map test

And PBR is not working.

Question: Can the ASA set up source-only PBR?

 

And extra info:

I simplified this networking. In the original design (similar but not the same):

ASA1 is FPR 4100
ASA2 is FPR 2110
ISP1 is a lot of cheap home internet but fast
ISP2 is enterprise internet with a single IP address

ISP1 has a frontend device for combining internet bandwidth, so it equals a single-IP gateway.

Most servers access the internet with ISP1, and expose some services to ISP2 with port forwarding.

There are 8 zones of servers (more in future). They are all clusters, can't change their topology, and the same group must stay in the same network. Then with PBR in the switch, ASA1 applies ACL to horizon and connects office and servers.

There are 10 parallel wires (using VLANs as virtual wires) from CoreSW to ASA1: 8 of them represent server zones, one is for office, and the last one, for ISP1, called outside_default, is the default gateway interface.

There are 3 parallel wires from ASA1 to ASA2: 2 of them are service_zone_1 and 2, then the outside_default mentioned before, which contains internet access traffic because some service providers use whitelists and so require a static address.

In the design, the ASA2 service_zone contains only access from public to inside (DMZ/port forward).

So, ASA1 is acting as a kind of "software defined LAN":
CoreSW sends non-server-area traffic to ASA1 in parallel, then ASA1 checks the source and sends it to a different route table, then to a different gateway.

Then here is the question:
The ASA does not allow an any/any4/any6 destination for PBR, so how do you re-route traffic by source address only (or source address and source port)?

PS: If I use only one wire between ASA1 and ASA2 and no PBR, it's already working.

0 Replies
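An added example, not from the original post or from Cisco: a small Python lint that applies the ASA's own warning to a constructed config fragment (the post's route-map, written with the full keywords `extended` and `match ip address` and with sub-commands indented), flags every extended ACE whose destination is any/any4/any6, and emits the standard-ACL form the warning recommends. The `_src` name suffix and the `Port-channel1.20` spelling are assumptions.

```python
# Constructed sample: the route-map from the post, written in the ASA's
# full keyword forms ("extended", "match ip address") with sub-commands indented.
ASA_CONFIG = """\
access-list PBR_test extended permit ip host 10.0.0.111 any
route-map test permit 10
 match ip address PBR_test
 set ip next-hop 222.0.0.1
interface Port-channel1.20
 policy-route route-map test
"""
ANY = ("any", "any4", "any6")
def take_addr(tokens):
    # Consume one ASA address spec: any*, "host A", "object X" or "A MASK".
    if tokens[0] in ANY:
        return tokens[0], tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]

def parse(config):
    # Collect extended permit ACEs, route-map ACL references and PBR route-maps.
    acls, maps, pbr, current = {}, {}, set(), None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            src, rest = take_addr(t[5:])
            dst = take_addr(rest)[0] if rest else "<missing>"
            acls.setdefault(t[1], []).append((t[4], src, dst))
        elif t[0] == "route-map":
            current = t[1]
            maps.setdefault(current, [])
        elif t[:3] == ["match", "ip", "address"] and current:
            maps[current] += t[3:]
        elif t[:2] == ["policy-route", "route-map"]:
            pbr.add(t[2])
        elif not raw.startswith(" "):
            current = None  # left the route-map block
    return acls, maps, pbr

def lint_pbr(config):
    # One finding per ACE with destination any* (ignored by PBR per the ASA warning), with the standard-ACL rewrite (name suffix assumed).
    acls, maps, pbr = parse(config)
    findings = []
    for rm in sorted(pbr):
        for acl in maps.get(rm, []):
            for _proto, src, dst in acls.get(acl, []):
                if dst in ANY:
                    fix = f"access-list {acl}_src standard permit {src}"
                    findings.append((rm, acl, src, fix))
    return findings
```

Sources given as `object`/`object-group` would have to be expanded into host or subnet entries by hand, since a standard ACL does not take object references.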
