
Cisco ASA Policy-Based Routing


We have five network connections: Inside, Outside1, Outside2, Outside3 and DMZ.

Outside1, 2 and 3 are different networks for backup routes. Because Outside1 is now becoming over-utilized, and Outside2 and 3 are not being utilized much at all, we wanted to route traffic based on several aspects: one, the source, and two, the destination port. We also wanted to throttle the bandwidth on outgoing traffic.

Is there Policy Based Routing available on the ASA 5510 as of yet? And if not, are there any plans for it in the near future?

Thanks,

Daniel

Comments

Ditmar, pre-8.3 I have tested the PBR workaround for years and had implemented it in several customer networks. There has been an architectural change after 8.3 in how we decide the next-hop interface and whether that process is dependent on NAT. I haven't tested this feature post-8.3. Let me get to that when possible and I will let you know how that goes.

Beginner

Dear Aniket, could you please share that workaround with us?

Thanks

Beginner

Crickets...

Mentor

Hi,

Cisco doesn't officially have any Policy Based Routing on the ASA in any software as of yet. In the new ASA software, 8.3+, there is however a chance to manipulate the ASA egress interface for specified source addresses and therefore, for example, forward some LAN networks' traffic through one ISP while forwarding another LAN's traffic through another ISP.

However, this document isn't the best place to go over such configurations, so please go to the Security/Firewall section of the Cisco Support Community and start a discussion.

https://supportforums.cisco.com/community/netpro/security/firewall?view=discussions

- Jouni

Beginner

So are we back into a 2 ASAs and one cheap router land? LOL The cheap router supports regular IOS-based PBR and each ASA does NAT for its corresponding ISP. I guess that could get expensive; each ISP having its own ASA plus the router. Ehh, life.

Mentor

Hi,

I have personally always left PBR for actual routers, either at customer premises or in our ISP core. I guess the Cisco firewalls were never planned for this functionality. I'd imagine one reason might be that, to my understanding, the PIX wasn't originally even a Cisco product. Then again, one might ask why it wasn't implemented when ASAs came.

On the other hand, I have been told by Cisco that PBR for ASA has been in the works. Though I don't have any idea when that would come out.

I have only fooled around with the ASA NAT related to situations that people ask about on the Firewall section of the forums. I never had to use it in a production environment to this day. But I can naturally understand why someone might be forced to try to implement this on an ASA/PIX.

- Jouni

Cisco Employee

Policy Based Routing is now available in Cisco ASA software version 9.4(1).

See the New Features section in the Release Notes, under Routing Features:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html#pgfId-116518

Policy Based Routing (PBR) is a mechanism by which traffic is routed through specific paths with a specified QoS using ACLs. ACLs let traffic be classified based on the content of the packet’s Layer 3 and Layer 4 headers. This solution lets administrators provide QoS to differentiated traffic, distribute interactive and batch traffic among low-bandwidth, low-cost permanent paths and high-bandwidth, high-cost switched paths, and allows Internet service providers and other organizations to route traffic originating from various sets of users through well-defined Internet connections.
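As an added illustration, not taken from this thread or from Cisco's documentation, here is what the ASA 9.4+ route-map style PBR looks like for Daniel's scenario: HTTPS from one LAN subnet is steered out Outside2 while everything else follows the normal routing table, and the same ACL is reused to police the outgoing rate. The subnet, next-hop address, ACL, route-map and track names are invented for the example; the interface names follow Daniel's layout.

```text
! Constructed example: classify the traffic to be policy-routed.
! Only HTTPS from the 192.168.10.0/24 LAN matches; unmatched traffic
! simply falls through to the normal routing table.
access-list PBR_TO_OUTSIDE2 extended permit tcp 192.168.10.0 255.255.255.0 any eq 443

! Reachability check for the Outside2 gateway (address is made up).
! With verify-availability below, the policy is skipped and normal
! routing applies if this gateway stops answering, so a dead ISP link
! does not blackhole the matched traffic.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface Outside2
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! Route-map: matched traffic gets next hop 203.0.113.1 on Outside2.
route-map PBR_LAN permit 10
 match ip address PBR_TO_OUTSIDE2
 set ip next-hop verify-availability 203.0.113.1 1 track 1

! PBR is applied on the ingress interface, the one the LAN enters on.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 policy-route route-map PBR_LAN

! The outgoing throttle Daniel asked about is a separate MPF policy,
! not part of PBR: cap matched traffic leaving Outside2 at 10 Mbit/s
! with a 1.5 MB burst.
class-map PBR_CLASS
 match access-list PBR_TO_OUTSIDE2
policy-map OUTSIDE2_POLICY
 class PBR_CLASS
  police output 10000000 1500000
service-policy OUTSIDE2_POLICY interface Outside2
```

PBR only selects the egress path; a NAT rule whose mapped interface is Outside2 is still needed for that traffic, otherwise it leaves with an unreachable private source address.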


Beginner

Thanks, that's great news, mwenstro.

However, how big of a deal is it to upgrade 8.x to 9.x? Will hell break loose? Tons of commands unsupported, etc.? Or is there a tool to convert the configuration? Or could it be a utopian simple image replacement and all works?

Depending on your current version, you might need to go via an upgrade path. As always you should check the release notes with each version to find out what has changed. You are able to see the release notes even if you're not entitled to download the software.

Cheers to Cisco for finally making a HUGE step the industry has been waiting for years.

Cisco Employee

The 9.4 Release Notes have an Upgrade the Software section showing from/to paths. A main change is the upgrade to 8.3 or above due to improved NAT functionality.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html#pgfId-116998

Upgrade to ASA 9.4 and ASDM 7.4 Guide has details:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/upgrade/upgrade94.html

Beginner

The ASA 5510 does not support 9.4 code. You can see the older models and the highest code rev they can go to via this link:

http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

Hello,

It's supported now in 9.4:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/configuration/general/asa-general-cli/route-policy-based.html

Cisco Employee

Andrew, that's right. Release 9.1.5 is the highest release that supports ASA 5500 series. ASA5500-X supports 8.6.1 and higher. http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn86.html#wp71052


Hello.

I have a Cisco ASA 5540. The current version is 9.1(7)6.

Can I upgrade it to 9.4, or is it still impossible?

Is there any other way to use PBR on 9.1?