To illustrate the basic network infrastructure (each net has its own interface):

- net_x  ... ISP A (default gateway )

- net_y ... dmz

- net_z ...ISP B, where all traffic from the dmz should be routed via PBR

Traffic to dmz originates only from ISP B.

As already mentioned all outbound connections from net_y to net_z are working, when they are initiated from net_y.

The relevant config parts are:

interface GigabitEthernet0/0
 nameif net_x
 security-level 60
 ip address ip_net_x netmask_net_x 
!
interface GigabitEthernet0/1
 nameif net_y
 security-level 15
 ip address ip_net_y netmask_net_y 
 policy-route route-map rm_pbr
!
 interface GigabitEthernet0/2
 nameif net_z
 security-level 10
 ip address ip_net_z netmask_net_z 
!
access-list acl_pbr standard deny net_y netmask_net_y 
access-list acl_pbr standard permit any4 
!
route-map rm_pbr permit 10
 match ip address acl_pbr
 set ip next-hop gw_net_z
 set default interface Null0
!
route net_x 0.0.0.0 0.0.0.0 gw_net_x 1

If ISP A is the default gateway why is your default route pointing to ISP B ?

That aside I suspect as you say the issue is that there is an entry in the state table so the ASA will use that for return traffic but (apart from the default route question above) it's not clear why the ASA then drops the traffic rather than just forward it to ISP A.

Jon

You're right. That was a typo, when editing the config for the discussion. The correct default gw is:

route net_x 0.0.0.0 0.0.0.0 gw_net_x 1

Can you just clarify something.

For the DMZ devices are you using static NATs ?

If so I would have thought they would only be configured from the DMZ to the ISP B interface so how is traffic for those DMZ hosts coming in via the ISP A interface ?

Is it because the IP address space is owned by ISP A or am I not understanding the actual problem ?

Jon

There is not NAT at all. It's all done within public IP address spaces.

There is no traffic from ISP A to the DMZ. All traffic to the DMZ comes from ISP B.

The 'rest' of the traffic, not related to the DMZ, should flow via default gw to ISP B.

Presumably that last line should be the rest of the traffic flows via ISP A ?

That aside if traffic is coming in via ISP B to the DMZ then I can't understand why the return traffic is being dropped.

Certainly TCP state bypass won't work here because the traffic is using the correct interface and only the one interface.

Jon

Again, you're right. The rest of the traffic should flow via ISP A.

Right. We do not understand why the packets, which are allowed when coming via ISP B and reach the service are blocked by the ASA on their way back.

It seems that the ASA can not match the SYN-ACK message to the corresponding SYN message, which was allowed when reaching the ASA via ISP B. Maybe SYN-ACK messages, which can not matched by the ASA to existing connections are dropped by the ASA without notice in the logs?

It may be that PBR behaves slightly differently on the ASA because of it being stateful.

What you may want to do is either move this thread to Firewalling or start a new thread there because there are Cisco TAC guys who participate in that forum and they may know what is happening.

Jon

Thanks for getting back on this.

It does indeed look like the problem although interestingly the bug makes no mention of the packet being dropped, just that PBR doesn't select the right interface.

I assume it gets passed to PBR then because it cannot select the interface it does not fall back to any other method of forwarding.

Surprised we haven't seen this on the forums before.

Jon