ASA 5525-X Policy Based Routing

Orico Newbourn
Level 1

Hi,

I'm having trouble setting up the PBR on my ASA (latest OS and ASDM). Here is the scenario:

4 interfaces up, two internal, two external (separate ISP connections); I will call them IN1, IN2, OUT1, OUT2.

Default route points to OUT1 so clients from IN1 and IN2 are reaching the internet via that interface. I want to redirect clients from IN2 to go out via OUT2 but preserve other rules that are allowing clients from IN2 to reach resources in IN1.

Clients from IN2 are also using some resources from IN1 (DNS and file shares).

When I apply PBR to clients in IN2 they are rerouted via OUT2 and that is fine, but then the rules for reaching resources in IN1 don't work anymore.

ACL for interface IN2:

- allow hosts to reach DNS in IN1

- allow hosts to reach file shares in IN1

- deny hosts from reaching all other resources in IN1

- allow any other traffic to go via default route

So when I enforce my PBR, clients from IN2 are going out fine, but the problem is that all rules are matched from the ACL of IN2, so my DNS requests and requests for accessing file shares are rerouted too.

Is there any way to isolate only the clients' requests to reach the Internet and apply PBR on that?

Thank you very much!

Regards!

2 Replies

Orico Newbourn
Level 1

Solved,

I used "Set default next-hop IP address" to redirect traffic going via default route only.

Regards!
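The configuration pattern the solution above relies on, shown as an added example that is not the poster's own config. The addresses (192.168.1.0/24 for IN1, 192.168.2.0/24 for IN2, 198.51.100.1 and 203.0.113.1 as the ISP next hops) and the interface slot are assumed values chosen for illustration; the difference between `set ip next-hop` and `set ip default next-hop` is what makes the IN2-to-IN1 traffic keep following the routing table and the IN2 interface ACL.

```text
! Added example (not from the thread). Assumed addressing:
!   IN1 = 192.168.1.0/24, IN2 = 192.168.2.0/24 (constructed values)
!   OUT1 next hop = 198.51.100.1, OUT2 next hop = 203.0.113.1

! Default route via OUT1: IN1 and IN2 clients reach the Internet here unless PBR says otherwise
route OUT1 0.0.0.0 0.0.0.0 198.51.100.1 1

! PBR traffic selector: everything sourced from IN2.
! IN2 -> IN1 flows (DNS, file shares) match this ACL as well, which is why a plain
! "set ip next-hop" would drag them onto OUT2.
access-list PBR-IN2 extended permit ip 192.168.2.0 255.255.255.0 any

route-map PBR-IN2 permit 10
 match ip address PBR-IN2
 ! Wrong for this scenario: bypasses the routing table for every matched packet,
 ! including IN2 -> IN1 traffic.
 !   set ip next-hop 203.0.113.1
 !
 ! Correct: the routing table is consulted first. Only packets that would otherwise
 ! use the default route (Internet-bound) are handed to OUT2; packets for
 ! 192.168.1.0/24 still follow the connected route to IN1 and are filtered by the
 ! IN2 interface ACL as before.
 set ip default next-hop 203.0.113.1

interface GigabitEthernet0/2
 nameif IN2
 security-level 50
 ip address 192.168.2.1 255.255.255.0
 policy-route route-map PBR-IN2
```

To confirm the split behaves as intended, trace one flow to an IN1 resource and one to a public address with `packet-tracer input IN2 ...` and check that the first egresses on IN1 (subject to the IN2 ACL) while the second egresses on OUT2; `show route-map PBR-IN2` shows the match counters climbing only for the second kind of flow.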

Thank you for posting back to the forum to let us know that you have found the solution for your own problem and for sharing the solution with us. This provides a good insight into the operation of PBR and should be helpful to other readers in the forum. +5 to you.

HTH

Rick