ASA 9.4.1 PBR Local Traffic

TheSlyOne (Level 1)

I want to have two ISPs connected to my firewall on two interfaces, each with a static IP range assigned by the respective ISP.  I would like to terminate VPN tunnels on an IP address on each range.  This is easy on a router, but seems impossible on the ASA.

My initial thought was to set equal cost default gateway, but this is not supported.

To my delight I saw interface teaming would allow you to set equal cost routes, so I teamed the two Outside interfaces and set a route.  Tested I could ping both from a mobile device and got a response from the correct address.  This was great until I tried to configure VPN, and was told by ASDM that VPN is not supported on teamed interfaces. So, no go with teamed interfaces.

After racking my brains, I saw that in the very latest 9.4.1 ASA firmware Cisco had introduced Policy Based Routing.  Happy again, I upgraded my firewall and configured the policies, only to discover the "ip local policy route-map" command is not implemented, so you cannot set a policy based on local traffic originating from the firewall.

I briefly thought multiple contexts might work, but then I remembered it was rubbish and doesn't fully support many things.

After this roller coaster ride, the only thing I can think of is to use two firewalls, but I am loath to give Cisco double the cash for putting stupid limitations on their hardware.

 

Any Ideas anyone?

 

8 Replies

Don't know what you are doing, but on the ASA it's even easier than on a router. No PBR or so is needed for that.

Just enable VPN on both of your external interfaces. Configure two FQDNs for both public ASA IP addresses and connect to one or the other.

Won't this still have a problem with asymmetric routing and multiple default gateway issues?

- As far as I know the only way to do this is to put both external interfaces into the same security-zone and have two equal cost default routes. However I think this will try to load balance the traffic and have asymmetric routing.

As Danlicari points out, you still have no routes to the two ISPs.  The core problem here is being able to route the two VPNs in two directions.  I do not want it to be active/standby; I want to be able to use both ISPs.

That's done automatically. Let's assume that your default route points to ISP1. Now you connect your VPN to the ASA IP address on ISP2. The ASA will install a temporary route for your assigned IP address via ISP2 and route your packets according to that route.

Hi Karsten,

 

No, I cannot agree with you. I created a TAC case today and already had a live session with an engineer. The engineer told me PBR is only available for packets going through the firewall, not locally destined ones, but he will reproduce it in the lab.

Are you really sure it works out of the box? Perhaps only with SSLVPN and not IPSEC?

 

Best regards,

Michael

( big fan of your blog :) )

Michael Please rate all helpful posts

> Are you really sure it works out of the box? Perhaps only with SSLVPN and not IPSEC?

As the original poster didn't mention the transport, I assumed AnyConnect/TLS as that is the default. There it works out of the box and is not related to the new PBR function (it works also with older releases). I don't have it running with AnyConnect/IPsec anywhere but I would assume it to work too.

> ( big fan of your blog :) )

oh, you are my reader ... ;-)

The everyday newsfeeder, yes :)

OK, I'll check with AnyConnect (SSL) and come back ... 

 

Michael


So, when there's a second default gateway with a higher metric AnyConnect works, but it always fails with IPSEC. 

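To make concrete what Karsten's reply (VPN enabled on both outside interfaces, a backup default route) and Michael's test result (works for AnyConnect SSL, fails for IPsec) amount to in configuration, here is an added ASA config fragment. It is an illustration written for this thread, not config posted by any participant and not Cisco documentation; the interface names, documentation-range addresses (203.0.113.0/24, 198.51.100.0/24), pool, group-policy and tunnel-group names, and the package filename are all placeholders.

```text
! Two ISP-facing interfaces, each with its own provider-assigned address
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.10 255.255.255.248
!
! Primary default route via ISP1 (AD 1); backup default route via ISP2 with a
! higher administrative distance, as in Michael's test. The ASA does not do
! equal-cost default routes, so the second route is only installed if the
! first goes away. Traffic the ASA originates (including outbound IPsec
! packets) follows whichever default route is active, which is why the
! thread reports IPsec failing on the ISP2 address.
route outside1 0.0.0.0 0.0.0.0 203.0.113.9 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.9 254
!
! AnyConnect over TLS listening on BOTH outside interfaces. Publish two DNS
! names (e.g. vpn1.example.com -> 203.0.113.10, vpn2.example.com ->
! 198.51.100.10) outside the ASA; clients pick which ISP they land on.
webvpn
 enable outside1
 enable outside2
 anyconnect image disk0:/anyconnect-client-package.pkg 1
 anyconnect enable
!
ip local pool VPN_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
!
tunnel-group TG_ANYCONNECT type remote-access
tunnel-group TG_ANYCONNECT general-attributes
 address-pool VPN_POOL
 default-group-policy GP_ANYCONNECT
tunnel-group TG_ANYCONNECT webvpn-attributes
 group-alias ANYCONNECT enable
!
! Verification after a client connects to the ISP2 address:
!   show route                    -> outside1 default active, outside2 [254/0] listed
!   show vpn-sessiondb anyconnect -> session's public IP and assigned pool IP
!   show asp table routing        -> per-session host route for the assigned
!                                    pool IP pointing out outside2 (the
!                                    "temporary route" Karsten describes)
```

This deliberately enables only SSL (ssl-client) in the group policy: Michael's result in the thread is that the same two-interface, backup-default-route setup always fails with IPsec, and the thread offers no working IPsec configuration, so none is shown here. The security-relevant check is the last one: confirm with show asp table routing that return traffic to the client's assigned address leaves via the interface the session arrived on, rather than the primary default route, before relying on the second ISP for production VPN access.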