10-05-2015 12:43 PM - edited 02-21-2020 08:29 PM
Hello,
We have a customer who has upgraded its ASA to version 9.5.1 and now would like to use PBR for users connected by AnyConnect.
Today, the ASA is configured with an ACL filter under which only local networks are permitted on the tunnel.
We tried to use PBR in order to send all traffic through the tunnel, with the next-hop being another device on the LAN side.
Anyconnect Network: 172.18.18.0/24
Lan Network: 172.18.16.0/24
Default gateway to be used for anyconnect clients: 172.18.16.202
A standard ACL was created to match traffic as 172.18.18.0, along with a route-map whose next-hop is 172.18.16.202, and it was applied to the outside interface.
Gateway 172.18.16.202 knows that net 172.18.18.0/24 is on the ASA (static route).
Is my understanding right? I have configured it as mentioned above, but it didn't work.
Regards,
Regis
10-05-2015 09:33 PM
Hi Regis,
If you want to send all the AnyConnect traffic to a specific host on the LAN site (next-hop) you can use the "route tunneled" feature instead of PBR.
Check more information below:
Hope it helps
-Randy-
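The "route tunneled" approach from the reply above, sketched with the addresses given in the question. This is an added example, not configuration posted by anyone in the thread; the interface names `inside` and `outside`, the outside gateway and the group-policy name are assumptions or placeholders.

```cisco
! Assumed interface names: "outside" faces the Internet,
! "inside" is the LAN 172.18.16.0/24 from the question.

! Standard default route, used by the ASA itself and by non-VPN traffic.
! <OUTSIDE_GATEWAY> is a placeholder, not a value from the thread.
route outside 0.0.0.0 0.0.0.0 <OUTSIDE_GATEWAY> 1

! Tunneled default route: traffic that arrives decrypted from a VPN tunnel
! and matches no more specific route is forwarded to the LAN gateway
! named in the question instead of following the standard default route.
route inside 0.0.0.0 0.0.0.0 172.18.16.202 tunneled

! For the clients to send all of their traffic into the tunnel, the group
! policy has to tunnel everything rather than only the local networks.
! <ANYCONNECT_GROUP_POLICY> is a placeholder for the policy in use.
group-policy <ANYCONNECT_GROUP_POLICY> attributes
 split-tunnel-policy tunnelall

! Confirm that both default routes are present in the configuration.
show running-config route
```

The tunneled default route applies to decrypted traffic from every VPN tunnel terminating on the ASA, not only AnyConnect, so check the other tunnel-groups on the device before enabling it. The gateway 172.18.16.202 still needs its return route to 172.18.18.0/24 via the ASA, as described in the question.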
10-06-2015 04:36 AM
Interesting workaround, nice!
10-13-2015 07:24 AM
Tks Randy.
It worked as expected.
10-16-2015 02:16 AM
Hello gentlemen,
I have an Active-Standby 5515 cluster used by several SSL tunnel-groups. All is fine until I need to add several small ASAs using EasyVPN.
I would like traffic from Easy Connect ONLY to use the inside default route, but NOT affect/catch any other RemoteVPN access traffic, which uses the outside default route and NAT.
So can I do this with a custom tunnel-group or group-policy option or should I employ PBR?
Thanks in advance!