Hey,
I have one of our locations connected to our headquarters via a VTI tunnel interface over our Cisco ASA VPN firewall. Now I need to PBR that incoming traffic at the ASA in our headquarters (software version 9.14(4)17). So I configured the extended ACL matching the incoming traffic that shall be PBR'd. Then I created a route-map linked to the extended ACL and pointing its next-hop to the specific gateway. So far, so good.
Now I am struggling with where to attach the route-map. I learned that you must link the route-map to the interface where the traffic is coming from. First I thought of linking it to the VTI tunnel interface, but this is not possible. It seems to be possible only on physical interfaces on the ASA. Then I thought, OK, the physical interface on which the tunnel interface terminates is the outside interface on which the ASA has its public IP. I attached the route-map to that interface, but PBR is not working for the traffic coming via the VTI tunnel interface. Then I tried the same on the inside interface of the ASA, no luck!
So now I do not know how to get PBR working for the traffic coming inbound on the VTI tunnel interface. Is there a way to get that done? I appreciate your help!