Cisco ASA incoming Policy-based Routing on VTI Tunnel Interface

Harald Farinato
Level 1

Hey,

I have one of our locations connected to our headquarters via a VTI tunnel interface over our Cisco ASA VPN firewall. Now I have the need to PBR that incoming traffic at the ASA in our headquarters (Software Version 9.14(4)17). So I configured the extended ACL matching the incoming traffic that shall be PBR'ed. Then I created a route-map connected with the extended ACL and pointing its next-hop to the specific gateway. So far, so good.

Now I am struggling with where to connect the route-map. I learned that you must link the route-map on the interface where the traffic is coming from. First I thought of linking it to the VTI tunnel interface, but this is not possible. It seems only to be possible on physical interfaces on the ASA. Then I thought, OK, the physical interface on which the tunnel interface terminates is the outside interface on which the ASA has its public IP. I connected the route-map to that interface, but PBR is not working for the traffic coming via the VTI tunnel interface. Then I tried the same on our inside interface of the ASA, no luck!

So now I do not know how to get PBR working for the traffic coming inbound on the VTI tunnel interface. Is there a way to get that done? Appreciate your help!

2 Replies

Can I know the topology please? Please mention the interface you want to force the traffic through.

Same thing here, almost 2 years later.

Topology:

Remote site has a Checkpoint FW with an IPSec tunnel to the Cisco ASA (tunnel 10) at HQ.

The ASA has an outside and inside interface. The default route points to a next hop attached to the outside interface. The RFC1918 route points to a next hop attached to the inside interface.

The ASA doesn't NAT, so I need to point 0/0-destined traffic to the next hop attached to the inside interface, which connects to our NAT device.

Is it possible to do PBR for ingress traffic on a VTI?
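The ASA PBR building blocks both posters describe (extended ACL, route-map with a next-hop, route-map bound to an interface), written out as an added example for the second poster's scenario; it is not configuration from the thread, and the subnet, next-hop address and object names are assumed placeholders. As the thread reports, 9.14(4)17 does not accept a route-map on the tunnel interface, so this is the standard physical-interface form, and whether it sees VTI-ingress traffic is exactly the open question above.

```cisco
! Constructed placeholders: remote site 10.20.0.0/16 behind the Checkpoint,
! NAT device at 10.1.1.254 on the ASA inside segment.
! Keep RFC1918 destinations on the normal routing table (deny = fall through to
! the RIB); only Internet-bound (0/0) traffic from the remote site is policy-routed.
access-list PBR-REMOTE-TO-NAT extended deny   ip 10.20.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list PBR-REMOTE-TO-NAT extended deny   ip 10.20.0.0 255.255.0.0 172.16.0.0 255.240.0.0
access-list PBR-REMOTE-TO-NAT extended deny   ip 10.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list PBR-REMOTE-TO-NAT extended permit ip 10.20.0.0 255.255.0.0 any
!
route-map PBR-REMOTE-TO-NAT permit 10
 match ip address PBR-REMOTE-TO-NAT
 set ip next-hop 10.1.1.254
!
! Bind to a physical interface (policy-route is an interface-mode command);
! the thread shows the same command is refused on "interface Tunnel 10".
interface GigabitEthernet0/1
 nameif inside
 policy-route route-map PBR-REMOTE-TO-NAT
!
! Check that the map and ACL are in place before testing traffic.
show route-map PBR-REMOTE-TO-NAT
show running-config interface GigabitEthernet0/1
```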