Cisco ASA Policy Based Routing for Anyconnect clients from two address pools.

nethat
Level 1

 

I am using: ASA 5555-X with 9.10 code 

 

I have 2 Anyconnect tunnel groups defined with 2 different group-policies with 2 different IP address pools. Let's call these the DeptA and DeptB address pools.

 

I want to send any packets from DeptA pool out of interface-A with nexthop Hop-A, and any packets from DeptB pool out of interface-B with nexthop Hop-B.

 

Is this possible?

 

From my reading of PBR on the ASA, policy based routing has to be applied to an ingress interface. With Anyconnect clients this doesn't help me. The input interface is the outside interface of the ASA to the internet (encrypted tunnel traffic), but I don't care about the pre-decryption packets. I want to policy route based on the decrypted client traffic which comes from 2 different address pools.

 

If PBR isn't possible in this scenario, is there some workaround using some kind of NAT which would effectively do the same thing and allow me to choose the next hop and egress interface based on the source address pool of the Anyconnect clients?

 

Any assistance would be appreciated.

1 Reply

balaji.bandi
Hall of Fame

If they are terminating on the same ASA, you should be able to achieve the same, I believe (I have never tried it with remote dial-in VPN with 2 profiles). In a corporate network with dual ISP it works, confirmed it works, so I believe the concept is the same: based on the source IP you set up the next hop.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/configuration/general/asa-912-general-config/route-policy-based.html

BB

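The source-IP-based PBR the reply describes, written out as an added ASA configuration example (not taken from the linked document or from either poster). The pool subnets, next-hop addresses and interface names are constructed placeholders; it assumes, as the reply suggests, that the decrypted AnyConnect traffic is evaluated by the route-map on the interface where the tunnel terminates (outside), which is exactly the point the question asks to confirm and should be verified on the box before relying on it.

```cisco
! Constructed pool subnets; replace with the real DeptA / DeptB AnyConnect pool ranges
access-list PBR_DEPTA extended permit ip 10.10.1.0 255.255.255.0 any
access-list PBR_DEPTB extended permit ip 10.10.2.0 255.255.255.0 any
!
! One route-map, one sequence per pool: match on the source pool, set the next hop
! (Hop-A / Hop-B are constructed addresses reachable via interface-A / interface-B)
route-map VPN_PBR permit 10
 match ip address PBR_DEPTA
 set ip next-hop 192.0.2.1
route-map VPN_PBR permit 20
 match ip address PBR_DEPTB
 set ip next-hop 198.51.100.1
!
! PBR is applied on the ingress interface; for AnyConnect that is the tunnel-terminating
! interface. Traffic not matching either ACL falls through to the normal routing table.
interface GigabitEthernet0/0
 nameif outside
 policy-route route-map VPN_PBR
```

Keep the two ACLs limited to the pool ranges so that traffic from any other source entering the outside interface is not accidentally steered to a departmental next hop.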