Does ASA support PBR? And a site-to-site VPN question.

syjeon
Level 1

Hello.

We have to separate the traffic based on source network. Is it possible to separate the network on Cisco ASA?

Or if not, if we just establish the LAN-to-LAN VPN with the HQ VPN device, does the traffic matched by the access-list revert to the VPN tunnel automatically with any routing?

Then it's OK, but I think Cisco ASA does not support PBR (policy-based routing) yet. I wonder if no specific route is required to point to the IPsec tunnel.

Please review the attached file and let us know what is the best solution to solve our problem.

Thanks everyone.


7 Replies

Jennifer Halim
Cisco Employee

You are right, ASA does not support PBR.

To establish the VPN tunnel, will you be using the same Internet connection off the ASA, or will you be using a different Internet connection and a different interface on the ASA?

If you are using the same Internet connection/outside interface for the VPN connection on the ASA, then as long as the route towards the remote end is pointing towards the default gateway, the VPN can be established.

If you are using 2 different interfaces on the ASA, i.e. 1 for the normal Internet connection and a 2nd interface just to terminate the VPN, then you would need to configure a static route for the VPN peer and remote subnet pointing towards this 2nd interface's next hop (for VPN).

Hope that makes sense.

Hi Jennifer.

Thanks for your quick reply.

I just want to make sure of the rest of the things.

Cisco ASA does not support PBR, it's OK.

According to the diagram, the destination is the same in the case of intranet and VPN.

We need to separate the traffic based on source n/w. It means PBR...

Is there no way to solve our issue without changing the network infrastructure?

Sorry, not quite sure what you mean.

For VPN, you would need to configure crypto ACL anyway to determine the source network and destination network that you would like to encrypt/pass through the VPN tunnel. So only network that you determine in the crypto ACL will be encrypted and pass through the VPN tunnel, the rest of the other network if it doesn't match the crypto ACL, will just pass through the ASA as is.

Ah, OK. Then in the case of traffic matching the crypto ACL, it isn't required to configure a static route? It is not routing based, right?

In the manner of the crypto ACL, just the traffic matching the ACL will go through the VPN tunnel, and the others are only passed routing based?

In conclusion, even through the same destination, the crypto map (not a static route configured at a specific) will be launched before normal routing?

Correct, it's not routing based. As long as the traffic reaches the ASA, it matches the crypto ACL, and it's going via the same default route, then all you need to do is configure the VPN configuration on the ASA and on the remote VPN side for the VPN to work.

Well, you mention that the destination network is the same, i.e. via the ASA default gateway, so that doesn't matter.

For VPN, what matters is that the traffic reaches the ASA first, then it checks the crypto ACL, since your destination route is the same whether it's via VPN or via the normal route.
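As an added illustration of what the reply above describes (this config was not posted in the thread and is not the poster's or Cisco's own): two source subnets reach the same HQ destination through the same default route, and only the one named in the crypto ACL is encrypted, with no per-tunnel static route. All addresses, object names and the ASA 8.4+ IKEv1 syntax are assumptions; it depends on the crypto map being applied on the interface the default route already selects.

```text
! Constructed example; all addresses and names are assumptions.
! Intranet users 10.1.1.0/24 must reach HQ 172.16.0.0/24 through the IPsec tunnel;
! guest users 10.1.2.0/24 reach the same destination in the clear via normal routing.
object network LAN_VPN
 subnet 10.1.1.0 255.255.255.0
object network LAN_CLEAR
 subnet 10.1.2.0 255.255.255.0
object network HQ_NET
 subnet 172.16.0.0 255.255.255.0

! Crypto ACL: source network decides. Only 10.1.1.0/24 -> 172.16.0.0/24 is
! "interesting" traffic; 10.1.2.0/24 -> 172.16.0.0/24 does not match and is routed as is.
access-list VPN_TO_HQ extended permit ip object LAN_VPN object HQ_NET

! NAT exemption for the encrypted flow only (8.3+ twice NAT); the clear flow keeps normal PAT.
nat (inside,outside) source static LAN_VPN LAN_VPN destination static HQ_NET HQ_NET no-proxy-arp route-lookup

! One default route for both flows. No static route points at the tunnel: the crypto ACL,
! not the routing table, selects the tunnel once traffic egresses "outside".
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! IKEv1 phase 1 and IPsec transform set
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac

! Crypto map bound to the same interface the default route uses
crypto map OUTSIDE_MAP 10 match address VPN_TO_HQ
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside

! Peer definition for the HQ VPN device (placeholder PSK)
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_STRONG_PSK
```

Verify with `show crypto ipsec sa` that only the 10.1.1.0/24 proxy identity appears; if a static route later sends 172.16.0.0/24 out a different interface than the one carrying the crypto map, the flow will follow that route and bypass the tunnel.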

Not quite sure what you mean by:

In conclusion, even through the same destination, the crypto map (not a static route configured at a specific) will be launched before normal routing?

If you have a static route on the ASA towards a remote/destination subnet via a different interface than the VPN, then it does make a difference. It will check the routing in this instance.

Please confirm if you have a static route on the ASA for the destination network towards a different interface than where the VPN will be terminated.

Thanks Halim, have a good day.