09-11-2020 11:23 AM
Hi Guys,
I have two Outside interfaces:
interface GigabitEthernet0/5
nameif GSNoutside
security-level 0
ip address 10.198.5.133 255.255.255.128
and
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.100.241 255.255.255.0 standby 192.168.100.242
!
and this is the inside:
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.230.241 255.255.255.0 standby 10.10.230.242
The topology is attached.
I have two outside interfaces: one is connected to the ISR (nameif outside) and the other connects to another network called GSN (nameif GSNoutside).
I want to route those hosts (10.10.3.150, 10.10.3.151) and these networks (10.178.0.0 255.255.0.0, 10.196.0.0 255.252.0.0, via 10.198.5.129) to the GSNoutside interface, and send the rest of the inside traffic to the outside interface,
because right now the one default route directs all traffic to the ISR (outside) and cannot forward the two hosts to the GSNoutside interface.
route outside 0.0.0.0 0.0.0.0 192.168.100.243 >> this default route goes to the ISR
Lastly, I need to make a NAT between (10.10.3.150 >> 10.198.5.224) and (10.10.3.151 >> 10.198.5.244).
I am thinking it should be like this:
route GSNoutside 10.178.0.0 255.255.0.0 10.198.5.129
route GSNoutside 10.196.0.0 255.252.0.0 10.198.5.129
object network NETWORK_10.10.3.150
host 10.10.3.150
object network NETWORK_10.198.5.244
host 10.198.5.244
object network NETWORK_10.10.3.151
host 10.10.3.151
object network NETWORK_10.198.5.224
host 10.198.5.224
access-list PBR_TESTSRVR extended permit ip host 10.10.3.151 any <– matches TEST SERVER
access-list PBR_PRODSRVR extended permit ip host 10.10.3.150 any <– matches PRODUCTION SERVER
access-list PBR_ISR extended permit ip any any <– matches any network to ISR
route-map PBR permit 2
match ip address PBR_TESTSRVR
set ip next-hop 10.198.5.129
route-map PBR permit 3
match ip address PBR_PRODSRVR
set ip next-hop 10.198.5.129
route-map PBR permit 4
match ip address PBR_ISR
set ip next-hop 192.168.100.243
interface GigabitEthernet0/1
policy-route route-map PBR
nat (inside,GSNoutside) source static NETWORK_10.198.5.244 NETWORK_10.198.5.224 destination static NETWORK_10.10.3.150 NETWORK_10.10.3.151 no-proxy-arp route-lookup
Is it correct?
Thanks,
Mohammad Saeed
09-11-2020 11:39 AM - edited 09-11-2020 11:50 AM
Your NAT rule seems incorrect; 10.10.3.x is inside your network?
If you want to NAT (10.10.3.150 >> 10.198.5.224) and (10.10.3.151 >> 10.198.5.244), then try this:
object network HOST1
host 10.10.3.150
nat (inside,GSNoutside) static 10.198.5.224
object network HOST2
host 10.10.3.151
nat (inside,GSNoutside) static 10.198.5.244
HTH
09-11-2020 11:42 AM
Hi @Rob Ingram, many thanks for the assistance.
Yes, 10.10.3.x is inside on the ASA.
What about the routing part, is it correct?
09-11-2020 12:19 PM - edited 09-11-2020 12:20 PM
It might be better to merge PBR_TESTSRVR and PBR_PRODSRVR into one ACL and one route-map entry, as they route to the same destination. For any amendments you just modify the ACL.
You don't necessarily need the third route-map entry and its associated ACL for all other traffic; just define a static route, and any traffic that doesn't match the PBR for TEST/PROD would be routed out the default route.
09-11-2020 11:45 AM
I got it with the routes below, with weights and interface-based NAT (along with your PBR):
route GSNoutside 0.0.0.0 0.0.0.0 ISP1GatewayIP 1
route outside 0.0.0.0 0.0.0.0 ISP2GatewayIP 2
nat (inside,outside) dynamic interface
nat (inside,GSNoutside) dynamic interface
09-11-2020 11:54 AM - edited 09-11-2020 12:11 PM
But here ISP1GatewayIP is the first one, and the second is ISP2GatewayIP? How can the ASA know about the network 10.10.3.x, or the networks (10.178.0.0 255.255.0.0, 10.196.0.0 255.252.0.0 via 10.198.5.129)?
09-11-2020 12:25 PM
So if I use it this way, will it not work?
access-list PBR_TESTSRVR extended permit ip host 10.10.3.151 any
access-list PBR_PRODSRVR extended permit ip host 10.10.3.150 any
access-list PBR_178 extended permit ip 10.178.0.0 255.255.0.0 any
access-list PBR_196 extended permit ip 10.196.0.0 255.252.0.0 any
access-list PBR_ISR extended permit ip any any
route-map PBR permit 2
match ip address PBR_TESTSRVR
set ip next-hop 10.198.5.129
route-map PBR permit 3
match ip address PBR_PRODSRVR
set ip next-hop 10.198.5.129
route-map PBR permit 4
match ip address PBR_178
set ip next-hop 10.198.5.129
route-map PBR permit 5
match ip address PBR_196
set ip next-hop 10.198.5.129
route-map PBR permit 6
match ip address PBR_ISR
set ip next-hop 192.168.100.243
interface GigabitEthernet0/1
policy-route route-map PBR
09-11-2020 12:33 PM - edited 09-11-2020 12:35 PM
Yes, it will work. I was suggesting an alternate method to reduce configuration and the overhead of processing multiple PBR route-map entries. This is what I was suggesting:
access-list PBR_ISP2 extended permit ip host 10.10.3.151 any
access-list PBR_ISP2 extended permit ip host 10.10.3.150 any
access-list PBR_ISP2 extended permit ip 10.178.0.0 255.255.0.0 any
access-list PBR_ISP2 extended permit ip 10.196.0.0 255.252.0.0 any
route-map PBR permit 2
match ip address PBR_ISP2
set ip next-hop 10.198.5.129
09-11-2020 12:39 PM
@Rob Ingram, thanks for making it simple, but you forgot:
access-list PBR_ISR extended permit ip any any
which I want so that any traffic except the specified is directed to the ISR.
09-11-2020 12:42 PM - edited 09-11-2020 12:43 PM
I left it out intentionally. If not specified in the PBR it will be routed via the default route (as mentioned in previous post above).
09-11-2020 12:46 PM
@Rob Ingram, you mean I have to use this default gateway:
route outside 0.0.0.0 0.0.0.0 ISP2GatewayIP 2
nat (inside,outside) dynamic interface
09-11-2020 12:52 PM
Use this default route:
route outside 0.0.0.0 0.0.0.0 192.168.100.243
Anything that doesn't match the PBR ACL above would be routed via the outside interface using the route above.
If you need NAT, then the NAT rule above would work.
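To make the forwarding decisions in this thread concrete, here is an added simulation that is not part of the thread and not Cisco or ASA code. It models the final design as hypothetical Python: the single PBR_ISP2 ACL with one route-map entry (next hop 10.198.5.129), the two static object NATs on (inside,GSNoutside), the connected routes from the interface configuration, and the default route out "outside" via 192.168.100.243. Function names (lookup_route, egress_for, translate_source, forward), the evaluation order (PBR first, then the routing table, then source NAT for the chosen interface pair) and the sample flows are all my own simplifications; the interface-based dynamic NAT is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One 'access-list ... extended permit ip <src> <dst>' entry.
    As on the ASA, the first address is the SOURCE, the second the DESTINATION."""
    src: Net
    dst: Net


@dataclass(frozen=True)
class RouteMapSeq:
    seq: int
    acl: str
    next_hop: IPv4


@dataclass(frozen=True)
class Route:
    prefix: Net
    iface: str
    next_hop: Optional[IPv4]  # None for a connected route


@dataclass(frozen=True)
class StaticNat:
    real_iface: str
    mapped_iface: str
    real: IPv4
    mapped: IPv4


ANY = Net("0.0.0.0/0")

# Constructed policy, transcribed from the configuration discussed in the thread.
ACLS = {
    "PBR_ISP2": [
        Ace(Net("10.10.3.151/32"), ANY),
        Ace(Net("10.10.3.150/32"), ANY),
        Ace(Net("10.178.0.0/16"), ANY),   # 255.255.0.0
        Ace(Net("10.196.0.0/14"), ANY),   # 255.252.0.0
    ]
}
ROUTE_MAP = [RouteMapSeq(2, "PBR_ISP2", IPv4("10.198.5.129"))]
ROUTES = [
    Route(Net("10.10.230.0/24"), "inside", None),          # connected
    Route(Net("192.168.100.0/24"), "outside", None),       # connected
    Route(Net("10.198.5.128/25"), "GSNoutside", None),     # connected
    Route(ANY, "outside", IPv4("192.168.100.243")),        # route outside 0.0.0.0 0.0.0.0 192.168.100.243
]
NATS = [
    StaticNat("inside", "GSNoutside", IPv4("10.10.3.150"), IPv4("10.198.5.224")),
    StaticNat("inside", "GSNoutside", IPv4("10.10.3.151"), IPv4("10.198.5.244")),
]


def lookup_route(dst: IPv4) -> Route:
    """Longest-prefix match over the routing table."""
    best = None
    for r in ROUTES:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    assert best is not None, "default route guarantees a match"
    return best


def acl_permits(name: str, src: IPv4, dst: IPv4) -> bool:
    return any(src in e.src and dst in e.dst for e in ACLS[name])


def egress_for(src: IPv4, dst: IPv4):
    """PBR on the ingress interface runs first; unmatched traffic uses the routing table."""
    for rm in sorted(ROUTE_MAP, key=lambda r: r.seq):
        if acl_permits(rm.acl, src, dst):
            via = lookup_route(rm.next_hop)  # the next hop must be reachable via a connected interface
            return via.iface, rm.next_hop, f"PBR seq {rm.seq}"
    r = lookup_route(dst)
    return r.iface, r.next_hop, "routing table"


def translate_source(src: IPv4, egress: str) -> IPv4:
    """Apply a static object NAT whose interface pair matches the chosen egress."""
    for n in NATS:
        if n.real_iface == "inside" and n.mapped_iface == egress and n.real == src:
            return n.mapped
    return src


def forward(src: str, dst: str) -> dict:
    s, d = IPv4(src), IPv4(dst)
    iface, next_hop, reason = egress_for(s, d)
    return {"egress": iface, "next_hop": str(next_hop), "reason": reason,
            "src_after_nat": str(translate_source(s, iface))}


if __name__ == "__main__":
    for flow in [("10.10.3.150", "8.8.8.8"), ("10.10.230.50", "8.8.8.8"), ("10.10.230.50", "10.178.1.1")]:
        print(flow, "->", forward(*flow))
```

Running the three sample flows shows the two behaviours the thread settles on: 10.10.3.150 is policy-routed to 10.198.5.129 on GSNoutside and leaves as 10.198.5.224, while an ordinary inside host falls through the route-map to the default route on outside. The third flow is the check worth keeping in mind: because the ACL entries for 10.178.0.0/16 and 10.196.0.0/14 name those networks as the source, a packet from 10.10.230.50 to 10.178.1.1 does not match PBR_ISP2 and also takes the default route; the entries would need the network in the destination position to steer inside-to-GSN traffic.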
09-11-2020 12:55 PM
I got it. Thank you.
09-11-2020 11:39 PM
@Rob Ingram, there is no "set ip next-hop" under
route-map PBR permit 2
04-15-2021 12:08 AM - edited 04-15-2021 12:09 AM
If I am seeking to get right of entry to phone offerings on Jabber from CUCM, connected to VPN, and CUCM is LDAP integrated without SSO, does it suggest I may not need to provide phone service credentials on Jabber?