Solved: NAT AND PBR On ASA 9.8

NETAD · ‎01-29-2018

Hello, On a ASA we have a internet circuit and an MPLS circuit. Currently the ASA has a default route towards the MPLS. The Inside interface is sliced into multiple sub-interfaces. One of the them is for the guest wireless. We would like to send the guest wireless out of the internet circuit. Can this be accomplished through PBR on ASA. I read that PBR is supported as of 9.4(1). I also read that this might not work with NAT. Here's what I'm planning on doing.

Apply object nat to the guest wireless subnet (NAT to the outside interface)

Create an ACL to match the guest wireless subnet

access-list TEST1 extended permit ip 172.16.12.0 255.255.255.0 any4

create a route-map and match the ACL

!
route-map match-TEST1 permit 10
match ip address TEST1
set ip next-hop <ISP>
set interface outside

apply PBR under sub-interface for the guest wireless.

inter

policy-route route-map <match-TEST1>

Flavio Miranda · ‎01-29-2018

Well, I dont know how your topology looks like. But, I thing you got the point. Local mode traffic is sent to the WLC and the WLC is responsible for send the traffic out through some interface.

Flexconnect local switching ( keep in mind that you need to configure the SSID as flexconnect Local Switching and the AP as flexconnect ) the AP is responsible to send the traffic out through some vlan.

-If I helped you somehow, please, rate it as useful.-

View solution in original post

Flavio Miranda · ‎01-29-2018

Hi @NETAD

It is correct. Did you try ?

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/route-policy-based.pdf

-If I helped you somehow, please, rate it as useful.-

NETAD · ‎01-29-2018

I just did this in my lab and it worked. I'm about to test it on the real ASA. I'll keep you posted.

Flavio Miranda · ‎01-29-2018

Yeah, must work fine.

-If I helped you somehow, please, rate it as useful.-

NETAD · ‎01-29-2018

Ok so the issue now is that we're trying to do this for the guest wireless. So looks like the AP is hiding the source IP for the guest traffic and the ASA is not able to match that traffic. I tried configuring the AP in flexconnect mode but that didn't do it.

Flavio Miranda · ‎01-29-2018

I assume that the WLC dynamic interface, mapped to the Guest SSID, connect to the ASA subinterface, right?

The communication between AP and WLC is tunneled so that the traffic that should be used as source is on the WLC interface.

Flexconnect could work as well. You can put the AP in trunk and the users traffic in a specific vlan.

-If I helped you somehow, please, rate it as useful.-

NETAD · ‎01-29-2018

The WLC is actually over the WAN and the guest users get their IP's assigned from a DHCP over the over.

Flavio Miranda · ‎01-29-2018

Humm... then you need to use flexconnect. This way the users traffic will be send locally (behind firewall I suppose) and then you can use the PRB.

Otherwise, in Local mode, all the traffic wil be send over the WAN to the WLC.

-If I helped you somehow, please, rate it as useful.-

NETAD · ‎01-29-2018

Correct and I did but the ASA still didn't match the traffic. Don't know if I missed anything for the flexconnect configuration in the WLC or should the clients subnet be local to the remote office?

Flavio Miranda · ‎01-29-2018

Well, I dont know how your topology looks like. But, I thing you got the point. Local mode traffic is sent to the WLC and the WLC is responsible for send the traffic out through some interface.

Flexconnect local switching ( keep in mind that you need to configure the SSID as flexconnect Local Switching and the AP as flexconnect ) the AP is responsible to send the traffic out through some vlan.

-If I helped you somehow, please, rate it as useful.-

NETAD · ‎01-29-2018

Thank you so much.