Policy routing on ASA firewalls

Unanswered Question
Sep 11th, 2007

Sorry if this has been asked before but I couldn't find any conclusions on this:

Can an ASA firewall running the latest firmware ever implement policy routing, say like forcing web traffic out interface 1 and all other traffic out interface 2, similar to a regular Cisco router with

ip policy route-map

commands.

Thanks in advance.

cpembleton Tue, 09/11/2007 - 18:27

Firewalls don't have the capability to do PBR. There are other ways to get similar results depending on your setup.

If you're not doing any VPNs, dynamic routing, or multicast you could do multiple contexts. This makes the ASA into 2 or more separate firewalls. You could then do PBR with a router or L3 switch prior to the firewall that sends traffic for the Internet to one context and the rest to the other.

http://www.cisco.com/en/US/customer/docs/security/asa/asa72/configuration/guide/contexts.html#wp1002608

If you're doing NAT you could use ACLs to control which traffic to NAT to the corresponding outside interface. However, your routes (static, OSPF, RIP) must then send the traffic to the correct interface. You also need to make sure that traffic returns to the interface it was sent from or the connection won't get built. See Policy NAT.

http://www.cisco.com/en/US/customer/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042553

Hope this helps! Please rate if it does!

Thanks,

Chad
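The multiple-context design Chad describes, written out as an added example (not configuration from this thread or from Cisco documentation); every interface name, address and context name below is constructed for illustration. The upstream L3 switch does the policy routing, and each ASA context is a separate firewall with its own default route toward its own ISP:

```cisco
! --- Upstream L3 switch (IOS): classify and steer before the firewall ---
! Constructed addressing: inside LAN 10.1.1.0/24 on VLAN 10,
! "web" context inside leg at 10.1.1.2, "main" context inside leg at 10.1.1.3
ip access-list extended WEB-TRAFFIC
 permit tcp 10.1.1.0 0.0.0.255 any eq www
 permit tcp 10.1.1.0 0.0.0.255 any eq 443
!
route-map STEER-WEB permit 10
 match ip address WEB-TRAFFIC
 set ip next-hop 10.1.1.2
! traffic that does not match the ACL falls through to the normal routing table
!
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map STEER-WEB
!
! everything else goes to the "main" context
ip route 0.0.0.0 0.0.0.0 10.1.1.3

! --- ASA 7.2 system execution space: split the appliance into contexts ---
mode multiple
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
! "web" context: inside leg (10.1.1.2) plus the ISP 1 interface
context web
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/web.cfg
!
! "main" context: inside leg (10.1.1.3) plus the ISP 2 interface
context main
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/3
 config-url disk0:/main.cfg

! --- Inside each context (web.cfg shown; main.cfg is the same with ISP 2) ---
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

Because the web context only ever sees the sessions the switch steered to it, their return traffic from ISP 1 arrives on that same context and matches its existing connection entries, which is the return-path requirement Chad points out.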

kenneth.liew Tue, 09/11/2007 - 19:11

Actually other firewalls (like Fortinet) do have the ability to do PBR; it's a pity that Cisco's ASA doesn't.

Do you know if it supports ICMP redirects now as well, i.e. if you point to the ASA as your default gateway and the ASA knows that the next hop should be a different router on your LAN, it sends an ICMP redirect to you to inform you of the correct next hop? In PIX 6.x and 7.0 I could never get that going, so I'm wondering whether they have got it going for ASA 7.2?

Thanks again.

cpembleton Tue, 09/11/2007 - 19:38

Sorry, I meant Cisco Firewalls not all firewalls.

In 6.x code it would not be possible because you can't send traffic back out the same int it came in on.

7.X code has a new command to allow traffic to go out the int it came in on.

same-security-traffic permit intra-interface

I think (never tried it) ICMP redirects will work if you use this command and the firewall is the default gateway for the client. Which kind of limits the use since, other than small businesses, most people have more than 1 subnet so the firewall can't be the default. Catch 22!

Thanks,

Chad
