Policy-based routing

Apr 6th, 2009


I have a question. I want to make the users on remote sites authenticate on the ASA when they want to surf the web.

To accomplish this they have to go through the Central router, then through the ASA to authenticate (ASA is doing NAT too) and then back to the Central router and then to the Internet.

Right now they are using a proxy that should be disconnected soon.

I tried with route-maps; the packet came to the ASA and then back to the Central router, but then I got a loop error (debug ip policy).

Here is a picture.

Giuseppe Larosa Mon, 04/06/2009 - 23:29

Hello Smail,

You need another L3 link between the ASA and the router; probably the router sees the PBR traffic coming back on the same interface and thinks it is a loop.

Hope to help.


smailmilak Mon, 04/06/2009 - 23:35

ASA is doing NAT so the traffic will come back with a Public IP.

I know now why it detected a loop. I tested it with GNS and I had no NAT configured. Gonna try it now.

But I don't know how the traffic will come back.

omar.elmohri Tue, 04/07/2009 - 02:35


First, the NAT will use a public address, which means that you can use PBR based on the source remote ip addresses.

But you need to know that only one connection to the ASA means that you are connected to the outside, which is not possible!! You have, as Giuseppe says, two connections to the ASA: one with the inside or DMZ to send arriving packets, and an outside to send back the NATted packets.

If you don't have more than one possible physical connection, you may use sub-interfaces on both router and ASA.

Hope that can help.



smailmilak Tue, 04/07/2009 - 04:53

There are two interfaces on the ASA that are connected to the central router.

One has a public IP and one a private IP (OSPF routing is enabled on that one).

I forgot that when I made a lab with GNS.

I'm gonna try it again later; GNS does not work well on my laptop.

So do you guys have any tips on how to solve this one without a lot of complications in the configuration?

omar.elmohri Tue, 04/07/2009 - 05:14

There is no complication.

On the router, you have two streams:

- Remote -> router (managed with PBR and route-maps)

- Local (ASA) -> Internet (managed with default route)

If you need more information, you have only to ask.



smailmilak Mon, 04/13/2009 - 03:54


The remote router sends the request to the central router and it sends it, obviously, to the ASA. I've put a route-map on the LAN interface on the remote router and a route-map on the tunnel interface on the central router. With "debug ip policy" I get the info that it is policy routed to the next hop (ASA), but it seems that it doesn't reach the ASA.

I used traceroute on my laptop and I get only a response from my LAN interface and the tunnel interface on the central router.

I tested it on GNS where I used a router as the ASA. I used a route-map on this router too and this configuration worked flawlessly.

I tried to configure a route-map on the ASA but there are no set ip next-hop and set interface statements.

omar.elmohri Mon, 04/13/2009 - 03:59

Right, the ASA doesn't do any PBR like a router. You need to connect to a DMZ and not to the outside.

On the ASA you need only a NAT from DMZ to Outside.

Any comment ?



smailmilak Mon, 04/13/2009 - 04:03

I have only 3 interfaces on the ASA.

LAN, Internet (connected to the central router) and one "for VPN" (connected to the central router with private IP).

Don't know what to do now, I don't have any ideas.

smailmilak Mon, 04/13/2009 - 04:37

I don't have any ideas how to tell the ASA to send the traffic received on the VPN interface to the outside interface. A route-map would solve this problem but it does not support it.

omar.elmohri Mon, 04/13/2009 - 09:51

It's not a problem my friend. You can still use sub-interfaces to create more than one interface on a single physical interface.

If you have a more detailed schema or configuration file, I can explain to you in more detail how you can do it.



smailmilak83 Mon, 04/13/2009 - 11:17

I will do it tomorrow at work.

But I don't understand what I will get using sub-interfaces on ASA.

Please explain if it is not a problem.

Thank you in advance.

smailmilak83 Tue, 04/14/2009 - 05:29


I made a topology. I hope it explains a little bit better what I want to do.

With a route-map on the ASA my problem would be solved, but unfortunately it does not support it.

omar.elmohri Wed, 04/15/2009 - 02:34


I think that you have the right configuration on the router, as you are using the route-map to redirect traffic to the Internet, and traffic from remote to the ASA.

Now the sub-interface connected to the ASA with the private OSPF address should have a security level higher than 0 (called remote), and the one connected with the public IP address needs to have security level 0 (called outside).

Now on the ASA you need to do NATting from (remote) to (outside). This way you will receive traffic going to the Internet from the ASA on the outside interface, and the router will reroute it for the second time, now through the Internet.

And now, is it clear? If not, please tell me where you have difficulties.
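A configuration sketch of the design described in this reply: the central router policy-routes only the remote sites' private sources toward the ASA's higher-security interface, the ASA NATs them out of its outside interface back to the router, and the now-public source addresses no longer match the route-map, so they follow the default route instead of looping. This is an added example, not configuration from anyone in this thread; all addresses, interface names, ACL names and the 10.0.0.0/8 remote range are assumed, the NAT lines use the pre-8.3 nat/global syntax current at the time, and the cut-through proxy lines at the end cover the original poster's web-authentication goal.

```cisco
! ===== Central router (IOS), assumed addressing =====
! Fa0/0 192.168.100.1 <-> ASA "remote"  192.168.100.2 (private link)
! Fa0/1 203.0.113.1   <-> ASA "outside" 203.0.113.2   (public link)
! Only private remote-site sources are policy-routed to the ASA. Traffic
! coming back from the ASA carries a public (NATted) source, so it misses
! this ACL, follows the default route to the ISP, and no PBR loop occurs.
ip access-list extended REMOTE-TO-INTERNET
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 any
!
route-map TO-ASA permit 10
 match ip address REMOTE-TO-INTERNET
 set ip next-hop 192.168.100.2
!
interface Tunnel0
 ip policy route-map TO-ASA
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! ===== ASA (8.0/8.2-era nat/global syntax), assumed addressing =====
interface Ethernet0/1
 nameif remote
 security-level 50
 ip address 192.168.100.2 255.255.255.0
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Internet-bound traffic goes back to the router over the public link;
! remote-site subnets are reached via the private link (or learned by OSPF).
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route remote 10.0.0.0 255.0.0.0 192.168.100.1
!
! PAT every remote-site source to the outside interface address.
global (outside) 1 interface
nat (remote) 1 10.0.0.0 255.0.0.0
!
! Cut-through proxy: require authentication for HTTP from the remote sites
! (LOCAL user database assumed; a RADIUS/TACACS+ server group works the same).
access-list WEB-AUTH extended permit tcp 10.0.0.0 255.0.0.0 any eq www
aaa authentication match WEB-AUTH remote LOCAL
```

On the ASA, `show xlate` and `show conn` list the translations and connections being built, and on the router `debug ip policy` should then report only the remote private sources as policy-routed.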



smailmilak83 Wed, 04/15/2009 - 02:51

Thank you for your response. I will give you the conf. of the ASA (I deleted some parts that are not necessary)

I usually configure routers, I don't have much experience with ASA firewalls.

Should I now split the Ethernet0/1 interface into two subinterfaces?

omar.elmohri Wed, 04/15/2009 - 03:11


I see that you have no need to make sub-interfaces, as the router is connected on Fa0/0 and Fa0/1.

I think that your configuration is OK. Did you try it just now?

Try to debug the routing on the ASA and also NAT translations.



smailmilak83 Wed, 04/15/2009 - 04:09

Well, I tried to debug NAT on the ASA but there is no such command or anything similar. Can you give any advice?

omar.elmohri Wed, 04/15/2009 - 06:29

Are you using ASDM?

You can use it over HTTPS; it will allow you to do better debugging and configuration.

