Policy-based routing

smailmilak
Level 4

Hi,

I have a question. I want the users on remote sites to authenticate on the ASA when they want to surf the web.

To accomplish this they have to go through the central router, then through the ASA to authenticate (the ASA is doing NAT too), then back to the central router and then to the Internet.

Right now they are using a proxy that should be disconnected soon.

I tried with route-maps; the packet came to the ASA and then back to the central router, but then I got a loop error (debug ip policy).

Here is a picture.

Giuseppe Larosa
Hall of Fame

Hello Smail,

You need another L3 link between the ASA and the router; probably the router sees the PBR traffic coming back on the same interface and thinks it is a loop.

Hope to help

Giuseppe

The ASA is doing NAT, so the traffic will come back with a public IP.

I know now why it detected a loop. I tested it with GNS and I had no NAT configured. Going to try it now.

But I don't know how the traffic will come back.

Hello,

First, the NAT will use a public address, which means that you can use PBR based on the remote source IP addresses.

But you need to know that only one connection to the ASA means that you are connected to the outside, which is not possible! You need, as Giuseppe says, two connections to the ASA: one to the inside or DMZ to send arriving packets, and an outside to send back the NATted packets.

If you don't have more than one possible physical connection, you may use sub-interfaces on both the router and the ASA.

Hope that can help.

Regards,

Omar

There are two interfaces on the ASA that are connected to the central router.

One has a public IP and one a private IP (OSPF routing is enabled on that one).

I forgot that when I made a lab with GNS.

I'm going to try it again later; GNS does not work well on my laptop.

So do you guys have any tips on how to solve this one without a lot of complications in the configuration?

There is no complication.

On the router, you have two streams:

- Remote -> router (managed with PBR and route-maps)

- Local (ASA) -> Internet (managed with the default route)

If you need more information, you have only to ask.

Regards,

Omar

Hi,

The remote router sends the request to the central router and it obviously sends it to the ASA. I've put a route-map on the LAN interface of the remote router and a route-map on the tunnel interface of the central router. With "debug ip policy" I get the info that it is policy routed to the next hop (ASA), but it seems that it doesn't reach the ASA.

I used traceroute on my laptop and I only get a response from my LAN interface and the tunnel interface on the central router.

I tested it on GNS, where I used a router as the ASA. I used a route-map on this router too and this configuration worked flawlessly.

I tried to configure a route-map on the ASA, but there are no set ip next-hop or set interface statements.

Right, the ASA doesn't do any PBR like a router. You need to connect to a DMZ and not to the outside.

On the ASA you need only a NAT from DMZ to outside.

Any comment ?

Regards,

Omar

I have only 3 interfaces on the ASA.

LAN, Internet (connected to the central router) and one "for VPN" (connected to the central router with a private IP).

I don't know what to do now, I don't have any ideas.

I have no idea how to tell the ASA to send the traffic received on the VPN interface to the outside interface. A route-map would solve this problem, but it does not support it.

It's not a problem, my friend. You can still use sub-interfaces to create more than one interface on a single physical interface.

If you have a more detailed schema or configuration file, I can explain to you in more detail how you can do it.

Regards,

Omar

I will do it tomorrow at work.

But I don't understand what I will get by using sub-interfaces on the ASA.

Please explain, if it is not a problem.

Thank you in advance.

Hello,

I made a topology. I hope it explains a little bit better what I want to do.

With a route-map on the ASA my problem would be solved, but unfortunately it does not support it.

Hello,

I think that you have the right configuration on the router, as you are using the route-map to redirect traffic to the Internet, and traffic from remote to the ASA.

Now the sub-interface connected to the ASA with the private OSPF address should have a security level higher than 0 (called remote), and the one connected with the public IP address needs to have security level 0 (called outside).

Now on the ASA you need to do NATting from (remote) to (outside). This way you will receive traffic going to the Internet from the ASA on the outside interface, and the router will reroute it for the second time, now through the Internet.

And now, is it clear? If not, please tell me where you have difficulties.

Regards,

Omar
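The two-stream design from Omar's earlier reply (PBR for remote -> ASA, the default route for ASA -> Internet) and the remote/outside split with NAT from the reply above, written out as an added configuration example. This is not configuration posted in the thread. The interface names, VLAN IDs and all addresses are assumptions: 10.10.0.0/16 for the remote LAN, 192.168.100.0/30 for the private router-ASA link, 203.0.113.0/29 for the public router-ASA link, 198.51.100.1 as the ISP next hop, and the ASA's LOCAL user database for the authentication step the original question asks for.

```cisco
!!! Central router (IOS) -- assumed names and addresses
!
! Only the private remote-site sources are policy-routed. The NATted
! packets coming back from the ASA carry a public source, so they never
! match this ACL (and never enter Tunnel0), which is what breaks the loop.
ip access-list extended REMOTE-WEB
 permit ip 10.10.0.0 0.0.255.255 any
!
route-map TO-ASA permit 10
 match ip address REMOTE-WEB
 set ip next-hop 192.168.100.2
!
! Stream 1: remote -> router, handed to the ASA "remote" side by PBR.
interface Tunnel0
 description Tunnel from the remote site
 ip policy route-map TO-ASA
!
! Private link to the ASA (the OSPF-enabled one on the page).
interface GigabitEthernet0/0.10
 description ASA remote (private) side
 encapsulation dot1Q 10
 ip address 192.168.100.1 255.255.255.252
!
! Public link from the ASA outside interface. No "ip policy" here:
! Stream 2 (ASA -> Internet) just follows the default route.
interface GigabitEthernet0/0.20
 description ASA outside (public) side
 encapsulation dot1Q 20
 ip address 203.0.113.1 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
!!! ASA -- the Ethernet0/1 towards the router split into two sub-interfaces
!
interface Ethernet0/1.10
 vlan 10
 nameif remote
 security-level 50
 ip address 192.168.100.2 255.255.255.252
!
interface Ethernet0/1.20
 vlan 20
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! Return path for the remote LAN (OSPF on the remote interface could
! supply this route instead of a static entry).
route remote 10.10.0.0 255.255.0.0 192.168.100.1
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! NAT remote -> outside, hiding the remote LAN behind the outside address.
object network REMOTE-LAN
 subnet 10.10.0.0 255.255.0.0
 nat (remote,outside) dynamic interface
!
! Cut-through proxy: remote web users must authenticate on the ASA
! before their HTTP sessions are forwarded (LOCAL database is an assumption).
access-list AUTH-WEB extended permit tcp 10.10.0.0 255.255.0.0 any eq www
aaa authentication match AUTH-WEB remote LOCAL
```

The loop the original poster saw disappears for two independent reasons: the route-map is only applied to packets entering Tunnel0, and its ACL only matches the private remote sources, so a packet returning from the ASA with a public source on the VLAN 20 sub-interface is routed normally. On the router, `show route-map TO-ASA` shows the policy match counters and `debug ip policy` confirms which packets were policy routed; on the ASA, `show xlate` and `show conn` show the translation and the connection being built from remote to outside.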

Thank you for your response. I will give you the conf. of the ASA (I deleted some parts that are not necessary).

I usually configure routers; I don't have much experience with ASA firewalls.

Should I now split the Ethernet0/1 interface into two subinterfaces?
