ASA+PBR trouble

Apr 29th, 2010

I'm currently working with the following topology outside my firewall:

ASA  <------>  Rtr1    <------>  WAN-IPSEC-2
     <------>  Rtr2    <------>  WAN-PUBLIC
     <------>  GW-WAN  <------>  WAN-1
                                 <------>  WAN-2

Let me explain it. The ASA default gateway is GW-WAN, and this router, via Policy-Based Routing, redirects the traffic to Rtr-1, Rtr-2 or two balanced local interfaces (WAN-1, WAN-2). GW-WAN is a 1812 router. Rtr1 and Rtr2 are 877 routers. Rtr1 is used to bypass IPSec site-to-site traffic from our remote sites to the ASA. Rtr2 is used to allow all ingress services (http, https, dns, smtp, ...) and WAN-1 / WAN-2 are used for egress traffic (web navigation, ...).

My trouble is that if a user at any remote IPSec site tries to access any service via the WAN-PUBLIC link, it doesn't work, because the ASA sends the return traffic to Rtr1 according to the PBR policy, but in GW-WAN the policy is only for ESP traffic and the other traffic is denied.

If I analyze the traffic between the ASA and the WAN, I see that the ASA unit sends all traffic to the remote IPSec peer through Rtr1 and not to the default gateway (GW-WAN). Surely I have some problem in the ASA or GW-WAN configuration, but I couldn't find it.

I hope I explained it well...
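As an added illustration (not part of the original post, and not configuration from any of the devices described), the small path model below reproduces the symptom David reports: a request arrives through Rtr2, but the reply to the remote site's address leaves the ASA toward Rtr1 because a more specific route wins over the default route, and that hop only carries ESP. Every address is a constructed RFC 5737 documentation address; the /32 toward the IPsec peer via Rtr1 and the ESP-only restriction on Rtr1 are assumptions made to model what the post describes, not facts taken from the thread. Forwarding is evaluated the way IOS does it: policy entries first, then longest-prefix match in the routing table.

```python
"""Trace a flow and its return through hops that forward by policy (PBR) first and
longest-prefix match second, then report whether the two directions are symmetric.
Addresses, routes and policies below are constructed for illustration only."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ESP = 50   # IP protocol number for ESP
TCP = 6    # IP protocol number for TCP


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    dport: int = 0

    def reverse(self) -> "Flow":
        """The reply direction of this flow."""
        return Flow(self.dst, self.src, self.proto, 0)


@dataclass
class Device:
    name: str
    # PBR entries: (predicate over Flow, next hop), evaluated in order before the RIB.
    policy: list = field(default_factory=list)
    # RIB: prefix -> next hop; the longest matching prefix wins.
    rib: dict = field(default_factory=dict)
    # Protocols this hop forwards at all; None means everything.
    allowed_protos: Optional[set] = None

    def next_hop(self, flow: Flow) -> Optional[str]:
        if self.allowed_protos is not None and flow.proto not in self.allowed_protos:
            return None                      # dropped at this hop
        for match, hop in self.policy:       # policy routing takes precedence
            if match(flow):
                return hop
        dst = ip_address(flow.dst)
        candidates = [n for n in self.rib if dst in ip_network(n)]
        if not candidates:
            return None
        best = max(candidates, key=lambda n: ip_network(n).prefixlen)
        return self.rib[best]


def trace(devices: dict, start: str, flow: Flow, max_hops: int = 8):
    """Follow `flow` from `start`; stop at a terminal (a name with no Device) or a drop."""
    path, current = [start], start
    for _ in range(max_hops):
        dev = devices.get(current)
        if dev is None:                      # reached a WAN cloud or end host
            return path, True
        hop = dev.next_hop(flow)
        if hop is None:
            return path, False
        path.append(hop)
        current = hop
    return path, False


def build_example() -> dict:
    """Constructed model of the topology in the post (RFC 5737 addresses)."""
    peer = "203.0.113.10"                    # remote site's public address, constructed
    return {
        "ASA": Device("ASA", rib={
            "0.0.0.0/0": "GW-WAN",           # default gateway, as stated in the post
            f"{peer}/32": "Rtr1",            # ASSUMPTION: peer reached via Rtr1
            "192.0.2.0/24": "INSIDE",        # constructed range for published services
        }),
        # ASSUMPTION: Rtr1 carries only the IPsec (ESP) traffic
        "Rtr1": Device("Rtr1", rib={"0.0.0.0/0": "WAN-IPSEC-2"}, allowed_protos={ESP}),
        "Rtr2": Device("Rtr2", rib={"0.0.0.0/0": "WAN-PUBLIC", "192.0.2.0/24": "ASA"}),
        "GW-WAN": Device("GW-WAN",
                         policy=[(lambda f: f.proto == ESP, "Rtr1")],  # PBR matches ESP only
                         rib={"0.0.0.0/0": "WAN-1"}),
    }


def diagnose(devices: dict, client: str = "203.0.113.10", service: str = "192.0.2.80") -> dict:
    """Trace a request from the remote site and its reply; flag an asymmetric return path."""
    request = Flow(client, service, TCP, 443)
    fwd_path, fwd_ok = trace(devices, "Rtr2", request)          # ingress via WAN-PUBLIC
    ret_path, ret_ok = trace(devices, "ASA", request.reverse())  # reply leaves the ASA
    expected = [h for h in reversed(fwd_path) if h in devices]   # routers, in reverse
    actual = [h for h in ret_path if h in devices]
    _, esp_ok = trace(devices, "ASA", Flow("192.0.2.1", client, ESP))  # the tunnel itself
    return {"forward": fwd_path, "forward_ok": fwd_ok,
            "return": ret_path, "return_ok": ret_ok,
            "symmetric": actual == expected, "esp_ok": esp_ok}


if __name__ == "__main__":
    for key, value in diagnose(build_example()).items():
        print(f"{key}: {value}")
```

The useful check is the `symmetric` flag: the request enters through Rtr2, but the reply never reaches Rtr2 because the ASA's more specific route to the peer's address wins over the default route and the reply is dropped at the ESP-only hop, while the tunnel traffic itself (`esp_ok`) still works. Comparing `show route` on the ASA against the forward path that the ingress router actually used is the same comparison this model performs.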

spremkumar Thu, 04/29/2010 - 03:12

Hi David

The diagrammatic representation which you have posted in your mail is not giving much clarity about your environment and the problem you are facing.

Can you try posting a clear diagram with IP addressing and the output of show ip route / show route taken from all the devices?
