
ASA+PBR trouble

david_farre
Level 1

Hi,

Actually, I'm working with the following topology outside my firewall:

ASA         <------>    Rtr1    <------> WAN-IPSEC-2

                <------>    Rtr2    <------> WAN-PUBLIC 

                <------>    GW-WAN        <------> WAN-1

                                                     <------> WAN-2

Let me explain. The ASA default gateway is GW-WAN, and this router redirects the traffic via Policy-Based Routing to Rtr-1, Rtr-2 or two balanced local interfaces (WAN-1, WAN-2). GW-WAN is an 1812 router. Rtr1 and Rtr2 are 877 routers. Rtr1 is used to bypass IPSec site-to-site traffic from our remote sites to the ASA. Rtr2 is used to allow all ingress services (http, https, dns, smtp,...) and WAN-1 / WAN-2 is used for egress traffic (web navigation,...).

My trouble is that if a user at any remote IPSec site tries to access any remote service via the WAN-PUBLIC link, it doesn't work, because the ASA redirects the return path to Rtr1 according to the PBR policy, but in GW-WAN the policy is only for the ESP traffic and the other traffic is denied.

If I analyze the traffic between the ASA and the WAN, I see that the ASA unit sends all traffic to the remote IPSec peer through Rtr1 and not to the default gateway (GW-WAN). Surely I have some problem in the ASA or GW-WAN configuration, but I couldn't find it.

I hope that I explained it well...

Regards,

David.


spremkumar
Level 9

Hi David

The diagrammatic representation which you have posted in your mail is not giving much clarity about your environment and the problem you are facing.

Can you try posting a clear diagram with IP addressing and the output of show ip route / show route taken from all the devices?

Regards

Hi,

Sorry, I attach the network diagram.

David.
