Router, ASA, PBR

Unanswered Question
Sep 7th, 2010

   WAN1         WAN2
    1.1          2.1
     |            |
    1.2          2.2
     ------|------
         2900
           |
          ASA
           |
          LAN

I have WAN1 (1.1.1.1) and WAN2 (2.2.2.1) coming into a 2900, which is then connected to an ASA and to our LAN.  The LAN has an Exchange server, and we want all Exchange related traffic to go out WAN2, while having all other user traffic going out WAN1.

I understand this can be done via PBR, and I've been reading up on it.  My question comes in with the ASA.  Will the ASA know anything about the PBR that's taking place?  Or will all traffic just be routed through to the Router and the PBR be applied to the incoming interface on the LAN side?

access-list 101 permit ip any any
route-map GENERAL permit 10
 match ip address 101
 set ip next-hop 1.1.1.2
! a port match needs a tcp (not ip) entry
access-list 102 permit tcp any any eq 25
access-list 102 permit tcp any any eq 110
route-map EXCH permit 12
 match ip address 102
 set ip next-hop 2.2.2.2

Is this anything like how it should look?

I guess I should put the EXCH pbr first, else there will be no traffic left for the 102 ACL to tag?

Thanks for any time given!

Jon Marshall Wed, 09/08/2010 - 06:40


Scott

You don't apply the PBR on the LAN side. You need to apply it on the interface of the 2900 that connects to the outside of the ASA. Obviously you need to change the next-hops to be 1.1.1.1 and 2.2.2.2. This way the ASA doesn't even get in the way of the PBR and your access-lists will still work.

One last point. Your PBR config could be simpler, i.e.

On the 2900, set the default route to be 1.1.1.1 so all traffic is routed normally via WAN1, then just have a route-map for the non-default-route traffic. So you don't need access-list 101 in your above example.

Jon
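The simplified layout Jon describes, written out as an added Cisco IOS example for the 2900 (not configuration from either poster). It assumes FastEthernet0/0 is the 2900 port facing the ASA outside (Scott's "fe0"), takes the upstream addresses from the diagram (1.1.1.1 on WAN1, 2.2.2.1 on WAN2), and uses a placeholder for the Exchange server's NATed address, which the thread does not give.

```cisco
! Added example, not from the thread: PBR on the 2900 with a plain default route
! and one route-map for the Exchange exception only.
! Assumed: Fa0/0 faces the ASA outside; upstream addresses per the diagram.
!
! 1. Normal routing first: everything leaves via WAN1, so the catch-all
!    access-list 101 / route-map GENERAL from the question is not needed.
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
! 2. Only the Exchange flows need an exception. A port match requires tcp,
!    not ip. The router sees the post-NAT source (the ASA has already
!    translated it), so match on the Exchange server's public address
!    rather than "any": otherwise every host's SMTP/POP3 session would be
!    policy-routed out WAN2 too.
ip access-list extended EXCH-OUT
 permit tcp host <EXCHANGE-PUBLIC-IP> any eq smtp
 permit tcp host <EXCHANGE-PUBLIC-IP> any eq pop3
!
! 3. Matched packets go to the WAN2 upstream; anything the ACL does not
!    match falls through to the routing table (the default route above),
!    so no deny entry and no second route-map sequence are required.
route-map EXCH permit 10
 match ip address EXCH-OUT
 set ip next-hop 2.2.2.1
!
! 4. Apply it inbound on the interface that receives packets from the ASA's
!    outside, not on the LAN side. The ASA is unaware of the policy routing.
interface FastEthernet0/0
 description To ASA outside
 ip policy route-map EXCH
!
! Check: the match counters on the route-map entry should increase only
! when Exchange traffic is being policy-routed.
! show route-map EXCH
! show ip policy
```

Return traffic for the Exchange flows will arrive on WAN2, so the ASA's inbound access-list and NAT must accept the Exchange server on the WAN2 address as well as WAN1.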

scott.bridges Thu, 09/09/2010 - 20:15

Thanks for the reply, Jon.  Very helpful.

I just threw up a mock config in notepad with the changes you suggested.  Does it look like it'll work?  (attached)

I'm hoping the ASA inside and Router fe0 is how to do it correctly.

If so, then I can just do:

access-list incoming extended permit tcp any host 1.1.1.2 eq 25
access-list incoming extended permit tcp any host 2.2.2.2 eq 25
access-group incoming in interface outside
static (inside,outside) tcp 2.2.2.2 25 192.168.1.5 25 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 25 192.168.1.5 25 netmask 255.255.255.255

I know I'm pointing both Static IP's to the same internal, but I'm hoping to implement failover once I get the PBR config figured out.

Thanks again, Jon!
