1343 Views · 5 Helpful · 10 Replies

[Configuration help] Policy Based Routing

mis_dept1 (Level 1)

Hello Community,

 

Here's the scenario:

Recently, we have subscribed to a second internet line from a different ISP on top of our existing line.

Let's name them ISP1 (existing) and ISP2 (new).

Problem:

Now, I am being tasked to do policy based routing.

E.g.: HR and IT dept, when accessing http/https, are to go through ISP2.

And so, I googled and it led me to PBR:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/configuration/general/asa-general-cli/route-policy-based.html

What I have done:

ciscoasa(config)# access-list testacl permit ip 172.16.0.0 255.255.0.0
ciscoasa(config)# route-map testmap permit 1
ciscoasa(config-route-map)# match ip address testacl
ciscoasa(config-route-map)# set ip default next-hop <ISP2 Router LAN IP>

ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-route-map)#

I am stuck.. :(

Is there anyone out there who has the same scenario as myself? Would appreciate it if anyone could guide me, please.

Thank you very much.

10 Replies

Mark Malone (VIP Alumni)

Hi. Do you get the same results if you use just set ip next-hop, without default?

For what you're trying to do, you also need to tweak that ACL; as written it will send all traffic to the next hop, not just http/https.

You need to add eq 80 and eq 443 at the end so only that type of traffic goes to ISP2.

It would help if the original poster would tell us what version of code is running on this ASA. Note that support for PBR was added in 9.4 and anything earlier would not support the set command in the route map.

 

HTH

Rick

This is my ASA version from show run:

ASA Version 9.3(1)

Does that mean that PBR is not supported in 9.3(1)?

Do I need to upgrade my ASA to 9.4 in order to use the PBR feature?

I believe that the answer is that yes PBR is not supported in 9.3(1) and that you do need to upgrade to at least 9.4 to use the PBR feature.

 

HTH

Rick

Alright, thank you. I'll post if I need help again (once I upgrade to 9.4).

 

mis_dept1 (Level 1)

Okay, I have upgraded my ASA to 9.4(1) and my ASDM to 7.4(3).

For a start, I would like to test PBR for my IP 192.168.1.111.

Requirements: for http/https traffic, only my IP will be routed to ISP2 instead of ISP1. These are my commands:

1. ciscoasa(config)# access-list testacl permit ip 192.168.1.111 255.255.255.255 (what should I put as the destination? Do I put "any" here?)

2. Next, I will create a route map:

ciscoasa(config)# route-map testmap permit 10
ciscoasa(config-route-map)# match ip address testacl
ciscoasa(config-route-map)# set ip default next-hop <is this the ISP2 router's LAN IP?>

3. Do I need to set DF or DSCP?

4. Set the ISP2 outside interface to bind to the route map:

interface physical_interface

ciscoasa(config)# interface GigabitEthernet0/4
ciscoasa(config-if)# policy-route route-map testmap

I tried the commands above, but when I google "What is my IP address" I still see the IP address from ISP1.

So, what am I doing wrong?

I would run debug ip policy to see what's happening when you come from the source IP that's supposed to be matched. You can use a standard ACL in PBR as well, if you don't need to use an extended one.

Also, running a traceroute is a better way to see whether, when it hits the interface where the policy is set, it gets redirected.

As well, some routers, depending on IOS hardware, use fast-switched instead of process-switched PBR. Process-switched PBR does not support certain set commands such as set ip default next-hop, but it does support set ip next-hop. Not sure if it's the same for ASAs, but you could try both.

I have several comments about this:

- Note that this is being done on an ASA and not on an IOS router. So fast switching/process switching/CEF switching is not an issue here.

- There are several problems in the proposed logic for PBR:

  - The proposed ACL is permitting ip, but the suggested requirement was to forward http/https. So the ACL needs to be extended and should permit tcp eq 80 and tcp eq 443. Permitting any destination probably makes sense.

  - In the route map I would suggest set ip next-hop rather than set ip default next-hop (though it may work with either of these alternatives, I think that set ip next-hop is more sure to affect the traffic). And the address specified would be the IP address of the ISP router that connects to you, and probably not its LAN IP.

  - Setting DF or DSCP is optional, and I would suggest that you not bother with these options. It should work OK without either.

  - The policy is set on the interface where the traffic arrives (your inside interface) and not on the interface connecting to the ISP.

Fix these issues and let us know if it works better.

HTH

Rick

Spot on! After setting the policy on my inside interface (it was on my outside interface previously), my PBR works!

I have also changed from default next-hop to next-hop. (Both ways work.)

I'll have more questions, but I'll start another thread on them.

Thank you very much!

 

Thanks for the update. Yes it is an important part of PBR (and one that new users frequently miss) that the route map is applied on the interface where the traffic arrives and not on the outbound interface. Here is the way that I think about it and keep straight which interface to use. If we apply the route map to the inbound interface then the route map evaluates the traffic before we make a routing decision and we are able to apply policy to the routing decision. If we were to apply the route map to the outbound interface then the route map could evaluate the traffic only after the routing decision has been made (and the outbound interface selected) and that is too late to apply policy to the routing decision.

 

It is good to know that both set ip next-hop and set ip default next-hop work.

 

I hope that you do have more questions and that you will continue to be active in these forums. They are wonderful places to learn more about networking.

 

Congratulations on finding the solution to this problem. I am glad that our suggestions were able to guide you to this solution.

 

HTH

Rick
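Pulling Rick's four corrections (extended ACL limited to tcp/80 and tcp/443, set ip next-hop pointing at the ISP2 router's address on the link to the ASA, no DF/DSCP, route map applied on the inside interface) and his inbound-interface reasoning above into one configuration, as an added example that is not from any post in the thread. Interface names, the 203.0.113.0/30 ISP2 link, the 192.168.1.0/24 inside network and the NAT object are assumptions for illustration; only the host 192.168.1.111 and ASA 9.4(1) come from the thread. The NAT rule and the access-group on the second outside interface are practitioner caveats the thread does not cover.

```cisco
! Added example, not from the original thread. Assumes ASA 9.4(1) or later.
! Assumed addressing: inside 192.168.1.0/24 on Gi0/1, ISP2 link 203.0.113.0/30
! on Gi0/4 with the ISP2 router at 203.0.113.1.
!
! --- What the second post tried (shown as comments; does not meet the requirement) ---
! access-list testacl permit ip 192.168.1.111 255.255.255.255   <- all IP, not just web
! set ip default next-hop <ISP2 Router LAN IP>                  <- wrong address: use the ISP2
!                                                                  router's IP on the link facing the ASA
! interface GigabitEthernet0/4 + policy-route route-map testmap  <- applied on the ISP2 (egress)
!                                                                  interface, after the routing decision
!
! --- Corrected ---
! 1. Match only HTTP/HTTPS from the test host, any destination (extended ACL).
access-list PBR-WEB-ACL extended permit tcp host 192.168.1.111 any eq 80
access-list PBR-WEB-ACL extended permit tcp host 192.168.1.111 any eq 443
!
! 2. Route map: next hop is the ISP2 router's address on the ASA-facing link
!    (assumed 203.0.113.1), which must be directly reachable through outside2.
route-map PBR-WEB-ISP2 permit 10
 match ip address PBR-WEB-ACL
 set ip next-hop 203.0.113.1
!
! 3. Apply the policy where the traffic ARRIVES (inside), so it is evaluated
!    before the routing decision. Not on the ISP2 interface.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 policy-route route-map PBR-WEB-ISP2
!
! 4. ISP2 interface (assumed). Give it the same inbound access-group as the
!    ISP1 outside interface so the new egress path is not a weaker edge.
interface GigabitEthernet0/4
 nameif outside2
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
! 5. NAT for the ISP2 path (assumed twice-NAT rule; the existing
!    (inside,outside) rule for ISP1 is untouched). PBR only chooses the egress
!    interface; without a translation on that interface the host leaves with
!    its private address and ISP2 drops the reply.
object network INSIDE-LAN
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside2) source dynamic INSIDE-LAN interface
```

To verify without a browser, run packet-tracer from the inside interface with a constructed web flow, for example `packet-tracer input inside tcp 192.168.1.111 40000 198.51.100.10 443 detailed`; the output should show the PBR phase selecting outside2 and the NAT phase translating to the outside2 interface address. A second packet-tracer for port 22 from the same host should still egress via the ISP1 outside interface, confirming the ACL scope. Note that the policy-route ACL must not also be bound with access-group; it is a match list, not a filter.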