Cisco ASA Policy-Based Routing


Tue, 01/26/2016 - 11:07
Sep 28th, 2009

We have five network connections; Inside, Outside1, Outside2, Outside3, & DMZ.


Outside1, 2 and 3 are different networks for backup routes. Because Outside1 is now becoming over-utilized, and Outside2 and 3 are not being utilized much at all, we wanted to route traffic based on several aspects: one, the source, and two, the destination port. We also wanted to throttle the bandwidth on outgoing traffic.


Is there Policy Based Routing available on the ASA 5510 as of yet? And if not, are there any plans for it in the near future?


Thanks,

Daniel

Aniket Rodrigues (Cisco Employee) Fri, 10/09/2009 - 22:04

The ASA 5510 does not support PBR. It is very likely that a feature request for PBR has been placed already, but no announcements have been made yet. There is a workaround which lets you send all email and/or web traffic through one ISP and the rest of the traffic through the other. The workaround however does not apply to your requirement.


Thanks

AR

vilaxmi (Cisco Employee) Sun, 11/01/2009 - 13:26

If you want all your web traffic to go over your primary ISP link (x.x.x.x) and mail (SMTP) traffic to go over the backup link (y.y.y.y), then please proceed with the following workaround on the ASA:


route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route backup 0.0.0.0 0.0.0.0 y.y.y.y 2


nat (inside) 1 0 0
global (outside) 1 interface
global (backup) 1 interface


static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
static (backup,inside) tcp 0.0.0.0 smtp 0.0.0.0 smtp netmask 0.0.0.0


HTH


Vijaya

srdjankatic Thu, 11/05/2009 - 05:33

Hi,


I have the same problem with my ASA since there is no PBR. My ASA has two Internet interfaces and one LAN interface. I have the following requirement:


Internet if 01: default route, and backup for Internet if 02

Internet if 02: VPN traffic, but the VPN clients are coming from unknown addresses, from various locations.


My problem is that when the Cisco VPN client initiates a VPN session to if02, the ASA responds through if01, since if01 holds the default route. Is there any way to work around this without waiting for PBR and without using transparent mode? I am desperate since this is a month-old problem.


Any Help is appreciated


Thanks

mwenstro (Cisco Employee) Mon, 04/06/2015 - 13:55

Policy Based Routing is now available in Cisco ASA software version 9.4(1).

See the New Features section in the Release Notes, under Routing Features:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html#pgfId-116518

Policy Based Routing (PBR) is a mechanism by which traffic is routed through specific paths with a specified QoS using ACLs. ACLs let traffic be classified based on the content of the packet’s Layer 3 and Layer 4 headers. This solution lets administrators provide QoS to differentiated traffic, distribute interactive and batch traffic among low-bandwidth, low-cost permanent paths and high-bandwidth, high-cost switched paths, and allows Internet service providers and other organizations to route traffic originating from various sets of users through well-defined Internet connections.
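As an added example (not part of the thread above or of Cisco's release notes), here is roughly what the original poster's requirement looks like once the 9.4(1) PBR feature is available: HTTP/HTTPS from an inside subnet is steered via Outside2, SMTP via Outside3, everything else stays on the default route via Outside1, and outbound SMTP is policed. The interface names (inside, outside1/2/3), the 192.168.10.0/24 inside subnet, the RFC 5737 next-hop addresses and the policing rate are assumptions for illustration; check the exact command syntax against the CLI reference for your release.

```cisco
! --- Assumed addressing (not from the thread) ---
! inside   192.168.10.0/24, ASA is .1
! outside1 primary ISP, next hop 192.0.2.1   (default route)
! outside2 next hop 198.51.100.1             (web traffic)
! outside3 next hop 203.0.113.1              (SMTP traffic)

! The default route stays on outside1; PBR only diverts the flows it matches.
route outside1 0.0.0.0 0.0.0.0 192.0.2.1 1

! PAT behind every ISP interface so whichever egress PBR selects has a
! translation (manual/twice NAT, 8.3+ syntax).
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside1) after-auto source dynamic INSIDE-NET interface
nat (inside,outside2) after-auto source dynamic INSIDE-NET interface
nat (inside,outside3) after-auto source dynamic INSIDE-NET interface

! Classification ACLs match on source network AND destination port, which is
! the split the original question asks for.
access-list PBR-WEB extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list PBR-WEB extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list PBR-SMTP extended permit tcp 192.168.10.0 255.255.255.0 any eq smtp

! Track the alternate next hops so that, when an alternate ISP is down, the
! route-map clause is skipped and traffic falls back to the routing table
! (outside1) instead of being black-holed.
sla monitor 2
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside2
 frequency 10
sla monitor schedule 2 life forever start-time now
track 2 rtr 2 reachability
sla monitor 3
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside3
 frequency 10
sla monitor schedule 3 life forever start-time now
track 3 rtr 3 reachability

! Route-map: the first matching clause wins; unmatched traffic is routed normally.
route-map ISP-SPLIT permit 10
 match ip address PBR-WEB
 set ip next-hop verify-availability 198.51.100.1 1 track 2
route-map ISP-SPLIT permit 20
 match ip address PBR-SMTP
 set ip next-hop verify-availability 203.0.113.1 1 track 3

! PBR is applied on the INGRESS interface of the traffic being steered.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 policy-route route-map ISP-SPLIT

! Outbound throttle for SMTP on outside3 via MPF policing
! (conform rate in bits/s, burst in bytes; values are illustrative).
access-list SMTP-OUT extended permit tcp any any eq smtp
class-map SMTP-CLASS
 match access-list SMTP-OUT
policy-map OUTSIDE3-POLICY
 class SMTP-CLASS
  police output 2000000 37500 conform-action transmit exceed-action drop
service-policy OUTSIDE3-POLICY interface outside3

! Check: the first two traces should end on outside2 and outside3 respectively,
! the DNS query should stay on outside1.
! packet-tracer input inside tcp 192.168.10.20 40000 198.51.100.80 80
! packet-tracer input inside tcp 192.168.10.20 40001 203.0.113.25 25
! packet-tracer input inside udp 192.168.10.20 40002 192.0.2.53 53
```

Two things worth verifying on a real box before relying on this: run packet-tracer for each class and confirm the NAT rule chosen matches the interface PBR selected (a NAT rule that names a different egress interface can conflict with the route-map), and remember that PBR only steers connections initiated from inside; return traffic follows the existing connection state, so the same ISP must carry both directions.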

 

bbiandov Mon, 04/06/2015 - 15:02

Thanks, that's great news mwenstro.

However, how big of a deal is it to upgrade from 8.x to 9.x? Will all hell break loose? Tons of commands unsupported, etc.? Or is there a tool to convert the configuration? Or could it be a utopian simple image replacement and all works?

Michael Papalabrou Thu, 04/16/2015 - 04:13

Depending on your current version, you might need to go via an upgrade path. As always you should check the release notes with each version to find out what has changed. You are able to see the release notes even if you're not entitled to download the software.

Cheers to Cisco for finally making a HUGE step the industry has been waiting for years.

ahalwani Wed, 07/07/2010 - 01:46

I tried your workaround but it didn't work. I think because the AD on the backup link is higher than on the outside link, so the ASA is always choosing the outside path. Am I right?

Aniket Rodrigues (Cisco Employee) Wed, 07/07/2010 - 06:57

Even though the metric is higher on the backup route, the firewall will still use it to route SMTP traffic over that link, since the static NAT [static (backup,inside) ...] is applied to the packets before the routing decision is made. As a result, when the destination matches the static NAT, the firewall will look for a route pointing out of the backup interface, which exists.


Can you paste the output of 'show run static', 'show run route' and 'show route'?


AR

This is helpful, thank you Vijaya. As a newbie operating in ASDM, I think we've figured out the routes. Can you tell me where we do the following in ASDM?


nat (inside) 1 0 0
global (outside) 1 interface
global (backup) 1 interface


static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
static (backup,inside) tcp 0.0.0.0 smtp 0.0.0.0 smtp netmask 0.0.0.0

andyirving Fri, 11/19/2010 - 05:18

Vijaya, your suggestion unfortunately will not work, as the selection of a NAT rule is taken after the internal routing decision. Therefore the use of multiple NAT translations does not influence the way the traffic is forwarded. The route with the lowest metric is always used if eligible.

The only way to do this is with multiple contexts; each one can use a different IP default gateway, and each context can handle traffic from internal sources and direct it out of the separate gateways.

The only other way of doing this is to have an external router connected to the outside of the ASA running PBR; traffic would hit this router and be forwarded out of either interface based on policy.

Aniket Rodrigues (Cisco Employee) Fri, 11/19/2010 - 08:13

Andy, that is not true. While the routing decision is taken first, that holds true only for source NAT. When performing destination NAT, the NAT decides the routed interface. As a result, the packet is sent to the NATted interface for routing and the firewall checks its ASP table to see if a route to the destination exists in the table out that interface. Based on this ASP entry, the packet is routed. Therefore, in this configuration, you are essentially creating and matching a destination NAT rule for all web and SMTP traffic. The static NAT rule then decides the next-hop interface as 'outside' in the first case and 'backup' in the other static. Once these NATted interfaces are selected, the ASP table is checked for routing entries.


HTH,

AR

andyirving Fri, 11/19/2010 - 08:20

Aniket, thanks for that. I was not aware of the destination NAT forwarding flow; that is a neat way of utilising both links, assuming it is split based on a service such as web or email. Not true load sharing, but it will at least utilise both external interfaces. Have Cisco ever expressed a view to add PBR to the ASA feature set?

Dan Jay Mon, 01/09/2012 - 00:04

Has someone already accomplished this on 8.3 or newer ?

Ditmar Tavares Thu, 05/17/2012 - 20:56

Aniket, I believe you are wrong, as I'm having this issue and I have contacted Cisco TAC, and as per Cisco the routing table is checked, so even if we have a static mapping, the traffic will always leave via the default route.

With this configuration you will create asymmetric routing, causing the secondary link not to work.

Aniket Rodrigues (Cisco Employee) Thu, 06/28/2012 - 19:47

Ditmar, pre-8.3 I have tested the PBR workaround for years and had implemented it in several customer networks. There has been an architectural change after 8.3 in how we decide the next-hop interface and whether that process is dependent on NAT. I haven't tested this feature post-8.3. Let me get to that when possible and I will let you know how that goes.

bbiandov Thu, 06/28/2012 - 19:33

OK, so posting opinions at this point is useless. Hard evidence would be useful.

However, there does NOT appear to be a single case where this has been tested successfully.

What does that tell us? IMHO it tells us that the theory of using static as a vehicle to split translation into separate outside interfaces is flawed. That's because even after the translation takes place as a result of the static into the proper public IP, we are back to square zero, which is that the lack of PBR prevents us from properly routing that translated traffic out of the desired Internet connection.

Therefore, unless PBR is implemented in the ASA image, this issue is still open.

Jouni Forss (Super Bronze) Sat, 04/20/2013 - 10:00

Hi,


Cisco doesn't officially have any Policy Based Routing on the ASA in any software as of yet. In the new ASA software versions 8.3+ there is, however, a chance to manipulate the ASA egress interface for specified source addresses and therefore, for example, forward one LAN network's traffic through one ISP while forwarding another LAN's traffic through another ISP.

However, this document isn't the best place to go over such configurations, so please go to the Security/Firewall section of the Cisco Support Community and start a discussion.


https://supportforums.cisco.com/community/netpro/security/firewall?view=discussions


- Jouni
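As an added illustration of the 8.3+ behaviour Jouni refers to (this is not part of his post; subnets, interface names and next hops are assumed), the mapped interface named in a NAT rule can be used to steer one inside subnet out the secondary ISP while the default route stays on the primary. Cisco's NAT documentation describes this as the ASA using the interfaces in the NAT rule to determine the egress interface unless route-lookup is configured; it is NAT-driven egress selection, not real PBR, and it works per source network rather than per destination port.

```cisco
! Assumed: LAN1 192.168.1.0/24 and LAN2 192.168.2.0/24 on "inside",
! primary ISP on "outside", secondary ISP on "backup".
! Both default routes are needed: the ASA still verifies that a route
! exists out the interface the NAT rule selected.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 2

! LAN1: PAT behind "outside" -> follows the primary link.
object network LAN1
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! LAN2: PAT behind "backup". Because the rule names "backup" as the mapped
! interface, new connections from LAN2 are sent out "backup" even though
! the routing table prefers "outside" (AD 1 vs 2).
object network LAN2
 subnet 192.168.2.0 255.255.255.0
 nat (inside,backup) dynamic interface

! Verify on your release; the trace for a LAN2 host should end with
! egress interface "backup", the LAN1 host with "outside":
! packet-tracer input inside tcp 192.168.2.10 40000 203.0.113.10 80
! packet-tracer input inside tcp 192.168.1.10 40000 203.0.113.10 80
! show nat detail
```

If the secondary link fails, LAN2 is not failed over to the primary by this trick (the NAT rule still points at "backup"); pair it with SLA tracking on the backup route and test the failure case before putting it into production.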

bbiandov Sat, 04/20/2013 - 10:09

So are we back in two-ASAs-and-one-cheap-router land? LOL. The cheap router supports regular IOS-based PBR and each ASA does NAT for its corresponding ISP. I guess that could get expensive; each ISP having its own ASA plus the router. Ehh, life.

Jouni Forss (Super Bronze) Sat, 04/20/2013 - 10:17

Hi,


I have personally always left PBR to actual routers, either at customer premises or in our ISP core. I guess the Cisco firewalls were never planned for this functionality. I'd imagine one reason might be that, to my understanding, the PIX wasn't originally even a Cisco product. Then again, one might ask why it wasn't implemented when the ASAs came.

On the other hand, I have been told by Cisco that PBR for the ASA has been in the works. Though I don't have any idea when that would come out.

I have only fooled around with the ASA NAT related to situations that people ask about on the Firewall section of the forums. I never had to use it in a production environment to this day. But I can naturally understand why someone might be forced to try to implement this on an ASA/PIX.


- Jouni
