Cisco Support Community

New Member

Policy routing on ASA firewalls

Sorry if this has been asked before but I couldn't find any conclusions on this:

Can an ASA firewall running the latest firmware ever implement policy routing, say like forcing web traffic out interface 1 and all other traffic out interface 2, similar to a regular Cisco router with

ip policy route-map


Thanks in advance.


Re: Policy routing on ASA firewalls

Firewalls don't have the capability to do PBR. There are other ways to get similar results depending on your setup.

If you're not doing any VPNs, dynamic routing, or multicast you could do multiple contexts. This makes the ASA into 2 or more separate firewalls. You could then do PBR with a router or L3 switch prior to the firewall that sends traffic for the Internet to one context and the rest to the other.

If you're doing NAT you could use ACLs to control which traffic to NAT to the corresponding outside interface. However, your routes (static, OSPF, RIP) must then send the traffic to the correct interface. You also need to make sure that traffic returns to the interface it was sent from or the connection won't get built. See Policy NAT.

Hope this helps! Please rate if it does!
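The multiple-context approach from the reply above, written out as an added configuration example (this is not config posted by the author, just an illustration of the layout described). The addressing, interface names, context names and file names are all assumptions chosen for the example: an upstream IOS router/L3 switch uses ip policy route-map to steer HTTP/HTTPS toward the inside address of one ASA context, its default route sends everything else to a second context, and the ASA system execution space allocates a separate inside and outside interface to each context so each one behaves as its own firewall with its own routes.

```cisco
! ===== Upstream router or L3 switch (IOS), in front of the ASA =====
! Constructed addressing: LAN users 10.1.0.0/16, context inside
! addresses 192.168.1.1 (WEB) and 192.168.2.1 (GENERAL).
ip access-list extended WEB-TRAFFIC
 permit tcp 10.1.0.0 0.0.255.255 any eq 80
 permit tcp 10.1.0.0 0.0.255.255 any eq 443
!
! Only web traffic is policy-routed; there is no second clause, so
! non-matching packets fall through to the normal routing table.
route-map PBR-WEB permit 10
 match ip address WEB-TRAFFIC
 set ip next-hop 192.168.1.1
!
! Everything else follows the default route to the GENERAL context.
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
interface Vlan10
 description LAN users (constructed)
 ip address 10.1.10.1 255.255.255.0
 ip policy route-map PBR-WEB
!
! ===== ASA system execution space (multiple mode) =====
! mode multiple reboots the unit and converts the running config;
! the admin context is required before other contexts can be added.
mode multiple
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
! Each context gets its own inside and outside interface, so the
! routing decision for "web vs. everything else" is made upstream and
! each context only ever sees (and builds connections for) its own flows.
context WEB
 allocate-interface GigabitEthernet0/0.10 inside
 allocate-interface GigabitEthernet0/1 outside
 config-url disk0:/web.cfg
!
context GENERAL
 allocate-interface GigabitEthernet0/0.20 inside
 allocate-interface GigabitEthernet0/2 outside
 config-url disk0:/general.cfg
!
! ===== Inside context WEB (disk0:/web.cfg), constructed =====
! The mapped names from allocate-interface are used as interface IDs.
interface inside
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Return route for the LAN behind the upstream router, plus a default
! route to ISP 1 (203.0.113.1 assumed). Return traffic for web sessions
! arrives on this context's outside and is matched against its own
! connection table, which is why the two directions must stay in the
! same context.
route inside 10.1.0.0 255.255.0.0 192.168.1.2
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! The GENERAL context (general.cfg) is laid out the same way with
! 192.168.2.1 on its inside and its own outside/default route to ISP 2.
```

The caveat from the reply applies unchanged: because the split is done by a router in front of the ASA, the contexts cannot share VPN, dynamic routing or multicast state, and a flow must enter and leave through the same context or the firewall never builds the connection.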



New Member

Re: Policy routing on ASA firewalls

Actually other firewalls (like Fortinet) do have the ability to do PBR; it's a pity that Cisco's ASA doesn't.

Do you know if it supports ICMP redirects now as well, i.e. if you point to the ASA as your default gateway and the ASA knows that the next hop should be a different router on your LAN, it sends an ICMP redirect to you to inform you of the correct next hop? In the PIX 6.x and 7.0 I could never get that going, so I'm wondering whether they have got it going for ASA 7.2?

Thanks again.


Re: Policy routing on ASA firewalls

Sorry, I meant Cisco Firewalls not all firewalls.

In 6.x code it would not be possible because you can't send traffic back out the same int it came in on.

7.x code has a new command to allow traffic to go out the interface it came in on:

same-security-traffic permit intra-interface

I think (never tried it) ICMP redirects will work if you use this command and the firewall is the default gateway for the client. Which kind of limits the use, since other than small businesses most people have more than 1 subnet, so the firewall can't be the default. Catch 22!