Cisco Support Community

3560 IP Services Enhanced PBR ASA5512 2 ISP's


I'm hoping someone can help me with some configuration assistance. I'd like to see if the proposed scenario is possible. We have a customer who would like to phase out their SonicWall firewall with an ASA5512. They currently have 2 ISPs, a standard T1 for their servers and FiOS which is used for some server NATs and internet access for client workstations. I've seen this question asked many times but the config I'm going to propose is slightly different. Before getting into the details I'd like to point out I began configuring this and ran into a ton of strange occurrences with PBR on the 3560: ACLs which weren't being matched, some VLANs matching the policies and others not. I'm used to PBR being flaky and applied/unapplied/reapplied many times to no avail.


The internal networks are something like:

vlan 1          mainly servers, some workstations
vlan 2          workstations, a couple servers
vlan 3          workstations
vlan 4          workstations

The ASA would be and is the default route on the 3560.

Int Gig0/0 nameif T1 directly connected neighbor

Int Gig0/0 nameif FiOS directly connected neighbor

There are NATs setup for servers on both interfaces. The default route on the ASA is


Since the default route would lead out the T1, I need PBR to send specific devices through the FiOS connection. Could I configure something like this on the 3560 and have the routing table consulted to locate the PBR next-hop?


ip route

access-list 101 deny ip host
access-list 101 deny ip host
access-list 101 deny ip host
access-list 101 permit ip any any

access-list 101 permit ip

route-map PBR permit 10
 match ip address 101
 set ip next-hop


So essentially, I'd deny servers so they continue to follow the path out the T1. Local traffic would be denied just in case, and then permit any so all other internal traffic destined for the internet would change gateways. Please note the main purpose of this question is the fact I'm using the directly connected neighbor on the ASA. So the path in my head would look like...

ingress interface VLAN 1

ip policy route-map PBR

matches policy, changes next hop to

3560 does not have a connected neighbor, static route points to

packet sent to ASA destined for, the ASA has a directly connected interface and forwards the traffic out the appropriate interface
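To sanity-check the forwarding logic the post describes (a `deny` in a PBR ACL means "route normally", not "drop", and the PBR next-hop is itself resolved through the static table), here is an added Python model that is not part of the original post or any Cisco code. All addresses are constructed RFC 5737/1918 placeholders since the post elides its real ones, and it assumes the 3560 does recurse to a non-connected next-hop, which is exactly the open question of the post.

```python
import ipaddress

# Constructed sample addressing (the original post elides the real addresses).
ASA_INSIDE = "10.0.1.1"      # ASA inside interface, default gateway of the 3560
FIOS_GW = "203.0.113.1"      # ASA's FiOS neighbor, NOT directly connected to the 3560
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "10.0.2.0/24")]

# 3560 static table: (prefix, next_hop). The /32 lets the PBR next-hop resolve via the ASA.
STATIC_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), ASA_INSIDE),
    (ipaddress.ip_network(FIOS_GW + "/32"), ASA_INSIDE),
]

# access-list 101, evaluated top-down: (action, source, destination)
ACL_101 = [
    ("deny", "10.0.1.10/32", "0.0.0.0/0"),     # server: keep default route out the T1
    ("deny", "10.0.0.0/16", "10.0.0.0/16"),    # local traffic: never policy-route it
    ("permit", "0.0.0.0/0", "0.0.0.0/0"),      # everything else: steer to FiOS
]

def acl_action(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    for action, s, d in acl:
        if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
            return action
    return "deny"

def lookup(dst):
    """Longest-prefix match: connected VLANs first, then the static table."""
    if any(dst in net for net in LOCAL_NETS):
        return "connected"
    best = max((r for r in STATIC_ROUTES if dst in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None

def forward(src, dst):
    """Return (path, first_hop) for a packet entering the policy-routed VLAN."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl_action(ACL_101, src, dst) == "permit":
        # 'set ip next-hop' to the FiOS gateway; the 3560 resolves it recursively (assumption)
        return ("pbr-fios", lookup(ipaddress.ip_address(FIOS_GW)))
    # ACL deny inside a route-map = fall through to normal destination-based routing
    return ("normal", lookup(dst))
```

Both the server and the workstation hand the packet to the ASA inside interface; the difference is which ASA egress interface the chosen next-hop implies, so a deny entry never blackholes traffic.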
