Policy based routing and Cisco ASA

dhickey
Level 1

Hi all,

I have the following problem..

I have a Cisco 6509 switch which has 4 networks connected to it..

172.20.2.0
172.20.3.0
172.20.4.0
172.20.200.0

The default route is pointed to our ISP's router. We are using NAT for address translation for these ranges. This works great.

I now have a Cisco ASA that I want to deploy. I want the 172.20.200.0 network to go through the ASA to get to the internet. So I have created the following PBR setup..

The IP of the router gateway is 172.20.200.1

The IP of the ASA is 172.20.200.2.

access-list 172 permit ip 172.20.200.0 0.0.0.255 any

route-map pix-172-20-200 permit 10
 match ip address 172
 set ip default next-hop 172.20.200.2

interface vlan 172
 ip address 172.20.200.1 255.255.255.0
 ip policy route-map pix-172-20-200

This policy map is working fine..

Here is where my problem lies...

I have a server at 172.20.200.6 that I need to get to from outside the network (public IP).

I have made the correct configurations on the ASA.

I created a static mapping from 172.20.200.6 to an external address 64.53.55.55 - (not the real ip)

I allowed the correct ports on the ASA through for these addresses. I have about 7 yrs experience with the Pix Os.

The connection is permitted if I watch the debug logs on the ASA, but I can never get connected to the internal system. I am pretty sure it is related to the PBR on the 6509, but I can't think of a way around it. I only want the 172.20.200.0 addresses going through the ASA, but I also need access to other parts of the network from the 172.20.200.0 network.

Thanks

Don Hickey


7 Replies

Who is doing the static NAT for the server - 6509 or ASA?

The ASA is doing the static NAT for the server.

I can fix it by setting the GW of the PCs on the 172.20.200.0 network to the inside interface of the ASA, but then I cannot get to other parts of the internal network.

Thanks

Don

No problem. Just reconfigure the route map on the 6509 as noted below.

Assuming the traffic from the Internet is making it to the Server on the INSIDE and it's just the return traffic failing, the following PBR config on the 6509 should force the traffic not local to your site to go to the ASA's inside interface.

Can you post the whole config from the 6509 after deleting any confidential data.

route-map pix-172-20-200 deny 10
 match ip address 171

route-map pix-172-20-200 permit 20
 match ip address 172
 set ip next-hop 172.20.200.2

access-list 171 permit ip 172.20.200.0 0.0.0.255 172.20.2.0 0.0.1.255
access-list 171 permit ip 172.20.200.0 0.0.0.255 172.20.4.0 0.0.0.255
access-list 172 permit ip 172.20.200.0 0.0.0.255 any

HTH,

Sundar

Here are the relevant parts. I took out the physical interface commands. As you can see I simplified my first question as far as my networks go. They are actually different than my first post. There are a lot of "x"s where I started to change the names, but decided it wasn't that important to mask some things.

I notice in your example the set ip next-hop command. I am using set ip default next-hop instead. I will take a look and see what is going on there.

Thanks

Don

OK. That confirmed my suspicion as to why your PBR didn't work.

There is a difference between using 'set ip next-hop' and 'set ip default next-hop' and that was your problem. Look at the explanation below.

The set ip next-hop and set ip default next-hop are similar commands but have a different order of operations. Configuring the set ip next-hop command causes the system to use policy routing first and then use the routing table. Configuring the set ip default next-hop command causes the system to use the routing table first and then policy route the specified next hop.

The reason why your PBR didn't work is because you had a default route configured on your 6509 and the 'set ip default next-hop' was forcing the traffic to go to that next hop instead of your ASA's inside interface.

Let me know if it helped.

Regards,

Sundar

Ok I will see if I can run out to work and try this today..

After thinking about this, if I need to get to local IP addresses (192.168.1.0 and 192.168.128.0), I might have to change my route map to include those ranges in an ACL, then assign 172.20.200.1 as the gateway to get to those networks, with the last statement being the traffic to be sent out the firewall.

for instance

# Access to one of my local networks
access-list 101 permit ip 172.20.200.0 0.0.0.255 192.168.1.0 0.0.0.255

# Send Internet traffic to ASA/PIX
access-list 172 permit ip 172.20.200.0 0.0.0.255 any

route-map pix-172-20-200 permit 10
 match ip address 101
 set ip next-hop 172.20.200.1

route-map pix-172-20-200 permit 20
 match ip address 172
 set ip next-hop 172.20.200.2

and so on?

I know I need to be in front of my switch to test the change from set ip default next-hop to set ip next-hop...

I want to make sure I can still get to the local networks I need to get to.

I appreciate all your help, and I will test this later on today..

Thanks

Don Hickey

Ok this sort of works...

The light finally came on. The set ip next-hop fixed my problems going through the firewall and I fixed the local networks by denying them in the access-list mentioned in the match statement..

So here is a small part of the ACL for people that might come across this in the future..

access-list 172 remark do not policy route 172.20.200 going to 192.168.1.0
access-list 172 deny ip 172.20.200.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 172 remark Send 172.20.200 traffic through Pix
access-list 172 permit ip 172.20.200.0 0.0.0.255 any

route-map pix-172-20-200 permit 10
 match ip address 172
 set ip next-hop 172.20.200.2

Thanks for all your help!

Don
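The following is an added model, not part of the thread and not Cisco code, that plays out Sundar's order-of-operations explanation and Don's final ACL on the same packets. ACLs, route-maps and the 6509's routing table are plain Python data; the addresses are the ones posted above, 198.51.100.10 is a constructed Internet destination, and the names `wc`, `acl_lookup`, `route_lookup`, `forward` and `decide` are this example's own. The `default_counts` switch is an assumption: set to True it reproduces what the thread reports on the 6509 (the existing default route satisfies the routing-table check, so `set ip default next-hop` never sends traffic to the ASA); set to False it shows the outcome on a platform that does not count a default route as an explicit route.

```python
import ipaddress

# Added model of IOS policy-based routing as this thread describes it; it is
# not Cisco code. ACLs, route-maps and the routing table are plain Python data
# so that 'set ip next-hop' and 'set ip default next-hop' can be compared on
# identical packets. Addresses are the thread's; 198.51.100.10 is a constructed
# Internet destination.

ANY = ipaddress.ip_network("0.0.0.0/0")
ASA_INSIDE = "172.20.200.2"          # ASA inside interface, from the thread


def wc(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into a network (contiguous masks only)."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, bin(mask).count("1")), strict=False)


def acl_lookup(acl, src, dst):
    """First-match evaluation; None is the implicit deny at the end of every ACL."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return None


def route_lookup(table, dst, ignore_default=False):
    """Longest-prefix match; ignore_default treats 0.0.0.0/0 as 'no explicit route'."""
    best = None
    for net, next_hop in table:
        if ignore_default and net.prefixlen == 0:
            continue
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def forward(route_map, acls, table, src, dst, default_counts=True):
    """Next hop for one packet entering the interface that carries 'ip policy'.

    route_map entries are (action, acl_name, set_keyword, next_hop) with
    set_keyword 'next-hop', 'default-next-hop' or None.  default_counts=True
    models what the thread reports on the 6509: with 'set ip default next-hop'
    the switch's existing default route satisfies the routing-table lookup and
    the ASA is never chosen (assumption; platforms differ).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, acl_name, set_kw, hop in route_map:
        if acl_lookup(acls[acl_name], src, dst) != "permit":
            continue                      # ACL deny or no match: try the next sequence
        if action == "deny" or set_kw is None:
            break                         # matched but not policy routed: normal routing
        if set_kw == "next-hop":
            return hop                    # policy first; routing table only as fallback
        via_table = route_lookup(table, dst, ignore_default=not default_counts)
        return via_table if via_table is not None else hop   # table first, then policy
    return route_lookup(table, dst)


ROUTING_TABLE = [                         # what the 6509 knows, per the first post
    (ipaddress.ip_network("0.0.0.0/0"), "isp-router"),
    (ipaddress.ip_network("172.20.2.0/23"), "connected"),
    (ipaddress.ip_network("172.20.4.0/24"), "connected"),
    (ipaddress.ip_network("172.20.200.0/24"), "connected"),
    (ipaddress.ip_network("192.168.1.0/24"), "connected"),
]

SRC = wc("172.20.200.0", "0.0.0.255")
ACLS = {
    "172-first-post": [("permit", SRC, ANY)],
    "171": [("permit", SRC, wc("172.20.2.0", "0.0.1.255")),
            ("permit", SRC, wc("172.20.4.0", "0.0.0.255"))],
    # Don's final ACL 172: exempt the local network, then catch everything else
    "172-final": [("deny", SRC, wc("192.168.1.0", "0.0.0.255")),
                  ("permit", SRC, ANY)],
}

ROUTE_MAPS = {
    "original": [("permit", "172-first-post", "default-next-hop", ASA_INSIDE)],
    "sundar":   [("deny", "171", None, None),
                 ("permit", "172-first-post", "next-hop", ASA_INSIDE)],
    "final":    [("permit", "172-final", "next-hop", ASA_INSIDE)],
}


def decide(map_name, src, dst, default_counts=True):
    """Next hop for a packet from src to dst under one of the thread's route-maps."""
    return forward(ROUTE_MAPS[map_name], ACLS, ROUTING_TABLE, src, dst, default_counts)


if __name__ == "__main__":
    for name in ROUTE_MAPS:
        for dst in ("198.51.100.10", "172.20.3.9", "192.168.1.20", "172.20.4.7"):
            print(f"{name:9} 172.20.200.6 -> {dst:14} via {decide(name, '172.20.200.6', dst)}")
```

Running it shows the three states of the thread side by side: the original route-map sends Internet-bound packets to the ISP router because the default route wins the routing-table check, Sundar's deny sequence and Don's deny ACL entry both return local destinations to normal routing, and `set ip next-hop` hands the rest to the ASA. It also shows the point worth checking on a real box: with only the single deny line Don posted, a packet to 172.20.4.7 still matches `permit ip 172.20.200.0 0.0.0.255 any` and is policy routed to the ASA, so every local destination needs its own deny entry (or an earlier deny sequence in the route-map) before the catch-all permit.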