
PBR on 6509 and Cisco ASA

Hi all,

I have the following problem.

I have a Cisco 6509 switch to which 4 networks are connected:

172.20.2.0
172.20.3.0
172.20.4.0
172.20.200.0

The default route is pointed to our ISP's router. We are using NAT for address translation for these ranges. This works great.

I now have a Cisco ASA that I want to deploy. I want the 172.20.200.0 network to go through the ASA to get to the internet. So I have created the following PBR setup:

The IP of the router gateway is 172.20.200.1

The IP of the ASA is 172.20.200.2.

access-list 172 permit ip 172.20.200.0 0.0.0.255 any

route-map pix-172-20-200 permit 10
 match ip address 172
 set ip default next-hop 172.20.200.2

interface vlan 172
 ip address 172.20.200.1 255.255.255.0
 ip policy route-map pix-172-20-200

This policy map is working fine.

Here is where my problem lies...

I have a server at 172.20.200.6 that I need to get to from outside the network (public IP).

I have made the correct configurations on the ASA.

I created a static mapping from 172.20.200.6 to an external address, 64.53.55.55 (not the real IP).

I allowed the correct ports on the ASA through for these addresses. I have about 7 yrs experience with the PIX OS.

The connection is permitted if I watch the debug logs on the ASA, but I can never get connected to the internal system. I am pretty sure it is related to the PBR on the 6509, but I can't think of a way around it. I only want the 172.20.200.0 addresses going through the ASA, but I also need access to other parts of the network from the 172.20.200.0 network.

Thanks

Don Hickey

1 REPLY

Re: PBR on 6509 and Cisco ASA

Did you apply the static NAT config on the appropriate interface? I mean, is this server connected to the same interface as the other 172.20 networks are connected to?

I think the problem might be with the command "access-list 172 permit ip 172.20.200.0 0.0.0.255 any" in the route map. It is also sending 172.20.200.6 via the configured default next hop. But this alone can't be said to be the reason.

Can you send me the debug log you received? Looking at that, I can get some idea.
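As an added illustration (not code from the original post, from the replier, or from Cisco), the following Python model reproduces the forwarding decision the 6509 makes for packets entering interface vlan 172 under the route-map quoted in the question, and the point made in the reply that access-list 172 also matches 172.20.200.6 as a source. The routing table below is an assumption (only the four connected subnets and the ISP default route are known from the post); the ISP next-hop label and the public destination address 203.0.113.5 are constructed placeholders. It goes one step beyond the post by also modelling the alternative `set ip next-hop`, to show why `set ip default next-hop` is what keeps traffic from the 172.20.200.0 network to the other 172.20 subnets on the normal routed path.

```python
import ipaddress

# Constructed routing table for the 6509. The four /24s are the connected VLAN
# subnets named in the post; the 0.0.0.0/0 entry is the default route towards
# the ISP router ("ISP-ROUTER" is a placeholder label, not a real next hop).
ROUTING_TABLE = [
    (ipaddress.ip_network("172.20.2.0/24"), "connected"),
    (ipaddress.ip_network("172.20.3.0/24"), "connected"),
    (ipaddress.ip_network("172.20.4.0/24"), "connected"),
    (ipaddress.ip_network("172.20.200.0/24"), "connected"),
    (ipaddress.ip_network("0.0.0.0/0"), "ISP-ROUTER"),
]

ASA_NEXT_HOP = "172.20.200.2"   # set ip default next-hop 172.20.200.2


def acl_172_matches(src, dst):
    """access-list 172 permit ip 172.20.200.0 0.0.0.255 any

    Wildcard 0.0.0.255 covers the whole /24, so every host in 172.20.200.0/24
    (including the server 172.20.200.6) matches, whatever the destination.
    """
    return ipaddress.ip_address(src) in ipaddress.ip_network("172.20.200.0/24")


def lookup(dst):
    """Longest-prefix match over ROUTING_TABLE; returns (network, next_hop)."""
    best = None
    for net, nh in ROUTING_TABLE:
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def forward(src, dst, policy="default next-hop"):
    """Next hop the 6509 uses for a packet entering vlan 172.

    policy="default next-hop" models `set ip default next-hop`: the route-map
    is consulted only when the routing table has no explicit route for dst,
    i.e. only the default route matched.
    policy="next-hop" models `set ip next-hop`: the route-map wins before the
    routing table is consulted at all.
    """
    net, nh = lookup(dst)
    if acl_172_matches(src, dst):
        if policy == "next-hop":
            return ASA_NEXT_HOP
        if policy == "default next-hop" and net.prefixlen == 0:
            return ASA_NEXT_HOP
    return nh


def scenario_table():
    """The four cases that matter for the thread, keyed by a short label."""
    server, internet, other_lan = "172.20.200.6", "203.0.113.5", "172.20.3.10"
    return {
        # server replying to an internet client: no explicit route, so PBR sends it to the ASA
        "server->internet": forward(server, internet),
        # server talking to another internal subnet: explicit connected route wins
        "server->other lan": forward(server, other_lan),
        # a host outside 172.20.200.0/24 is not matched by the ACL and keeps using the ISP router
        "other lan->internet": forward(other_lan, internet),
        # with plain `set ip next-hop`, even internal traffic would be diverted to the ASA
        "server->other lan (set ip next-hop)": forward(server, other_lan, policy="next-hop"),
    }


if __name__ == "__main__":
    for label, nh in scenario_table().items():
        print(f"{label:40s} -> {nh}")
```

Run as a script it prints one line per case; the two "server->other lan" rows differ only in the `set` verb used, which is the difference the original poster relied on when wanting 172.20.200.0 hosts to reach both the internet via the ASA and the rest of the 172.20 network directly.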
