Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
467
Views
0
Helpful
1
Replies

PBR on 6509 and Cisco ASA

dhickey
Level 1
Level 1

‎03-10-2006 01:26 PM - edited ‎02-21-2020 12:45 AM

Hi all,

I have the following problem..

I have a cisco 6509 switch which 4 networks are connected to it..

172.20.2.0

172.20.3.0

172.20.4.0

172.20.200.0

the default routed is pointed to our ISP's router. We are using NAT for address translation for these ranges.This works great

I now have a Cisco ASA that I want to deploy. I want the 172.20.200.0 network to go through the ASA to get to the internet. So I have created the following PBR setup..

The IP of the router gateway is 172.20.200.1

The IP of the ASA is 172.20.200.2.

access-list 172 permit ip 172.20.200.0 0.0.0.255 any

route-map pix-172-20-200 permit 10

match ip address 172

set ip default next-hop 172.20.200.2

interface vlan 172

ip address 172.20.200.1 255.255.255.0

ip policy route-map pix-172-20-200

This policy map is working fine..

Here is why my problem lies...

I have a server at 172.20.200.6 that I need to get to from outside the network (public IP).

I have made to correct configurations on the ASA.

I created a static mapping from 172.20.200.6 to an external address 64.53.55.55 - (not the real ip)

I allowed the correct ports on the ASA through for these addresses. I have about 7 yrs experience with the Pix Os.

The connection is permitted if I watch the debug logs on the ASA, but I can never get connected to the internal system. I am pretty sure it is related to the PBR on the 6509, but I can't think of a way around it. I only want the 172.20.200.0 addresses going through the ASA, but I also need access to other parts of hte network from the 172.20.200.0 network.

Thanks

Don Hickey

0 Helpful
1 Reply 1

a-vazquez
Level 6
Level 6

‎03-16-2006 11:28 AM

Did you apply the static nat config on the appropriate interface?. I mean is this server connected to the same interface as other 172.20 networks is connected?.

I think the problem might be with the command "access-list 172 permit ip 172.20.200.0 0.0.0.255 any" in the route map. It is also sending 172.20.200.6 via the default next hop configured. But this alone can't be said as a reason.

Can you send me the debug log you received. Looking at that, I can get some idea.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card