New Member

Policy-based routing problems

Please take a look at this topic. The ASA firewall is giving me a headache.

WAN, Routing and Switching: Policy-based routing.

22 REPLIES
New Member

Re: Policy-based routing problems

If I'm not mistaken, PBR is not supported on the ASA.

R/g

Gold

Re: Policy-based routing problems

Correct, PBR is not supported on the ASA. The route-map support is limited to route redistribution on the ASA.

New Member

Re: Policy-based routing problems

Do you have an idea how to solve my problem?

New Member

Re: Policy-based routing problems

Hi,

Some typical policy-based routing problems can be solved using policy-based NAT. Not all of the PBR features you get in a router are available in the ASA.

Still, could you post your exact requirement?

New Member

Re: Policy-based routing problems

It is explained in my first post.

The central router routes the traffic to the ASA and there it just stops.

I don't know if the ASA is dropping the packets or similar. I don't have any experience with it.

Re: Policy-based routing problems

The ASA may be dropping packets that it does not know how to pass on to the next layer 3 routing device; check the config and the layer 3 connectivity at the remote end.

HTH>
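The check a practitioner would run at this point, before redesigning anything, is to ask the ASA itself why the packet stops. The following is an added troubleshooting example, not part of the thread; the interface names `inside`/`outside`, the remote-site host 10.2.0.25, the internet host 198.51.100.10 and the 10.2.0.0/16 subnet are hypothetical, and the `nat`/`global` lines at the end use pre-8.3 syntax.

```cisco
! Added troubleshooting example (not from the thread). Hypothetical addressing:
! remote-site host 10.2.0.25 arrives via the central router on the ASA "inside"
! interface (the OSPF-facing one); the destination is internet host 198.51.100.10.

! 1. Does the ASA have a route back to the remote site (via the central router)
!    and a default route out "outside"? If the return route is missing the
!    packet is dropped as a reverse-path / no-route failure.
show route
show ospf neighbor

! 2. Walk the packet through the ASA's processing path. The final "Result:" and
!    "Drop-reason:" lines name the stage (ACL, NAT, route lookup) that drops it.
packet-tracer input inside tcp 10.2.0.25 1025 198.51.100.10 80 detailed

! 3. Reset the accelerated-path drop counters, let the remote user retry, then
!    read which counter increments.
clear asp drop
show asp drop

! 4. Capture on both interfaces: IN shows whether the packet arrives, OUT whether
!    it ever leaves. A hit on IN with nothing on OUT confirms the ASA drops it.
capture IN interface inside match ip host 10.2.0.25 host 198.51.100.10
capture OUT interface outside match ip any host 198.51.100.10
show capture IN
show capture OUT

! 5. A common cause of "it just stops" for traffic from sites behind an internal
!    router: the NAT rule only covers the HQ LAN, so the remote subnet has no
!    translation and (with nat-control, pre-8.3) is dropped. Pre-8.3 fix: add
!    the remote subnet to the same dynamic NAT pool the HQ LAN uses.
nat (inside) 1 10.2.0.0 255.255.0.0
global (outside) 1 interface
```

Run step 2 first: `packet-tracer` is cheap and usually answers the question outright. Steps 3 and 4 are for the cases where the simulated flow passes but real traffic still fails, which typically points at asymmetric routing (the reply returning through a different interface than the request entered).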

New Member

Re: Policy-based routing problems

But the Central router sends the request (sourced from the remote site) with a source and destination address.

I really don't know why the ASA does not forward it on the outside interface.

Re: Policy-based routing problems

If the traffic from the remote site enters the outside interface of the ASA over a VPN, the ASA will not pass it back out the outside interface and NAT it without specific config. Is this what you are trying to do?

Post your configs for review.

New Member

Re: Policy-based routing problems

The traffic comes in on an inside interface (security level 50, OSPF routing). The ASA is connected to the central router with 2 interfaces: one for OSPF routing between sites (private IP) and one for the internet (public IP, the ASA is doing NAT).

And there is an inside interface with security level 0, which is not important.

You can find a topology and config file in my posts.

Re: Policy-based routing problems

None of your posts have any attachments.

Is the ASA taking part in the OSPF routing?

Are you performing any NAT between the inside and the central router interface?

New Member

Re: Policy-based routing problems

There are attachments. Like I said in my first post, I made a topic in:

WAN, Routing and Switching: Policy-based routing.

It is all explained there.

Re: Policy-based routing problems

I have no time to search for posts, sorry. Perhaps another netpro will be able to help.

Re: Policy-based routing problems

I have read the post and seen the updated diagram. I have a few questions:

1) Why is the VPN terminated on the central router?

2) Why is the central router in front of the ASA for the internet, and behind the ASA for internal?

3) If you have a tunnel, then you should not really need PBR, as you can encapsulate OSPF in the tunnel.

4) The ASA could redistribute the default route in OSPF on the internal private IPs.

HTH>

New Member

Re: Policy-based routing problems

Well, I have not designed this network.

I think the central router is terminating VPN because of OSPF routing (tunnel interfaces with GRE)

The central router is not behind the ASA for internal. The ASA has its own internal network (HQ) and the others are all remote sites that have to go through the ASA because of authentication (not all users are allowed to surf on the internet).

OSPF is already encapsulated in the tunnel on the remote site and central routers.

The ASA is already a gateway for the internal network (not for the remote sites). The ASA can't send them a default route because there is the central router in between.

Re: Policy-based routing problems

OK, a simple solution would be to:

1) Terminate the VPN on the ASA.

2) Have the tunnel destination on the central router for the remote point to the ASA.

3) In the ASA, configure the crypto map for the tunnel source and destinations of the tunnels.

4) Directly connect the ASA to the internet circuit.

5) Have the central router have only 1 connection to the ASA.

6) Distribute a default route in OSPF. Remote users would dynamically route over the tunnel through the IPsec to the central router; the central router would route the internet traffic directly to the ASA, where they can be authenticated.

HTH>
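As an added example of what steps 1 to 6 above look like on the ASA (this is not configuration from the thread or from the poster), the fragment below terminates the remote site's IPsec tunnel on the ASA, hairpins the remote users' internet traffic back out the outside interface through PAT, and originates the default route into OSPF toward the internal router so that no PBR is needed anywhere. All addressing is hypothetical: HQ LAN 10.1.0.0/16 on `inside`, remote LAN 10.2.0.0/16 behind remote peer 203.0.113.2, ASA outside 192.0.2.1 with ISP gateway 192.0.2.254. The syntax is ASA 8.4+ (IKEv1 LAN-to-LAN); 8.2 and earlier use `nat (inside) 0 access-list` and `isakmp` instead.

```cisco
! Added example (not from the thread): ASA terminating the remote site's IPsec
! tunnel, hairpinning remote users to the internet, and advertising the default
! route into OSPF. Hypothetical addressing throughout; ASA 8.4+ syntax.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.0.0

route outside 0.0.0.0 0.0.0.0 192.0.2.254

object network HQ-LAN
 subnet 10.1.0.0 255.255.0.0
object network REMOTE-LAN
 subnet 10.2.0.0 255.255.0.0

! Traffic decrypted on "outside" must be allowed to leave via "outside" again
! (remote users reaching the internet through this ASA).
same-security-traffic permit intra-interface

! NAT order matters: identity (no-NAT) between the two LANs in section 1,
! then interface PAT for internet-bound traffic in section 3 (after-auto).
nat (inside,outside) source static HQ-LAN HQ-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic HQ-LAN interface
nat (outside,outside) after-auto source dynamic REMOTE-LAN interface

! Crypto ACL from the ASA's point of view: anything (HQ LAN or internet) to the
! remote LAN. The remote router's crypto ACL must be the mirror image
! (10.2.0.0/16 -> any), i.e. the remote site sends all traffic into the tunnel.
access-list L2L-REMOTE extended permit ip any object REMOTE-LAN

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-REMOTE
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
! Reverse-route injection installs a static route for 10.2.0.0/16 when the
! tunnel is up, which OSPF below hands to the central router.
crypto map OUTSIDE-MAP 10 set reverse-route
crypto map OUTSIDE-MAP interface outside

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <strong-shared-secret>

! OSPF toward the internal (central) router: the ASA is the default gateway and
! the source of the remote-LAN route, so the router needs no PBR.
router ospf 1
 network 10.1.0.0 255.255.0.0 area 0
 redistribute static subnets
 default-information originate
```

Two design points worth noting. The `nat (outside,outside)` rule together with `same-security-traffic permit intra-interface` is what the earlier reply meant by "the ASA will not pass it back out the outside interface and NAT it without specific config"; without both lines the hairpinned traffic is dropped. And because every remote-to-internet flow now enters the ASA as decrypted tunnel traffic, the same `aaa authentication match` cut-through proxy used for HQ users can be applied to the remote users, which is the reason the thread gives for sending them through the ASA in the first place.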

New Member

Re: Policy-based routing problems

Well I know that when the ASA would terminate the VPNs my problem would be solved. But I don't know if my client would like that, because that is a lot of work.

And I have one question. Does the ASA have tunnel interfaces like a router? So that I can use GRE?

Re: Policy-based routing problems

No the ASA does not support GRE tunnels.

At the end of the day you should explain to your customer that the current topology/configuration is sub-optimal and can be improved 100%

HTH>

New Member

Re: Policy-based routing problems

So your advice is that the ASA terminates the VPNs and that the router is there only for the internet?

There is a problem too, a Frame-Relay router is connected on the router for other remote sites! I think that I could use a subinterface on the ASA for that!

Re: Policy-based routing problems

If you just do that - what are you going to use as a layer 3 routing device on the inside?

Possibly - or just shift all the internal routing to the device that has the frame-relay - this is the central internal router.

Then the other router can just be used for internet routing, and the ASA can be the secure device that separates the internal network from the internet.

New Member

Re: Policy-based routing problems

Well, thank you. I will consult with my workmate.

Re: Policy-based routing problems

np - glad to help
