Cisco Support Community

Bronze

Policy-based routing

Hi,

I have a question. I want to make the users on remote sites authenticate on the ASA when they want to surf the web.

To accomplish this they have to go through the Central router, then through the ASA to authenticate (ASA is doing NAT too) and then back to the Central router and then to the Internet.

Right now they are using a proxy that should be disconnected soon.

I tried with route-maps; the packet came to the ASA and then back to the Central router, but then I got a loop error (debug ip policy).

Here is a picture.

20 REPLIES
Hall of Fame Super Silver

Re: Policy-based routing

Hello Smail,

You need another L3 link between the ASA and the router. Probably the router sees the PBR traffic coming back on the same interface and thinks it is a loop.

hope to help

Giuseppe

Bronze

Re: Policy-based routing

ASA is doing NAT so the traffic will come back with a Public IP.

I know now why it detected a loop. I tested it with GNS and I had no NAT configured. Gonna try it now.

But I don't know how the traffic will come back.

New Member

Re: Policy-based routing

Hello,

First, the NAT will use a public address, which means that you can use PBR based on the source remote ip addresses.

But you need to know that only one connection to the ASA means that you are connected to the outside, which is not possible! You have, as Giuseppe says, two connections to the ASA: one with the inside or DMZ to send arriving packets, and an outside to send back the NATted packets.

If you don't have more than one possible physical connection, you may use sub-interfaces on both router and ASA.

Hope that can help.

Regards,

Omar

Bronze

Re: Policy-based routing

There are two interfaces on the ASA that are connected to the central router.

One has a public IP and one a private IP (OSPF routing is enabled on that one).

I forgot that when I made a lab with GNS.

I'm gonna try it again later; GNS does not work well on my laptop.

So do you guys have any tips on how to solve this one without a lot of complications in the configuration?

New Member

Re: Policy-based routing

There is no complication.

On the router, you have two streams:

- Remote -> router (managed with PBR and route-maps)

- Local (ASA) -> Internet (managed with default route)

If you need more information, you have only to ask.

Regards,

Omar

Bronze

Re: Policy-based routing

Hi,

The remote router sends the request to the central router and it sends it obviously to the ASA. I've put a route-map on the LAN interface on the remote router and a route-map on the tunnel interface on the central router. With "debug ip policy" I get the info that it is policy routed to the next hop (ASA), but it seems that it doesn't reach the ASA.

I used traceroute on my laptop and I get only a response from my LAN interface and the tunnel interface on the central router.

I tested it on GNS where I used a router as the ASA. I used a route-map on this router too and this configuration worked flawlessly.

I tried to configure a route-map on the ASA but there is no set ip next-hop and set interface statement.

New Member

Re: Policy-based routing

Right, the ASA doesn't do any PBR like a router. You need to connect to a DMZ and not to the Outside.

On the ASA you need only a NAT from DMZ to Outside.

Any comment ?

Regards,

Omar

Bronze

Re: Policy-based routing

I have only 3 interfaces on the ASA.

LAN, Internet (connected to the central router) and one "for VPN" (connected to the central router with private IP).

Don't know what to do now, I don't have any ideas.

Bronze

Re: Policy-based routing

I don't have any ideas how to tell the ASA to send the traffic received on the VPN interface to the outside interface. A route-map would solve this problem but it does not support it.

New Member

Re: Policy-based routing

It's not a problem, my friend. You can still use sub-interfaces to create more than one interface on a single physical interface.

If you have a more detailed schema or configuration file, I can explain to you how you can do it in more detail.

Regards,

Omar

New Member

Re: Policy-based routing

I will do it tomorrow at work.

But I don't understand what I will get using sub-interfaces on ASA.

Please explain if it is not a problem.

Thank you in advance.

New Member

Re: Policy-based routing

Hello,

I made a topology. I hope it explains a little bit better what I want to do.

With a route-map on the ASA my problem would be solved, but unfortunately it does not support it.

New Member

Re: Policy-based routing

Hello,

I think that you have the right configuration on the router, as you are using the route-map to redirect traffic to the Internet, and traffic from remote to the ASA.

Now the sub-interface connected to the ASA with private OSPF should have a security level higher than 0 (called remote), and the one connected with the public IP address needs to be security level 0 (called outside).

Now on the ASA you need to do NATting from (remote) to (outside). This way you will receive traffic going to the Internet from the ASA on the outside interface, and the router will reroute it for the second time, now through the Internet.

And now, is it clear? If not, please tell me where you have difficulties.

Regards,

Omar
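Omar's two-stream design above (PBR on the router only for traffic arriving from the remote sites, a separate ASA interface so the NATted copy does not return on the interface it left, which is the loop Giuseppe describes, and a default route for the rest), as an added configuration example that is not from any poster in this thread. Interface names, security levels, addresses (RFC 1918 / RFC 5737) and the pre-8.3 ASA NAT syntax are all assumptions.

```cisco
! === Central router (IOS) === added example; names and addresses assumed
! Only packets arriving from the remote sites on the tunnel are policy-routed,
! and only to the ASA's private-side ("remote") address. The NATted copy comes
! back on Fa0/1 with a public source, matches no route-map, and follows the
! default route, so "debug ip policy" no longer reports a loop.
ip access-list extended REMOTE-TO-INET
 remark internal destinations stay on the normal routing table
 deny   ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 remark remote sites to the Internet go through the ASA
 permit ip 10.10.0.0 0.0.255.255 any
!
route-map TO-ASA permit 10
 match ip address REMOTE-TO-INET
 set ip next-hop 10.1.1.2
!
interface Tunnel0
 ip policy route-map TO-ASA
!
interface FastEthernet0/0
 description To ASA "remote" interface (private)
 ip address 10.1.1.1 255.255.255.252
!
interface FastEthernet0/1
 description To ASA "outside" interface (public)
 ip address 203.0.113.1 255.255.255.248
!
! Default route towards the ISP uplink (uplink interface not shown)
ip route 0.0.0.0 0.0.0.0 198.51.100.1

! === ASA === pre-8.3 NAT syntax (assumed)
interface Ethernet0/1
 nameif remote
 security-level 50
 ip address 10.1.1.2 255.255.255.252
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! return path to the remote sites and the exit back to the router
route remote 10.10.0.0 255.255.0.0 10.1.1.1
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! translate remote-site sources to the outside interface address
nat (remote) 1 10.10.0.0 255.255.0.0
global (outside) 1 interface
```

Traffic from remote (security 50) to outside (security 0) is permitted by default on the ASA, so no access-list is needed for the outbound direction; the cut-through authentication the original question asks about would be configured on the ASA in addition to this.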

New Member

Re: Policy-based routing

Thank you for your response. I will give you the conf. of the ASA (I deleted some parts that are not necessary)

I usually configure routers, I don't have much experience with ASA firewalls.

Should I now split the Ethernet0/1 interface into two subinterfaces?

New Member

Re: Policy-based routing

Hello,

I see that you have no need to make sub-interfaces as the router is connected on Fa0/0 and Fa0/1.

I think that your configuration is OK. Have you tried it right now?

Try to debug the routing on the ASA and also NAT translations.

Regards,

Omar

New Member

Re: Policy-based routing

Will do it now. I will brief you about the debug info on the ASA.

New Member

Re: Policy-based routing

Well, I tried to debug NAT on the ASA but there is no such command or anything similar. Can you give me some advice?

New Member

Re: Policy-based routing

Here is the sh nat 2vpn outside info.

I really don't know what to do. I don't have any experience with ASA.

New Member

Re: Policy-based routing

Are you using ASDM?

You can use it over HTTPS; it will allow you to do better debugging and configuration.

New Member

Re: Policy-based routing

I will try that.

Thank you.

272 Views, 0 Helpful, 20 Replies