Cisco ASA Policy-Based Route

Network Topology:

Requirements: ASA image version 9.4 or higher

First step is to configure an ACL go to Firewall->Advanced->ACL Manager and click Add

The purpose of this ACL is to catch the required traffic for match, here in my example I’ll use the guest network (192.168.7.0/24).

The ACL name is ACL_GUEST_PBR, where the first ACE is to deny internal traffic to be match, Here I deny the guset network to the dev network (192.168.2.0/24):

Then add permit ACE which match guest network to all destinations:

Then go to Device Setup->Routing->Route Maps and click Add to create the route-map, RM_GUEST_PBR.

In the Match Clause tab we will configure the match criteria, in my example the ACL_GUEST_PBR along with route-map name and sequence number:

Go to Policy Based Routing tab, You may get the IP Address Mismatch warning, just click yes and ignore it:

click on Set default next-hop IP address and enter the next hop IP:

Click OK

Next go to Interface Settings->Interfaces, choose the source interface, in my example the Guest interface Gi0/1.7

Click edit and under Route Map choose the PBR route map RM_GUEST_PBR:

Click OK

Don’t forget to configure Firewall access rules and NAT rules as needed.

Here in my example I’ve configured two NAT rules, one for each link:

In order to debug policy-based route use the following command:

debug policy-route

Here is an example of successful PBR, where my client (192.168.7.31) tries to ping outside IP (172.16.0.30):

pbr: policy based route lookup called for 192.168.7.3/1 to 172.16.0.30/0 proto 1 sub_proto 8 received on interface GUEST pbr: First matching rule from ACL(20) pbr: route map RM_GUEST_PBR, sequence 10, permit; proceed with policy routing pbr: 'default' option configured; lookup for an explicit route to 172.16.0.30 pbr: no explicit route to 172.16.0.30 found pbr: evaluating default next-hop 2.2.2.2 pbr: policy based routing applied; egress_ifc = EXTERNAL2 : next_hop = 2.2.2.2

And an example of denied match on PBR, where my client tries to ping internal address (192.168.2.254):

pbr: policy based route lookup called for 192.168.7.3/1 to 192.168.2.254/0 proto 1 sub_proto 8 received on interface GUEST pbr: First matching rule from ACL(20) pbr: found route policy with a matching deny ACL; Check next matching rule. pbr: no route policy found; skip to normal route lookup

Cisco PBR with multiple NAT

In the following lab I will demonstrate how to use PBR (Policy-Based Route) along with 3 different exit points (next-hop) and NAT the source IP accordingly.

Here is the network topology:

 

R5 is a host on our LAN (network 192.168.0.0/24) while R1 is the gateway for this network.

When R5 tries to reach R7 (192.168.71.1) using ICMP he will exit through R2, when trying to reach R7 on port 80 he will exit through R3 and when using telnet through R4. The NAT will occur according to the exit point – hence when going through R2 he will have 10.1.12.1, through R3 he will have 10.1.13.1 and through R4 – 10.1.14.1.

Using this scenario we can load-balance certain traffic type through different upstream providers according to our demands (a next-hop verification and redundancy can be added but I skipped this issues on this post).

R5 (relevant) configuration:

interface FastEthernet0/0  ip address 192.168.0.5 255.255.255.0  speed 100  full-duplex ! ip route 0.0.0.0 0.0.0.0 192.168.0.1

Note that R2, R3, R4 and R7 are running OSPF between them.

R2 (relevant) configuration:

interface FastEthernet0/0  ip address 10.1.12.2 255.255.255.0  speed 100  full-duplex ! interface FastEthernet0/1  ip address 172.16.0.2 255.255.255.0  speed 100  full-duplex ! router ospf 1  log-adjacency-changes  network 0.0.0.0 255.255.255.255 area 0

R3 (relevant) configuration:

interface FastEthernet0/0  ip address 10.1.13.3 255.255.255.0  speed 100  full-duplex ! interface FastEthernet0/1  ip address 172.16.0.3 255.255.255.0  speed 100  full-duplex ! router ospf 1  log-adjacency-changes  network 0.0.0.0 255.255.255.255 area 0

R4 (relevant) configuration:

interface FastEthernet0/0  ip address 10.1.14.4 255.255.255.0  speed 100  full-duplex ! interface FastEthernet0/1  ip address 172.16.0.4 255.255.255.0  speed 100  full-duplex ! router ospf 1  log-adjacency-changes  network 0.0.0.0 255.255.255.255 area 0

R7 (relevant) configuration:

interface Loopback1  ip address 192.168.71.1 255.255.255.0  ip ospf network point-to-point ! interface Loopback2  ip address 192.168.72.1 255.255.255.0  ip ospf network point-to-point ! interface Loopback3  ip address 192.168.73.1 255.255.255.0 ! interface FastEthernet0/0  ip address 172.16.0.7 255.255.255.0  speed 100  full-duplex ! router ospf 1  log-adjacency-changes  network 0.0.0.0 255.255.255.255 area 0 ! ip http server

And R1 basic configuration:

interface FastEthernet1/0  ip address 192.168.0.1 255.255.255.0  duplex full  speed 100 ! interface FastEthernet1/1  ip address 10.1.12.1 255.255.255.0  duplex full  speed 100 !         interface FastEthernet2/0  ip address 10.1.13.1 255.255.255.0  duplex full  speed 100 ! interface FastEthernet2/1  ip address 10.1.14.1 255.255.255.0  duplex full  speed 100 ! ip route 0.0.0.0 0.0.0.0 10.1.12.2

Now let’s start configure R1, first create access-lists which will match the desired traffic for the PBR, here in my example I want to match HTTP and telnet traffic:

ip access-list extended ACL_PBR_HTTP  permit tcp 192.168.0.0 0.0.0.255 any eq www  deny   ip any any ! ip access-list extended ACL_PBR_TELNET  permit tcp 192.168.0.0 0.0.0.255 any eq telnet  deny   ip any any !

Then configure the PBR route-map:

route-map RM_PBR permit 10  match ip address ACL_PBR_HTTP  set ip next-hop 10.1.13.3 ! route-map RM_PBR permit 20  match ip address ACL_PBR_TELNET  set ip next-hop 10.1.14.4 ! route-map RM_PBR deny 999 !

In the following PBR I configure that all HTTP traffic will go to next-hop 10.1.13.3 and all telnet traffic will go to next-hop 10.1.14.4, all other traffic that the route-map didn’t catch will go through the normal routing table, in this case to 10.1.12.2 (default route).

Configure the PBR under the LAN interface:

interface FastEthernet1/0  ip address 192.168.0.1 255.255.255.0  ip virtual-reassembly in  ip policy route-map RM_PBR  duplex full  speed 100 !

Now configure NAT inside on Fa1/0 (LAN interface) and NAT outside on Fa1/1, Fa2/0 and Fa2/1 (WAN interfaces):

interface FastEthernet1/0  ip address 192.168.0.1 255.255.255.0  ip nat inside  ip virtual-reassembly in  ip policy route-map RM_PBR  duplex full  speed 100 ! interface FastEthernet1/1  ip address 10.1.12.1 255.255.255.0  ip nat outside  ip virtual-reassembly in  duplex full  speed 100 !         interface FastEthernet2/0  ip address 10.1.13.1 255.255.255.0  ip nat outside  ip virtual-reassembly in  duplex full  speed 100 ! interface FastEthernet2/1  ip address 10.1.14.1 255.255.255.0  ip nat outside  ip virtual-reassembly in  duplex full  speed 100 !

Now configure 3 route-maps for NAT distinguish for each WAN interface:

route-map RM_NAT_R4 permit 10  match interface FastEthernet2/1 ! route-map RM_NAT_R2 permit 10  match interface FastEthernet1/1 ! route-map RM_NAT_R3 permit 10  match interface FastEthernet2/0 !

These route-maps will ensure that every packet that goes out on a specific interface will get the correct outside NAT IP address.

And last configure the NAT statements:

ip nat inside source route-map RM_NAT_R2 interface FastEthernet1/1 overload ip nat inside source route-map RM_NAT_R3 interface FastEthernet2/0 overload ip nat inside source route-map RM_NAT_R4 interface FastEthernet2/1 overload !

Now let’s check:

R5#ping 192.168.71.1

Result:

R5#telnet 192.168.71.1

Result:

R5#telnet 192.168.71.1 80

Result:

When R5 ping 192.168.71.1 he made it using source IP 10.1.12.1, when using HTTP he made it using 10.1.13.1 and when telnet he used 10.1.14.1.