Policy Based Routing on a Cisco ASA

Cisco ASA 9.4 (and later) is now supporting Policy Based Routing. Yeah. Great news, since many customers are requesting something like “HTTP traffic to the left – VoIP traffic to the right”. Coming with a new Cisco ASA 5506-X I was happy to try the policy based routing feature.

The configuration steps through the ASDM GUI are not easy and full of errors so I am trying to give some hints within this blog post.

The main document from Cisco for policy based routing on a ASA is here. It describes the use-cases for PBR and gives examples.

Configuration

I am doing all of my configurations through the GUI ASDM. (I know, some people really love the CLI even for configurations, but I don’t. I am using it only for troubleshooting issues.) For this lab I am using a Cisco ASA 5506-X with ASA version 9.5(1), while ASDM is version 7.5(1). In my lab, I have a default route to ISP 1 (gi1/1) and a different connection to ISP 2 (gi1/2). There is no route to ISP 2 in the routing table. I want that each user generated http/https traffic is routed to ISP 2, while anything else is still traversing through ISP 1 to the Internet.

To configure PBR, an ACL that matches the traffic must be defined, then referenced in a route map with the “set ip next-hop” statement, and this route map must be applied to the incoming interface. I ran into many error messages through the configuration, e.g., a false warning message stating “will not have any effect”. Here is my path: (And as always: Note the descriptions under the screenshots for more details.)

The complete CLI commands for my test scenario are the following:

 

Test

The following debug output on the CLI reveals the PBR process. The DNS request (line 2) has no match -> skip to normal route (line 3). The HTTP traffic (line 4) is matched and processed to the next-hop (lines 5-8).

 

How to “Not PBR”?

An unsolved problem for me is the “do not pbr” policy which is needed to not forward traffic to inside private IP addresses (RFC1918) to the second ISP, but due to the normal routing table. I tried the following configurations, but none of them worked: (Maybe someone has an idea?)

  • Route-map statement “deny” referencing an ACL that lists the private networks: There was only the following warning in the CLI: “WARNING: Route-map map-pbr with sequence number 10 does not have any set actions defined. Not installing PBR datapath rules for this route-map entry”. But the private IP ranges are still policy-routed to the second ISP.
  • Same route-map with the ACL that denies the private networks while permitting “any” with port http/https: Does not work either.
  • Route-map statement “permit” referencing an ACL that lists the private networks with “Set Null0 interface as the default interface”: Not working.
  • Route-map statement “permit” referencing an ACL that lists the private networks with any kind of “next-hop” address: Would not make sense since I have many different routes in the routing table. Furthermore, some private networks are connected via VPNs, which are not route-based VPNs but policy-based VPNs. I do not know how these two policy features (policy-routing and policy-based VPN) do merge.

(By the way: It is not possible to delete a certain route map statement through ASDM. Through the CLI, this is no problem. For example, if I want to deleted sequence number 5, the following error message appears:)

Cisco ASA PBR 09 trying to delete a route map statement

Conclusion

I don’t know if I should be happy or not. Ok, in general, PBR is working on the ASA, but the configuration process is not intuitive. If a customer already has a new ASA 5500-X, then he might be happy to have PBR now. However, the policy based routing configurations on other firewall vendors such as Palo Alto or Fortinet are much better.

(And by the way: The example configuration commands on the Cisco page are not correct at some points, e.g. this one:)

Featured image “Space ships flying. In the yellow haze of the sun.” by caratello is licensed under CC BY-NC 2.0.

21 thoughts on “Policy Based Routing on a Cisco ASA

  1. Thanks for the tip and the simplicity that was put here in this setting!
    It helped me a lot in knowing a new feature of Cisco ASA!

  2. I’m looking at this exact scenario. One question I have, is related to the default route. I know pbr overrides, but there still needs to be a primary default route and back up floating static route, right?

    1. Hey Ryan,

      I am not sure whether I fully understood your question. Of course, you need a primary default route to reach the Internet. In general, it depends on your scenario. If you must have static routes, then they are needed, obviously. If not, why should you use them?
      However, to my mind you can also run the firewall with only policy based routes. In theory, that should work. Simply try it out.

      1. Thanks. In my case, one WAN is for LAN Internet access, vpn, ssl, etc. My DMZ, will use the WAN2. That adds up to a default to outside1 and default to outside2 with a higher AD. Furthermore, for the first packet, in the slow path, the ASA invoke NAT un-translate to see if the destination address needs to be translated and, when this is true, choose the egress interface as specified in the NAT divert table. Otherwise the traffic will be sent using route table information.

        This information can be double-checked on the following link:

        http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_rules.html

        PBR needs to be used for the ASA to be able to decide the egress interface different from the routing table, which based on metrics will be pointing to ISP1 out of interface outside1.

      2. So, if you have two WANs, and one LAN (inside) needs to go out ISP1, and say LAN2 needs to go out ISP2, then, as I have figured out, you need your routes to look like this:

        route outside 0.0.0.0 0.0.0.0 64.61.14.233 1
        route outside2 0.0.0.0 0.0.0.0 66.198.179.1 5

        Then, if it is source-based routing, the PBR ACLs have to be extended ACLs, and I found by doing a packet-tracer, then LAN2—>ISP2, and LAN1–>ISP1 for all outbound traffic.

  3. What about failover, if there is a PBR for Voice to go out WAN2, what if WAN2 fails. Can you route traffic out WAN1 in the event of WAN2 failure?

    Separate question, for load balancing, can you send 50% of traffic out one WAN and 50% out the other?

  4. Dears,
    it try to used the same with new ASA 9.5 and it’s working normal :) the problem now , that i can’t connect between inside 1 and inside 2 ( note i enable traffic between two or more interface which are configured with same security levels )
    !!!!!!!!!!!!!!!!!

  5. Hi All, So I’ve configured the PBR correctly, all is well, but it’s not working with fqdn objects, I get an error on that, Is there a way to solve it?

  6. Pingback: CISCO | Pearltrees
  7. PBR on ASA seems to still have the odd hitch or two. I’m on 9.5 on a 5506X, currently trying to add a second internal network on gi3. (192.168.5.0/24) inside = 192.168.1.0/24.

    This 2nd network contains a LTE lunchbox and is intended to serve as a bandwidth booster (box hangs off a poor bandwidth DSL RAM Copper Wire in a rural area). First off, I can only ping it from its correspoding mother interface (same sec permit inter/intra is on of course as is ICMP permit ); can observe only requests, no echos, if pinged from inside.

    Switching PBR on yields:

    pbr: policy based route lookup called for 192.168.1.1/64907 to 87.106.184.69/80 proto 6 sub_proto 0 received on interface inside
    pbr: First matching rule from ACL(4)
    pbr: route map LTE, sequence 10, permit; proceed with policy routing
    pbr: evaluating recursive next-hop 192.168.5.10
    pbr: policy based routing applied; egress_ifc = LTE : next_hop = 192.168.5.10

    The lunchbox is in fact online….. but nothing comes back.

  8. Hi I have one query.
    I have seniro where i have Cisco ISR 4321 Router with 2 ISP configure using BGP and ASA 5508X NGF with both the ISP connected, Site to Site VPN Fail-over , i need to enable Load sharing, but i have issue when every the ISP1 packets is sending to other site vpn, while coming back it is reaching vie ISP2 so i have drop in VPN packet and i am not able to using both the ISP for load sharing, please find the below BGP configured in ISR 4321 router, kindly help me for the same.

    router bgp 64519
    bgp log-neighbor-changes
    network 111.93.145.240 mask 255.255.255.248
    network 182.71.243.24 mask 255.255.255.248
    neighbor 111.93.129.197 remote-as 45820
    neighbor 182.73.209.1 remote-as 9498

  9. how to “Not PBR”

    Not quite sure your specific issue with that. I simply added a ‘deny IP’ with my internal ip’s as a destination in the access list applied to the policy map as line 1

    maybe my situation is different or more simplistic

    1. RE: how to “Not PBR” How we solved the VPN Connected networks.

      We have 2 Public Class C Addresses and one ISP, though need servers to been seen from the internet from one subnet or the other. So we needed PBR to route out the interface for the specific subnet. Though in following your guide we ran into the same issue that the devices defined in the ACL for the PBR for the 1st Interface were not able to access the Remote VPN Connected offices as they are terminated on the 2nd Interface.

      Here is what we did:

      !We have an object Group that defines all of our Remote VPN Connected networks.:
      object-group network REMOTE_NETWORK
      network-object object NETWORK-OLIVET
      network-object object NETWORK-MEINZ
      network-object object NETWORK-WATERCOURSE

      !Define the Individual networks:
      object network NETWORK-OLIVET
      subnet 10.11.0.0 255.255.0.0

      !Define the Access List for Interface 1 so that we deny the REMOTE_NETWORK up front
      access-list 204-Static-PBR-ACL extended deny ip any object-group REMOTE_NETWORK
      access-list 204-Static-PBR-ACL extended permit ip object vsvr-syslogd_i any
      access-list 204-Static-PBR-ACL extended permit ip object vsvr-internet_i any
      access-list 204-Static-PBR-ACL extended permit ip object vsvr-web-sp_i any

      !Define the Access List for Interface 2 so that we deny the REMOTE_NETWORK up front
      access-list 198-Static-PBR-ACL extended deny ip any object-group REMOTE_NETWORK
      access-list 198-Static-PBR-ACL extended permit ip object hbgipoffice_i any

      !Define the Catch all for everything else
      access-list Internal-Dynamic-PBR-ACL extended permit ip any any

      ! Define the interface and ACL to use for Interface 1
      route-map PBR permit 10
      match ip address 204-Static-PBR-ACL
      set ip next-hop

      ! Define the interface and ACL to use for Interface 2
      route-map PBR permit 20
      match ip address 198-Static-PBR-ACL
      set ip next-hop

      ! Define the interface and ACL to use for things not explicitly defined in the other two ACLs
      route-map PBR permit 30
      match ip address Internal-Dynamic-PBR-ACL
      set ip next-hop

      Your Guide was a Great starting point!

      Thank you…

  10. Hi,

    I have an ASA 5520, with IOS 9.1(6).

    I went into Cisco’s website, and can only see v9.1 for my ASA.

    Does anybody know if Cisco does 9.5 for ASA 5520, or if there are any updates to the 9.1 to allow PBR on the interface?

    Thanks & Regards
    Heider

    1. Hei Heider,
      I am not a Cisco specialist, but to my mind the old ASA (without -x) models are not longer updated with newer versions. You must purchase a new appliance based on the 5500-X models. (However, please consider changing the firewall vendor to Palo Alto Networks if you want a reasonable firewall! ;))

  11. Hello,

    this is an excellent article and PBR is working fine on Cisco and Dell.
    I’m using Dell N4000 Series as the default gateway for all my internal vlans and set up a PBR on this Dell to set the default Gateway to the Cisco for all “non-internal” traffic.
    However, I’m facing an issue with my VPN users trying to access our internal servers and workstations through the Cisco ASA and Dell.
    Did anyone succeed to do this?

    Thanks,
    Thierry

Leave a Reply

Your email address will not be published. Required fields are marked *