ASA Policy Based Routing

This post describes how to configure a Cisco ASA firewall for Policy Based Routing (PBR). PBR lets an administrator choose the next hop based on source address, source port, destination address, destination port, protocol, or any combination of these, instead of relying only on the destination-based routing table. This is useful when a customer has multiple internet connections and needs particular internal networks to use particular ISPs.

Topology

For testing we use the simple topology shown in the figure below: a Cisco IOSv switch on the inside of the ASA (running 9.4; PBR requires ASA 9.4(1) or later) and two outside interfaces on the ASA, ISP_1 and ISP_2, each connected to a Cisco IOSv router acting as the ISP router. In this scenario we configure the following:

  • Route all traffic matching 10.10.0.0/16 out of ISP_1 interface
  • Route all traffic matching 10.20.0.0/16 out of ISP_2 interface
  • Inbound static NAT for a host on ISP_1
  • Inbound static NAT for a host on ISP_2

ASA Configuration

Define the interfaces (INSIDE, ISP_1 and ISP_2) with the correct security-levels.

interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif ISP_1
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif ISP_2
 security-level 0
 ip address 2.2.2.1 255.255.255.0

The default routes are only used when traffic does not match an ACL referenced in the PBR route-map. Note that the ASA installs only the lowest-metric default route (via ISP_1); the metric-10 route via ISP_2 is a floating backup that is used only if the ISP_1 route disappears, for example because the interface goes down or a tracked SLA fails (SLA tracking is not configured in this example). The interface name in each route must be the nameif of the interface, so the two default routes are bound to ISP_1 and ISP_2. Static routes are also defined for the networks behind the switch on the inside of the ASA.

route ISP_1 0.0.0.0 0.0.0.0 1.1.1.2 1
route ISP_2 0.0.0.0 0.0.0.0 2.2.2.2 10
route INSIDE 10.10.0.0 255.255.0.0 192.168.100.1 1
route INSIDE 10.20.0.0 255.255.0.0 192.168.100.1 1

A separate access list is used to define the source traffic for each ISP and is referenced from the route-map. Because the destination is any, traffic from these sources to any other network reachable through the ASA (a DMZ or a VPN peer, for example) would also be steered to the ISP; if such destinations exist, add deny entries for them ahead of the permit.

access-list ACL_PBR_ISP1 extended permit ip 10.10.0.0 255.255.0.0 any
access-list ACL_PBR_ISP2 extended permit ip 10.20.0.0 255.255.0.0 any

Define a route-map. The route-map is evaluated top down. The first sequence checks whether the packet matches ACL_PBR_ISP1; if it does, the packet is sent to the ISP_1 next hop. Traffic that does not match the first sequence is checked against the second sequence; if it matches ACL_PBR_ISP2 it is sent to the ISP_2 next hop. Traffic that matches neither ACL falls through to a normal routing-table lookup and therefore uses the default route.

route-map PBR permit 10
 match ip address ACL_PBR_ISP1
 set ip next-hop 1.1.1.2
!
route-map PBR permit 20
 match ip address ACL_PBR_ISP2
 set ip next-hop 2.2.2.2

Enable Policy Based Routing on the INSIDE interface. The route-map is applied to the ingress interface, that is, the interface on which the traffic to be policy-routed arrives.

interface GigabitEthernet0/0
 policy-route route-map PBR

Define a dynamic PAT rule for each outside interface, translating inside sources to that interface's address. The after-auto keyword places these rules in section 3 of the NAT table, so they are evaluated only after the object (auto) NAT rules defined next; the rule whose interface pair matches the egress interface chosen by PBR is the one that applies.

nat (INSIDE,ISP_1) after-auto source dynamic any interface
nat (INSIDE,ISP_2) after-auto source dynamic any interface

Define network objects with static NAT so that one host behind each ISP is reachable from the outside.

object network DEVICE_ISP1
 host 10.10.1.1
 nat (INSIDE,ISP_1) static 1.1.1.11
!
object network DEVICE_ISP2
 host 10.20.1.1
 nat (INSIDE,ISP_2) static 2.2.2.11

Define an ACL for each outside interface and apply it inbound to permit ICMP to the published hosts. Since ASA 8.3 interface ACLs reference the real (untranslated) address, so the entries refer to the network objects rather than to the mapped addresses 1.1.1.11 and 2.2.2.11. Each access-group must reference the ACL written for that interface.

access-list ISP_1_IN extended permit icmp any object DEVICE_ISP1
access-list ISP_2_IN extended permit icmp any object DEVICE_ISP2
access-group ISP_1_IN in interface ISP_1
access-group ISP_2_IN in interface ISP_2
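To make the first-match and fall-through behaviour of the configuration above concrete, here is an added Python model of the ASA's forwarding decision for this topology. It is example code written for this page, not Cisco's implementation and not part of the original post: the route-map is evaluated top down and the first permitting sequence sets the next hop; otherwise the longest-prefix, lowest-metric static route is used; the egress interface then selects which NAT rule applies. The addresses, ACLs, routes and NAT mappings are taken from the configuration above, while the function and class names (forward, untranslate, rib_lookup, RouteMapSeq, StaticRoute) are this example's own. The last assertion in the usage shows the caveat that a source in 10.20.0.0/16 sent to a destination behind the ASA is still policy-routed to ISP_2, because the PBR ACLs match any destination.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the ASA decision path for the page's topology:
# PBR route-map -> static/default routes -> NAT. Names are this example's own.


@dataclass
class RouteMapSeq:
    seq: int
    acl: list          # list of (action, src_net, dst_net), first match wins
    next_hop: str


@dataclass
class StaticRoute:
    iface: str
    prefix: ipaddress.IPv4Network
    next_hop: str
    metric: int


def net(s):
    return ipaddress.ip_network(s)


# access-list ACL_PBR_ISP1 / ACL_PBR_ISP2 from the configuration above
ACL_PBR_ISP1 = [("permit", net("10.10.0.0/16"), net("0.0.0.0/0"))]
ACL_PBR_ISP2 = [("permit", net("10.20.0.0/16"), net("0.0.0.0/0"))]

# route-map PBR, sequences 10 and 20
ROUTE_MAP_PBR = [
    RouteMapSeq(10, ACL_PBR_ISP1, "1.1.1.2"),
    RouteMapSeq(20, ACL_PBR_ISP2, "2.2.2.2"),
]

# Static routes: two default routes with different metrics plus inside networks
ROUTES = [
    StaticRoute("ISP_1", net("0.0.0.0/0"), "1.1.1.2", 1),
    StaticRoute("ISP_2", net("0.0.0.0/0"), "2.2.2.2", 10),
    StaticRoute("INSIDE", net("10.10.0.0/16"), "192.168.100.1", 1),
    StaticRoute("INSIDE", net("10.20.0.0/16"), "192.168.100.1", 1),
]

# Connected networks and addresses of the three ASA interfaces
IFACE_NETS = {"INSIDE": net("192.168.100.0/24"),
              "ISP_1": net("1.1.1.0/24"),
              "ISP_2": net("2.2.2.0/24")}
IFACE_ADDR = {"INSIDE": "192.168.100.2", "ISP_1": "1.1.1.1", "ISP_2": "2.2.2.1"}

# Object (static) NAT per interface pair: real -> mapped. Anything else is
# PAT'd to the egress interface address by the after-auto dynamic rules.
STATIC_NAT = {
    ("INSIDE", "ISP_1"): {"10.10.1.1": "1.1.1.11"},
    ("INSIDE", "ISP_2"): {"10.20.1.1": "2.2.2.11"},
}


def iface_for_next_hop(next_hop):
    """The egress interface is the one whose connected network holds the next hop."""
    addr = ipaddress.ip_address(next_hop)
    for name, connected in IFACE_NETS.items():
        if addr in connected:
            return name
    raise ValueError(f"no connected interface for next hop {next_hop}")


def acl_permits(acl, src, dst):
    """ASA ACL semantics: first matching entry decides; no match is a deny."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def policy_route(src, dst):
    """First route-map sequence whose ACL permits the flow; None falls through."""
    for seq in ROUTE_MAP_PBR:
        if acl_permits(seq.acl, src, dst):
            return seq
    return None


def rib_lookup(dst):
    """Longest prefix match; among equal prefixes only the lowest metric is installed."""
    candidates = [r for r in ROUTES if dst in r.prefix]
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def forward(src_ip, dst_ip):
    """Outbound decision for a packet arriving on INSIDE: via, next hop, egress, NAT."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    seq = policy_route(src, dst)
    if seq is not None:
        next_hop, via = seq.next_hop, f"PBR seq {seq.seq}"
    else:
        route = rib_lookup(dst)
        next_hop, via = route.next_hop, f"route {route.prefix} metric {route.metric}"
    egress = iface_for_next_hop(next_hop)
    mapped = STATIC_NAT.get(("INSIDE", egress), {}).get(str(src), IFACE_ADDR[egress])
    return {"via": via, "next_hop": next_hop, "egress": egress, "translated_src": mapped}


def untranslate(ingress, mapped_dst):
    """Inbound: real host behind a static mapping on this interface, or None."""
    for real, mapped in STATIC_NAT.get(("INSIDE", ingress), {}).items():
        if mapped == mapped_dst:
            return real
    return None


if __name__ == "__main__":
    for src in ("192.168.100.1", "10.10.0.1", "10.20.0.1", "10.10.1.1"):
        print(src, "->", forward(src, "8.8.8.8"))
    print("1.1.1.11 on ISP_1 untranslates to", untranslate("ISP_1", "1.1.1.11"))
    print("10.20.0.1 -> 10.10.0.5 egress", forward("10.20.0.1", "10.10.0.5")["egress"])
```

Running the block reproduces the results in the Testing and Verification section: the switch's own address falls through to the metric-1 default route and is PAT'd behind 1.1.1.1, the two loopbacks hit sequences 10 and 20 respectively, and the published hosts untranslate to the switch loopbacks. The model only decides the egress and translation for the first packet of a flow; the real ASA then pins the connection to that interface for its lifetime.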

Switch Configuration

The switch on the inside of the ASA is configured with several loopback addresses that fall within the ranges matched by the PBR ACLs. The switch's default route points to the ASA.

interface Loopback1
 ip address 10.10.0.1 255.255.255.255
!
interface Loopback11
 ip address 10.10.1.1 255.255.255.255
!
interface Loopback2
 ip address 10.20.0.1 255.255.255.255
!
interface Loopback22
 ip address 10.20.1.1 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.100.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.100.2

Testing and Verification

  • Turn on policy-route and ICMP debugging on the ASA with debug policy-route and debug icmp trace
  • Before sending live traffic, simulate each flow with packet-tracer, for example packet-tracer input INSIDE icmp 10.10.0.1 8 0 8.8.8.8; the output lists the phases the packet passes through, including the NAT rule matched and the egress interface, so a wrong next hop or a NAT rule bound to the wrong interface pair shows up without any debugging. The counters in show access-list ACL_PBR_ISP1 and show access-list ACL_PBR_ISP2 confirm which sequence traffic is hitting, and show route confirms that only the metric-1 default route is installed.
  • From the command line of the switch, ping an IP address on the internet: ping 8.8.8.8

From the debug output we can confirm that the source IP address of the traffic was 192.168.100.1 (the switch's interface address), which does not match the source addresses defined in either PBR ACL. The output reports no route policy found; skip to normal route lookup, in other words the traffic used the default route defined on the ASA. We can also see that the traffic was NATed behind the ISP_1 interface address 1.1.1.1.

  • Repeat the test from the switch, but source it from Loopback1: ping 8.8.8.8 source loopback1

From the ASA debug output we can confirm the source IP address of 10.10.0.1, which matches PBR sequence 10, and that the traffic is routed to the next hop 1.1.1.2. We can also confirm the traffic is NATed behind the ISP_1 interface address 1.1.1.1.

  • Repeat the test from the switch, but source it from Loopback2: ping 8.8.8.8 source loopback2

From the ASA debug output we can confirm the source IP address of 10.20.0.1, which matches PBR sequence 20, and that the traffic is now routed to the next hop 2.2.2.2. We can also confirm the traffic is NATed behind the ISP_2 interface address 2.2.2.1.

  • From a device on the outside of the ASA, ping the mapped address of DEVICE_ISP1: ping 1.1.1.11

From the debug output we can see the inbound request from 1.1.1.2 (the ISP router) arriving on the ISP_1 interface for 1.1.1.11, which is untranslated to 10.10.1.1 (switch interface Loopback11).

  • Repeat the test from a device on the outside of the ASA, pinging the mapped address of DEVICE_ISP2: ping 2.2.2.11

From the debug output we can see the inbound request from 2.2.2.2 (the ISP router) arriving on the ISP_2 interface for 2.2.2.11, which is untranslated to 10.20.1.1 (switch interface Loopback22). Note that in both inbound tests the reply is policy-routed by the same route-map, since the reply's source address falls in the matching ACL, so it leaves via the ISP on which the request arrived.