Cisco Firewall :: Policy Based Routing To ASA5550 Inside Interface?
Mar 4, 2011
Is it possible to establish PBR rules that set the ip next-hop to point directly to the inside interface of the ASA5550?Or, do I need to direct this PBR traffic first to a directly connected router interface and then default route to the ASA?At a high level, here's what we have:
ISP 1 - with /21 IP PrefixNo BGP Routing3845 Edge Router - Default Route to ISP 1PIX535 Firewalls (HA) - Default Route to Edge RouterLAN Core/Distribution - Default Route to PIX535 Inside InterfaceAll applications/services use this egress path for PAT/NAT/DMZ/VPN/Etc.
Here's what we are adding:
ISP 2 - with /24 IP PrefixNo BGP Routing3925E Edge Router - Default Route to ISP 2ASA5550 Firewalls (HA) - Default Route to Edge RouterSame connectivity to LAN Core/Distribution
Goals:Maintain ISP 1 for nowMigrate only end user Internet traffic to ISP 2No disruptions to applications/services using current DefGW to PIX535
Question: how to best use PBR to selectively direct traffic to the ASA inside interface?
I have problem while implementing policy based routing with a firewall. Let me explain in detail.
I have 2 remote site(Site A-small , Site B - Big) , Site B is connected with HQ with Tunnels 1 and 2 , Site B and Site A is connected with Tunnel 9941.
What I want is: Scenirio for Communication :
1)Site A--------->VPN Router Site B-----------> FW-------------->VPN Router Site B------------------>Central Site 2)Central Site--------->VPN Router Site B-----------> FW---------->VPN Router Site B-------------->Site A 3)Site B--------->FW-------------------->VPN Router Site B------>Central Site 4)Central Site--------->VPN Router Site B-------------------->FW------>Site B 5)Site A--------->VPN Router Site B-----------> Site B(no firewall) 6)Site B--------->VPN Router Site B-----------> Site A(no firewall)
How can I configure police-based nat to allow ICMP-only traffic on asaos 8.4.1 or 8.3?On 8.3 it was very simple:global (outside) 1 interface ,access-list outside_nat_outbound extended permit icmp any any,nat (outside) 1 access-list outside_nat_outbound.
I have two 1811's connected in a lab using a ipsec vpn tunnel (using a switch to simulate an internet connection between them).I am trying to configure one of the routers as a ZBPF just to allow a remote windows login (DC on the firewalled side, workstations on the other side).I'm trying to verify that the zbpf is working, but it doesn't seem to stop anything. I had match icmp added to the class-map, but took it out to test if icmp would fail. It didn't. Basically, I don't think the firewall is working at all. Any thoughts on how I can configure this so that the policies will work between zone-pairs?
Here's an quick drawing:
Here are the configurations:
Local router: hostname sdc-1811-LocalLab ! boot-start-marker boot-end-marker ! no aaa new-model ! resource policy
Last night I had a crack at setting up PBR on my companies Cisco 1811.Joy, I thought, it's actually working. Alas I was wrong, the addresses were getting translated to our ADSLs external ip address but routed over our EFM.What I want to acheive is to send all HTTP(s) traffic from our workstations over the ADSL (FastEthernet1) whilst all other traffic and VPN goes out over our Bonded ADSL (FastEthernet0). There is also a minor failover in place for traffic routed to the ADSL in the route-map PBR_VLAN1. The servers are on IPs 200, 202, 204 and 240.
Anyway, I have re-written the configuration and xxx'd and x.a/b/c'd all the IP addresses I want to keep secret. Need to make sure that the PBR is correct, and will do what I want it to? I have a very small time-frame to get this correct and I dont want to fudge the bucket so to speak.
I have a 1941 router configured for Policy based routing with two ISPs.Two static default routes configured to point the gateways of respoective ISPs with same metric.But the problem is, packets are going throug the one ISP only while doing traceroute.
ISP1-----> <----------------------> LAN1 | Router | ISP-------> <----------------------> LAN 2
Below is my configuration :
Current configuration : 5958 bytes ! ! Last configuration change at 05:18:56 UTC Mon Jun 25 2012 ! version 15.0 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption
I have been using a route map to pick WAN exit points (PBR) on a 3725 router. This have been working fine with /24 networks. I am trying to pick the first /28 piece out of the 10.1.1.0 network and send it out a different exit from the rest of that network. I have tried the /28 entry at the start and end of the route map, although I thought the first match would stop any further route map processing. The entry does not seem to have any effect, as traffic from all addresses in the 10.1.1.0 /24 network exit per the "route-map 10-LAN permit 11" section.
access-list 5 remark Ten Dot 1 low 63 IPs access-list 5 remark SDM_ACL Category=2access-list 5 remark Ten Dot One Low 63 IPs access-list 5 permit 10.1.1.0 0.0.0.63 log [ code]....
I have a simple design with 3750. I configured a route-map which define a next hop. I defined this route-map on a policy on a vlan interface.When I test some ping and a debug ip policy and it seems that my policy never match.Is there any mechanism that prevent the switch from using PBR? I think of CEF .
In our datacenter we have a 3750 stack with IP base image. I have enabled PBR and reloaded the switch. Show sdm prefer says i am using default template. The reason i want to use PBR is that we have 2 firewalls on the same work and want to be able to have granular control over which gateway out of the network they use but still be able to access all internal resouces accross wan and locally.
Created access list to identify traffic:
access-list 10 permit 10.2.3.59 (test workstation on vlan 3)
route-map TestASA permit 10 match ip address 10 set ip next-hop 10.2.0.3
Assigned policy to the user vlan3:
ip policy route-map TestASA
Results:It changed the default gateway to the above gateway but i could not access any resources on any other vlan, could not access resouces accross wan.
I have tried to make policy based routing on Cisco 3560. I use ipservices ios (SW version 12.2.(50)SE3 and SW-IMAGE C3560-IPSERVICESK9-M) For below configuration there is no problem and pbr is working.
“Access-list 100 permit ip host 126.96.36.199 host 188.8.131.52 Access-list 101 permit ip host 184.108.40.206 host 220.127.116.11 Route-map pbr1 permit 10 Match ip address 100 Set ip next-hop verify-availability 18.104.22.168 1 track 11 interface fasthethernet 0/1 ip policy route-map pbr1”
But when i add another sequence to the "pbr1" with another sequence number like that.
“Route-map pbr1 permit 11 Match ip address 101 Set ip next-hop verify-availability 22.214.171.124 1 track 12”
pbr is not working. Switch gives message "PLATFORM_PBR-3-UNSUPPORTTED_RMP:Route-map pbr1 not supported for Policy Based Routing”"ip policy route-map pbr1" command not shown in the running config. And "show ip policy" output is blank.Configuration guide says you have insert many sequence to the route-map with the same name. And also this command is not in the unsupported command list.
I have a simple design with 3750.I configured a route-map which define a next hop.I defined this route-map on a policy on a vlan interface.When I test some ping and a debug ip policy and it seems that my policy never match.Is there any mechanism that prevent the switch from using PBR?
I am having a problem with PBR done on a 7604-S router - It seems like it is not done in harware. I have an Iperf client and an Iperf server, and would like to test the performance of 7600 router for PBR, supervisor is RSP720-3C-G and used interface card is 7600-ES20-GE3C ESM20G.
I have read numerous discussions about PBR that is supposed to happen in hardware when you use it with matching access-list and set ip next-hop.Although, when I start the iperf, the 7600 cpu is hitting the 80-90 % boundary, and transfer bandwidth can't go over 120-130 Mbit/s.The IP Policy is applied on an interface part of vrf ONE maybe this is casing the problem... ?
The diagram and configuration follows: Configuration:
c7604#sh run boot system flash disk0:c7600rsp72043-advipservicesk9-mz.122-33.SRE2.bin ! ip vrf one [Code]...
I've been implementing a setup where a remote office has a Cisco 1900 router. There are 2 GRE/ IP SEC tunnels to the headquarters, 1 over public internet, 1 over a private cloud. Because of some MTU issues we have to clear the DF bit for some of the traffic, but we also want to use PBR to send https traffic over the "public internet" tunnel and the rest of the traffic over the "private cloud" tunnel. I'm able to clear the DF bit and to do the PBR with route-maps, but I'm not able to implement both functionality at the same time.
I have 3560 with attached 3 networks, 172.16.1.0/24 172.16.2.0/24 and 172.16.4.0/24, all of them have a vlan interface, 172.16.1.254, 172.16.2.254, and 172.16.4.254, I have enabled intervlan routing with command ip routing and they have route beetwen each other. Now I want to create PBR and let them go to the internet from different gateways.
so i did 3 access list:
access-list 20 permit 172.16.1.0 0.0.0.255 access-list 10 permit 172.16.2.0 0.0.0.255 access-list 30 permit 172.16.4.0 0.0.0.255 and 3 pbr route-map supnet permit 20 match ip address 10 set ip next-hop 172.16.2.3 route-map blade permit 20 match ip address 30 set ip next-hop 172.16.4.250 route-map main permit 20 match ip address 20 set ip next-hop 172.16.1.4
attached them to corresponding vlan interfaces and everything ok they have different gateways to internet but now I dont have routing beetwen them?
I need to setup my 6509 with PBR going to two different Firewalls. The 6509 has vlans and multiple serial interfaces. What/where do I install the policy-maps? I want to direct one of the vlans to one firewall and the other vlans and wan subnets to the other firewall.
My question is can my traffic goes from inside interface to outside interface? (because the inside interface address not from 10.0/172./192.168 private address)Also I'm allowing internet from this email server (126.96.36.199) so what my access list to be configured? and what my subnet mask shoud be there?
Pix(config)#access-list outbound permit tcp 188.8.131.52 255.255.0.0 any eq 80 Pix(config)#access-list outbound permit udp 184.108.40.206 255.255.0.0 any eq 53 Pix(config)#access-group outbound in interface inside
I'm trying to configure a zone-based firewall on an SR520 and am confused about the 'not' criterion. The 'zone-design-guide' says (my stress): Class- maps define the traffic that the firewall selects for policy application. Layer 4 class-maps sort the traffic based on these criteria listed here. These criteria are specified using the match.where my intention is to let only LAN hosts with IPs in the range 192.168.1.1 to 192.168.1.7 out through the firewall. There may be an easier way of doing this which I'd be pleased to hear about. But, even if there is, I'd also be interested to know what I'm doing wrong in the above.
I have set up a zone-based policy firewall with HA on two 2911 routers as per the Cisco security configuration guide, for an active/passive LAN-LAN cluster. All works as expected, but there is one problem I find: when the control link between the two devices fails, they go into an active/active state as each member assumes it's the last surviving member. The ARP entries for the Virtual IPs on the neighboring devices point to the device that last claimed the active role (usually the standby device). This works in a way, just sessions don't get synched anymore (control link is the same as data link). Now when the link comes back up, the preemtion works and the active, former standby device goes back to standby. But the ARP entries on the neighboring devices still point to the standby device and nothing goes (also sessions established during the active/active state are lost due to resync with the now active member).
This is a single point of failure and what I need is a way to mitigate that. Under:
redundancy application redundancy group 1 control <interface> protocol 1
only one control interface is allowed. Other manufacturers with similar functionality provide for the possibilty of a backup control link, for example the internal LAN interface or a dedicated backup link.
How would I go about that? Maybe use a port-channel for the control/data link (but I'm out of interfaces)?
I have an ASA 5505 at each of three locations. We have VPN tunnels set up between the three sites. I am currently using a single ISP to control the traffic between the sites. I am adding a new ISP to the mix. The goal is to have any internet traffic routed to ISP 2 and all internal traffic routed to ISP 1.The ASA does not do policy based routing (mostly because it is a firewall, not a router). I need to configure a router that will accept the output of the ASA and route it according to the above rule. All incoming routing will be done through ISP 1. Any suggestion on the device and the methodology to set it up? I am planning on doing this in each location.
I have a Cisco ASA 5505 and I have my internal and external interfaces configured but I currently cannot ping from the inside to an IP Address on the outside. I had this setup and working and I have another set of equirement that I am replacing that is working with my service provider so I know it is a configuration issue. When I ping 220.127.116.11 for example I get:
Destination host unreachable
Do I need to add a static route from my inside interface to my outside interfaces?
I am getting ready to deploy a 3945 ISR to serve as an internet and core router for and remote site. I will be terminating a site-to-site VPN tunnel on it and also configuring a zone based firewall config between my "outside" (internet link) and "inside" (all internal nets). My question is about how to approach securing the WAN interface with the Zone based FW in place?what kind of ACL do I need beyond those allowing and restricting remote access to the outside ip?
I have made some test and i noticed that qos input policy does not classify the icmp packet based on their dscp.The "match dscp ef" or "match precedence 5" is not working only the "match protocol icmp" shows hits.
We need to classify the different icmp packets based on dscp ( TOS ) for measurement purpose.CISCO 7200, 12.4.25d and 12.4.20T have a same behavior.
I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 Vlan in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to setup a second inside interface on the firewall and configure it as failover incase this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? would it only be a passive/standby interface?
I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.