EXOS Lose Internal Access After Applying Policy Based Routing
‎11-07-2016 08:19 PM
We are trying to route traffic from a particular server out an ASA firewall. We are moving from a Cisco core where we had the following in place:
ip access-list extended PBR-ASA
permit ip host 10.10.34.54 any
!
route-map ASA-MAP permit 10
match ip address PBR-ASA
set ip default next-hop 10.10.0.3
The behavior on the Cisco was basically to set the 0.0.0.0 route for that particular server to point to the ASA (10.10.0.3), but it still seemed to use all other routes internally so internal connectivity was just fine.
We have tried the following, but when we apply this we lose internal access to the Server (10.10.34.54):
entry PBR-ASA {
    if match all {
        source-address 10.10.34.54/32;
    }
    then {
        redirect 10.10.0.3;
        count pbr-asa;
    }
}
I was applying this Access-List to the vlan that this server belonged to:
configure access-list PBR-ASA vlan VLAN305 ingress
We only want this server to redirect to 10.10.0.3 for its external access. Any ideas on how to achieve this?
Thanks!
14 REPLIES
‎11-08-2016 07:42 PM
Hi Ty,
you could add an ACL entry to permit traffic from the server to any internal network before the redirect entry. That way internal traffic will be forwarded normally, only external traffic would use PBR, similar to setting a different default route via PBR in Cisco IOS.
Erik
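An EXOS policy file that implements Erik's suggestion, added here as an example and not taken from the original thread: a permit entry for the server's internal destinations sits before the redirect entry, so first-match evaluation exempts internal traffic and only the remaining (external) traffic is redirected to the ASA. The entry name INTERNAL-BYPASS and the internal range 10.0.0.0/8 are assumptions; substitute the real internal prefixes (one permit entry per prefix if they are not summarizable).

```text
# Added example policy (PBR-ASA.pol). Entries are evaluated top down; first match wins.
# Assumption: every internal network falls within 10.0.0.0/8 - replace with the real prefixes.
entry INTERNAL-BYPASS {
    if match all {
        source-address 10.10.34.54/32;
        destination-address 10.0.0.0/8;
    }
    then {
        # normal routed forwarding, no redirect
        permit;
        # counter to verify that internal traffic hits this entry
        count internal-bypass;
    }
}
entry PBR-ASA {
    if match all {
        source-address 10.10.34.54/32;
    }
    then {
        # everything else from the server (external destinations) goes to the ASA
        redirect 10.10.0.3;
        count pbr-asa;
    }
}
```

Validate the file with `check policy PBR-ASA` and reload it with `refresh policy PBR-ASA` while it is still applied ingress on VLAN305; afterwards `show access-list counter` should show internal-bypass incrementing for internal destinations and pbr-asa only for external ones.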
‎11-08-2016 02:54 PM
Jeremy,
This is on some x670 switches. Does the flow-redirect 'add nexthop' work similar to the 'set ip default next-hop' in Cisco?
Thanks!
‎11-08-2016 02:54 PM
Hi Ty,
the list of nexthop entries created via add nexthop are used to define fallbacks if one (or more) nexthop(s) is(are) unreachable. This is different from setting a different default route via PBR in Cisco IOS.
Erik
‎11-07-2016 09:55 PM
Also, what equipment do you have?
‎11-07-2016 09:35 PM
