It has finally happened: policy based routing (PBR) is available for the Cisco ASA platform, starting with version 9.4 of the ASA software. Much of the time policy based routing is done on the routers themselves, but there are definitely uses for having it on your ASA firewall, such as multihomed connections with more than one ISP.
For those unfamiliar with policy based routing: it lets you match specific traffic with an access list and then apply actions to that traffic instead of relying purely on the routing table. The most common action you will see is setting the next-hop IP. On the ASA the route map is applied to the ingress interface, so the decision is made on the inbound traffic before the normal route lookup. Users with multiple ISPs can now choose which ISP is used based on things like the source of the traffic, which was not possible before this update. There is a catch, as there always is with new things: this update is only available for the newer X-series firewalls such as the 5545-X. Unfortunately, the old 5505 and 5510 that are still hanging around will not get this update anytime soon.
If you are looking at configuring this on an ASA running 9.4, here are some examples on how to get started, taken straight from Cisco's site:
Examples for Route Map Configuration
In the following example, since no action and no sequence number are specified, an implicit action of permit and a sequence number of 10 are assumed:

ciscoasa(config)# route-map testmap

In the following example, since no match criteria are specified, an implicit match of "any" is assumed:

ciscoasa(config)# route-map testmap permit 10
ciscoasa(config-route-map)# set ip next-hop 220.127.116.11

In this example, all traffic matching <acl> is policy routed and forwarded through the outside interface:

ciscoasa(config)# route-map testmap permit 10
ciscoasa(config-route-map)# match ip address <acl>
ciscoasa(config-route-map)# set interface outside

In this example, since no interface or next-hop action is configured, all traffic matching <acl> has its DF bit and DSCP field modified as configured and is then forwarded using normal routing (AF11 is a DSCP value, so the DSCP field is set with set ip dscp):

ciscoasa(config)# route-map testmap permit 10
ciscoasa(config-route-map)# match ip address <acl>
ciscoasa(config-route-map)# set ip df 1
ciscoasa(config-route-map)# set ip dscp af11
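The Cisco snippets above only show route-map fragments. Below is an added, complete multihomed example that is not from Cisco's documentation or from this post: two inside subnets are steered to two different ISPs, the ISP-A next hop is only used while it answers ICMP, and the route map is applied to the ingress (inside) interface. All names, interface names, subnets and addresses (10.1.10.0/24, 10.1.20.0/24, 203.0.113.1, 198.51.100.1, outside-a, outside-b, PBR-INSIDE) are constructed for the example.

```cisco
! Constructed example (not from Cisco's docs or this post). Hosts in 10.1.10.0/24
! leave via ISP-A (next hop 203.0.113.1 on outside-a); hosts in 10.1.20.0/24 leave
! via ISP-B (next hop 198.51.100.1 on outside-b). Traffic between internal networks
! must keep following the routing table.
!
! ACLs used only as route-map match criteria. A deny entry means "this clause does
! not match", so the internal destinations are excluded before the permit, and PBR
! never hijacks inside-to-inside traffic.
object-group network INTERNAL
 network-object 10.0.0.0 255.0.0.0
!
access-list PBR-ISP-A extended deny ip 10.1.10.0 255.255.255.0 object-group INTERNAL
access-list PBR-ISP-A extended permit ip 10.1.10.0 255.255.255.0 any
access-list PBR-ISP-B extended deny ip 10.1.20.0 255.255.255.0 object-group INTERNAL
access-list PBR-ISP-B extended permit ip 10.1.20.0 255.255.255.0 any
!
! Reachability tracking for the ISP-A gateway. With "verify-availability" the
! next hop is only used while track 1 is up; otherwise the packet falls through
! to normal routing instead of being black-holed at a dead gateway.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside-a
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
route-map PBR-INSIDE permit 10
 match ip address PBR-ISP-A
 set ip next-hop verify-availability 203.0.113.1 1 track 1
route-map PBR-INSIDE permit 20
 match ip address PBR-ISP-B
 set ip next-hop 198.51.100.1
! Anything not matched by sequence 10 or 20 is routed with the routing table.
!
! PBR is applied on the interface where the steered traffic enters the ASA.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 policy-route route-map PBR-INSIDE
!
! Verification
show route-map PBR-INSIDE
show track 1
```

Two things to check before relying on this: NAT must be configured for both outside interfaces, since a policy-routed packet leaving outside-b will not be translated by a NAT rule written only for outside-a, and the return traffic for each session must come back through the same ISP or the ASA will drop it as an asymmetric flow.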