Cisco ASA 9.4 – Policy Based Routing


It has finally happened: policy based routing is available for the Cisco ASA platform, arriving with version 9.4 of the ASA software. While policy based routing is usually done on the routers themselves, there are definite uses for having it on your ASA firewall, such as multihomed connections.

For those unfamiliar with policy based routing, it basically allows you to match specific traffic with an access list and then set specific actions for that traffic. The most common action you will see is setting the next-hop IP. Users dealing with multiple ISPs can now specify which ISP is used based on things like which source the traffic is coming from. This was not possible before this update. There is a catch, though, as there always is with new things: this update is only available for the newer X series firewalls like the 5545-X. Unfortunately, that old 5505 and 5510 that are hanging around will not be getting this update anytime soon.

If you are looking at configuring this on your ASA running 9.4, here’s an example on how to get started straight from Cisco’s site:


Examples for Route Map Configuration

In the following example, since no action or sequence number is specified, an implicit action of permit and a sequence number of 10 are assumed:

ciscoasa(config)# route-map testmap

In the following example, since no match criteria are specified, an implicit match of 'any' is assumed:

ciscoasa(config)# route-map testmap permit 10
ciscoasa(config-route-map)# set ip next-hop 1.1.1.10

In this example, all traffic matching <acl> is policy routed and forwarded through the outside interface:

ciscoasa(config)# route-map testmap permit 10
ciscoasa(config-route-map)# match ip address <acl>
ciscoasa(config-route-map)# set interface outside

In this example, since no interface or next-hop action is configured, all traffic matching <acl> has its DF bit and DSCP fields modified as configured and is then forwarded using normal routing:

ciscoasa(config)# route-map testmap permit 10
ciscoasa(config-route-map)# match ip address <acl>
ciscoasa(config-route-map)# set ip df 1
ciscoasa(config-route-map)# set ip precedence af11
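The snippets above show the route-map pieces in isolation. The following is an added example, not from this post or from Cisco's documentation, that puts the multi-ISP case from earlier together end to end on ASA 9.4: the access list that selects the traffic, the route map that sets the next hop, and the policy-route statement that applies the map on the ingress interface. Interface names, the GUEST_TO_ISP2 and GUEST_PBR names, and all addresses are assumed for illustration.

```cisco
! Added example (not from the post or Cisco's docs). Goal: traffic from the
! guest LAN leaves via ISP2, everything else follows the routing table (ISP1).
! Interface names, route-map/ACL names and addresses are assumed.
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
! Default route via ISP1: this is what non-matching traffic keeps using.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Select only the guest subnet as source. The deny entry excludes traffic
! bound for the internal 10.0.0.0/8 range (assumed to hold the other internal
! networks), so a deny here means "do not policy route", not "drop".
access-list GUEST_TO_ISP2 extended deny ip 10.10.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list GUEST_TO_ISP2 extended permit ip 10.10.0.0 255.255.255.0 any
!
! Matching traffic is handed to ISP2's gateway instead of the routing table.
route-map GUEST_PBR permit 10
 match ip address GUEST_TO_ISP2
 set ip next-hop 198.51.100.1
!
! PBR is evaluated on the interface where the traffic arrives, so the map
! is applied to the inside (ingress) interface, not to outside2.
interface GigabitEthernet0/2
 policy-route route-map GUEST_PBR
```

A few points worth checking once this is in place. Keep the match ACL as narrow as possible: anything it permits bypasses the normal route lookup, so an overly broad entry can silently send traffic out an interface you did not intend. Your NAT rules must also cover the outside2 interface, or the policy-routed flows will leave with an internal source address. Finally, a plain set ip next-hop does not fail over if the ISP2 gateway goes down; if that matters, look at the tracked next-hop options in the ASA PBR documentation. To confirm the behaviour without generating live traffic, show route-map GUEST_PBR displays the map and its hit counts, and packet-tracer input inside tcp 10.10.0.50 12345 192.0.2.10 80 walks a constructed guest packet through the ASA and reports which interface it would egress.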
