Finally we have PBR on Cisco ASA’s!!
I normally don’t need this feature but we have a few clients with multiple connections and this now means I can do all the traffic control from an ASA without the needing to use a Cisco ISR.
This is straight forward to do in ASDM but I will explain how to do on CLI as its not very complicated and far quicker.
I am assuming you have two working internet connections already connected to the Cisco ASA. I have my normal default route set to Priority 1 and the 2nd connection set to 2.
First create the Access-List for the traffic you want to redirect. Below I have an ACL called PBR and Im interested in traffic coming from 4 servers:
CiscoASA5512X# sh access-list PBR
access-list PBR; 4 elements; name hash:
access-list PBR line 1 extended permit ip host 192.168.1.236 any
access-list PBR line 2 extended permit ip host 192.168.1.237 any
access-list PBR line 3 extended permit ip host 192.168.1.238 any
access-list PBR line 4 extended permit ip host 192.168.1.239 any
Create the PBR like so:
route-map PBR permit 2
match ip address PBR
set ip next-hop recursive X.X.X.X
set interface DSL1
Note I have used “set ip next-hop recursive”. This is because I actually have a little Draytek 120 connected with an ADSL connection and if you do not use recursive you will get a match on the PBR but you will not get traffic to flow through the 2nd interface. This is because its not directly connected. Please see this link for more info (http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/12s_pbr.html)
If your connection is directly connected use “set ip next-hop X.X.X.X”
Once you have the PBR created you just need to assign to the LAN or inside interface like so:
ip address 192.168.1.254 255.255.255.0
policy-route route-map PBR
If I then run the packet-tracer you will see it exit out of the 2nd interface Successfully:
CiscoASA5512X# packet-tracer input LAN tcp 192.168.1.236 443 126.96.36.199 443
nat (LAN,DSL1) after-auto source dynamic any interface
Dynamic translate 192.168.1.236/443 to X.X.X.X.X/23
Please make sure you have a Dynamic NAT Configured for the 2nd interface (just in case you forget)