The Cisco ASA firewall in this example is connected to two ISPs, as shown in the diagram below:
The requirement is to route web traffic (HTTP on TCP port 80 and HTTPS on TCP port 443) through ISP01 and all other Internet traffic through ISP02.
Configuration
Step 1
First let’s configure the interfaces:
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/1
nameif ISP01
security-level 0
ip address 103.255.180.2 255.255.255.252
interface GigabitEthernet0/2
nameif ISP02
security-level 0
ip address 221.135.1.2 255.255.255.252
Step 2
Create an Access Control List (ACL) that matches the traffic the PBR policy should handle.
object-group service WEB-ports tcp
port-object eq 443
port-object eq 80
access-list PBR_ACL extended permit tcp 192.168.10.0 255.255.255.0 any object-group WEB-ports
The above ACL matches TCP traffic from the internal network (192.168.10.0/24) to any destination with destination port 80 or 443.
Step 3
Just like PBR on IOS routers, we need to create a route-map that matches the traffic in the ACL created above and then applies a routing policy to that traffic.
In this case, we will apply a next-hop IP to this traffic flow so that packets will be routed through ISP01 (103.255.180.1).
route-map PBR permit 2
match ip address PBR_ACL
set ip next-hop 103.255.180.1
Step 4
Apply the PBR policy to the ingress interface on which the routing policy should be enforced. Here that is the “inside” interface (GigabitEthernet0/0) facing the internal network; PBR on the ASA is evaluated on the interface where traffic enters, not where it leaves.
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
policy-route route-map PBR
Step 5
We need to configure NAT and also configure appropriate default routes.
nat (inside,ISP01) 1 source dynamic any interface
nat (inside,ISP02) 2 source dynamic any interface
The NAT rules above are dynamic PAT (Port Address Translation) rules: outbound traffic from “inside” to “ISP01” is translated to the address of the ISP01 interface, and outbound traffic from “inside” to “ISP02” to the address of the ISP02 interface. The rule whose mapped interface matches the egress interface the ASA selects for a flow is the one applied, so web traffic steered by PBR leaves with the ISP01 address and everything else with the ISP02 address.
route ISP01 0.0.0.0 0.0.0.0 103.255.180.1 50
route ISP02 0.0.0.0 0.0.0.0 221.135.1.1
The default routes above send all other traffic through ISP02: its default route keeps the default administrative distance (AD) of 1, while the ISP01 default route is configured with AD 50 and therefore acts only as a floating backup that is installed if the ISP02 route disappears. Traffic that matches the PBR policy (TCP ports 80 and 443) is sent through ISP01 by the route-map regardless of the routing table. Note that the PBR next-hop is applied unconditionally in this configuration: if ISP01's upstream gateway stops forwarding while the interface stays up, web traffic is still sent to 103.255.180.1. Falling back to normal routing in that case requires next-hop tracking (set ip next-hop verify-availability with an SLA track object), which this example does not configure. PBR itself requires ASA software 9.4(1) or later.
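As an added example (not ASA code and not part of the original article), the following Python models the decision order the configuration above depends on: PBR is evaluated on the ingress interface first, then the routing table (longest prefix, lowest administrative distance), and finally the NAT rule for the resulting interface pair. The interface names, addresses, ports and next-hops are the ones used in the article; the data structures and function names are the example's own, and the model deliberately ignores everything else the ASA does (access rules, the connection table, ARP). It is useful for checking what a given flow should do before confirming the same thing with packet-tracer on the real box.

```python
"""Model of how the two-ISP ASA in the article chooses an egress path.

Added example, not ASA code: it reproduces the decision order the article
relies on (PBR on the ingress interface, then routing table, then NAT) so
the design can be reasoned about offline. Addresses are from the article.
"""
import ipaddress
from dataclasses import dataclass

# Interfaces from Step 1 (nameif -> address/mask).
INTERFACES = {
    "inside": ipaddress.ip_interface("192.168.10.1/24"),
    "ISP01": ipaddress.ip_interface("103.255.180.2/30"),
    "ISP02": ipaddress.ip_interface("221.135.1.2/30"),
}

# object-group service WEB-ports tcp / port-object eq 80, 443 (Step 2).
WEB_PORTS = {80, 443}
PBR_NEXT_HOP = "103.255.180.1"  # route-map PBR: set ip next-hop (Step 3)

# Static routes from Step 5: (prefix, interface, next-hop, administrative distance).
# Directly connected networks are implied by INTERFACES and always win.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "ISP01", "103.255.180.1", 50),
    (ipaddress.ip_network("0.0.0.0/0"), "ISP02", "221.135.1.1", 1),
]

# Manual NAT from Step 5: (real_ifc, mapped_ifc) -> "interface" PAT.
NAT_RULES = {("inside", "ISP01"): "interface", ("inside", "ISP02"): "interface"}


@dataclass(frozen=True)
class Flow:
    ingress: str  # interface the packet arrives on
    proto: str    # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def pbr_acl_matches(flow: Flow) -> bool:
    """access-list PBR_ACL extended permit tcp 192.168.10.0/24 any object-group WEB-ports"""
    return (flow.proto == "tcp"
            and ipaddress.ip_address(flow.src) in ipaddress.ip_network("192.168.10.0/24")
            and flow.dport in WEB_PORTS)


def route_lookup(dst: str, routes=ROUTES):
    """Return (egress interface, next hop): connected first, then longest prefix, then lowest AD."""
    d = ipaddress.ip_address(dst)
    for name, ifc in INTERFACES.items():
        if d in ifc.network:
            return name, dst  # directly connected: next hop is the host itself
    candidates = [r for r in routes if d in r[0]]
    if not candidates:
        return None, None
    best = min(candidates, key=lambda r: (-r[0].prefixlen, r[3]))
    return best[1], best[2]


def egress_for_next_hop(next_hop: str):
    """A PBR next-hop is reached through the interface whose subnet contains it."""
    nh = ipaddress.ip_address(next_hop)
    for name, ifc in INTERFACES.items():
        if nh in ifc.network:
            return name
    return None


def forward(flow: Flow, routes=ROUTES) -> dict:
    """Decide egress interface, next hop and translated source address for a flow."""
    if flow.ingress == "inside" and pbr_acl_matches(flow):
        # policy-route route-map PBR is applied on "inside" only (Step 4);
        # the route-map does not consult the routing table at all.
        next_hop = PBR_NEXT_HOP
        egress = egress_for_next_hop(next_hop)
        via = "pbr"
    else:
        egress, next_hop = route_lookup(flow.dst, routes)
        via = "route"
    if egress is None:
        return {"egress": None, "next_hop": None, "nat_src": None, "via": via}
    # nat (inside,<egress>) source dynamic any interface -> PAT to the egress address.
    nat_src = flow.src
    if NAT_RULES.get((flow.ingress, egress)) == "interface":
        nat_src = str(INTERFACES[egress].ip)
    return {"egress": egress, "next_hop": next_hop, "nat_src": nat_src, "via": via}


if __name__ == "__main__":
    https = Flow("inside", "tcp", "192.168.10.10", "8.8.8.8", 443)
    ssh = Flow("inside", "tcp", "192.168.10.10", "8.8.8.8", 22)
    print(forward(https))  # ISP01 via PBR, PAT to 103.255.180.2
    print(forward(ssh))    # ISP02 via the AD-1 default route, PAT to 221.135.1.2
    # Failure mode: even with the ISP01 default route gone, the PBR next-hop is
    # still applied, because nothing in this configuration tracks its availability.
    print(forward(https, [r for r in ROUTES if r[1] != "ISP01"]))
```

The third call in the `__main__` block is the caveat from Step 5 made concrete: removing ISP01's route changes nothing for web traffic, which is exactly why next-hop tracking is needed if ISP01 is allowed to fail.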
Verification
Now let’s look at some verification commands for the configuration we just completed:
– show route-map shows a summary of the route map: which ACL it matches and the next-hop IP it sets.
– packet-tracer simulates a packet through the firewall, including the PBR and route lookups, and reports the egress interface. Run it once with an inside source address and TCP destination port 443 and confirm the output interface is ISP01, then again with a non-web destination port and confirm it is ISP02.
– show run | include nat lists the two PAT rules; show nat and show xlate confirm which rule a live flow actually hit.
– show run | include route lists the static routes; show route shows which default route is currently installed (ISP02 with AD 1, with the ISP01 route held as the floating backup).
See more details: Configure routing based on PBR (Policy Based Routing) with Cisco Firewall