I’m trying to get PBR working, but after tons of reading and research, it’s not working as expected and I’m not sure why.
Interfaces:
INSIDE
COBC
COBC-LGNET
CC-LGNET
Network Groups:
COBC-LGNET-SRC – all subnets accessible via the COBC interface
CC-LGNET-SRC – all subnets accessible via the INSIDE interface
LGNET-DEST – all subnets accessible via the COBC-LGNET or the CC-LGNET interfaces
Gateways:
COBC-LGNETROUTER – directly connected to COBC-LGNET interface
CC-LGNETROUTER – directly connected to CC-LGNET interface
My Logic:
“if source = COBC-LGNET-SRC and destination = LGNET-DEST then gw = COBC-LGNETROUTER”
“if source = CC-LGNET-SRC and destination = LGNET-DEST then gw = CC-LGNETROUTER”
Why I need PBR:
COBC traffic is expected to show up on the LGNET router on its COBC-LGNETROUTER interface
CC traffic is expected to show up on the LGNET router on its CC-LGNETROUTER interface
Config I’ve implemented to accomplish My Logic:
access-list COBC-LGNET-PBR extended permit ip object-group COBC-LGNET-SRC object-group LGNET-DEST
route-map COBC-LGNET-RT-MAP permit 10
 match ip address COBC-LGNET-PBR
 match interface COBC
 set ip next-hop <COBC-LGNETROUTER ip address>
 set interface COBC-LGNET
interface GigabitEthernet1/0
 nameif COBC
 security-level 50
 ip address xxxxxxx
 policy-route route-map COBC-LGNET-RT-MAP
I have not bothered with PBR config to cover the CC part of my logic yet; I want to see COBC work as expected first.
Additional info:
There is an IPSec tunnel between COBC interface and another ASA5515x.
There is a No-NAT statement covering traffic between COBC-LGNET-SRC and LGNET-DEST
When I watch the output from debug policy-route, I see traffic that should match, but it all states: pbr: no route policy found; skip to normal route lookup
Any ideas?
Thank you.
EDIT: forgot to mention, no matter what I do, zero hits are matching when I issue this on the CLI: show access-list COBC-LGNET-PBR
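The two rules under "My Logic", modelled as an added, simplified route-map evaluator (not part of the post and not Cisco's code): each clause applies only when its ACL permits the flow and the ingress interface also matches, otherwise the packet falls back to the normal route lookup the debug output mentions. The prefixes and gateway names are constructed stand-ins, since the real addresses are not given in the post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample prefixes standing in for the object-groups named in the post;
# the real subnets and router addresses are not given there.
GROUPS = {
    "COBC-LGNET-SRC": ["10.10.0.0/16", "10.11.0.0/16"],
    "CC-LGNET-SRC": ["10.20.0.0/16"],
    "LGNET-DEST": ["172.16.0.0/12"],
}
NORMAL_LOOKUP = "pbr: no route policy found; skip to normal route lookup"


def in_group(group: str, ip: str) -> bool:
    """True if ip falls inside any prefix of the named object-group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in GROUPS[group])


@dataclass
class Clause:
    """One route-map permit clause: an extended ACL match plus an ingress-interface match."""
    name: str
    acl_src: str       # object-group referenced as source in the 'permit ip' ACE
    acl_dst: str       # object-group referenced as destination in the ACE
    ingress: str       # 'match interface' value
    next_hop: str      # 'set ip next-hop' target (gateway name in this model)
    acl_hits: int = 0  # ACE matches seen by this model (what 'show access-list' would count)


def acl_permits(c: Clause, src: str, dst: str) -> bool:
    """Evaluate the clause's ACE and record a hit when it permits the flow."""
    permitted = in_group(c.acl_src, src) and in_group(c.acl_dst, dst)
    if permitted:
        c.acl_hits += 1
    return permitted


def policy_route(route_map: list, src: str, dst: str, ingress: str) -> str:
    """Walk clauses in order; all match statements of a clause must hold for it to apply."""
    for c in route_map:
        if acl_permits(c, src, dst) and c.ingress == ingress:
            return c.next_hop
    return NORMAL_LOOKUP


# The two rules from "My Logic", one clause each (CC clause matches the INSIDE interface).
ROUTE_MAP = [
    Clause("COBC-LGNET-RT-MAP", "COBC-LGNET-SRC", "LGNET-DEST", "COBC", "COBC-LGNETROUTER"),
    Clause("CC-LGNET-RT-MAP", "CC-LGNET-SRC", "LGNET-DEST", "INSIDE", "CC-LGNETROUTER"),
]
```

A flow whose ACE never permits it leaves the clause's acl_hits at zero, which is the same symptom as the empty hit count in the EDIT; a flow the ACE permits but that arrives on a different interface still falls back to the normal lookup.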