ASA 5515x v9.6(1) Policy Based Routing

I’m trying to get PBR working, but after tons of reading and research, it’s not working as expected and I’m not sure why.
Network Groups:
COBC-LGNET-SRC – all subnets accessible via the COBC interface
CC-LGNET-SRC – all subnets accessible via the INSIDE interface
LGNET-DEST – all subnets accessible via the COBC-LGNET or the CC-LGNET interfaces

COBC-LGNETROUTER – directly connected to COBC-LGNET interface
CC-LGNETROUTER – directly connected to CC-LGNET interface

My Logic:
“if source = COBC-LGNET-SRC and destination = LGNET-DEST then gw = COBC-LGNETROUTER”
“if source = CC-LGNET-SRC and destination = LGNET-DEST then gw = CC-LGNETROUTER”

Why I need PBR:
COBC traffic is expected to show up on the LGNET router on its COBC-LGNETROUTER interface
CC traffic is expected to show up on the LGNET router on its CC-LGNETROUTER interface

Config I’ve implemented to accomplish My Logic:

access-list COBC-LGNET-PBR extended permit ip object-group COBC-LGNET-SRC object-group LGNET-DEST

route-map COBC-LGNET-RT-MAP permit 10
 match ip address COBC-LGNET-PBR
 match interface COBC
 set ip next-hop <COBC-LGNETROUTER ip address>
 set interface COBC-LGNET

interface GigabitEthernet1/0
 nameif COBC
 security-level 50
 ip address xxxxxxx
 policy-route route-map COBC-LGNET-RT-MAP

I have not bothered with PBR config to cover the CC part of my logic yet - I want to see COBC work as expected first.

Additional info:
There is an IPSec tunnel between COBC interface and another ASA5515x.
There is a No-NAT statement covering traffic between COBC-LGNET-SRC and LGNET-DEST
When I watch the output from debug policy-route I see traffic that should match, but it all states pbr: no route policy found; skip to normal route lookup

Any ideas?

Thank you.

EDIT: forgot to mention, no matter what I do, zero hits are matching when I issue this on the CLI: show access-list COBC-LGNET-PBR

Hi Kris,

Are you still having issues with this?

Two things come to mind. First of all, did you try removing match interface? You don’t really need this. Also try to get rid of set interface.

An access-list with matching traffic and setting the next hop is all you need. Here is a working example:

hostname ASA1
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 
 policy-route route-map PBR
interface GigabitEthernet0/1
 nameif OUTSIDE1
 security-level 0
 ip address 
interface GigabitEthernet0/2
 nameif OUTSIDE2
 security-level 0
 ip address 
access-list ISP2_L0 extended permit ip any host
route-map PBR permit 10
 match ip address ISP2_L0
 set ip next-hop
route OUTSIDE1 1
: end
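
To make the evaluation in the reply above concrete (one ACL match and one next hop per route-map clause, first matching clause wins, otherwise fall through to the normal routing table), here is a small Python model of that logic built from Kris's object-group names. It is an added illustration, not ASA code or anything from the original posts; the subnets and gateway addresses are constructed placeholders, and it ignores ingress-interface binding, which on the ASA comes from where the policy-route statement is applied, not from a match interface line.

```python
import ipaddress

# Constructed sample data: placeholder subnets and gateways, not the
# poster's real addressing.
OBJECT_GROUPS = {
    "COBC-LGNET-SRC": ["10.10.0.0/16"],
    "CC-LGNET-SRC": ["10.20.0.0/16"],
    "LGNET-DEST": ["172.16.0.0/16", "172.17.0.0/16"],
}

# Each extended ACL is a list of ACEs: (source group, destination group).
ACLS = {
    "COBC-LGNET-PBR": [("COBC-LGNET-SRC", "LGNET-DEST")],
    "CC-LGNET-PBR": [("CC-LGNET-SRC", "LGNET-DEST")],
}

# route-map clauses in sequence order: one "match ip address" ACL and
# one "set ip next-hop" per clause (placeholder router addresses).
ROUTE_MAP = [
    {"seq": 10, "acl": "COBC-LGNET-PBR", "next_hop": "192.0.2.1"},  # COBC-LGNETROUTER
    {"seq": 20, "acl": "CC-LGNET-PBR", "next_hop": "192.0.2.2"},    # CC-LGNETROUTER
]


def in_group(group, addr):
    """True when addr falls inside any network of the object-group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in OBJECT_GROUPS[group])


def acl_permits(acl, src, dst):
    """First matching ACE wins; no matching ACE means no hit (implicit deny)."""
    return any(in_group(s, src) and in_group(d, dst) for s, d in ACLS[acl])


def pbr_next_hop(src, dst):
    """Next hop set by the first clause whose ACL hits, or None when the
    packet falls through to the normal route lookup."""
    for clause in ROUTE_MAP:
        if acl_permits(clause["acl"], src, dst):
            return clause["next_hop"]
    return None


if __name__ == "__main__":
    for src, dst in [("10.10.5.5", "172.16.1.1"), ("10.20.5.5", "172.17.1.1"),
                     ("10.10.5.5", "203.0.113.9")]:
        print(src, "->", dst, "next hop:", pbr_next_hop(src, dst))
```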


Thanks Rene - I gave up on it after hours and hours of tweaking & testing - couldn’t get it to work just right.
I purchased an ASA 5505 to do the job for CC-LGNET traffic, instead of trying to run both through a single 5515-X.