Nov 8 15:11:00 racoon: ERROR: failed to pre-process packet. It seems that phase 1 works, but phase 2 fails. Repeat the test from a device on the outside of the ASA ping the NAT IP address 2.2.2.11 (DEVICE_ISP2) ping 2.2.2.11.įrom the output below we can see the inbound request from 2.2.2.2 (the ISP router) on the ISP_2 interface destined to 2.2.2.11, this was untranslated to 10.20.1.1 (switch loopback interface 22).I am trying to get a site to site VPN going between a pfSense firewall and a Cisco ASA.From a device on the outside of the ASA ping the NAT IP address 1.1.1.11 (DEVICE_ISP1) ping 1.1.1.11.įrom the output below we can see the inbound request from 1.1.1.2 (the ISP router) on the ISP_1 interface destined to 1.1.1.11, this was untranslated to 10.10.1.1 (switch loopback interface 11).We can confirm the traffic is NATTED behind the ISP_2 interface IP address 2.2.2.1. Repeat the test from the switch, but specify the source loopback address ping 8.8.8.8 source loopback2.įrom the debug output of the ASA, we can confirm the source IP address of 10.20.0.1, which matches PBR sequence 20 and traffic is now routed to the next hop address 2.2.2.2.We can confirm traffic is also NATTED behind the ISP_1 interface IP address 1.1.1.1. Repeat the test from the switch, but specify the source loopback address ping 8.8.8.8 source loopback1.įrom the debug output of the ASA, we can confirm the source IP address of 10.10.0.1 which matches the PBR sequence 10 and traffic is routed to the next hop address 1.1.1.2.We can also determine traffic was NATTED behind ISP_1 interface IP address 1.1.1.1. In other words, this used the default route defined on the ASA. The output confirms no route policy found skip to normal route lookup. From the command line of the switch ping and IP address on the internet ping 8.8.8.8.įrom the output below we can confirm that the source IP address of the traffic was 192.168.100.1, this does not match the source IP address defined in either ACL associated to the PBR configuration.Turn on Policy-route and ICMP debug on the ASA with the command debug icmp trace and debug policy-route.The default route of the switch will be the ASA. The switch local to the ASA will be configured with multiple networks within the IP address range defined in the ACL’s associated to the PBR configuration. access-list ISP_1_IN extended permit icmp any object DEVICE_ISP1 access-list ISP_2_IN extended permit icmp any object DEVICE_ISP2 access-group ISP_2_IN in interface ISP_1 access-group ISP_2_IN in interface ISP_2 Switch Configuration object network DEVICE_ISP1ĭefine ACL and attach to the relevant interfaces in order to permit inbound ICMP to the objects. Nat (INSIDE,ISP_2) after-auto source dynamic any interfaceĭefine network objects with static NAT. nat (INSIDE,ISP_1) after-auto source dynamic any interface Traffic that does not match either ACL will be routed via the default route.Įnable Policy Based Routing on the INSIDE interface.ĭefine Dynamic NAT rules for each outside interface. Traffic that does not match the first sequence will be checked against the second sequence, if that matches ACL_PBR_ISP2 it will be routed out of ISP_2 interface. The first sequence will check to see if the source IP address match the ACL PBR_ISP1, if it does it will route traffic out of the ISP_1 interface. Separate Access Lists will be used to define the source traffic and referenced in the route-map. Static routes will be defined for all networks inside the ASA. The default routes will only be used if traffic does not match the ACL referenced in the route-map used for the Policy Based Routing. Route all traffic matching 10.20.0.0/16 out of ISP_2 interfaceĭefine the interfaces (INSIDE, ISP_1 and ISP_2) with the correct security-levels.
#Asa asdm enable icmp from outside how to#
This post describes how to configure a Cisco ASA firewall to support Policy Based Routing (PBR).