Can I make site to site Vpn take precedence over pbr on ASA5512x?

I have an ASA5512x running PBR using 2 different ISP's. I also have a site to site VPN set up with a remote location.  The PBR is working just fine.  Too good in fact. If I am on that network I cannot get to the resources on the other side of the tunnel. Can I make the site to site tunnel take precedence over the PBR?
Wyant Niswonger (President) asked:

lruiz52 commented:
If possible, post sanitized configs for both ends of the tunnel.
JustInCase commented:
Can I make the site to site tunnel take precedence over the PBR?
You can't do that, but what you can do is exclude traffic from PBR, or create rule for that traffic. If you exclude traffic from PBR, normal routing will take place.
Pete Long (Technical Consultant) commented:
I'd have to agree with the poster above. I've not used the 9.4 PBR feature yet, but it's simply applied by ACL in a policy map; if you exclude your VPN traffic in the same ACL, then the PBR will not be applied to the VPN traffic.

i.e.

interface GigabitEthernet1/1
 policy-route route-map map-pbr
!
access-list aclex-pbr extended deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list aclex-pbr extended permit tcp any any eq www
access-list aclex-pbr extended permit tcp any any eq https
!
route-map map-pbr permit 10
 match ip address aclex-pbr
 set ip next-hop 123.123.123.123

P
Wyant Niswonger (President, author) commented:
lruiz52, I will work on the clean configs later when I get back to the office. Not the easiest to access from here.

PeteLong, I just put these types of rules in place....

FW# sh run access-list OfficeWiFi
access-list OfficeWiFi extended deny ip 172.20.150.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list OfficeWiFi extended deny ip 172.20.150.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list OfficeWiFi extended deny ip 172.20.150.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list OfficeWiFi extended deny ip 172.20.150.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list OfficeWiFi extended deny ip 172.20.150.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list OfficeWiFi extended permit ip 172.20.150.0 255.255.255.0 any

*THE NAMES HAVE BEEN CHANGED TO PROTECT....WELL YOU GET THE PICTURE......

I will see what happens when I get home.  The PBR is applied to route-map 10 which is applied to the inside interface.
Wyant Niswonger (President, author) commented:
I just got back to the office and after a little bit of playing around with the order in the ACL, all seems to be well.  Thanks!

The order that is working for me is

access-list PBR extended deny ip 172.20.150.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list PBR extended deny ip 172.20.150.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list PBR extended deny ip 172.20.150.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list PBR extended deny ip 172.20.150.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list PBR extended deny ip 172.20.150.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list PBR extended permit ip 172.20.150.0 255.255.255.0 any

Thanks for Everything!
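An added example, not from this thread or from Cisco: a small Python model of the ASA's first-match ACL evaluation. Given the text of a route-map match ACL it tells you whether a particular flow would be caught by the ACL (and therefore policy-routed to the ISP next hop) or fall through to the normal routing table, where the site-to-site traffic is then picked up by the crypto map. It also flags ACEs that can never match because an earlier, broader line covers them, which is exactly what goes wrong when the broad permit sits above the VPN deny lines. The ACL text is the author's final working list; the wrong-ordered variant is constructed for contrast. Port matching (`eq www`) and object-groups are ignored, so this is a check of ordering logic, not a full ASA parser.

```python
import ipaddress
from dataclasses import dataclass

# The author's final ACL, in the order that worked.
ACL_TEXT = """
access-list PBR extended deny ip 172.20.150.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list PBR extended deny ip 172.20.150.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list PBR extended deny ip 172.20.150.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list PBR extended deny ip 172.20.150.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list PBR extended deny ip 172.20.150.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list PBR extended permit ip 172.20.150.0 255.255.255.0 any
"""

# Constructed counter-example: the same lines with the broad permit first.
WRONG_ORDER_TEXT = """
access-list PBR extended permit ip 172.20.150.0 255.255.255.0 any
access-list PBR extended deny ip 172.20.150.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list PBR extended deny ip 172.20.150.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list PBR extended deny ip 172.20.150.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list PBR extended deny ip 172.20.150.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list PBR extended deny ip 172.20.150.0 255.255.255.0 192.168.69.0 255.255.255.0
"""


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]: 'any', 'host A', or 'NET MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA uses a dotted netmask, which ip_network accepts directly.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST ...' lines in order.
    Trailing port qualifiers are ignored; lines that are not ACEs are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        _name, keyword, action, proto = tokens[1:5]
        if keyword != "extended":
            raise ValueError(f"only 'extended' ACEs are handled: {line}")
        src, i = _take_addr(tokens, 5)
        dst, _ = _take_addr(tokens, i)
        aces.append(Ace(action, proto, src, dst))
    return aces


def pbr_applies(aces, src_ip, dst_ip, proto="ip"):
    """First-match evaluation as the route-map's 'match ip address' sees it.
    Returns (policy_routed, index_of_matching_ace). A deny, or no match at all,
    means the flow falls through to the normal routing table (and the crypto map)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s in ace.src and d in ace.dst:
            return ace.action == "permit", idx
    return False, None


def shadowed_aces(aces):
    """Indices of ACEs that can never match because an earlier ACE already
    covers their protocol, source and destination."""
    shadowed = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:
            proto_ok = earlier.proto == "ip" or earlier.proto == later.proto
            if (proto_ok and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    good, bad = parse_acl(ACL_TEXT), parse_acl(WRONG_ORDER_TEXT)
    # Wi-Fi host to a subnet behind the tunnel: not policy-routed with the good order.
    print("good order, VPN dst:", pbr_applies(good, "172.20.150.10", "192.168.1.5"))
    # Same host to the Internet: policy-routed to the ISP next hop.
    print("good order, Internet dst:", pbr_applies(good, "172.20.150.10", "8.8.8.8"))
    # With the permit first, every VPN deny line is dead and tunnel traffic is hijacked.
    print("wrong order, VPN dst:", pbr_applies(bad, "172.20.150.10", "192.168.1.5"))
    print("wrong order, shadowed ACEs:", shadowed_aces(bad))
```

Running `shadowed_aces` over a candidate ACL before applying it is a cheap pre-change check: any non-empty result means some exclusions will never take effect, which on this page would have shown up as tunnel traffic silently going out the ISP next hop instead.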
Question has a verified solution.