Multiple routes based on source?

Unanswered Question
May 13th, 2009

I have an ASA 5510 that has a route statement in it for a specific class C IP block which routes requests to that address space over our inside network - we have a private link into that third-party network. This works fine for most uses, except for our DNS. Our DNS external resolvers need to access to servers on the third-party network over the public interface in order to get name resolution to work. Due to a lack of information we can't simply narrow the route statement in the ASA down so the address the DNS servers are trying to query is not included - we don't know, and have no way of finding out, which specific IP's in the class C need to go over our internal network, and which need to be routed through the public networks (it's complicated, but what it boils down to is that my boss said no, we can't).


So my question is this: is there any way to get the ASA box to route all traffic coming FROM our DNS servers to the third-party network out over the public link? I can set up a separate port on the ASA with a different security level or whatever if that would help, but I haven't been able to figure out how to make it work myself. At the moment the only thing we can think to do is to put the DNS servers outside the ASA so the ASA doesn't route any traffic for them, but this would leave them without the firewall protection of the ASA, which we don't really want. Any suggestions?

Giuseppe Larosa Thu, 05/14/2009 - 05:19

Hello Israel,

ASA doesn't support Policy Based Routing; you should use PBR on an inner router to forward packets from the DNS servers to specific addresses to the ASA or to the border router.


PBR works on inbound traffic.


Hope to help

Giuseppe


ibrewster Thu, 05/14/2009 - 09:41

Thanks - this sounds promising. One question that still has me a bit puzzled, though: how do we route the packets through the ASA? As per the network diagram I attached in response to the other message, all internet-bound traffic currently goes through the ASA. In order to accommodate VPN connections, the ASA needs routing rules that send the traffic destined for the third-party network (Sabre, to be specific) over our internal network. So once we set up the inner routers to forward the packets out of the network, how do we keep the ASA from turning around and sending them back in, creating a nice little loop?

Jon Marshall Thu, 05/14/2009 - 11:04

Israel


Assuming that your 3825 internet router does not have a route for that class C pointing back to the ASA then you could use a GRE tunnel between an internal router and the 3825.


You could use PBR on the internal router so any traffic coming from your DNS server addresses going to the class C subnet is sent down the GRE tunnel to the 3825. The 3825 would then just route these across the internet, assuming the class C subnet is publicly routable, which it sounds as though it is.


You may have a problem with return traffic as the third party may well route all your internal traffic back across the private link. So you may well need to NAT the DNS server addresses on the 3825 before sending them across the Internet. Note that if you use private addressing internally you would have to do this anyway.


Jon
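The design the two replies above describe (PBR on an internal IOS router that catches the DNS servers' traffic on the inbound interface, a GRE tunnel to the 3825 internet router so the packets bypass the ASA, and NAT on the 3825 so the third party answers over the internet rather than the private link) sketched as an IOS configuration. This is an added example, not a configuration posted in the thread; every address, interface name and ACL/route-map name is a placeholder (RFC 5737 documentation ranges stand in for the DNS resolvers and the third-party class C), and the real block, interfaces and hostnames must be substituted.

```cisco
! ===== Internal router (the hop the DNS servers' packets enter first) =====
! Placeholders: DNS resolvers 192.0.2.10 / 192.0.2.11,
! third-party class C 203.0.113.0/24, 3825 inside address 10.1.1.2.
!
! Only DNS-resolver traffic to the third-party block is matched; everything
! else keeps following the normal routing table (and therefore the ASA).
ip access-list extended DNS-TO-THIRDPARTY
 permit ip host 192.0.2.10 203.0.113.0 0.0.0.255
 permit ip host 192.0.2.11 203.0.113.0 0.0.0.255
!
! GRE tunnel toward the 3825; the tunnel endpoints are internal addresses,
! so the encapsulated packets are forwarded normally and never hit the ASA's
! static route for the class C.
interface Tunnel0
 description GRE to 3825 internet router
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 10.1.1.2
!
route-map DNS-VIA-INTERNET permit 10
 match ip address DNS-TO-THIRDPARTY
 set interface Tunnel0
!
! PBR acts on packets arriving inbound on the interface it is applied to,
! so it goes on the LAN interface facing the DNS servers.
interface GigabitEthernet0/1
 description LAN segment holding the DNS resolvers
 ip policy route-map DNS-VIA-INTERNET
!
! ===== 3825 internet router =====
! Placeholders: internal router address 10.1.1.1, internet uplink Gi0/1.
interface Tunnel0
 description GRE from internal router
 ip address 10.255.255.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 10.1.1.1
 ip nat inside
!
interface GigabitEthernet0/1
 description internet uplink
 ip nat outside
!
! Translate only the DNS resolvers' traffic to the third-party block so the
! replies are addressed to the 3825's public address and come back over the
! internet instead of the third party's private link.
ip access-list extended NAT-DNS-TO-THIRDPARTY
 permit ip host 192.0.2.10 203.0.113.0 0.0.0.255
 permit ip host 192.0.2.11 203.0.113.0 0.0.0.255
ip nat inside source list NAT-DNS-TO-THIRDPARTY interface GigabitEthernet0/1 overload
```

Two things to check once this is in place. First, Jon's assumption that the 3825 has no route for the class C pointing back at the ASA must hold, otherwise the decapsulated packets loop straight back; `show ip route 203.0.113.0` on the 3825 (with the real block) should resolve to the internet uplink. Second, `show route-map DNS-VIA-INTERNET` on the internal router reports how many packets the policy has matched, and `show ip nat translations` on the 3825 shows the DNS servers' sessions being translated; a query from any other host to the same block should appear in neither, which confirms the normal ASA path is untouched.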

ibrewster Thu, 05/14/2009 - 09:35

Sure. I've attached a (rough) network diagram showing the routing we currently have, and the routing we want. Note that ONLY the DNS server traffic destined for the Sabre network should go over the alternate routing, all other traffic should go over the existing routing.


