Cisco Support Community
New Member

ASA null0 route question

Hello,

It looks like there was no null route function in earlier versions of ASA. Just today, when checking 9.x, I saw that it has a null0 route now.

Ref:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/route-static.html#pgfId-1254465

I would like to check whether it is like the following setup.

Source IP: 172.0.10.11

and I need to black-hole it,

so it should be like the following?

route null0 172.0.10.11 255.255.255.255

 

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Hi,

Then don't use this at all, as this will not work.

Use SHUN instead.

Thanks and Regards,

Vibhor Amrodia
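The shun the accepted answer recommends, shown as an added example that is not from the thread, applied to the source 172.0.10.11 from the question; the interface name outside and the ACL name OUTSIDE_IN are assumptions, and the persistent ACL variant is included for comparison:

```cisco
! Added example, not from the thread. Source IP 172.0.10.11 is the one
! from the question; the interface name "outside" and ACL name
! "OUTSIDE_IN" are assumptions.
!
! Why "route null0" does not help here: a route is a forwarding decision
! on the DESTINATION address. Packets FROM 172.0.10.11 are looked up by
! their destination, so a null route for 172.0.10.11 never matches them.
!
! 1) Immediate block of a source host: shun.
!    Drops new packets from that source on every interface and also
!    drops packets of its existing connections. No ACL or route change.
ciscoasa# shun 172.0.10.11
!
!    Verify the entry and per-interface drop counters.
ciscoasa# show shun
ciscoasa# show shun statistics
!
!    Remove the block when it is no longer needed.
ciscoasa# no shun 172.0.10.11
!
! Caveat: shun entries are not written to the running or startup
! configuration, so they disappear on reload and must be re-applied.
!
! 2) Persistent block of the same source: a line at the top of the
!    inbound ACL on the interface the traffic arrives on. This survives
!    a reload and is visible in "show running-config".
ciscoasa(config)# access-list OUTSIDE_IN line 1 extended deny ip host 172.0.10.11 any
ciscoasa(config)# access-group OUTSIDE_IN in interface outside
!
!    Confirm the deny line is accumulating hits.
ciscoasa# show access-list OUTSIDE_IN
```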

5 REPLIES
Cisco Employee

Hi,

A null route will help you black-hole a specific destination IP, not the sources.

For example:

route null0 172.0.10.11 255.255.255.255

This will drop all the traffic going to 172.0.10.11.

Thanks and Regards,

Vibhor Amrodia

New Member

Hi,

Thanks for the advice. How about if I create a dummy interface?

Example:

interface ethernet0/1.1000
 vlan 1000
 description Black Hole dummy interface
 nameif bh0
 security-level 100
 ip address 10.0.0.1 255.255.255.252

 

Then I add a static route to this interface:

route bh0 172.0.10.11 255.255.255.255 10.0.0.1 255

 

Since I do not have control of the router end, my purpose is to save some ASA processing power that would go into building ACLs to block those IPs, and to save some log space.

Thanks!

Cisco Employee

Hi,

I think a null route would be a better way to do it than this.

Also, if you want some traffic destined to IP 172.0.10.11 to be black-holed, you can add a dummy route as well, pointing the next hop to an unused IP in the subnet, and that would also achieve the same results for you.

Thanks and Regards,

Vibhor Amrodia

New Member

Hi,

Thanks, but IP 172.0.10.11 is a source coming in toward the firewall, which I want to black-hole.

Thanks!
