Cisco Support Community

New Member

Multiple routes based on source?

I have an ASA 5510 that has a route statement in it for a specific class C IP block which routes requests to that address space over our inside network - we have a private link into that third-party network. This works fine for most uses, except for our DNS. Our DNS external resolvers need access to servers on the third-party network over the public interface in order to get name resolution to work. Due to a lack of information we can't simply narrow the route statement in the ASA down so the address the DNS servers are trying to query is not included - we don't know, and have no way of finding out, which specific IPs in the class C need to go over our internal network, and which need to be routed through the public networks (it's complicated, but what it boils down to is that my boss said no, we can't).

So my question is this: is there any way to get the ASA box to route all traffic coming FROM our DNS servers to the third-party network out over the public link? I can set up a separate port on the ASA with a different security level or whatever if that would help, but I haven't been able to figure out how to make it work myself. At the moment the only thing we can think to do is to put the DNS servers outside the ASA so the ASA doesn't route any traffic for them, but this would leave them without the firewall protection of the ASA, which we don't really want. Any suggestions?

5 REPLIES
Hall of Fame Super Silver

Re: Multiple routes based on source?

Hello Israel,

ASA doesn't support Policy Based Routing; you should use PBR on an inner router to forward packets from DNS servers to specific addresses to the ASA or to the border router.

PBR works on inbound traffic.

Hope to help

Giuseppe

New Member

Re: Multiple routes based on source?

Thanks - this sounds promising. One question that still has me a bit puzzled though - how do we route the packets through the ASA? As per the network diagram I attached in response to the other message, all internet bound traffic currently goes through the ASA. In order to accommodate VPN connections, the ASA needs routing rules that send the traffic destined for the third-party network (Sabre, to be specific) over our internal network. So once we set up the inner routers to forward the packets out of the network, how do we keep the ASA from turning around and sending them back in, creating a nice little loop?

Hall of Fame Super Blue

Re: Multiple routes based on source?

Israel

Assuming that your 3825 internet router does not have a route for that class C pointing back to the ASA then you could use a GRE tunnel between an internal router and the 3825.

You could use PBR on the internal router so any traffic coming from your DNS server addresses going to the class C subnet is sent down the GRE tunnel to the 3825. The 3825 would just then route these across the internet, assuming the class C subnet is publicly routable which it sounds as though it is.

You may have a problem with return traffic as the third party may well route all your internal traffic back across the private link. So you may well need to NAT the DNS server addresses on the 3825 before sending them across the Internet. Note that if you use private addressing internally you would have to do this anyway.

Jon
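An IOS configuration sketch of the design Jon describes (PBR on an internal router, GRE to the 3825, NAT on the 3825), added here as an illustration and not taken from the thread or from anyone's production config. Every address, the DNS server IPs 10.1.1.53/10.1.1.54, the third-party block 203.0.113.0/24, the tunnel /30 and the interface names are constructed placeholders; the policy is applied inbound on the DNS server segment, which is the point Giuseppe makes about PBR acting on inbound traffic.

```cisco
! === Internal router (hypothetical name "inside-rtr") ===
! GRE tunnel to the 3825; endpoint addresses are constructed placeholders
interface Tunnel0
 description GRE to 3825, carries only DNS-server traffic for the third-party /24
 ip address 172.16.255.1 255.255.255.252
 tunnel source 10.0.0.2
 tunnel destination 10.0.0.1
 tunnel mode gre ip
!
! Match only the DNS resolvers (source) talking to the third-party block (destination);
! everything else keeps the normal path through the ASA
ip access-list extended DNS-TO-THIRDPARTY
 permit ip host 10.1.1.53 203.0.113.0 0.0.0.255
 permit ip host 10.1.1.54 203.0.113.0 0.0.0.255
!
route-map DNS-BYPASS permit 10
 match ip address DNS-TO-THIRDPARTY
 set ip next-hop 172.16.255.2
!
! PBR acts on traffic entering an interface, so apply it on the LAN side where the DNS servers sit
interface GigabitEthernet0/1
 description DNS server segment
 ip policy route-map DNS-BYPASS
!
! === 3825 internet router ===
! The 3825 must NOT carry a route for 203.0.113.0/24 pointing at the ASA (Jon's assumption),
! otherwise the packets would be handed back inside and loop
interface Tunnel0
 ip address 172.16.255.2 255.255.255.252
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.2
 tunnel mode gre ip
 ip nat inside
!
interface GigabitEthernet0/0
 description Internet uplink
 ip nat outside
!
! Translate the DNS server sources to the public uplink address so the third party's
! replies come back over the Internet instead of the private link
ip access-list extended DNS-NAT
 permit ip host 10.1.1.53 203.0.113.0 0.0.0.255
 permit ip host 10.1.1.54 203.0.113.0 0.0.0.255
!
ip nat inside source list DNS-NAT interface GigabitEthernet0/0 overload
```

To confirm the split is working, check the policy match counters with `show route-map DNS-BYPASS` on the internal router and `show ip nat translations` on the 3825; traffic from any other host to the /24 should still follow the ASA's existing route over the private link.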

Re: Multiple routes based on source?

Can you provide a diagram?

New Member

Re: Multiple routes based on source?

Sure. I've attached a (rough) network diagram showing the routing we currently have, and the routing we want. Note that ONLY the DNS server traffic destined for the Sabre network should go over the alternate routing, all other traffic should go over the existing routing.
