topic Re: Send traffic via a specific interface for one host in Network Security

Send traffic via a specific interface for one host

Frederic Garcia — Fri, 21 Feb 2020 14:25:55 GMT

Hello all,

I need help to configure my ASA for a specific host.

I have an IPBX and SDSL connection.

I want to send all my traffic of my IPBX server to the interface of my SDSL connection.

MyIPBX -> outside-IPBX (SDSL).

My ASA Version is 9.6.

You will find in attachement my running config.

Re: Send traffic via a specific interface for one host

TRENT WAITE — Wed, 04 Oct 2017 11:18:30 GMT

You would do "route Outside-IPBX XXX,XXX,XXX,XXX 255.255.255.XXX YYY.YYY.YYY.YYY 1" where XXXs are either the host address or a subnet range for the outside PBX servers and YYYs are the next hop/gateway provided by the SDSL provider.

So for example, if my servers were at 205.10.10.1 and 205.10.10.20 and the SDSL service gave me an IP of 65.55.55.12 with a gateway of 65.55.55.1 my route would be

"route Outside-IPBX 205.10.10.0 255.255.255.224 65.55.55.1 1". Then you internal PBX will get routed from the ASA out through the SDSL interface only, keeping all other traffic to go out the "outside" interface

Re: Send traffic via a specific interface for one host

Frederic Garcia — Wed, 04 Oct 2017 12:51:11 GMT

Thanks for your help !

But I forgot an information.
My Provider give me an IP who is : 65.55.55.12/32. It's a PPPoE connection, I don't have a gateway or next HOP (no informations, I asked to my provider...)

My route will be is : route outside-ipbx 192.168.10.xxx 255.255.255.255 65.55.55.12 1

where 192.168.10.xxx 255.255.255.255 it's my IPBX.

And as I don't have a gateway for my next hop I have this message :

[ERROR] route inside 192.168.10.70 255.255.255.255 65.55.55.12 1
Invalid next hop address 65.55.55.12, it matches our IP address.

Re: Send traffic via a specific interface for one host

TRENT WAITE — Wed, 04 Oct 2017 17:40:23 GMT

First, is there any chance you can add route to the IP-PBX server itself?

Second thought would be to terminate the PPOE connection on a different device (e.g. DSL modem) that is then connected to the ASA.

Re: Send traffic via a specific interface for one host

Kias — Thu, 05 Oct 2017 06:13:44 GMT

Hi,

You have to consider PBR for this scenario.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/route-policy-based.html#ID-2182-00000104

Regards,

Kias

Re: Send traffic via a specific interface for one host

Frederic Garcia — Thu, 26 Oct 2017 09:16:30 GMT

Hello,

Sorry I was very busy...
I have opened a case, and I think we have a problem with the route. The ASA don't learn the route of my SDSL connection.

I need to test again...

Re: Send traffic via a specific interface for one host

Mohammed al Baqari — Fri, 16 Mar 2018 10:19:31 GMT

9.6 has route-map support. Configure a route-map to match all traffic from
PBX and send it out to SDSL

Re: Send traffic via a specific interface for one host

Frederic Garcia — Fri, 16 Mar 2018 10:31:40 GMT

Hello Mohammed,

Thanks for your response. I contacted the TAC, and it's not working. Because, the Next Hop from my SDSL doesn't appear. Maybe I need to upgrade the version.

Actually, I'm stuck.