https://community.cisco.com/t5/network-security/asa-null0-route-question/m-p/2590387#M205321 <P>Hi,</P><P>Then , don't use this at all as this will not work.</P><P>Use SHUN instead.</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Thu, 13 Nov 2014 05:40:50 GMT Vibhor Amrodia 2014-11-13T05:40:50Z https://community.cisco.com/t5/network-security/asa-null0-route-question/m-p/2590382#M205316 <P>Hello,</P><P>&nbsp;</P><P>It looks that there are no null route function in earlier version of ASA.&nbsp; Just today when checking with 9.x it have null0 route now</P><P>Ref:</P><P><A href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/route-static.html#pgfId-1254465" target="_blank">http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/route-static.html#pgfId-1254465</A></P><P>&nbsp;</P><P>I would like to check is it like following setup.</P><P>Source IP: 172.0.10.11</P><P>and need to black-hole it</P><P>so it should be like following?</P><P>&nbsp;</P><P>route null0 172.0.10.11 255.255.255.255&nbsp;</P><P>&nbsp;</P><P>Thanks!</P> Tue, 12 Mar 2019 05:03:50 GMT https://community.cisco.com/t5/network-security/asa-null0-route-question/m-p/2590382#M205316 Machi Ma 2019-03-12T05:03:50Z https://community.cisco.com/t5/network-security/asa-null0-route-question/m-p/2590383#M205317 <P>Hi,</P><P>Null route will help you to Black Hole for a specific Destination IP and not the sources.</P><P>For Ex:-</P><P>route null0 172.0.10.11 255.255.255.255&nbsp;</P><P>This will drop all the traffic going to 172.0.10.11</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Wed, 12 Nov 2014 10:25:06 GMT https://community.cisco.com/t5/network-security/asa-null0-route-question/m-p/2590383#M205317 Vibhor Amrodia 2014-11-12T10:25:06Z https://community.cisco.com/t5/network-security/asa-null0-route-question/m-p/2590384#M205318 <P>Hi,</P><P>Thanks for advise.&nbsp; How about if I create the dummy interface</P><P>example</P><P>interface ethernet0/1.1000</P><P>description Black Hole dummy interface</P><P>nameif bh0</P><P>security-level 100</P><P>ip address 10.0.0.1 255.255.255.252</P><P>&nbsp;</P><P>Then I add static route to this interface</P><P>route bh0 172.0.10.11 255.255.255.255 10.0.0.1 255</P><P>&nbsp;</P><P>Since I could not have control of Router end, so my propose is want to save some power of ASA for building some ACL to block those IPs and save some log space.</P><P>Thanks!</P> Thu, 13 Nov 2014 05:00:46 GMT https://community.cisco.com/t5/network-security/asa-null0-route-question/m-p/2590384#M205318 Machi Ma 2014-11-13T05:00:46Z https://community.cisco.com/t5/network-security/asa-null0-route-question/m-p/2590385#M205319 <P>Hi,</P><P>I think Null route would be better way to do it than this.</P><P>Also , if you want some traffic destined to IP:- 172.0.10.11 to be blackholed , you can add a dummy route as well pointing next hop to an Unused IP in the Subnet and that would also achieve the same results for you.</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Thu, 13 Nov 2014 05:15:16 GMT https://community.cisco.com/t5/network-security/asa-null0-route-question/m-p/2590385#M205319 Vibhor Amrodia 2014-11-13T05:15:16Z https://community.cisco.com/t5/network-security/asa-null0-route-question/m-p/2590386#M205320 <P>Hi,</P><P>Thanks but IP:- 172.0.10.11 is source incoming toward to firewall.&nbsp; Which I want to blackholed it.</P><P>Thanks!</P> Thu, 13 Nov 2014 05:34:48 GMT https://community.cisco.com/t5/network-security/asa-null0-route-question/m-p/2590386#M205320 Machi Ma 2014-11-13T05:34:48Z https://community.cisco.com/t5/network-security/asa-null0-route-question/m-p/2590387#M205321 <P>Hi,</P><P>Then , don't use this at all as this will not work.</P><P>Use SHUN instead.</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Thu, 13 Nov 2014 05:40:50 GMT https://community.cisco.com/t5/network-security/asa-null0-route-question/m-p/2590387#M205321 Vibhor Amrodia 2014-11-13T05:40:50Z