11-11-2014 09:50 PM - edited 03-11-2019 10:03 PM
Hello,
It looks like there is no null route function in earlier versions of ASA. Just today, when checking with 9.x, I saw it has a null0 route now.
Ref:
I would like to check whether it is like the following setup.
Source IP: 172.0.10.11
and need to black-hole it
so should it be like the following?
route null0 172.0.10.11 255.255.255.255
Thanks!
11-12-2014 02:25 AM
Hi,
A null route will help you black-hole a specific destination IP, not sources.
For example:
route null0 172.0.10.11 255.255.255.255
This will drop all the traffic going to 172.0.10.11
Thanks and Regards,
Vibhor Amrodia
11-12-2014 09:00 PM
Hi,
Thanks for the advice. How about if I create a dummy interface?
Example:
interface ethernet0/1.1000
description Black Hole dummy interface
nameif bh0
security-level 100
ip address 10.0.0.1 255.255.255.252
Then I add a static route to this interface:
route bh0 172.0.10.11 255.255.255.255 10.0.0.1 255
Since I do not have control of the router end, my purpose is to save some power of the ASA for building some ACLs to block those IPs and to save some log space.
Thanks!
11-12-2014 09:15 PM
Hi,
I think a null route would be a better way to do it than this.
Also, if you want some traffic destined to IP 172.0.10.11 to be black-holed, you can add a dummy route as well, pointing the next hop to an unused IP in the subnet, and that would also achieve the same results for you.
Thanks and Regards,
Vibhor Amrodia
11-12-2014 09:34 PM
Hi,
Thanks, but IP 172.0.10.11 is a source coming in toward the firewall, which I want to black-hole.
Thanks!
11-12-2014 09:40 PM
Hi,
Then, don't use this at all, as this will not work.
Use SHUN instead.
Thanks and Regards,
Vibhor Amrodia
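
Added example, not part of the thread: a simplified Python model of why the null route in this discussion matches only the destination address, while a shun entry matches the source. The sample route table, the inside subnet 192.168.1.0/24 and the function names are assumptions for illustration; this is not the ASA's actual packet-processing logic.

```python
import ipaddress

# Simplified model (an assumption for illustration, not the ASA's real packet path):
# routing is a longest-prefix match on the DESTINATION address only,
# while a shun entry is matched on the SOURCE address.
ROUTES = [  # constructed sample table: (prefix, egress interface)
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
    (ipaddress.ip_network("192.168.1.0/24"), "inside"),
    # Equivalent of: route null0 172.0.10.11 255.255.255.255
    (ipaddress.ip_network("172.0.10.11/32"), "Null0"),
]


def route_lookup(dst):
    """Return the egress interface of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, ifc) for net, ifc in ROUTES if addr in net]
    return max(matches)[1]  # the default route guarantees at least one match


def verdict(src, dst, shunned=frozenset()):
    """Decide what happens to one packet under the model above."""
    if src in shunned:
        return "drop (shun, matched source)"
    egress = route_lookup(dst)
    if egress == "Null0":
        return "drop (null route, matched destination)"
    return "forward via " + egress


if __name__ == "__main__":
    bad = "172.0.10.11"        # source address from the thread
    server = "192.168.1.10"    # constructed inside host
    # Inbound packet from the unwanted source: the null route does not match it.
    print("inbound, null route only:", verdict(bad, server))
    # Return traffic toward that address: this is what the null route drops.
    print("return,  null route only:", verdict(server, bad))
    # With the source shunned, the inbound packet itself is dropped.
    print("inbound, source shunned: ", verdict(bad, server, shunned={bad}))
```
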