ASA static routing via DNS updates for mobile hosts

fsebera · ‎12-16-2010

I need to setup our ASA firewall to route traffic to a DNS name of the remote host instead of its IP address.

The mobile host is mobile (always moving around) and using cellular broadband for data communications back to the HQ sites.

The mobile host very often enters a "Dead Zone" (yes they still exist) and looses signal. Upon returning to a good signal, the mobile host now has a new IP address. The mobile host does automatically update the HQ DNS of its new IP address but the ASA firewall sees this new address as a hack attempt. The ASA is not reading the DNS server updates for mobile host names to IP addresses. We CANNOT use static addressing on the mobile host, too costly and a vilotation of rules.

.......................

I have enabled the following on the ASA:

names

name 192.168.0.1 mobile-host1

. . .

name 192.168.1.235 mobile-host510

route outside mobile-host1 10.0.0.1

. . .

route outside mobile-host510 10.0.0.1

.............................

10.0.0.1 is the ASA firewall default gateway.

.....................

This all works well as long as the mobile-host# IP does not change.

Is there a way to make the ASA "static route" command get the mobile-host# update IP addrsses from DNS dynamically?

Is there a better way to accomplish this task?

We have several thousand mobile-hosts?

Thanks again!!!

Frank

Kureli Sankar · ‎12-16-2010

Frank,

Can't think of a way. Let me ask around.

-KS

fsebera · ‎12-16-2010

I have discovered this document, ASA 5500 series that speaks to the subject of mobile clients and the ASA.

This document title is "Configuring DHCP, DDNS and WCCP Services"

If you don't want to click on the link, do a google search for the title and you'll get the same doc as listed below.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html

Since this is a new topic for me, hopefully someone with more experience will offer some guidance.

Thanks again

Frank

Kureli Sankar · ‎12-16-2010

Do you need this just so both mobile clients can find each other? If so you can try this DDNS.

But you are asking static routes on the ASA based on the names that may have their IP association changed.

-KS

fsebera · ‎12-17-2010

No we do not need the spokes (mobile clients) to communicate with each other.

Clarification:

Mobile Mobile Mobile, Dynamic IP static static static static

laptop - INE - cellular modem - telecom - border router - border firewall - INE - Internal HQ network

IPsec VPN <-----------------------------> IPsec VPN

VPN <------------------------------------------------------------> VPN

The IPsec VPN configured on the cellular modem and terminates on the border firewall, will encapsulate the INE VPN.

The cellular modem is using dynamic DHCP, a new IP address each time it connects to the telecom.

After the initial connections are made and all remote connections have been authenticated, all works well, the problem is when the cellular modem looses cellular signal and then recovers, the cellular modem receives a new IP address while the current (original) VPN tunnels are up and operational with the original IP addresses, the border firewall cannot use the original route to the mobile client as the mobile client now has a new IP address. So the border firewall does not have a route to the mobile cellular modem/INE/laptop.

Tks

Frank