12-16-2010 05:29 AM - edited 03-11-2019 12:23 PM
I need to setup our ASA firewall to route traffic to a DNS name of the remote host instead of its IP address.
The mobile host is mobile (always moving around) and using cellular broadband for data communications back to the HQ sites.
The mobile host very often enters a "Dead Zone" (yes, they still exist) and loses signal. Upon returning to a good signal, the mobile host now has a new IP address. The mobile host does automatically update the HQ DNS with its new IP address, but the ASA firewall sees this new address as a hack attempt. The ASA is not reading the DNS server updates for mobile host names to IP addresses. We CANNOT use static addressing on the mobile host; it is too costly and a violation of rules.
.......................
I have enabled the following on the ASA:
names
name 192.168.0.1 mobile-host1
. . .
name 192.168.1.235 mobile-host510
route outside mobile-host1 10.0.0.1
. . .
route outside mobile-host510 10.0.0.1
.............................
10.0.0.1 is the ASA firewall default gateway.
.....................
This all works well as long as the mobile-host# IP does not change.
Is there a way to make the ASA "static route" command get the mobile-host# updated IP addresses from DNS dynamically?
Is there a better way to accomplish this task?
We have several thousand mobile-hosts.
Thanks again!!!
Frank
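The ASA `name` entries above are a static table resolved only when the line is entered, so they never follow the DDNS updates by themselves. As an added illustration (not from the thread or from Cisco), the following Python regenerates the poster's `name`/`route outside` pairs from the current DNS answers and emits only the changes: the host names, addresses and gateway are the ones from the post, the DNS answers are a constructed snapshot, and `lookup` is an injectable stand-in for a real resolver query against the HQ DNS that accepts the hosts' authenticated updates.

```python
import ipaddress

# Constructed sample: what the HQ dynamic-DNS zone currently answers for the
# poster's host names (hypothetical addresses, chosen to match the post).
DNS_SNAPSHOT = {
    "mobile-host1": "192.168.0.1",
    "mobile-host2": "192.168.0.77",
    "mobile-host510": "192.168.1.235",
}

def resolve(host, lookup=DNS_SNAPSHOT.get):
    """Resolve one host name. `lookup` is injectable so the example runs
    offline; in practice it would query the internal HQ DNS server."""
    addr = lookup(host)
    if addr is None:
        raise LookupError(f"{host}: no A record")
    return str(ipaddress.IPv4Address(addr))  # reject malformed answers

def asa_lines(host, addr, gateway, iface="outside"):
    """The two ASA lines the poster configures per mobile host."""
    return [f"name {addr} {host}", f"route {iface} {host} {gateway}"]

def reconcile(hosts, previous, gateway, lookup=DNS_SNAPSHOT.get):
    """Compare current DNS answers with the addresses last pushed to the ASA.
    Returns (current_mapping, commands): commands withdraw the stale route and
    name entries and add the current ones, only for hosts whose address moved.
    A host that fails to resolve keeps its last known address untouched."""
    current, commands = {}, []
    for host in hosts:
        try:
            current[host] = resolve(host, lookup)
        except LookupError:
            current[host] = previous.get(host)
            continue
        old = previous.get(host)
        if old == current[host]:
            continue
        if old is not None:
            # Remove the route before the name it depends on.
            commands += ["no " + line for line in reversed(asa_lines(host, old, gateway))]
        commands += asa_lines(host, current[host], gateway)
    return current, commands

if __name__ == "__main__":
    last = {"mobile-host1": "192.168.0.1", "mobile-host2": "192.168.0.5"}
    _, cmds = reconcile(list(DNS_SNAPSHOT), last, "10.0.0.1")
    print("\n".join(cmds))
```

The commands would be pushed to the ASA on a schedule or on each DDNS change; the `no` lines are what makes a re-run safe after a host has already moved once.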
12-16-2010 10:03 AM
Frank,
Can't think of a way. Let me ask around.
-KS
12-16-2010 10:36 AM
I have discovered this document, for the ASA 5500 series, that speaks to the subject of mobile clients and the ASA.
The document title is "Configuring DHCP, DDNS and WCCP Services".
If you don't want to click on the link, do a Google search for the title and you'll get the same doc as listed below.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html
Since this is a new topic for me, hopefully someone with more experience will offer some guidance.
Thanks again
Frank
12-16-2010 11:43 AM
Do you need this just so both mobile clients can find each other? If so you can try this DDNS.
But you are asking static routes on the ASA based on the names that may have their IP association changed.
-KS
12-17-2010 06:02 AM
No we do not need the spokes (mobile clients) to communicate with each other.
Clarification:
Mobile Mobile Mobile, Dynamic IP static static static static
laptop - INE - cellular modem - telecom - border router - border firewall - INE - Internal HQ network
IPsec VPN <-----------------------------> IPsec VPN
VPN <------------------------------------------------------------> VPN
The IPsec VPN, configured on the cellular modem and terminating on the border firewall, will encapsulate the INE VPN.
The cellular modem is using dynamic DHCP: a new IP address each time it connects to the telecom.
After the initial connections are made and all remote connections have been authenticated, all works well. The problem is when the cellular modem loses cellular signal and then recovers: the cellular modem receives a new IP address while the current (original) VPN tunnels are up and operational with the original IP addresses, and the border firewall cannot use the original route to the mobile client, as the mobile client now has a new IP address. So the border firewall does not have a route to the mobile cellular modem/INE/laptop.
Tks
Frank