3359 Views | 0 Helpful | 6 Replies
Beginner

DNS ROUTING FQDN

Hi Everyone,

I have an FQDN object on our firewall; the IP address of this changes daily, so the firewall has a rule to permit access to it on a specified port number.

Example:

access-list inside_access_in line 284 extended permit tcp host 192.168.0.25 host 191.235.193.75 (database.windows.net) eq 1433 (hitcnt=0) 0xeef0bf01

This is working great; however, I cannot route traffic to the firewall from our CORE 6500 series switches if I don't know the IP address of the object. I have a server that needs to access this FQDN object.

How do I route traffic from our CORE to the firewall?

CORE: Cisco 6509's (s2t54-ipservicesk9-mz.SPA.150-1.SY2.bin)

Firewall: Cisco ASA 5540 v9.1(5)21

6 Replies
Hall of Fame Guru

If the IP address changes daily, then it seems that using Policy Based Routing to forward traffic for TCP 1433 might be the solution for you.

HTH

Rick



Thanks Rick,

Can you give an example of this?


It might look something like this:

! ACL selecting the traffic to be policy-routed (all TCP to port 1433)
access-list 199 permit tcp any any eq 1433
!
! route-map: traffic matching ACL 199 is sent to the firewall as next hop
route-map SQLtraffic permit 10
 match ip address 199
 set ip next-hop <fw_addr>
!
! apply the policy on the SVI the server's traffic enters through
interface vlan 20
 ip policy route-map SQLtraffic

HTH

Rick


I thought so.

Thanks again Rick


So Rick... what do you think if the requirement is that only traffic destined for that specific FQDN (say toto.database.windows.net, which changes with time) should be routed to a specific interface, and not every TCP flow destined for port 1433?


I think that is quite a challenge. I would try writing a script with EEM, which you could schedule every x interval. In the script you could check on the FQDN, and if the address has changed, you could perform an edit on the access list used for PBR.

HTH

Rick
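One way to realise the approach Rick describes above, as an added example that is not from the thread and has not been tested on the poster's platform: an EEM applet that resolves the FQDN every ten minutes through a one-packet ping and rewrites the PBR access list only when the answer no longer matches what the ACL holds. It assumes the route-map SQLtraffic has been changed to match a named ACL PBR_SQL instead of ACL 199, that the switch has ip domain lookup and a reachable ip name-server configured, and it reuses the thread's toto.database.windows.net and 192.168.0.25.

```cisco
! Assumed: route-map SQLtraffic now matches this named ACL instead of ACL 199.
! Seeded with the address the poster saw; the applet keeps it current.
ip access-list extended PBR_SQL
 permit tcp host 192.168.0.25 host 191.235.193.75 eq 1433
!
event manager applet SQL_FQDN_PBR
 ! run every 10 minutes; tune to how often the record really changes
 event timer cron cron-entry "0,10,20,30,40,50 * * * *"
 action 010 cli command "enable"
 ! a one-packet ping is the simplest way to make IOS resolve the name;
 ! its first output line reads "Sending 1, 100-byte ICMP Echos to A.B.C.D, ..."
 ! if resolution fails there is no such line, the regexp misses and nothing changes
 action 020 cli command "ping toto.database.windows.net repeat 1"
 action 030 regexp "Echos to ([0-9.]+)" "$_cli_result" match ip
 action 040 if $_regexp_result eq 1
 ! compare against the running ACL instead of keeping state between runs
 action 050  cli command "show ip access-lists PBR_SQL"
 action 060  regexp "host $ip eq 1433" "$_cli_result"
 action 070  if $_regexp_result eq 0
 action 080   syslog msg "PBR_SQL: toto.database.windows.net now $ip, rewriting ACL"
 action 090   cli command "configure terminal"
 action 100   cli command "no ip access-list extended PBR_SQL"
 action 110   cli command "ip access-list extended PBR_SQL"
 action 120   cli command "permit tcp host 192.168.0.25 host $ip eq 1433"
 action 130   cli command "end"
 action 140  end
 action 150 end
```

Removing and re-adding the ACL leaves a brief instant in which PBR matches nothing and TCP 1433 traffic falls back to the normal routing table, and the steering decision is only as trustworthy as the DNS answer the switch receives, which may legitimately differ from the one the ASA cached for the same name.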