10-02-2015 03:44 AM - edited 03-08-2019 02:02 AM
Hi Everyone,
I have an FQDN object on our firewall; the IP address of this changes daily, so the firewall has a rule to permit access to it on a specified port number.
Example:
access-list inside_access_in line 284 extended permit tcp host 192.168.0.25 host 191.235.193.75 (database.windows.net) eq 1433 (hitcnt=0) 0xeef0bf01
This is working great; however, I cannot route traffic to the firewall from our CORE 6500 series switches if I don't know the IP address of the object. I have a server that needs to access this FQDN object.
How do I route traffic from our CORE to the firewall?
CORE Cisco 6509's (s2t54-ipservicesk9-mz.SPA.150-1.SY2.bin)
Firewall Cisco ASA 5540 v9.1(5)21
10-02-2015 04:18 AM
If the IP address changes daily then it seems that using Policy Based Routing to forward traffic for TCP 1433 might be the solution for you.
HTH
Rick
10-02-2015 05:46 AM
Thanks Rick,
Can you give an example of this?
10-02-2015 09:14 AM
It might look something like this
access-list 199 permit tcp any any eq 1433
route-map SQLtraffic permit 10
 match ip address 199
 set ip next-hop <fw_addr>
interface vlan 20
 ip policy SQLtraffic
HTH
Rick
10-02-2015 04:19 PM
I thought so.
Thanks again Rick
10-14-2016 08:10 PM
So Rick... what do you think if the requirements are that only traffic destined to that specific FQDN (say toto.database.windows.net, which changes with time) should be routed to a specific interface, and not every TCP flow destined to 1433...?
10-15-2016 03:37 PM
I think that is quite a challenge. I would try writing a script with EEM, which you could schedule at every x interval. In the script you could check on the FQDN, and if the address has changed, then you could perform an edit on the access list used for PBR.
HTH
Rick
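As an added example (not Rick's EEM script and not anything from Cisco), the following Python sketches the scheduled check described above: it resolves the FQDN, and only when the address has changed does it emit the IOS commands that replace the stale host ACE in ACL 199 with one for the new address, so PBR matches only the server's flows to that FQDN rather than every TCP/1433 flow. It assumes it runs off-box on a management host (pushing the commands over SSH is left out), and that the switch accepts "ip access-list extended 199" for editing the numbered ACL; the resolver is injectable so the run below uses constructed answers instead of live DNS.

```python
import socket
from typing import Callable, List, Optional

# Values taken from the thread: PBR ACL 199, TCP 1433, the client server
# and the Azure SQL FQDN quoted in the original post.
ACL_NUMBER = "199"
TCP_PORT = 1433
CLIENT_HOST = "192.168.0.25"
FQDN = "database.windows.net"


class FqdnAclSync:
    """Track the FQDN's address and emit IOS ACL commands only when it changes."""

    def __init__(self, fqdn: str = FQDN, acl: str = ACL_NUMBER,
                 client: str = CLIENT_HOST, port: int = TCP_PORT,
                 resolver: Callable[[str], str] = socket.gethostbyname):
        # resolver is injectable so the logic can be exercised offline
        self.fqdn, self.acl, self.client, self.port = fqdn, acl, client, port
        self.resolver = resolver
        self.current_ip: Optional[str] = None  # last address written to the ACL

    def acl_commands(self, old_ip: Optional[str], new_ip: str) -> List[str]:
        """Swap the stale host ACE for the new address (assumes 'ip access-list
        extended 199' edits the numbered ACL, as on current IOS/IOS-XE)."""
        cmds = [f"ip access-list extended {self.acl}"]
        if old_ip:
            cmds.append(f" no permit tcp host {self.client} host {old_ip} eq {self.port}")
        cmds.append(f" permit tcp host {self.client} host {new_ip} eq {self.port}")
        return cmds

    def poll(self) -> List[str]:
        """Resolve once; return [] if unchanged or unresolvable, else the update."""
        try:
            new_ip = self.resolver(self.fqdn)
        except OSError:  # DNS failure: keep the last known ACE in place
            return []
        if new_ip == self.current_ip:
            return []
        cmds = self.acl_commands(self.current_ip, new_ip)
        self.current_ip = new_ip
        return cmds


if __name__ == "__main__":
    # Constructed answers standing in for three scheduled runs, one with a change.
    answers = iter(["191.235.193.75", "191.235.193.75", "191.235.193.80"])
    sync = FqdnAclSync(resolver=lambda _name: next(answers))
    for _ in range(3):
        print("\n".join(sync.poll()) or "! no change")
```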
09-08-2023 03:34 AM
Hi Richard,
Is there any FQDN PBR script link so we can do it for Cisco 9500 switches?