DNS ROUTING FQDN

phipse_508122
Level 1

Hi Everyone,


I have an FQDN object on our firewall; the IP address behind it changes daily, so the firewall has a rule that permits access to it on a specified port number.

Example:

access-list inside_access_in line 284 extended permit tcp host 192.168.0.25 host 191.235.193.75 (database.windows.net) eq 1433 (hitcnt=0) 0xeef0bf01

This is working great; however, I cannot route traffic to the firewall from our CORE 6500 series switches if I don't know the IP address of the object. I have a server that needs to access this FQDN object.


How do I route traffic from our CORE to the firewall?


CORE Cisco 6509's (s2t54-ipservicesk9-mz.SPA.150-1.SY2.bin)

Firewall Cisco ASA 5540 v9.1(5)21

7 Replies

Richard Burts
Hall of Fame

If the IP address changes daily then it seems that using Policy Based Routing to forward traffic for TCP 1433 might be the solution for you.


HTH

 

Rick


Thanks Rick,

Can you give an example of this?

It might look something like this

access-list 199 permit tcp any any eq 1433

route-map SQLtraffic permit 10
 match ip address 199
 set ip next-hop <fw_addr>

interface vlan 20
 ip policy SQLtraffic


HTH

 

Rick


I thought so.

Thanks again Rick

So Rick... what do you think if the requirements are that only traffic destined to that specific FQDN (say toto.database.windows.net which changes with time) should be routed to a specific interface and not every tcp flow destined to 1433...?

I think that is quite a challenge. I would try writing a script with EEM which you could schedule every x interval. In the script you could check on the FQDN and if the address has changed then you could perform an edit on the access list used for PBR.

HTH

Rick

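The scheduled check Rick describes, worked through as an added example that is not from the thread: a Python script run from a management host (rather than an EEM applet on the switch) that resolves the FQDN, diffs the answer against the host entries currently in the PBR ACL, and emits the IOS lines that edit the ACL. It assumes a named extended ACL called SQL-FQDN-PBR (a named ACL so single entries can be removed) and that some existing mechanism pushes the generated lines to the switch; the server address and port come from the original post.

```python
"""Resolve a PBR-target FQDN and emit the IOS ACL edit that tracks it."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Set

ACL_NAME = "SQL-FQDN-PBR"   # assumed name of the named extended ACL used by the route-map
SRC_HOST = "192.168.0.25"   # the server from the original post
DST_PORT = 1433             # SQL Server port from the original post

Resolver = Callable[[str], Set[str]]


def resolve_ipv4(fqdn: str) -> Set[str]:
    """Return the set of IPv4 addresses the FQDN currently resolves to.

    A cloud database name can return several A records, so the result is a set.
    """
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    # IPv4Address() also rejects anything that is not a well-formed address.
    return {ipaddress.IPv4Address(info[4][0]).exploded for info in infos}


def acl_entry(dst_ip: str) -> str:
    """One ACE that matches only the server talking to this resolved address."""
    return f"permit tcp host {SRC_HOST} host {dst_ip} eq {DST_PORT}"


def build_update(current: Iterable[str], resolved: Set[str]) -> List[str]:
    """Diff the ACL's current destination IPs against DNS and return the IOS
    configuration lines needed. Empty list means nothing changed, so the
    caller can skip the config push entirely."""
    current = set(current)
    stale = sorted(current - resolved)
    fresh = sorted(resolved - current)
    if not stale and not fresh:
        return []
    lines = [f"ip access-list extended {ACL_NAME}"]
    # Add the new entries before removing old ones so the flow never
    # loses its match while the edit is in progress.
    lines += [f" {acl_entry(ip)}" for ip in fresh]
    lines += [f" no {acl_entry(ip)}" for ip in stale]
    lines.append("exit")
    return lines


def update_commands(fqdn: str, current: Iterable[str],
                    resolver: Resolver = resolve_ipv4) -> List[str]:
    """Resolve the name and build the edit; a failed or empty lookup leaves
    the ACL untouched rather than removing every entry."""
    resolved = resolver(fqdn)
    if not resolved:
        raise RuntimeError(f"no A records for {fqdn}; leaving {ACL_NAME} unchanged")
    return build_update(current, resolved)


if __name__ == "__main__":
    # Constructed sample: the old entry is the IP from the post, and a fake
    # resolver pretends DNS now returns a different address.
    fake_dns = lambda name: {"191.235.193.76"}
    for line in update_commands("database.windows.net", ["191.235.193.75"], fake_dns):
        print(line)
```

Point the script at the same resolver the ASA uses, and run it more often than the record's TTL, so the switch's and the firewall's view of the FQDN do not drift apart.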

vinayjaiswal
Level 3

Hi Richard,

Is there any FQDN PBR script link so we can do it for Cisco 9500 switches?
