10-02-2015 03:44 AM - edited 03-08-2019 02:02 AM
Hi Everyone,
I have a FQDN object on our Firewall, the IP address of this changes daily so the firewall has a rule to permit access to it on a specified port number.
Example:
access-list inside_access_in line 284 extended permit tcp host 192.168.0.25 host 191.235.193.75 (database.windows.net) eq 1433 (hitcnt=0) 0xeef0bf01
This is working great, however I cannot route traffic to the firewall from our CORE 6500 series switches if I don't know the IP address of the object. I have a server that needs to access this FQDN object.
How do I route traffic from our CORE to the firewall?
CORE Cisco 6509's (s2t54-ipservicesk9-mz.SPA.150-1.SY2.bin)
Firewall Cisco ASA 5540 v9.1(5)21
10-02-2015 04:18 AM
If the IP address changes daily then it seems that using Policy Based Routing to forward traffic for TCP 1433 might be the solution for you.
HTH
Rick
10-02-2015 05:46 AM
Thanks Rick,
Can you give an example of this?
10-02-2015 09:14 AM
It might look something like this
! Extended ACL: identify the traffic to policy-route (here all TCP to port 1433)
access-list 199 permit tcp any any eq 1433
! Route-map: matching traffic gets the firewall's inside address as next hop
route-map SQLtraffic permit 10
 match ip address 199
 set ip next-hop <fw_addr>
! Apply the policy on the SVI where the server's traffic enters the switch
interface vlan 20
 ip policy SQLtraffic
HTH
Rick
10-02-2015 04:19 PM
I thought so.
Thanks again Rick
10-14-2016 08:10 PM
So Rick... what do you think if the requirements are that only traffic destined to that specific FQDN (say toto.database.windows.net which changes with time) should be routed to a specific interface and not every tcp flow destined to 1433...?
10-15-2016 03:37 PM
I think that is quite a challenge. I would try writing a script with EEM which you could schedule every x interval. In the script you could check on the FQDN and if the address has changed then you could perform an edit on the access list used for PBR.
HTH
Rick
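Rick's suggestion above, worked out as a concrete reconciliation routine. This is an added example and not code from the thread: instead of an on-box EEM script it is a job a management host would run on a schedule, which resolves the FQDN, compares the answer with the host entries currently in the PBR ACL, and emits the IOS commands needed to swap the addresses (pushing them to the switch over SSH or your automation tooling is left out). ACL number 199, port 1433, the route-map name, the 203.0.113.x / 192.0.2.x addresses and the running-config excerpt are constructed for the demonstration; the FQDN and 191.235.193.75 are taken from the thread.

```python
import ipaddress
import re
import socket

# Destination-host ACEs of a numbered extended ACL, as 'show running-config' prints them
ACE_RE = re.compile(r"^access-list (\d+) permit tcp any host (\d+\.\d+\.\d+\.\d+) eq (\d+)$")

def resolve_ipv4(fqdn, resolver=None):
    """Set of IPv4 addresses the FQDN resolves to now; empty set if the lookup fails.
    `resolver` can be injected (used below with constructed data); default is getaddrinfo."""
    if resolver is None:
        resolver = lambda n: {r[4][0] for r in socket.getaddrinfo(n, None, socket.AF_INET)}
    try:  # validate each answer before it goes anywhere near a config line
        return {str(ipaddress.IPv4Address(a)) for a in resolver(fqdn)}
    except (socket.gaierror, ValueError):
        return set()

def current_acl_hosts(running_config, acl, port):
    """Destination hosts the PBR ACL matches on today, parsed from the running config."""
    hits = (ACE_RE.match(l.strip()) for l in running_config.splitlines())
    return {m[2] for m in hits if m and int(m[1]) == acl and int(m[3]) == port}

def reconcile_acl(acl, port, old, new):
    """IOS commands that make the ACL match exactly `new`, or [] if nothing to do.
    Edits go through 'ip access-list extended <n>' submode: on classic IOS a bare
    'no access-list <n> ...' can wipe the whole numbered list rather than one ACE.
    New ACEs are added before stale ones are removed, and stale ones are removed."""
    if not new or old == new:  # failed lookup or no change: leave the ACL alone
        return []
    cmds = ["configure terminal", f"ip access-list extended {acl}"]
    cmds += [f" permit tcp any host {ip} eq {port}" for ip in sorted(new - old)]
    cmds += [f" no permit tcp any host {ip} eq {port}" for ip in sorted(old - new)]
    return cmds + ["end"]

def plan_update(fqdn, running_config, acl=199, port=1433, resolver=None):
    """One scheduled run: resolve, compare with the live ACL, return the edits to push."""
    return reconcile_acl(acl, port, current_acl_hosts(running_config, acl, port), resolve_ipv4(fqdn, resolver))

# Constructed running-config excerpt; 191.235.193.75 is the address quoted in the thread.
SAMPLE_CONFIG = """\
access-list 199 permit tcp any host 191.235.193.75 eq 1433
route-map SQLtraffic permit 10
 match ip address 199
 set ip next-hop 192.0.2.1
"""

if __name__ == "__main__":
    # Constructed resolver standing in for DNS: the FQDN has moved to 203.0.113.20
    for cmd in plan_update("toto.database.windows.net", SAMPLE_CONFIG, resolver=lambda _: ["203.0.113.20"]):
        print(cmd)
```

Removing stale entries matters as much as adding new ones: an ACL that only ever grows keeps policy-routing traffic to addresses the FQDN no longer owns.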
09-08-2023 03:34 AM
Hi Richard,
is there any FQDN PBR script link so we can do it for cisco 9500 switches?