lohmag, 2018-01-22 11:29:33
linux

Packet marking in Cisco ASA?

Two default gateways need to be connected to the Cisco ASA, and packets entering through them need to be marked so that when the server replies, the reply goes out to exactly the provider it came in from rather than via the standard default gateway. On Linux this is solved with
# (iptables-save format; these rules live in the mangle table so the mark is set before the routing decision)
# restore the connection's saved mark onto every incoming packet
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
# new connections that arrive from the second provider's gateway MAC, and not from the LAN, get mark 0x2
-A INPUT ! -s 10.0.0.0/24 -m state --state NEW -m mac --mac-source 00:24:C4:CC:C3:B3 -j MARK --set-xmark 0x2/0xffffffff
# persist the packet mark into conntrack so the reply direction can find it
-A INPUT -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A INPUT -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
# copy the connection mark onto locally generated replies before they are routed
-A OUTPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
and rules
ip rule add fwmark 0x2 lookup toSecondaryInternet
ip route add default via 10.0.0.3 table toSecondaryInternet
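As an added illustration that is not part of the original post or the poster's configuration, the following Python model walks a packet through the CONNMARK rules and the policy-routing lookup quoted in the question, to show why the mark saved in conntrack is what steers the reply back to the second provider, and what happens to the reply when the CONNMARK save/restore rules are missing. The 10.0.0.0/24 LAN, the second provider's gateway MAC, mark 0x2 and the 10.0.0.3 table entry come from the question; the primary gateway 10.0.0.1 and its MAC, the server address 10.0.0.10, the client addresses and the port-less connection key are assumptions made for the model.

```python
"""Toy model of CONNMARK-based return-path routing (added example, not the poster's code).

It models the rules quoted in the question:
  PREROUTING: CONNMARK --restore-mark
  INPUT:      ! -s 10.0.0.0/24 --state NEW --mac-source <gw2 MAC> -> MARK 0x2
  INPUT:      CONNMARK --save-mark
  OUTPUT:     CONNMARK --restore-mark
  ip rule add fwmark 0x2 lookup toSecondaryInternet
  ip route add default via 10.0.0.3 table toSecondaryInternet
Ports are omitted, so a "connection" is keyed on the unordered pair of addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")          # from the question
SECONDARY_GW_MAC = "00:24:c4:cc:c3:b3"   # from the question (compared case-insensitively)
SECONDARY_GW = "10.0.0.3"                # from the question
MARK_SECONDARY = 0x2                     # from the question
PRIMARY_GW = "10.0.0.1"                  # assumed: the ordinary default gateway
PRIMARY_GW_MAC = "00:11:22:33:44:55"     # assumed: MAC of the primary gateway
SERVER_IP = "10.0.0.10"                  # assumed: the server reachable via both providers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_mac: str = ""


class Host:
    """A server with conntrack, the mangle rules above and two routing tables."""

    def __init__(self, connmark_enabled: bool = True):
        self.connmark_enabled = connmark_enabled   # False models the setup without the CONNMARK rules
        self.conntrack: dict = {}                  # flow key -> saved connection mark
        self.rules = [(MARK_SECONDARY, "toSecondaryInternet")]  # ip rule add fwmark 0x2 lookup ...
        self.tables = {"main": PRIMARY_GW, "toSecondaryInternet": SECONDARY_GW}

    @staticmethod
    def _flow(pkt: Packet) -> frozenset:
        return frozenset((pkt.src, pkt.dst))

    def receive(self, pkt: Packet) -> int:
        """PREROUTING and INPUT for an inbound packet; returns the packet's final fwmark."""
        flow = self._flow(pkt)
        is_new = flow not in self.conntrack
        # PREROUTING -j CONNMARK --restore-mark
        mark = self.conntrack.get(flow, 0) if self.connmark_enabled else 0
        # INPUT ! -s 10.0.0.0/24 -m state --state NEW -m mac --mac-source <gw2> -j MARK --set-xmark 0x2
        if (is_new and ip_address(pkt.src) not in LAN
                and pkt.src_mac.lower() == SECONDARY_GW_MAC):
            mark = MARK_SECONDARY
        # INPUT -j CONNMARK --save-mark (conntrack still tracks the flow when CONNMARK is disabled)
        self.conntrack[flow] = mark if self.connmark_enabled else 0
        return mark

    def reply_gateway(self, pkt: Packet) -> str:
        """OUTPUT -j CONNMARK --restore-mark, then the policy-routing lookup for a reply."""
        flow = self._flow(pkt)
        mark = self.conntrack.get(flow, 0) if self.connmark_enabled else 0
        for fwmark, table in self.rules:           # ip rule list, in priority order
            if mark == fwmark:
                return self.tables[table]
        return self.tables["main"]


def reply_route(client_ip: str, via_secondary: bool, connmark_enabled: bool = True) -> str:
    """Gateway the server's reply to client_ip is sent to, after the client's packets arrived
    through the secondary (True) or the primary (False) provider."""
    host = Host(connmark_enabled)
    gw_mac = SECONDARY_GW_MAC if via_secondary else PRIMARY_GW_MAC
    host.receive(Packet(src=client_ip, dst=SERVER_IP, src_mac=gw_mac))
    # a later packet of the same connection is not NEW, so it keeps its mark only via --restore-mark
    host.receive(Packet(src=client_ip, dst=SERVER_IP, src_mac=gw_mac))
    return host.reply_gateway(Packet(src=SERVER_IP, dst=client_ip))


if __name__ == "__main__":
    print("via secondary, CONNMARK on :", reply_route("203.0.113.7", True))
    print("via primary,   CONNMARK on :", reply_route("203.0.113.7", False))
    print("via secondary, CONNMARK off:", reply_route("203.0.113.7", True, connmark_enabled=False))
    print("LAN client via secondary   :", reply_route("10.0.0.50", True))
```

Run stand-alone it prints the four cases: a client that came in through the second provider is answered via 10.0.0.3, one that came in through the primary via 10.0.0.1, the same secondary-provider client is misrouted to 10.0.0.1 once the CONNMARK save/restore rules are taken away (the MARK rule alone only marks the first inbound packet, and the reply never sees it), and a LAN client is excluded by the `! -s 10.0.0.0/24` match.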
