Packet marking in Cisco Asa?
Two default gateways need to be connected to the Cisco ASA, and each packet entering through one of them should be marked, so that when the server replies the reply goes back out to exactly the provider it came from, rather than via the standard default gw. On Linux this is solved with
# restore the connection mark onto every incoming packet
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
# new connections arriving via the second provider's router MAC get mark 0x2
-A INPUT ! -s 10.0.0.0/24 -m state --state NEW -m mac --mac-source 00:24:C4:CC:C3:B3 -j MARK --set-xmark 0x2/0xffffffff
# store the packet mark in the conntrack entry
-A INPUT -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A INPUT -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
# locally generated replies inherit the connection mark before routing
-A OUTPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
and the policy-routing rules
ip rule add fwmark 0x2 lookup toSecondaryInternet
ip route add default via 10.0.0.3 table toSecondaryInternet
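The Linux side of the question, as an added example that is not part of the original post: a small POSIX shell generator that emits the complete CONNMARK plus policy-routing setup for a second provider, so the reply to a connection that arrived on the second uplink leaves through the same uplink. It goes slightly beyond the post's ruleset: it marks by ingress interface instead of by the router's MAC address, keeps all marking in the mangle table, and sets loose reverse-path filtering (rp_filter=2), without which the kernel drops packets arriving on the second uplink because the best route back to their source points at the first one. The interface name (eth2), gateway, mark value 0x2 and routing table id 100 are assumed parameters; the commands are printed for review and only applied when `apply_dual_wan_setup` is run as root.

```shell
#!/bin/sh
# Added example, not from the original post. Generates (and optionally applies)
# a dual-WAN CONNMARK + policy-routing setup on Linux. All names below are
# assumptions: adjust the interface, gateway, mark and table id to your host.

MARK_WAN2=0x2    # fwmark for connections that arrived on the second uplink
TABLE_WAN2=100   # routing table id used by `ip rule ... lookup`

# Emit the mangle-table rules. Argument: second uplink interface name.
# Order matters: restore first so established flows keep their mark, then mark
# NEW connections by ingress interface, then save the mark into conntrack.
gen_mangle_rules() {
    wan2="$1"
    cat <<EOF
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i ${wan2} -m conntrack --ctstate NEW -j MARK --set-xmark ${MARK_WAN2}/0xffffffff
iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -j CONNMARK --save-mark
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
EOF
}

# Emit the routing side. Arguments: second uplink interface, its gateway.
# rp_filter=2 (loose mode) on both "all" and the interface is required: the
# kernel uses the stricter of the two, and strict mode rejects packets on wan2
# whose source is reachable only via the default route on wan1.
gen_routing_rules() {
    wan2="$1"; gw2="$2"
    cat <<EOF
sysctl -w net.ipv4.conf.all.rp_filter=2
sysctl -w net.ipv4.conf.${wan2}.rp_filter=2
ip route add default via ${gw2} dev ${wan2} table ${TABLE_WAN2}
ip rule add fwmark ${MARK_WAN2} lookup ${TABLE_WAN2}
EOF
}

# Print the whole setup for review. Arguments: wan2 interface, wan2 gateway.
gen_dual_wan_setup() {
    gen_mangle_rules "$1"
    gen_routing_rules "$1" "$2"
}

# Number of commands the generator produces (sanity check for scripts).
count_setup_lines() {
    gen_dual_wan_setup "$1" "$2" | wc -l | tr -d ' '
}

# Apply the generated commands. Requires root and modifies live firewall and
# routing state; review the output of gen_dual_wan_setup first.
apply_dual_wan_setup() {
    gen_dual_wan_setup "$1" "$2" | sh -e
}

# Usage: print the setup for a second uplink on eth2 with gateway 10.0.0.3
# gen_dual_wan_setup eth2 10.0.0.3
```

Verify the result with `iptables -t mangle -S`, `ip rule show` and `ip route show table 100`; a reply packet from a local service to a host that connected via eth2 should then carry mark 0x2 in OUTPUT and be routed via 10.0.0.3.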