Error cannot add route connected route exists



CISCO ASA config issue (Remote management ASDM/SSH/etc)

I have a couple of ASA devices that I want to be able to manage across our network. I have two devices: Device A is 10.23.1.10, the other is on 10.23.2.10. If I remote into a machine on the 10.23.2.x network I can connect through SSH and ASDM, but from the 10.23.1.x network I cannot connect. I have the ASDM configured to accept connections from both networks. Any idea why it does not work? The remote ASA is on the local/inside network, just on a different subnet.



Problem routing between directly connected Subnets w/ ASA-5510

This is an issue I’ve been struggling with for quite some time, with a seemingly simple answer (Aren’t all IT problems?).

And that is the problem of passing traffic between two directly connected subnets with an ASA

While I’m aware that best practice is to have Internet -> Firewall -> Router, in many cases this isn’t possible.

For example, I have an ASA with two interfaces, named OutsideNetwork (10.19.200.3/24) and InternalNetwork (10.19.4.254/24). You’d expect Outside to be able to get to, say, 10.19.4.1, or at LEAST 10.19.4.254, but pinging the interface gives only bad news.

Result of the command: «ping OutsideNetwork 10.19.4.254»
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.19.4.254, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Naturally, you’d assume that you could add a static route, to no avail.

[ERROR] route Outsidenetwork 10.19.4.0 255.255.255.0 10.19.4.254 1
Cannot add route, connected route exists

At this point, you might wonder if it’s a NAT or access-list problem.

access-list Outsidenetwork_access_in extended permit ip any any
access-list Internalnetwork_access_in extended permit ip any any

There is no dynamic NAT (or static NAT for that matter), and un-NATed traffic is permitted.

When I try pinging the above address (10.19.4.254 from Outsidenetwork), I get this error message from level 0 logging (debugging).

Routing failed to locate next hop for icmp from NP Identity Ifc:10.19.200.3/0 to Outsidenetwork:10.19.4.1/0

This led me to set same-security traffic permit, and assigned the same, lesser and greater security numbers between the two interfaces.

Am I overlooking something obvious? Is there a command to set static routes that are classified higher than connected routes?

2 Answers

There are a few problems in your question. First, I wouldn’t naturally think that I could get to the inside network from the outside network. The ASA is a FIREWALL, not a router. If it did this, it wouldn’t be doing its job. A router will do that just fine.

The second major problem is with your route command. You don’t need it. You have 2 locally connected networks. The firewall knows how to reach both of them. They are directly connected. Thus, you don’t need a route command to tell the firewall what the next hop is.

With that stuff out of the way, let’s get to an answer. The ASA requires every network to have a security level attached to it from 0-100. A higher security level will be able to access a lower security level. A lower security level needs explicit access granted to resources at a higher level. So let’s start by assigning the proper security levels:

interface ethernet 0/0
nameif outside
security-level 0
ip address 10.19.200.3 255.255.255.0

interface ethernet 0/1
nameif inside
security-level 100
ip address 10.19.4.254 255.255.255.0

Now your inside network is allowed to access your outside network. If you need to allow your outside network to access your inside network, you need to define that in an access-list and assign it to the interface in an access group:

access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside

But it’s still not working? Probably because you need to define static mappings from one network to the other. Otherwise the firewall doesn’t know what to do. Remember, this is a firewall, not a router:

static (inside,outside) 10.19.4.0 10.19.4.0 netmask 255.255.255.0
static (outside,inside) 10.19.200.0 10.19.200.0 netmask 255.255.255.0

That’s it. You should have free flow between the 2 interfaces. It really defeats the purpose of a firewall, but it seems to be what you want. At least it gives you a starting point, and you can restrict traffic from there.


13 Replies to "CISCO ASA config issue (Remote management ASDM/SSH/etc)"

  • Author Carl Slaughter

    I can’t ping the device from 10.23.1.x either; I can ping it on 10.23.2.x though.

  • The way our ASAs are set up, I can ping the ASA from an inside interface, but not from an outside interface. What do your HTTP enable commands look like? The second ASA (10.23.2.10) probably sees the first (10.23.1.10) as an outside connection; is it set up that way?

  • Author Robert Hummel

    Depends on the ASA model and the connection specifics.

    Are you using the inside interface to access the device?

    When you say you’ve configured the ASA to accept connections, do you mean the ssh command?

    ssh 10.23.1.0 255.255.255.0 inside

    ssh 10.23.2.0 255.255.255.0 inside

  • Author Carl Slaughter

    Correct, Robert5205:

    name 10.23.2.0 mv-inside-network
    name 10.23.1.0 wr-inside-network

    ssh wr-inside-network 255.255.255.0 inside
    ssh mv-inside-network 255.255.255.0 inside

    Scott9723, we have a fiber connection between the branches; they terminate on Cisco 1841s that pass traffic between the two subnets. I can access any device from 10.23.1.x to 10.23.2.x and vice versa; the ASAs’ inside interfaces are connected to these networks.

  • Author Steve Moores

    Maybe you need a route back to where you are coming from and don’t have it. Also (at least for testing purposes) add

    icmp permit 10.23.0.0 255.255.0.0 echo inside

    to allow you to ping it.

  • Author Carl Slaughter

    stevemoores wrote:

    Maybe you need a route back to where you are coming from and don’t have it. Also (at least for testing purposes) add

    icmp permit 10.23.0.0 255.255.0.0 echo inside

    to allow you to ping it.

    Already in there:

    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside

  • Author Steve Moores

    Then log into the router at the remote end (so you can be on the same subnet, no routing) and see if you can ping it from there (e.g. ping <ASA-inside-int-ip> source <router-ip>).

  • Author Carl Slaughter

    stevemoores wrote:

    Then log into the router at the remote end (so you can be on the same subnet, no routing) and see if you can ping it from there (e.g. ping <ASA-inside-int-ip> source <router-ip>).

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.23.2.10, timeout is 2 seconds:
    Packet sent with a source address of 10.23.2.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

    There IS, however, a subnet between the routers that they use to talk to each other, different from either of the two subnets: the addresses the two connecting routers use exclusively. They are simply passing traffic through between the Ethernet ports on the routers.

    10.23.1.1-(10.10.12.1)---(10.10.12.2)-10.23.2.1

  • Author Steve Moores

    Yeah, so it appears obvious: you just need a route back to 10.23.1.x via the router added to the remote ASA.

    route inside 10.23.1.0 255.255.255.0 10.23.2.1 1

  • Author Carl Slaughter

    stevemoores wrote:

    Yeah, so it appears obvious: you just need a route back to 10.23.1.x via the router added to the remote ASA.

    route inside 10.23.1.0 255.255.255.0 10.23.2.1 1

    Result of the command: "route inside 10.23.1.0 255.255.255.0 10.23.2.1 1"

    ERROR: Cannot add route, connected route exists

  • Author Carl Slaughter

    Oh good grief, I tried it on the wrong ASA. That worked, thx!

  • Author Steve Moores

    Yeah, there wouldn’t be a "connected" route on the remote ASA, on the other side of the router, back to your local subnet (the one you can’t access it from), so you are on the wrong ASA, or I don’t have proper situational awareness from reading your posts to understand what is where. But given that you can ping and access it from the local subnet (wherever that is) and can’t from where you want to, it seems like a simple routing issue. Of course, if I had a diagram that showed "I am here and the remote ASA is there with the router in between", and access to the configuration of these devices, it would be really easy to figure out why you can’t get there from here (wherever that is). You should even be able to do a traceroute (tracert in Windows terms) to it and see where you fall off the edge of the earth, and then fix it.

    Given that you can access it from the local subnet and have given it permission to talk to the remote subnet (that is remote to it), it must just be routing.

  • Author Steve Moores

    Carl Slaughter wrote:

    Oh good grief, I tried it on the wrong ASA. That worked, thx!

    That’s funny. While I was writing a response that said "you are on the wrong ASA" you posted that you were on the wrong ASA :)

    You’re very welcome, glad I could be of assistance.

First of all, I have fairly basic knowledge of Cisco ASAs, but I’m attempting to look into something that is bugging me.

I am working through the ASDM as opposed to the CLI.

We have a Cisco ASA5505 with the 192.168.1.x network on Ethernet Port 0. We also have a set of switches which are linked to the ASA through Ethernet Port 3 on 192.168.71.x.

The connectivity between the 2 is functioning without a hitch. My issue is currently with users that VPN in. When users VPN in they obtain a 192.168.73.x address given by the ASA. They are able to access anything on the 192.168.1.x through Ethernet 0 but unable to access anything on the 192.168.71.x network through Ethernet 3.

So, in a brief summary, no issues talking to either network when inside of the ASA but when connecting to the ASA through VPN only access to 192.168.1.x network on Ethernet 0.

Any pointers or information on where I should be looking for answers would be much appreciated, and if you need any more information to help, then by all means I can try and explain as best I can!

UPDATE:

Visit www.fresh.co.uk/CiscoConfiguration/Cisco.txt for Configuration of Cisco ASA.

Also, I have an issue here which could well be part of the problem. Under VPN > Connection Gateway there is an entry for the 71.x network (the network that needs access) which is pointing to the incorrect gateway. I attempted to change this to the correct gateway (71.253), but got the errors "Cannot remove connected route" and "Cannot add route, connected route exists".

Message: Re: PPTP problem on 1841

Code:

interface Ethernet0/1
 description RVB_GW_HOST
 nameif inside
 security-level 100
 ip address 10.20.30.1 255.255.255.0
!
interface Ethernet0/2
 description To_Route_POSATM
 nameif ATM_POS
 security-level 50
 ip address 10.20.20.1 255.255.255.0
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
access-list RVB_ACL extended permit ip 10.255.179.0 255.255.255.0 10.255.0.0 255.255.255.0
access-list EXCHANGE_NAT_ACL extended permit ip 192.168.0.0 255.255.255.0 host 10.255.0.12
access-list WebARM_NAT_ACL extended permit tcp 192.168.0.0 255.255.255.0 host 10.255.0.20 eq 7777
access-list IVR_NAT_ACL extended permit tcp 192.168.0.0 255.255.255.0 host 10.255.0.20 eq 4050
access-list POS_ATM_NAT_ACL extended permit ip 10.20.180.0 255.255.255.192 host 10.255.0.13
pager lines 24
mtu outside 1500
mtu inside 1500
mtu ATM_POS 1500
mtu PROD_WEB 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
no asdm history enable
arp timeout 14400
global (outside) 2 10.255.179.20
global (outside) 3 10.255.179.1
global (outside) 4 10.255.179.3
global (outside) 5 10.255.179.2
nat (inside) 2 access-list WebARM_NAT_ACL
nat (inside) 3 access-list IVR_NAT_ACL
nat (inside) 5 access-list EXCHANGE_NAT_ACL
nat (ATM_POS) 4 access-list POS_ATM_NAT_ACL
route outside 0.0.0.0 0.0.0.0 78.31.75.195 1
route ATM_POS 10.20.180.0 255.255.255.192 10.20.20.2 1
route inside 192.168.0.0 255.255.255.0 10.20.30.2 1

Code:

packet-tracer input inside tcp 192.168.0.14 4050 10.255.0.20 4050

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 3 access-list IVR_NAT_ACL
  match tcp inside 192.168.0.0 255.255.255.0 outside host 10.255.0.20 eq 4050
    dynamic translation to pool 3 (10.255.179.1)
    translate_hits = 5, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.0.14/4050 to 10.255.179.1/34775 using netmask 255.255.255.255

Phase: 4
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 2 access-list WebARM_NAT_ACL
  match tcp inside 192.168.0.0 255.255.255.0 outside host 10.255.0.20 eq 7777
    dynamic translation to pool 2 (10.255.179.20)
    translate_hits = 6, untranslate_hits = 0
Additional Information:

Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

TunnelRVB-CardStandart# packet-tracer input inside tcp 192.168.0.14 7777 10.255.0.20 7777

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 2 access-list WebARM_NAT_ACL
  match tcp inside 192.168.0.0 255.255.255.0 outside host 10.255.0.20 eq 7777
    dynamic translation to pool 2 (10.255.179.20)
    translate_hits = 7, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.0.14/7777 to 10.255.179.20/37967 using netmask 255.255.255.255

Phase: 4
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 2 access-list WebARM_NAT_ACL
  match tcp inside 192.168.0.0 255.255.255.0 outside host 10.255.0.20 eq 7777
    dynamic translation to pool 2 (10.255.179.20)
    translate_hits = 7, untranslate_hits = 0
Additional Information:

Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12941, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
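The post above pastes two raw packet-tracer runs, one dropped in Phase 5 (Type VPN, Subtype encrypt, Drop-reason acl-drop) and one allowed, without saying how to read them. As an added example, not Cisco’s code and not the poster’s, the following Python parses that output format into phases and returns the verdict: the overall Action, the Drop-reason, and the first phase whose Result is DROP. SAMPLE is an abridged copy of the first trace from the post (the Phase 4 match lines are shortened); the function names are this example’s own.

```python
"""Parse Cisco ASA `packet-tracer` output into phases and pull out the verdict.

Added example for this page; it is not Cisco code and not from the post
above. Given a trace it lists each phase with its Result and returns the
first DROP phase together with the Drop-reason line, which is what an
incident responder wants from a trace before reading the NAT details.
SAMPLE is an abridged copy of the first (dropped) trace in the post above.
"""
import re

# One phase: header lines, then everything up to the next phase or the
# final "Result:" summary block.
PHASE_RE = re.compile(
    r"^Phase: (?P<n>\d+)\n"
    r"Type: (?P<type>[^\n]*)\n"
    r"Subtype: ?(?P<sub>[^\n]*)\n"
    r"Result: (?P<res>\w+)\n"
    r"(?P<body>.*?)(?=^Phase: |^Result:\n|\Z)",
    re.M | re.S)
# Verdict lines at the end of the trace; Drop-reason is present only on drops.
VERDICT_RE = re.compile(
    r"^Action: (?P<action>\w+)(?:\nDrop-reason: (?P<reason>.*))?", re.M)


def parse_phases(text):
    """Return one dict per phase: number, type, subtype, result, config, info."""
    phases = []
    for m in PHASE_RE.finditer(text):
        cfg, _, info = m["body"].partition("Additional Information:")
        phases.append({
            "n": int(m["n"]),
            "type": m["type"].strip(),
            "subtype": m["sub"].strip(),
            "result": m["res"],
            "config": cfg.replace("Config:", "", 1).strip(),
            "info": info.strip(),
        })
    return phases


def summarize(text):
    """Verdict of a trace: overall action, drop reason, and the phase that dropped."""
    phases = parse_phases(text)
    v = VERDICT_RE.search(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    return {
        "phases": len(phases),
        "action": v["action"] if v else None,
        "drop_reason": v["reason"].strip() if v and v["reason"] else None,
        "dropped_at": None if drop is None else (drop["n"], drop["type"], drop["subtype"]),
    }


# Abridged copy of the first trace in the post above (constructed sample input).
SAMPLE = """\
packet-tracer input inside tcp 192.168.0.14 4050 10.255.0.20 4050

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 3 access-list IVR_NAT_ACL
  match tcp inside 192.168.0.0 255.255.255.0 outside host 10.255.0.20 eq 4050
    dynamic translation to pool 3 (10.255.179.1)
    translate_hits = 5, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.0.14/4050 to 10.255.179.1/34775 using netmask 255.255.255.255

Phase: 4
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 2 access-list WebARM_NAT_ACL
Additional Information:

Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for key, val in summarize(SAMPLE).items():
        print(f"{key:12} {val}")
```

summarize(SAMPLE) reports five phases, action drop, the acl-drop reason and dropped_at (5, "VPN", "encrypt"): the Drop-reason names the feature that refused the packet, while the phase tells you which stage of the pipeline it was refused at. On the second trace from the post the same function returns action allow with no drop phase.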

IP Routing Configuration in Cisco ASA

To route traffic to a host or network that is not directly connected, the ASA must be configured with a static route to that host or network or, at a minimum, a default route covering every network to which the ASA is not directly connected; for example, when there is a router between a network and the ASA.

Without a static or default route covering the destination, the ASA reports an error like the one below for traffic to non-connected hosts or networks:

ciscoasa# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
No route to host 8.8.8.8

Success rate is 0 percent (0/1)

Note that ASA in multiple context mode does not support dynamic routing.

The simplest option for IP routing is to configure a default route that sends all traffic to an upstream router and rely on that router to route it for you. In some cases, however, the default gateway cannot reach the destination network, so you must also configure more specific static routes. For example, if the default gateway is on the outside interface, the default route cannot direct traffic to inside networks that are not directly connected to the ASA.

In transparent firewall mode, for traffic that originates on the ASA and is destined for a non-directly connected network, you need to configure either a default route or static routes so the ASA knows out of which interface to send traffic. Traffic that originates on the ASA might include communications to a syslog server, Websense server or AAA server. If you have servers that cannot all be reached through a single default route, then you must configure static routes. Additionally, the ASA supports up to three equal cost routes on the same interface for load balancing.

Configuring a Static Route

Static routes are table entries established by the network administrator before routing begins, and they do not change unless the administrator alters them. Static routing is simple to design and works well where network traffic is relatively predictable and the network design is relatively simple; the trade-off is that a statically routed system cannot react to network changes on its own.

Static routes remain in the routing table even if the specified gateway becomes unavailable. If the specified gateway becomes unavailable, you need to remove the static route from the routing table manually. However, static routes are removed from the routing table if the specified interface goes down, and are reinstated when the interface comes back up.

To configure a static route on the ASA, enter route if_name dest_ip mask gateway_ip [distance], where dest_ip and mask identify the destination network, gateway_ip is the address of the next-hop router, and if_name is the interface through which that next hop is reached. The addresses you specify for the static route are the addresses in the packet before it enters the ASA and NAT is applied. The optional distance is the administrative distance for the route; it defaults to 1 when omitted. Administrative distance is the parameter used to compare routes learned from different sources: the default of 1 for static routes gives them precedence over routes discovered by dynamic routing protocols, but not over directly connected routes. That is why a static route for a subnet the ASA is already connected to is rejected with "Cannot add route, connected route exists": the connected route always wins, so the static one could never be used.

ciscoasa(config)# route ?

configure mode commands/options:
Current available interface(s):
  inside  Name of interface GigabitEthernet0
ciscoasa(config)# route inside ?

configure mode commands/options:
  Hostname or A.B.C.D  The foreign network for this route, 0 means default
ciscoasa(config)# route inside 192.168.100.0 255.255.255.0 ?

configure mode commands/options:
  Hostname or A.B.C.D  The address of the gateway by which the foreign network is reached.
  <cr>
ciscoasa(config)# route inside 192.168.100.0 255.255.255.0 192.168.10.1

Configuring Default Route

A default static route identifies the gateway IP address to which the ASA sends all IP packets for which it does not have a learned or static route. A default static route is simply a static route with 0.0.0.0/0 as the destination IP address. Routes that identify a specific destination take precedence over the default route.

You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways. When defining more than one default route, you must specify the same interface for each entry. If you attempt to define more than three equal cost default routes, or if you attempt to define a default route with a different interface than a previously defined default route, you receive the following message:

"ERROR: Cannot add route entry, possible conflict with existing routes."

You can define a separate default route for tunneled traffic alongside the standard default route. When you create a default route with the tunneled option, all traffic arriving from a tunnel that terminates on the ASA and that cannot be routed using learned or static routes is sent to this route. For traffic emerging from a tunnel, this route takes precedence over any other configured or learned default route.

You can track the availability of a static route with an SLA monitor and a tracked object, so that the route is withdrawn from the routing table when the monitored target stops answering.
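The two error strings this page quotes, "Cannot add route, connected route exists" (the Spiceworks thread above, when the route was typed on the wrong ASA) and "Cannot add route entry, possible conflict with existing routes." (the default-route limits just described), both come from the same admission rules: a static route is never accepted for a subnet the ASA is already connected to, and default routes are capped at three equal-cost entries on a single interface. The following Python model is an added example, not Cisco code and not taken from any post on this page. It parses the interface blocks of a config in the format shown earlier on the page, applies those rules to route commands, and performs a longest-prefix lookup that falls back to the "No route to host" outcome from the ping above. Connected routes having administrative distance 0, the two-interface sample configs with a 203.0.113.0/24 outside subnet, and the names parse_interfaces, AsaRoutes and replay_thread are this example’s own assumptions; the gateway is not checked against the interface subnet.

```python
"""Model of the Cisco ASA's static-route admission rules and route lookup.

Added example for this page (not Cisco code, not from any post above). It
reproduces the two error strings the page quotes and the "No route to host"
outcome, so the Spiceworks thread can be replayed offline: the remote ASA
(inside 10.23.2.10/24) accepts the route to 10.23.1.0/24 via 10.23.2.1; the
local ASA (inside 10.23.1.10/24) refuses it. Assumptions: connected routes
have AD 0; at most three equal-cost default routes, all on one interface
(as the page states); the gateway is not checked against the interface subnet.
"""
import ipaddress
import re

CONNECTED_AD = 0          # assumption: connected beats static (default AD 1)
MAX_DEFAULT_ROUTES = 3    # limit quoted in the page's default-route section
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")


def parse_interfaces(config):
    """Map nameif -> ip_interface from the 'interface' blocks of an ASA config."""
    ifaces, name = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name = None                     # new block: forget the previous nameif
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("ip address ") and name:
            ip, mask = s.split()[2:4]
            ifaces[name] = ipaddress.ip_interface(f"{ip}/{mask}")
    return ifaces


class AsaRoutes:
    """Routing table seeded with one connected route per named interface."""

    def __init__(self, ifaces):
        self.ifaces = ifaces
        self.routes = [dict(net=i.network, iface=n, gw=None, ad=CONNECTED_AD)
                       for n, i in ifaces.items()]

    def add(self, cmd):
        """Apply 'route IF NET MASK GW [AD]'; return 'OK' or the ASA error text."""
        m = ROUTE_RE.match(cmd.strip())
        if not m:
            raise ValueError(f"not a route command: {cmd}")
        iface, net, mask, gw, ad = m.groups()
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        ad = int(ad) if ad else 1
        # A static route for one of this box's own connected subnets is refused;
        # the OP hit this by typing the command on the ASA that owns 10.23.1.0/24.
        if any(r["gw"] is None and r["net"] == network for r in self.routes):
            return "ERROR: Cannot add route, connected route exists"
        if network.prefixlen == 0:
            peers = [r for r in self.routes if r["net"].prefixlen == 0 and r["ad"] == ad]
            if len(peers) >= MAX_DEFAULT_ROUTES or any(p["iface"] != iface for p in peers):
                return "ERROR: Cannot add route entry, possible conflict with existing routes."
        self.routes.append(dict(net=network, iface=iface, gw=ipaddress.ip_address(gw), ad=ad))
        return "OK"

    def lookup(self, dst):
        """Longest prefix first, then lowest AD. None models 'No route to host'."""
        d = ipaddress.ip_address(dst)
        cands = sorted((r for r in self.routes if d in r["net"]),
                       key=lambda r: (-r["net"].prefixlen, r["ad"]))
        if not cands:
            return None
        best = cands[0]
        return best["iface"], "connected" if best["gw"] is None else str(best["gw"])


# Constructed two-interface config in the shape of the page's 'interface' blocks.
LOCAL_ASA = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 ip address 10.23.1.10 255.255.255.0
"""
REMOTE_ASA = LOCAL_ASA.replace("10.23.1.10", "10.23.2.10")


def replay_thread():
    """Replay the thread's fix on both firewalls, then the default-route limits."""
    fix = "route inside 10.23.1.0 255.255.255.0 10.23.2.1 1"
    local = AsaRoutes(parse_interfaces(LOCAL_ASA))
    remote = AsaRoutes(parse_interfaces(REMOTE_ASA))
    out = {"fix_on_local": local.add(fix), "fix_on_remote": remote.add(fix)}
    out["remote_to_10.23.1.50"] = remote.lookup("10.23.1.50")
    out["remote_no_default"] = remote.lookup("8.8.8.8")
    gws = ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"]
    out["defaults"] = [remote.add(f"route outside 0.0.0.0 0.0.0.0 {g}") for g in gws]
    out["default_other_iface"] = remote.add("route inside 0.0.0.0 0.0.0.0 10.23.2.1")
    out["remote_to_8.8.8.8"] = remote.lookup("8.8.8.8")
    return out


if __name__ == "__main__":
    for key, val in replay_thread().items():
        print(f"{key:24} {val}")
```

replay_thread() returns the thread’s outcome in one dict: on the local ASA 10.23.1.0/24 is a connected network, so the fix is refused with the connected-route error, whereas the remote ASA accepts it and then resolves 10.23.1.50 via 10.23.2.1 on inside. With no default route, 8.8.8.8 has no route at all; the first three equal-cost default routes on outside are accepted, the fourth, and one placed on inside, are refused with the possible-conflict error, and the lookup for 8.8.8.8 then goes to the first default gateway.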

Configuring Dynamic Routing Protocol

When it is not feasible to manage static routes on the ASA, you can use a dynamic routing protocol such as OSPF, RIP or EIGRP to learn routes to non-connected networks.

Enabling OSPF in Cisco ASA

To enable OSPF, you need to create an OSPF routing process, specify the range of IP addresses associated with the routing process, then assign area IDs associated with that range of IP addresses.

Step 1 To create an OSPF routing process, enter the router ospf process_id command, where process_id is an internally used identifier for this routing process. It can be any positive integer and does not have to match the ID on any other device.

ciscoasa(config)# router ospf 123

Step 2 To define the IP addresses on which OSPF runs and to define the area ID for that interface, enter the network ip_address mask area area_id command.

ciscoasa(config-router)# network 192.168.10.0 255.255.255.0 area 0
ciscoasa(config-router)# network 192.168.20.0 255.255.255.0 area 0
ciscoasa(config-router)# network 192.168.30.0 255.255.255.0 area 0

Redistributing Routes Into OSPF

The ASA can control the redistribution of routes between OSPF routing processes. The ASA matches and changes routes according to settings in the redistribute command or by using a route map.

To redistribute static, connected, RIP routes into an OSPF process, perform the following steps:

Step 1 (Optional) Create a route-map to further define which routes from the specified routing protocol are redistributed into the OSPF routing process.

Step 2 If you have not already done so, enter the router configuration mode for the OSPF process you want to redistribute into by entering the following command:

hostname(config)# router ospf process_id

Step 3 To specify the routes you want to redistribute, enter the following command:

hostname(config-router)# redistribute {ospf process_id [match {internal | external 1 | external 2}] | static | connected | rip} [metric metric-value] [metric-type {type-1 | type-2}] [tag tag_value] [subnets] [route-map map_name]

The ospf process_id, static, connected, and rip keywords specify from where you want to redistribute routes.

You can either use the options in this command to match and set route properties, or you can use a route map. The tag and subnets options do not have equivalents in the route-map command. If you use both a route map and options in the redistribute command, then they must match.
The following example shows route redistribution from OSPF process 1 into OSPF process 2 by matching routes with a metric equal to 1. The security appliance redistributes these routes as external LSAs with a metric of 5, metric type of Type 1, and a tag equal to 1.

ciscoasa(config)# route-map 1-to-2 permit
ciscoasa(config-route-map)# match metric 1
ciscoasa(config-route-map)# set metric 5
ciscoasa(config-route-map)# set metric-type type-1
ciscoasa(config-route-map)# set tag 1
ciscoasa(config-route-map)# router ospf 2
ciscoasa(config-router)# redistribute ospf 1 route-map 1-to-2

The following example shows the specified OSPF process routes being redistributed into OSPF process 109. The OSPF metric is remapped to 100.

ciscoasa(config)# router ospf 109
ciscoasa(config-router)# redistribute ospf 108 metric 100 subnets

The following example shows route redistribution where the link-state cost is specified as 5 and the metric type is set to external, indicating that it has lower priority than internal metrics.

ciscoasa(config)# router ospf 1
ciscoasa(config-router)# redistribute ospf 2 metric 5 metric-type external

Enabling RIP in Cisco ASA

Devices that support RIP send routing-update messages at regular intervals and when the network topology changes. These RIP packets contain information about the networks that the devices can reach, as well as the number of routers or gateways that a packet must travel through to reach the destination address. RIP generates more traffic than OSPF, but is easier to configure.

To enable and configure the RIP routing process, perform the following steps:

Step 1 Start the RIP routing process by entering the following command in global configuration mode:

ciscoasa(config)# router rip

You enter router configuration mode for the RIP routing process.

Step 2 Specify the interfaces that will participate in the RIP routing process. Enter the following command for each interface that will participate in the RIP routing process:

ciscoasa(config-router)# network 192.168.10.0

If an interface belongs to a network defined by this command, the interface will participate in the RIP routing process. If an interface does not belong to a network defined by this command, it will not send or receive RIP updates.

Step 3 (Optional) Specify the version of RIP used by the security appliance by entering the following command:

ciscoasa(config-router)# version 2

You can override this setting on a per-interface basis.

Step 4 (Optional) To generate a default route into RIP, enter the following command:

ciscoasa(config-router)# default-information originate

Step 5 (Optional) To specify an interface to operate in passive mode, enter the following command:

ciscoasa(config-router)# passive-interface inside

Specifying an interface name sets only that interface to passive RIP mode. In passive mode, RIP routing updates are accepted by but not sent out of the specified interface. You can enter this command for each interface you want to set to passive mode. Using the default keyword causes all interfaces to operate in passive mode.

Step 6 (Optional) Disable automatic route summarization by entering the following command:

ciscoasa(config-router)# no auto-summary

RIP Version 1 always uses automatic route summarization and you cannot disable it for RIP Version 1. RIP Version 2 uses route summarization by default but you can disable it using this command.

Step 7 (Optional) To filter the networks received in updates, perform the following steps:

a. Create a standard access list permitting the networks you want the RIP process to allow in the routing table and denying the networks you want the RIP process to discard.

b. Enter the following command to apply the filter. You can specify an interface to apply the filter to only those updates received by that interface.

ciscoasa(config-router)# distribute-list 100 in interface inside

You can enter this command for each interface you want to apply a filter to. If you do not specify an interface name, the filter is applied to all RIP updates.

Step 8 (Optional) To filter the networks sent in updates, perform the following steps:

a. Create a standard access list permitting the networks you want the RIP process to advertise and denying the networks you do not want the RIP process to advertise.

b. Enter the following command to apply the filter. You can specify an interface to apply the filter to only those updates sent by that interface.

ciscoasa(config-router)# distribute-list 101 out interface outside

You can enter this command for each interface you want to apply a filter to. If you do not specify an interface name, the filter is applied to all RIP updates.

Redistributing Routes into the RIP Routing Process

You can redistribute routes from the OSPF, static, and connected routing processes into the RIP routing process.

To redistribute routes into the RIP routing process, perform the following steps:

Step 1 (Optional) Create a route-map to further define which routes from the specified routing protocol are redistributed into the RIP routing process.

Step 2 Choose one of the following options to redistribute the selected route type into the RIP routing process.

To redistribute connected routes into the RIP routing process, enter the following command:

hostname(config-router)# redistribute connected [metric {metric_value | transparent}] [route-map map_name]

To redistribute static routes into the RIP routing process, enter the following command:

hostname(config-router)# redistribute static [metric {metric_value | transparent}] [route-map map_name]

To redistribute routes from an OSPF routing process into the RIP routing process, enter the following command:

hostname(config-router)# redistribute ospf pid [match {internal | external [1 | 2] | nssa-external [1 | 2]}] [metric {metric_value | transparent}] [route-map map_name]

Displaying the Routing Table

To view the entries in the routing table, enter the following command:

ciscoasa# show route

[output cut]

Gateway of last resort is not set

C    192.168.30.0 255.255.255.0 is directly connected, DMZ
C    192.168.10.0 255.255.255.0 is directly connected, inside
C    192.168.20.0 255.255.255.0 is directly connected, outside

How the Routing Table is Populated

The ASA routing table can be populated by statically defined routes, directly connected routes, and routes discovered by the RIP and OSPF routing protocols. Because the ASA can run multiple routing protocols in addition to having static and connected routes in the routing table, it is possible that the same route is discovered or entered in more than one manner. When two routes to the same destination are put into the routing table, the one that remains in the routing table is determined as follows:

• If the two routes have different network prefix lengths (network masks), then both routes are considered unique and are entered into the routing table. The packet forwarding logic then determines which of the two to use.

For example, if the RIP and OSPF processes discovered the following routes:

RIP: 192.168.32.0/24

OSPF: 192.168.32.0/19

Even though OSPF routes have the better administrative distance, both routes are installed in the routing table because each of these routes has a different prefix length (subnet mask). They are considered different destinations, and the packet forwarding logic determines which route to use.

• If the security appliance learns about multiple paths to the same destination from a single routing protocol, such as RIP, the route with the better metric (as determined by the routing protocol) is entered into the routing table.

Metrics are values associated with specific routes, ranking them from most preferred to least preferred. The parameters used to determine the metrics differ for different routing protocols. The path with the lowest metric is selected as the optimal path and installed in the routing table. If there are multiple paths to the same destination with equal metrics, load balancing is done on these equal cost paths.

• If the security appliance learns about a destination from more than one routing protocol, the administrative distances of the routes are compared and the route with the lower administrative distance is entered into the routing table.
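The three rules above, worked through in code. This is an added model, not ASA code: the class names are assumed, the administrative distances are the conventional defaults for these sources rather than values stated on the page, and the 192.168.32.0/24 (RIP) versus 192.168.32.0/19 (OSPF) case from the text is used as the sample input.

```python
import ipaddress
from dataclasses import dataclass

# Added model (not ASA code) of the three selection rules above. The administrative
# distances are the usual defaults for these sources and are assumed here, not taken
# from the page.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ospf": 110, "rip": 120}

@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "192.168.32.0/24"
    source: str      # connected | static | ospf | rip
    metric: int      # protocol metric, only comparable within one source
    next_hop: str

class RoutingTable:
    def __init__(self):
        self.routes = {}   # ipaddress.IPv4Network -> list of equal-cost Route entries

    def install(self, route: Route) -> list:
        """Apply the rules and return what the table holds for this exact prefix."""
        net = ipaddress.ip_network(route.prefix, strict=False)
        current = self.routes.get(net)   # a different mask is a different key: rule 1
        if not current:
            self.routes[net] = [route]
        elif current[0].source != route.source:
            # rule 3: different protocols, lower administrative distance wins outright
            if ADMIN_DISTANCE[route.source] < ADMIN_DISTANCE[current[0].source]:
                self.routes[net] = [route]
        elif route.metric < current[0].metric:
            self.routes[net] = [route]       # rule 2: better metric within one protocol
        elif route.metric == current[0].metric:
            current.append(route)            # equal cost: kept for load balancing
        return self.routes[net]

    def lookup(self, dst: str) -> list:
        """Forwarding decision: the installed routes for the longest matching prefix."""
        ip = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if ip in n]
        if not matches:
            return []
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

if __name__ == "__main__":
    table = RoutingTable()
    table.install(Route("192.168.32.0/24", "rip", 2, "192.168.10.2"))
    table.install(Route("192.168.32.0/19", "ospf", 20, "192.168.20.2"))
    print(len(table.routes), "prefixes installed")        # both, because the masks differ
    print(table.lookup("192.168.32.5")[0].source)           # rip: the /24 is the longer match
    print(table.lookup("192.168.40.1")[0].source)           # ospf: only the /19 covers it
```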

Dynamic Routing and Failover

Dynamic routes are not replicated to the standby unit or failover group in a failover configuration. Therefore, immediately after a failover occurs, some packets received by the ASA may be dropped because of a lack of routing information or routed to a default static route while the routing table is repopulated by the configured dynamic routing protocols.
