IP Routing Configuration in Cisco ASA

IP Routing Configuration in Cisco ASA

To route the traffic to a non-connected host or network, the ASA must be configured with a static route to the host or network or, at a minimum, a default route for any networks to which the ASA is not directly connected; for example, when there is a router between a network and the ASA.

Without a static or default route defined, ASA generates the error as shown below for traffic to non-connected hosts or networks:

ciscoasa# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
No route to host 8.8.8.8

Success rate is 0 percent (0/1)

Note that ASA in multiple context mode does not support dynamic routing.

The simplest option for IP routing is to configure a default route to send all traffic to an upstream router, relying on the router to route the traffic for you. However, in some cases the default gateway might not be able to reach the destination network, so you must also configure more specific static routes. For example, if the default gateway is outside, then the default route cannot direct traffic to any inside networks that are not directly connected to the ASA.

In transparent firewall mode, for traffic that originates on the ASA and is destined for a non-directly connected network, you need to configure either a default route or static routes so the ASA knows out of which interface to send traffic. Traffic that originates on the ASA might include communications to a syslog server, Websense server or AAA server. If you have servers that cannot all be reached through a single default route, then you must configure static routes. Additionally, the ASA supports up to three equal cost routes on the same interface for load balancing.

Configuring a Static Route

Static routing algorithms are basically table mappings established by the network administrator before the beginning of routing. These mappings do not change unless the network administrator alters them. Algorithms that use static routes are simple to design and work well in environments where network traffic is relatively predictable and where network design is relatively simple. Because of this fact, static routing systems cannot react to network changes.

Static routes remain in the routing table even if the specified gateway becomes unavailable. If the specified gateway becomes unavailable, you need to remove the static route from the routing table manually. However, static routes are removed from the routing table if the specified interface goes down, and are reinstated when the interface comes back up.

To configure a static route on ASA, enter the command route if_name dest_ip mask gateway_ip, where the dest_ip and mask is the IP address for the destination network and the gateway_ip is the address of the next-hop router. The addresses you specify for the static route are the addresses that are in the packet before entering the ASA and performing NAT. The distance is the administrative distance for the route. The default is 1 if you do not specify a value. Administrative distance is a parameter used to compare routes among different routing protocols. The default administrative distance for static routes is 1, giving it precedence over routes discovered by dynamic routing protocols but not directly connect routes.

ciscoasa(config)# route ?

configure mode commands/options:
Current available interface(s):
  inside  Name of interface GigabitEthernet0
ciscoasa(config)# route inside ?

configure mode commands/options:
  Hostname or A.B.C.D  The foreign network for this route, 0 means default
ciscoasa(config)# route inside 192.168.100.0 255.255.255.0 ?

configure mode commands/options:
  Hostname or A.B.C.D  The address of the gateway by which the foreign network is reached.
  <cr>
ciscoasa(config)# route inside 192.168.100.0 255.255.255.0 192.168.10.1

Configuring Default Route

A default static route identifies the gateway IP address to which the ASA sends all IP packets for which it does not have a learned or static route. A default static route is simply a static route with 0.0.0.0/0 as the destination IP address. Routes that identify a specific destination take precedence over the default route.

You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways. When defining more than one default route, you must specify the same interface for each entry. If you attempt to define more than three equal cost default routes, or if you attempt to define a default route with a different interface than a previously defined default route, you receive the following message:

"ERROR: Cannot add route entry, possible conflict with existing routes."

You can define a separate default route for tunneled traffic along with the standard default route. When you create a default route with the tunneled option, all traffic from a tunnel terminating on the ASA that cannot be routed using learned or static routes, is sent to this route. For traffic emerging from a tunnel, this route overrides over any other configured or learned default routes.

You can track the availability of static routes using Tracked object and SLA as shown here.

Configuring Dynamic Routing Protocol

When it is not feasible to manage static routes on ASA, you can use dynamic routing protocols like OSPF, RIP, EIGRP to take care of routes to non-connected networks. For theoretic explanation on dynamic routing protocols you can visit this section.

Enabling OSPF in Cisco ASA

To enable OSPF, you need to create an OSPF routing process, specify the range of IP addresses associated with the routing process, then assign area IDs associated with that range of IP addresses.

Step 1 To create an OSPF routing process, enter the router ospf process_id command, where process_id is an internally used identifier for this routing process. It can be any positive integer and does not have to match the ID on any other device.

ciscoasa(config)# router ospf 123

Step 2 To define the IP addresses on which OSPF runs and to define the area ID for that interface, enter the network ip_address mask area area_id command.

ciscoasa(config-router)# network 192.168.10.0 255.255.255.0 area 0
ciscoasa(config-router)# network 192.168.20.0 255.255.255.0 area 0
ciscoasa(config-router)# network 192.168.30.0 255.255.255.0 area 0
Redistributing Routes Into OSPF

The ASA can control the redistribution of routes between OSPF routing processes. The ASA matches and changes routes according to settings in the redistribute command or by using a route map.

To redistribute static, connected, RIP routes into an OSPF process, perform the following steps:

Step 1 (Optional) Create a route-map to further define which routes from the specified routing protocol are redistributed in to the OSPF routing process.

Step 2 If you have not already done so, enter the router configuration mode for the OSPF process you want to redistribute into by entering the following command:

hostname(config)# router ospf process_id

Step 3 To specify the routes you want to redistribute, enter the following command:

hostname(config-router)# redistribute {ospf process_id [match {internal | external 1 | external 2}] | static | connected | rip} [metric metric-value] [metric-type {type-1 | type-2}] [tag tag_value] [subnets] [route-map map_name]

The ospf process_id, static, connected, and rip keywords specify from where you want to redistribute routes.

You can either use the options in this command to match and set route properties, or you can use a route map. The tag and subnets options do not have equivalents in the route-map command. If you use both a route map and options in the redistribute command, then they must match.


The following example shows route redistribution from OSPF process 1 into OSPF process 2 by matching routes with a metric equal to 1. The security appliance redistributes these routes as external LSAs with a metric of 5, metric type of Type 1, and a tag equal to 1.

ciscoasa(config)# route-map 1-to-2 permit
ciscoasa(config-route-map)# match metric 1
ciscoasa(config-route-map)# set metric 5
ciscoasa(config-route-map)# set metric-type type-1
ciscoasa(config-route-map)# set tag 1
ciscoasa(config-route-map)# router ospf 2
ciscoasa(config-router)# redistribute ospf 1 route-map 1-to-2

The following example shows the specified OSPF process routes being redistributed into OSPF process 109. The OSPF metric is remapped to 100.

ciscoasa(config)# router ospf 109
ciscoasa(config-router)# redistribute ospf 108 metric 100 subnets

The following example shows route redistribution where the link-state cost is specified as 5 and the metric type is set to external, indicating that it has lower priority than internal metrics.

ciscoasa(config)# router ospf 1
ciscoasa(config-router)# redistribute ospf 2 metric 5 metric-type external

Enabling RIP in Cisco ASA

Devices that support RIP send routing-update messages at regular intervals and when the network topology changes. These RIP packets contain information about the networks that the devices can reach, as well as the number of routers or gateways that a packet must travel through to reach the destination address. RIP generates more traffic than OSPF, but is easier to configure.

To enable and configure the RIP routing process, perform the following steps:

Step 1 Start the RIP routing process by entering the following command in global configuration mode:

ciscoasa(config)# router rip

You enter router configuration mode for the RIP routing process.

Step 2 Specify the interfaces that will participate in the RIP routing process. Enter the following command for each interface that will participate in the RIP routing process:

ciscoasa(config-router): network 192.168.10.0

If an interface belongs to a network defined by this command, the interface will participate in the RIP routing process. If an interface does not belong to a network defined by this command, it will not send or receive RIP updates.

Step 3 (Optional) Specify the version of RIP used by the security appliance by entering the following command:

ciscoasa(config-router)# version 2

You can override this setting on a per-interface basis.

Step 4 (Optional) To generate a default route into RIP, enter the following command:

ciscoasa(config-router)# default-information originate

Step 5 (Optional) To specify an interface to operate in passive mode, enter the following command:

ciscoasa(config-router)# passive-interface inside

Specifying an interface name sets only that interface to passive RIP mode. In passive mode, RIP routing updates are accepted by but not sent out of the specified interface. You can enter this command for each interface you want to set to passive mode. Using the default keyword causes all interfaces to operate in passive mode.

Step 6 (Optional) Disable automatic route summarization by entering the following command:

ciscoasa(config-router)# no auto-summary

RIP Version 1 always uses automatic route summarization and you cannot disable it for RIP Version 1. RIP Version 2 uses route summarization by default but you can disable it using this command.

Step 7 (Optional) To filter the networks received in updates, perform the following steps:

a. Create a standard access list permitting the networks you want the RIP process to allow in the routing table and denying the networks you want the RIP process to discard.

b. Enter the following command to apply the filter. You can specify an interface to apply the filter to only those updates received by that interface.

ciscoasa(config-router)# distribute-list 100 in interface inside

You can enter this command for each interface you want to apply a filter to. If you do not specify an interface name, the filter is applied to all RIP updates.

Step 8 (Optional) To filter the networks sent in updates, perform the following steps:

a. Create a standard access list permitting the networks you want the RIP process to advertise and denying the networks you do not want the RIP process to advertise.

b. Enter the following command to apply the filter. You can specify an interface to apply the filter to only those updates sent by that interface.

ciscoasa(config-router)# distribute-list 101 out interface outside

You can enter this command for each interface you want to apply a filter to. If you do not specify an interface name, the filter is applied to all RIP updates.

Redistributing Routes into the RIP Routing Process

You can redistribute routes from the OSPF, static, and connected routing processes into the RIP routing process.

To redistribute a routes into the RIP routing process, perform the following steps:

Step 1 (Optional) Create a route-map to further define which routes from the specified routing protocol are redistributed in to the RIP routing process.

Step 2 Choose one of the following options to redistribute the selected route type into the RIP routing process.

To redistribute connected routes into the RIP routing process, enter the following command:

hostname(config-router): redistribute connected [metric {metric_value | transparent}] [route-map map_name]

To redistribute static routes into the RIP routing process, enter the following command:

hostname(config-router): redistribute static [metric {metric_value | transparent}] [route-map map_name]

To redistribute routes from an OSPF routing process into the RIP routing process, enter the following command:

hostname(config-router): redistribute ospf pid [match {internal | external [1 | 2] | nssa-external [1 | 2]}] [metric {metric_value | transparent}] [route-map map_name]

Displaying the Routing Table

To view the entries in the routing table, enter the following command:

ciscoasa# show route

[output cut]

Gateway of last resort is not set

C    192.168.30.0 255.255.255.0 is directly connected, DMZ
C    192.168.10.0 255.255.255.0 is directly connected, inside
C    192.168.20.0 255.255.255.0 is directly connected, outside
How the Routing Table is Populated

The ASA routing table can be populated by statically defined routes, directly connected routes, and routes discovered by the RIP and OSPF routing protocols. Because the ASA can run multiple routing protocols in addition to having static and connected routed in the routing table, it is possible that the same route is discovered or entered in more than one manner. When two routes to the same destination are put into the routing table, the one that remains in the routing table is determined as follows:

• If the two routes have different network prefix lengths (network masks), then both routes are considered unique and are entered in to the routing table. The packet forwarding logic then determines which of the two to use.

For example, if the RIP and OSPF processes discovered the following routes:

RIP: 192.168.32.0/24

OSPF: 192.168.32.0/19

Even though OSPF routes have the better administrative distance, both routes are installed in the routing table because each of these routes has a different prefix length (subnet mask). They are considered different destinations and the packet forwarding logic determine which route to use.

• If the security appliance learns about multiple paths to the same destination from a single routing protocol, such as RIP, the route with the better metric (as determined by the routing protocol) is entered into the routing table.

Metrics are values associated with specific routes, ranking them from most preferred to least preferred. The parameters used to determine the metrics differ for different routing protocols. The path with the lowest metric is selected as the optimal path and installed in the routing table. If there are multiple paths to the same destination with equal metrics, load balancing is done on these equal cost paths.

• If the security appliance learns about a destination from more than one routing protocol, the administrative distances of the routes are compared and the routes with lower administrative distance is entered into the routing table.

Dynamic Routing and Failover

Dynamic routes are not replicated to the standby unit or failover group in a failover configuration. Therefore, immediately after a failover occurs, some packets received by the ASA may be dropped because of a lack of routing information or routed to a default static route while the routing table is repopulated by the configured dynamic routing protocols.

Back



Microsoft Certified | Cisco Certified

1 Comment

Comments are closed.