topic Using an ASA as a router in Network Security

Using an ASA as a router

abtt-39 — Mon, 04 Mar 2024 12:02:17 GMT

Hello,

the question is in the title.

Is it possible to use the ASA as a router between 2 internal networks?

interface GigabitEthernet1/1
nameif outside
security-level 100
ip address 10.0.1.254 255.255.255.0

interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.40.1.249 255.255.255.0

"outside" interface, connected to an L2 switch.

A PC ( PC1) is connected to this switch

10.0.1.110 255.255.255.0 GW : 10.01.254

The "inside" interface is also connected to an L2 switch, to which PCs are connected. These PCs have IP 10.40.1.X /24 and Gateway 10.40.1.254. This gateway is the IP of the ISP router (VPN MPLS router).

From the "inside" network, I need to retrieve FTP data on PC1. And allow ICMP too. Same thing in reverse (from outside to inside).

But the problem is that if I add a route on the ASA, it asks me to configure the next hop Ip address. But in this diagram, I don't have one?

The goal is to isolate PC1. A laboratory analyzer is connected to this PC (PC not supplied by us). It sends data to this PC, and I can retrieve data via FTp on it to send it to the inside network.

Re: Using an ASA as a router

Rob Ingram — Mon, 04 Mar 2024 12:13:09 GMT

@abtt-39 you can either change the routing on your to make the ASA the next hop, you would also need to configure an ACL to explictly permit the traffic between the interfaces.

Or you could configure the ASA in transparent mode - https://integratingit.wordpress.com/2021/05/30/asa-transparent-mode/

Re: Using an ASA as a router

abtt-39 — Mon, 04 Mar 2024 12:41:04 GMT

Hello rob,

Unfortunately, on the inside station, I cannot change the gateway to ASA. These PCs need their current gateway to access the MPLS VPN network between sites.

For transparent mode, I didn't know, but in the link indicated, it is written that switching to transparent mode will erase the ASA configuration. However, I also use it for other things not mentioned in my post

Re: Using an ASA as a router

Edgar Benavente — Mon, 04 Mar 2024 12:52:23 GMT

I believe that you don´t need to configure static routes, due both network is directly connected to the ASA.
But is needed traffic permits between both security zones.

Kind regards

Re: Using an ASA as a router

Rob Ingram — Mon, 04 Mar 2024 12:54:34 GMT

@abtt-39 without knowing your topology I see no reason why you cannot change the routing on the LAN. Or alternatively create another network behind the ASA and route accordingly. Or depending on your ASA hardware you could convert to ASA Multi-context, 1 using your existing routed configuration and another context as transparent.

I'd recommend you look to change your LAN topology to route between the different networks.

Re: Using an ASA as a router

Marius Gunnerud — Mon, 04 Mar 2024 13:14:19 GMT

From what you are describing you want to use FTP between two devices that have IPs in the same subnet as the Inside and Outside interfaces? If this is the case then no routing is needed as these are "directly connected" subnets, the ASA already knows how to reach these networks. So all that is needed is that the PCs need either a default gateway or a route for the PC in question pointing to the relevant ASA interface and access rules allowing the FTP connection (if using active FTP you will need to open for both tcp/20 and tcp/21).

As for ICMP, as this is stateless you will need to add an inspect icmp command under the global policy-map configuration as well as allow this in the access list.

policy-map global_policy

class inspeciton_default

inspect icmp

Re: Using an ASA as a router

abtt-39 — Mon, 04 Mar 2024 13:28:28 GMT

I'm attaching a little diagram, it will be easier.

Re: Using an ASA as a router

Marius Gunnerud — Mon, 04 Mar 2024 13:45:05 GMT

LOL, never mind the last comment, I see it is a L2 switch. In this case you would need to implement static routes on PC2 to point to the ASA for network 10.0.1.0/24. Also, you still need the access list entries to allow access for FTP as well as inspect ICMP in the global policy map.

Or place an L3 device between PC2 and the ISP and the rest of the internal network.

Re: Using an ASA as a router

abtt-39 — Mon, 04 Mar 2024 13:46:05 GMT

it's already the case :

policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp

and i can't ping

Re: Using an ASA as a router

MHM Cisco World — Mon, 04 Mar 2024 13:46:08 GMT

go a head use FW as router

but I want to mention that we normally named the Interface connect to ISP OUTSIDE and level 0
and interface connect to LAN as INSIDE and level 100

MHM

Re: Using an ASA as a router

Marius Gunnerud — Mon, 04 Mar 2024 13:48:42 GMT

If you will use the ASA as a router you would need to provision a new subnet for PC2 as you will end up with asynchronous routing towards the ISP if left as is. Or configure tcp bypass on the ASA, but I would not recommend going that direction.

Re: Using an ASA as a router

MHM Cisco World — Mon, 04 Mar 2024 13:56:30 GMT

You are totally correct
the traffic path will be
PC2->ISP->ASA->PC1
the return will be
PC1->ASA->PC2 (since ASA and PC2 share same subnet)

So He can use ASA as router but he need

Re: Using an ASA as a router

abtt-39 — Mon, 04 Mar 2024 14:09:04 GMT

Indeed, it seemed to me that it was not possible as shown in the diagram without a router somewhere.
I'm going to try adding a static route on a PC (it's a Windows PC), I've never tried it on Windows.

Re: Using an ASA as a router

MHM Cisco World — Mon, 04 Mar 2024 16:17:11 GMT

it work not issue

NOTE:- R2 in my lab is pure L2 SW.

Re: Using an ASA as a router

abtt-39 — Wed, 18 Sep 2024 12:08:26 GMT

Good morning,

I'm re-uploading this post because I haven't worked on this problem again.

If I put the diagram back, it has evolved. A commenter added 2 routers/firewalls (not managed by us), 201 and 202

From a pc on the 10.40.1.0 network, I can ping 10.0.0.50

On this PC 10.0.0.50, there is a local web server in https

I would like to be able to access this local web server from a computer on the 10.40.1.0 network

https://10.0.0.50/

ERR_CONNECTION_REFUSED

Gateway of last resort is 10.40.1.254 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 10.40.1.254, inside
S 10.0.0.1 255.255.255.255 [1/0] via 10.0.1.253, outside
S 10.0.0.10 255.255.255.255 [1/0] via 10.0.1.252, outside
S 10.0.0.20 255.255.255.255 [1/0] via 10.0.1.253, outside
S 10.0.0.50 255.255.255.255 [1/0] via 10.0.1.253, outside
S 10.0.0.101 255.255.255.255 [1/0] via 10.0.1.253, outside
C 10.0.1.0 255.255.255.0 is directly connected, outside
S 10.0.1.5 255.255.255.255 [1/0] via 10.0.1.251, outside
L 10.0.1.254 255.255.255.255 is directly connected, outside
S 10.39.1.0 255.255.255.0 [1/0] via 10.40.1.254, inside
C 10.40.1.0 255.255.255.0 is directly connected, inside
L 10.40.1.249 255.255.255.255 is directly connected, inside
S 10.239.11.0 255.255.255.0 [1/0] via 10.40.1.254, inside

In this topology, I have 2 networks connected directly to the ASA, and a 3rd, not directly connected 10.0.0.0/24

with packet tracer :

#packet-tracer input inside tcp 10.40.1.4 12345 10.0.0.50 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.1.253 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access in interface inside
access-list inside_access extended permit object-group DM_INLINE_SERVICE_4 object inside-network 10.0.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_4
service-object udp
service-object tcp destination eq https
service-object tcp destination eq www
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (any,outside) dynamic interface
Additional Information:
Dynamic translate 10.40.1.4/12345 to 10.0.1.254/12345

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 223558, packet dispatched to next module

Phase: 10
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.1.253 using egress ifc outside

Phase: 11
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 0008.da79.1d1e hits 0 reference 1

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

#PING from 10.40.1.4 to 10.0.0.50 = OK

Traceroute from 10.40.1.4 to 10.0.0.50 = OK
1 <1 ms <1 ms <1 ms 10.40.1.254
2 4 ms 3 ms 3 ms 10.0.1.253
3 4 ms 4 ms 4 ms 10.0.0.50

# sh nat detail
Auto NAT Policies (Section 2)
1 (any) to (outside) source dynamic obj_any interface
translate_hits = 3389, untranslate_hits = 9874
Source - Origin: 0.0.0.0/0, Translated: 10.0.1.254/24

In terms of nat, I'm not sure?

Re: Using an ASA as a router

alexcarry1044 — Wed, 18 Sep 2024 13:00:43 GMT

Yes, you can use the ASA as a router between two internal networks. Set up bidirectional access rules allowing ICMP and FTP traffic between the "outside" and "inside" networks. Since you don’t have a next hop, you can use route statements with the connected interfaces. Make sure the ASA’s NAT and access lists are properly configured to ensure smooth communication between PC1 and the inside network.

Re: Using an ASA as a router

MHM Cisco World — Wed, 18 Sep 2024 13:52:36 GMT

First I am busy these day so my reply maybe delay' that OK for you?

Now

Same Subnet 10.0.0.0/24 connect to two routers and ASA ?

That wrong.

MHM

Re: Using an ASA as a router

abtt-39 — Wed, 18 Sep 2024 14:19:36 GMT

yes.

Re: Using an ASA as a router

abtt-39 — Wed, 18 Sep 2024 14:20:08 GMT

Currently, I have not specified it, but ping and ftp are functional between the inside network and the 10.0.0.0/24 network, it is https which is not. But as the diagram shows, there is a router in the architecture that is not managed by us. This week, a technician from this company is coming, I will ask him to check.

Re: Using an ASA as a router

MHM Cisco World — Wed, 18 Sep 2024 14:34:56 GMT

If Yes you use same subnet then static route or igp not help here.

You need to use different subnet

MHM