topic Re: ASA Static Routing same IP with different subnet masks in Network Security

ASA Static Routing same IP with different subnet masks

tselby3 — Thu, 14 Nov 2024 16:39:42 GMT

Would having static routes on an ASA with the same IP but with a different subnet mask present any issues?

For example:

192.168.0.0/16

192.168.2.0/24

From what I understand it wouldn't present an issue because although they may have the same IP, the subnet mask places them on a different network.

Thanks

TLS3

Re: ASA Static Routing same IP with different subnet masks

Rob Ingram — Thu, 14 Nov 2024 16:43:23 GMT

@tselby3 that will be fine, the route for 192.168.2.0/24 is more specific, so traffic will be routed via the configure next hop.

Re: ASA Static Routing same IP with different subnet masks

MHM Cisco World — Thu, 14 Nov 2024 16:50:51 GMT

It issue'

If you have packet to 192.168.2.1 that need to route via 192.168.0.0/16 then asa will never forward it to correct interface' asa use longest match and hence always use 192.168.2.0/24

Try dont use overlapping subnet in any device

MHM

Re: ASA Static Routing same IP with different subnet masks

tselby3 — Thu, 14 Nov 2024 17:13:16 GMT

MHM

Sorry, not quite following what you are saying. The static route entries would look like the below, they both would use a different interface and gateway.

Existing route: Interface-A 192.168.0.0 255.255.0.0 x.x.x.x

New route: Interface-B 192.168.2.0 255.255.255.0 y.y.y.y

TLS3

Re: ASA Static Routing same IP with different subnet masks

MHM Cisco World — Thu, 14 Nov 2024 17:17:25 GMT

If asa need to forward traffic to host have IP 192.168.2.x and it connect via interface- A which static route asa will use?

Asa like ios devices use longest match and hence it will use static route 192.168.20/24 instead of 192.168.0.0/24 to forward packet to 192.168.2.x

This will make blackhole and packet drop.

So try avoiding use overlapping subnet as much as you can.

MHM

Re: ASA Static Routing same IP with different subnet masks

Rob Ingram — Fri, 15 Nov 2024 06:51:54 GMT

@tselby3 the /24 would be preferred when routing to the specific /24 network, else traffic to any other 192.168.0.0/16 network would go via the other next hop.

Example from my ASA, via same interface different next hop.

ASA(config)# show run route
route LAB 192.168.0.0 255.255.0.0 192.168.250.1 1
route LAB 192.168.10.0 255.255.255.0 192.168.250.2 1
ASA(config)# show route 192.168.10.0

Routing entry for 192.168.10.0 255.255.255.0
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.250.2, via LAB
Route metric is 0, traffic share count is 1

ASA(config)# show route 192.168.20.0

Routing entry for 192.168.0.0 255.255.0.0, supernet
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.250.1, via LAB
Route metric is 0, traffic share count is 1

Or different interface, different next hop.

route LAB 192.168.0.0 255.255.0.0 192.168.250.3 1
route VLAN7 192.168.12.0 255.255.255.0 192.168.7.2

ASA(config)# show route 192.168.12.0

Routing entry for 192.168.12.0 255.255.255.0
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.7.2, via VLAN7
Route metric is 0, traffic share count is 1

ASA(config)# show route 192.168.0.0

Routing entry for 192.168.0.0 255.255.0.0, supernet
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.250.3, via LAB
Route metric is 0, traffic share count is 1

Re: ASA Static Routing same IP with different subnet masks

tselby3 — Thu, 14 Nov 2024 17:45:27 GMT

I see what you are referring to with a possibility of it having to go out interface-a. I'll triple check, but I don't think 192.168.2.x on the /16 is used. I do agree with you on not overlapping subnets on routes, but this is a network i inherited.

Re: ASA Static Routing same IP with different subnet masks

tselby3 — Thu, 14 Nov 2024 17:47:24 GMT

Rob

Thanks for your detailed replies. I've got a few things to check before I enter the route and I'll go from there.

TLS3

Re: ASA Static Routing same IP with different subnet masks

tselby3 — Thu, 14 Nov 2024 21:49:27 GMT

One more question, does the same apply if it is the same interface but different gateways?

Interface1 192.168.0.0 255.255.0.0 x.x.x.x

Interface1 192.168.2.0 255.255.255.0 y.y.y.y

Thanks

TLS3

Re: ASA Static Routing same IP with different subnet masks

Rob Ingram — Fri, 15 Nov 2024 06:52:57 GMT

@tselby3 yes that will work, I updated the example above to reflect that scenario.

Re: ASA Static Routing same IP with different subnet masks

MHM Cisco World — Fri, 15 Nov 2024 20:06:20 GMT

Sorry it not work.

Still asa see overlapping.

The asa will still prefer longest match and never try use 192.168.0.0 to forward traffic for 192.168.2.0.

MHM