Cisco ASA routing behavior

Christian Besselmann — Tue, 12 Mar 2019 01:03:05 GMT

Hello,

I would like to know more about the behavior of the asa-routing.
Unfortunately i have not found any answers to this question:

Suppose we have an ASA which have two interfaces (inside and outside).

We configure a static route to the subnet 10.0.0.0 /8 via the inside interface.

Can i configure a subnet of this address range eg. 10.0.250.0/24 use for my AnyConnect IP-Pool?

I am not shure about this routing behavior, because there are two interfaces with a route to 10.0.250.0/24.

Which route is going to win?

greetz

chris

Cisco ASA routing behavior

Jouni Forss — Wed, 20 Feb 2013 17:26:06 GMT

Hi,

To my understanding this should be no problem.

The more specific route should be chosen.

Take this example from my home ASA

interface Vlan1

description LAN

nameif LAN

security-level 100

ip address 10.0.10.2 255.255.255.0

interface Vlan10

description WAN

nameif WAN

security-level 0

ip address x.x.x.x 255.255.255.248

interface Vlan20

no forward interface Vlan1

nameif WLAN

security-level 99

ip address 10.0.255.1 255.255.255.0

route WAN 0.0.0.0 0.0.0.0 y.y.y.y 1

route WLAN 10.0.0.0 255.0.0.0 10.255.1.2 1

route LAN 10.0.0.0 255.255.255.0 10.0.10.1 1

route LAN 10.0.1.0 255.255.255.0 10.0.10.1 1

For examples sake:

WLAN has the route for the whole 10.0.0.0/8
LAN has routes for 2 networks
- 10.0.0.0/24
- 10.0.1.0/24

PACKET-TRACER ROUTE-LOOKUP TEST

First test has a destination IP address belonging to one of the LAN networks. Traffic gets forwarded through LAN interface.

ASA(config)# packet-tracer input LAN tcp 10.0.0.10 1234 10.0.0.1 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.0.0.0 255.255.255.0 LAN

Second test has a destination IP address that doesnt have any other route than the 10.0.0.0/8 and therefore gets forwarded through the WLAN interface.

ASA(config)# packet-tracer input LAN tcp 10.0.0.10 1234 10.0.2.1 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.0.0.0 255.0.0.0 WLAN

I imagine in the case of VPN Pool it might actually show to the ASA as a directly connected network which furthermore overrides Static routing.

- Jouni

topic Cisco ASA routing behavior in Network Security

Cisco ASA routing behavior

Cisco ASA routing behavior