topic routing on asa in Network Security

routing on asa

prashantrecon — Mon, 11 Mar 2019 22:53:32 GMT

L3 sitch is connected to firewall and firewall is connected to router

on l3 network 10.0.0.0/24

172.16.0.0/24

and default route is to firewall

from firewall default route is ROUTE OUTSIDE 0.0.0.0 0.0.0.0 202.x.x.x(router)

I have another router my requirement is i want 172.16.0.0 /24 data should go through this router(124.x.x.x)

iF I GIVE THE ROUTE ROUTE OUTSIDE 172.16.X.X 255.255.255.0 124.X.X.X ON FIREWALL THUS IT WORK

routing on asa

Dan-Ciprian Cicioiu — Fri, 13 Apr 2012 08:17:25 GMT

Kumar,

First of all you must keep in mind that the traditional routing is made using destination address.

So taking this into consideration your firewall will make the routing decisions based on destination.

As an short answer : no will not work.

The solution is PBR , but sadly I do not think this feature is supported on ASA.

Regards

Dan

routing on asa

prashantrecon — Fri, 13 Apr 2012 08:41:02 GMT

Thanks

If i use another interface of firewall name it as outside1

than route the traffic route outside1 172.16.x.x 255.255.0.0 124.x.x.x

will it work? is there any other solution ?

routing on asa

Dan-Ciprian Cicioiu — Fri, 13 Apr 2012 08:46:48 GMT

My understanding regarding your setup is :

L3 switch ------- ASA -------- ROUTER

172.16.0.0/24 is connected to the L3 switch.

Is that correct ?

Regards

Dan

routing on asa

prashantrecon — Fri, 13 Apr 2012 08:48:44 GMT

l3--asa--l2switch --router

all theports of l2 switch are in same vlan

routing on asa

Dan-Ciprian Cicioiu — Fri, 13 Apr 2012 08:49:59 GMT

And where is connected the 172.16.0.0/24 network ?

Dan

routing on asa

prashantrecon — Fri, 13 Apr 2012 09:42:01 GMT

on l3 switch

routing on asa

Dan-Ciprian Cicioiu — Fri, 13 Apr 2012 09:52:00 GMT

Ok.

As I see it , and taking into consideration that ASA does not suport PBR, the solution must involve PBR but on other equipments :

1) after the firewall - on the router - this involves connecting the second router to the first router and also access to the routers in order to configure PBR

2) before the firewall - on the L3 switch - this involves creating 2 contexts on the firewall 1 for the first connection (router) , and the second for the second connection (router), and also PBR on the L3 switch in order to route the traffic coming from 172.16.0.0/24 to the second router/connection.

The 2nd fits you better, because I do not think that you have access to the routers.

Regards

Dan

routing on asa

prashantrecon — Fri, 13 Apr 2012 09:56:59 GMT

Thanks

Regarding 2 solution can u give rough idea regarding scenario or any doc.

routing on asa

Dan-Ciprian Cicioiu — Fri, 13 Apr 2012 10:17:57 GMT

L3 switch ----access ---- ASA ------ trunk ----- L2 switch ---- access vlan 2 ---- old router

|-------------access vlan 3--------- new router

=> L2 switch - you should create a separated vlan for the second connection.

L2 switch : let's consider vlans : 2 old router vlan

3 new router vlan

=> ASA

ASA : interfaces E0 (inside) , E1 (outside)

Phisical : interface E1 , should be configured with subinterfaces

E1.2 ----> old router vlan

E1.3 ----> new router vlan

context ONE : interface E0 - inside -

interface E1.2 - outside - 202.x.x.x address

default route to the old router - 202.x.x.x

specific routes to the L3 switch - 172.16.0.0/24 , 10.0.0.0/24

-------------------------------------------------------------------------------

context TWO : interface E0 - inside -

interface E1.3 - outside - 124.x.x.x address

default route to the new router 124.x.x.x

specific routes to the L3 switch 172.16.0.0/24 , 10.0.0.0/24

=> L3 Switch

default route to the IP of the ASA Context ONE

PBR for the traffic sourced 172.16.0.0/24 next-hop the IP of the ASA Context TWO.

Dan

routing on asa

prashantrecon — Fri, 13 Apr 2012 10:45:56 GMT

THanks very much.

One last question i think it will we better if i another interface on firewall .and name it as outside1

And than route the traffic for that partcular valn through that outside1 interface.

Thus it work ?

routing on asa

Dan-Ciprian Cicioiu — Fri, 13 Apr 2012 11:00:38 GMT

No will not work for what you want to achieve.

Why ? When you configure the route on the ASA as you first posted :

ROUTE OUTSIDE1 172.16.X.X 255.255.255.0 124.X.X.X

You will instruct the ASA to route all the traffic GOING ( this means having the destination ) to 172.16.0.0/24 to the OUTSIDE1 interface.This will never happen, because the 172.16.0.0 is on the L3 switch.

So you will need to source route - meaning that you will need to route not after destination but after source ( using Policy Based Routing ) , in order to route the traffic sourced by 172.16.0.0/24 to the second router.

Regards

Dan

routing on asa

prashantrecon — Fri, 13 Apr 2012 11:24:28 GMT

I am confused.

from l3 there is dfault route to firewaall.

and from firewall there is default route to router.

now from l3 all the traffic will first reach firewall .

on firewall ther are two outside interface otside 1 and outside

for outside 1 i will provide ip as in same range of 124.x.x.x

so for 172.16.x.x i will route as route inside 172.16.x.x 255.255.255.0 172.16.x.1(vlan ip created on l3 as svi)

on firewall

route outside1 172.16..x.x 255.255.255.0 124.x.x.x(ip of secound router)

so it will work or not.

routing on asa

Dan-Ciprian Cicioiu — Fri, 13 Apr 2012 11:52:25 GMT

"route outside1 172.16..x.x 255.255.255.0 124.x.x.x"

this command tells the equipment where is the 172.16.x.x 255.255.255.0. Not where to send the traffic for that prefix.

So you are telling the ASA that the 172.16.x.x 255.255.255.0 is located on the outside1 interface.

To answer your question : no , will not work

Regards

Dan

routing on asa

prashantrecon — Fri, 13 Apr 2012 14:33:05 GMT

Hi,

You are right

So now if i want to route 172.16.x.x traffic to outside 1 interface .how can i make it possible.

i do not want to nat this traffic...

routing on asa

Dan-Ciprian Cicioiu — Fri, 13 Apr 2012 15:06:09 GMT

What type of access does those two routers offer ? Internet ?

Dan

Re: routing on asa

prashantrecon — Sat, 14 Apr 2012 03:46:28 GMT

My requirement is like

i want to use router 1(bgp is runing) for internet.

and i want to use router 2(bgp is runing) for many site to site vpn.

i have a apnic range that i want to use in both router 1 and 2

Now requirement is like i want to use firewall in any case (for security reason all traffic router 1 and router should go through firewall))

Now i want to make a site to site vpn with this 172.16.x.x lan on router 2.

Thats why i am asking how to route 172.16.x.x range to router 2 on firewall.

please find the attahment

Re: routing on asa

Julio Carvajal — Sat, 14 Apr 2012 04:22:36 GMT

Hello Prashant,

Long time no see..

As you know the ASA does not support PBR and can have only one default route on on its routing table..

So what I would like to know if its the both routers and the ASA are on the same broadcast domain???

If they are you could configure a default route pointing ro R1 and then create a route pointing to R2 with the subnet network on the other side of the VPN tunnel.

That should do it!!

Regards,

DO rate all the helpful posts

Julio

Re: routing on asa

prashantrecon — Sat, 14 Apr 2012 06:37:20 GMT

Thanks for your concern

Firewall ,router 1 and router 2 are in same broadcast domain

Please share an example regarding your suggestion

Regards,

Prashant

Re: routing on asa

Julio Carvajal — Sat, 14 Apr 2012 07:16:04 GMT

Hello Prashant,

It looks really simple to me unless I am not understanding this.

You want to send all traffic to the x.x.x.x. (vpn destination) subnet to router 2 and all the internet traffic to router 1 so all you need on the ASA

is a nat 0 ACL for the traffic going to the vpn subnet and the regular nat and global for the internet

Then for the routes you need

route outside 0 0 R1_Ip

route outside x.x.x.x x.x.x.x.x R2_IP

that's all

DO Rate all the helpful posts

Julio