Finding the longest match prefix in ASA routing table

ds6123 — Mon, 11 Mar 2019 22:23:15 GMT

What is the correct way to find the longest matching prefix in the ASA's routing table? It seems to be very difficult/impossible to do. In IOS, the default behavior (if not specifying the subnet mask) gives you the best match (with the exception of the default route). The ASA seems to, at least partially, use IOS's "longer-prefixes" logic which shows you any possible matches then lets you figure out which one is really the longest?

The ASA expects you to know the egress interface and subnet mask to which the entry belongs?!?!?! If I knew that, I probably wouldn't need to check the routing table.

I was reading the IP Routing Config Guide on the ASA and am aware that the ASA may, under certain scenarios, use NAT entries/definition to select the egress interface. But suppose I'm not using NAT (or want to see where a simple ping will go without specifying the interface) and simply want to see the *best* match for a routing entry, how do I do it? Especially when there are multiple routes entries that actually match.

fw1# show route ?

Current available interface(s):

INSIDE Name of interface Ethernet0/1

OUTSIDE Name of interface Ethernet0/0

| Output modifiers

<cr>

How Routing Behaves Within the Adaptive Security Appliance

The ASA uses both routing table and XLATE tables for routing decisions. To handle destination IP translated traffic, that is, untranslated traffic, the ASA searches for existing XLATE, or static translation to select the egress interface. The selection process is as follows:

Egress Interface Selection Process

1. If destination IP translating XLATE already exists, the egress interface for the packet is determined from the XLATE table, but not from the routing table.

2. If destination IP translating XLATE does not exist, but a matching static translation exists, then the egress interface is determined from the static route and an XLATE is created, and the routing table is not used.

3. If destination IP translating XLATE does not exist and no matching static translation exists, the packet is not destination IP translated. The ASA processes this packet by looking up the route to select egress interface, then source IP translation is performed (if necessary).

For regular dynamic outbound NAT, initial outgoing packets are routed using the route table and then creating the XLATE. Incoming return packets are forwarded using existing XLATE only. For static NAT, destination translated incoming packets are always forwarded using existing XLATE or static translation rules.

How Forwarding Decisions are Made

Forwarding decisions are made as follows:

•If the destination does not match an entry in the routing table, the packet is forwarded through the interface specified for the default route. If a default route has not been configured, the packet is discarded.

•If the destination matches a single entry in the routing table, the packet is forwarded through the interface associated with that route.

•If the destination matches more than one entry in the routing table, and the entries all have the same network prefix length, the packets for that destination are distributed among the interfaces associated with that route.

•If the destination matches more than one entry in the routing table, and the entries have different network prefix lengths, then the packet is forwarded out of the interface associated with the route that has the longer network prefix length.

Re: Finding the longest match prefix in ASA routing table

integreon — Fri, 03 Feb 2012 00:06:28 GMT

Interesting friend. Have to research

Sent from Cisco Technical Support iPad App

Finding the longest match prefix in ASA routing table

David White — Thu, 17 May 2012 16:06:21 GMT

Today, the ASA unfortunately does not provide a way to see the 'best' route, without specifying an interface. Reason being, the routing on the ASA is 2-parts:

local to a specified interface
global

Initially, the PIX was really only 'interface' based routing. Now that we also perform global routing, I agree that we should have a way of allowing a user to see the 'best' route, globally. Therefore, I have submitted an enhancement request (bug

CSCtz96946) requesting this functionality.

Sincerely,

David.

topic Finding the longest match prefix in ASA routing table in Network Security

Finding the longest match prefix in ASA routing table

How Routing Behaves Within the Adaptive Security Appliance

Egress Interface Selection Process

How Forwarding Decisions are Made

Re: Finding the longest match prefix in ASA routing table

Finding the longest match prefix in ASA routing table