topic Re: Routing in ASA in Network Security

Routing in ASA

alex.dersch — Mon, 11 Mar 2019 19:48:15 GMT

Hello Members,

i have a routing problem with with my asa. The ASA has an inside (172.16.2.25) and outside interface (public IP address) and a management interface (10.0.128.2) which is not the default gateway for the management LAN. In the management LAN there are also Cisco LMS and other Network Tools. On the Inside interface are the local LAN's.

The ospf process is also running distributing all the required networks to the ASA. The management LAN has a Metric of 0 because it is a connected network and this causes asymetric routing behaviour when packets coming from the inside interface to the management LAN. Inside packets hitting the outside interface and leaving the ASA through the management interface and the return packets leaving through the default gateway.

I tried static routing on the ASA for packets with destination to my management LAN with default interface Inside. This works but after a while it goes back to the management interface and i have no idea why. Somehow the static route to the management lan is not persistent.

thanks in advanced

alex

Re: Routing in ASA

PAUL GILBERT ARIAS — Wed, 09 Feb 2011 19:19:36 GMT

is it possible for you to load a sanitized version of your config?

Re: Routing in ASA

Kureli Sankar — Thu, 10 Feb 2011 00:41:57 GMT

This is classic asymmetry issue that we see quiet often.

Once solution to this is to have a route-map on the inside router/switch to set the next-hop as the mgmt interface IP of the ASA based on the source IP and destination IP.

-KS

Re: Routing in ASA

alex.dersch — Thu, 10 Feb 2011 08:40:10 GMT

Hi Paul,

here come the config.

thanks for having a look at it.

regards

alex

ASA Version 8.3(1)
!
terminal width 511

names
dns-guard
!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address Public IP Address 255.255.255.0
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 172.16.2.25 255.255.255.248
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
speed 1000
duplex full
no nameif
no security-level
no ip address
!
interface Management0/0
nameif MANAGEMENT
security-level 100
ip address 10.0.128.2 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup INSIDE
dns domain-lookup MANAGEMENT
dns server-group DNS-GROUP_BS
name-server 10.0.128.10
name-server 172.28.1.2
name-server 172.28.1.3

pager lines 24
logging enable
logging timestamp
logging list UserAuth level emergencies class auth
logging asdm-buffer-size 512
logging console warnings
logging monitor debugging
logging trap notifications
logging history notifications
logging asdm debugging
logging host MANAGEMENT 10.0.128.11
logging permit-hostdown
flow-export destination INSIDE 10.0.128.5 2055
flow-export delay flow-create 15
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu MANAGEMENT 1500
ip verify reverse-path interface OUTSIDE
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400

!
router ospf 1
router-id 172.16.2.25
network 172.16.2.24 255.255.255.248 area 0
network 172.24.5.0 255.255.255.0 area 0
network 172.24.6.0 255.255.255.0 area 0
network 192.168.254.112 255.255.255.240 area 0
area 0
log-adj-changes detail
redistribute static metric-type 1 subnets
default-information originate always metric 1
!
route OUTSIDE 0.0.0.0 0.0.0.0 194.209.59.1 1
route INSIDE 10.0.128.0 255.255.255.0 172.16.2.30 1
route INSIDE 10.0.128.1 255.255.255.255 172.16.2.30 1
route INSIDE 10.0.128.3 255.255.255.255 172.16.2.30 1
route INSIDE 10.0.128.4 255.255.255.255 172.16.2.30 1
route INSIDE 10.0.128.5 255.255.255.255 172.16.2.30 1
route INSIDE 10.0.128.6 255.255.255.255 172.16.2.30 1
route INSIDE 10.0.128.7 255.255.255.255 172.16.2.30 1
route INSIDE 10.0.128.8 255.255.255.255 172.16.2.30 1
route INSIDE 10.0.128.9 255.255.255.255 172.16.2.30 1
route INSIDE 10.0.128.10 255.255.255.255 172.16.2.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 MANAGEMENT
http 0.0.0.0 0.0.0.0 INSIDE
snmp-server host INSIDE 10.0.128.11 poll community ***** version 2c
snmp-server host INSIDE 10.0.128.5 poll community ***** version 2c
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh 0.0.0.0 0.0.0.0 MANAGEMENT
ssh timeout 30
console timeout 0
management-access MANAGEMENT
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.0.128.0 255.255.255.0
threat-detection scanning-threat shun duration 60
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.0.128.1 source MANAGEMENT prefer

!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp error
inspect icmp
class global-class
flow-export event-type all destination 10.0.128.5

: end

Re: Routing in ASA

PAUL GILBERT ARIAS — Thu, 10 Feb 2011 14:06:37 GMT

I think there might be a problem with this:

interface Management0/0

nameif MANAGEMENT

security-level 100

ip address 10.0.128.2 255.255.255.0

route INSIDE 10.0.128.0 255.255.255.0 172.16.2.30 1

Your management interface is 10.0.128.0/24 and there is a route for that same subnet but going through the inside. The prefered route should be the directly connected in this case the interface m0/0.

Is that something you have noticed before?

Re: Routing in ASA

alex.dersch — Thu, 10 Feb 2011 15:14:46 GMT

Hello Paul,

no i want traffic to and from the devices in the management LAN going through the inside interface It's working now i configured a route map on the default

gateway in this VLAN.

But thank you for your support.

regards

alex