Cannot configure routes in Cisco ASA Firewall

pranaysahith
Level 1

Hi,

I have deployed Cisco ASA Firewall in Azure and I am trying to configure the routes from Inside subnet to Internet. However, there is a default route to 0.0.0.0 on Management interface and it is conflicting with new routes I am trying to create. I am unable to delete the default route to 0.0.0.0 on Management interface as well. Any help to resolve this is highly appreciated.

Please move to appropriate Board if I have posted in the wrong Board.

[screenshot attached: pranaysahith7_0-1727120808887.png]

[screenshot attached: pranaysahith7_1-1727120861018.png]

Thanks,

Pranay



13 Replies

For the second route, there is a directly connected prefix, so you cannot add a static route for a connected route.

For the third, does the outside interface use a different subnet than the next hop used in the static route?

For the first one, why you cannot, I will check in the lab.

MHM

Hi, thanks for your reply. From the outside interface, I want to route to the internet via a public IP. Is this the correct way to create the static route?

Can I see the output of "show route management-only"?

MHM

[screenshot attached: pranaysahith7_0-1727171250445.png]

As I guess, you use nameif "management" on one of the interfaces?

MHM

Yes, for the interface where I SSH to the firewall.

zaf.khan99
Level 1

It sounds like you’re facing a routing conflict due to the default route on the Management interface of your Cisco ASA Firewall. Here are some steps you can take to resolve this issue:

Modify the Management Interface Route:

You can change the metric of the default route on the Management interface to make it less preferred. This way, your new routes will take precedence. Use the following command to modify the route:

    route management 0.0.0.0 0.0.0.0 <gateway_ip> <metric>

Replace <gateway_ip> with the appropriate gateway IP and <metric> with a higher value than your new routes.

Use Policy-Based Routing (PBR):

Configure PBR to direct traffic from the Inside subnet to the Internet, bypassing the default route on the Management interface. Example configuration:

    access-list PBR_ACL extended permit ip <inside_subnet> any
    route-map PBR_MAP permit 10
     match ip address PBR_ACL
     set ip next-hop <internet_gateway_ip>
    interface <inside_interface>
     policy-route route-map PBR_MAP

Remove the Default Route on the Management Interface:

If possible, remove the default route on the Management interface. This might require administrative privileges or changes in your network design. Use the following command to remove the route:

    no route management 0.0.0.0 0.0.0.0 <gateway_ip>

I have updated the priority of the default route on the management interface, but it's not allowing me to create new routes to 0.0.0.0.

I am unable to set management-only on the management interface too:

[screenshot attached: pranaysahith7_0-1727179040902.png]

Please try to connect to the ASAv via Azure console portal, shutdown the management interface, add the default route, and finally bring up the management interface. Hope this helps.
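The procedure in the reply above, written out as an added ASA CLI example with the verification steps a practitioner would want before and after; it is not from this thread or from Cisco. It assumes the interface names Management0/0 (nameif management) and GigabitEthernet0/0 (nameif outside), ASA software 9.5 or later (separate management-only routing table), placeholder documentation gateway addresses, and that the session is on the Azure serial console so shutting the management interface cannot cut off the session doing the work.

```cisco
! Added example (not from this thread). Assumptions: Management0/0 is
! "management", GigabitEthernet0/0 is "outside", ASA 9.5+, and the
! gateways 203.0.113.1 (management) / 198.51.100.1 (outside) are placeholders.

! 1. Record the current state so the change can be reviewed or reverted.
show running-config interface
show running-config route
show route
show route management-only

! 2. Take the management interface down. Routes bound to it leave the
!    routing table, including a default route that was learned from DHCP
!    with "setroute" (which is why "no route ..." reports no matching route
!    while the conflict persists).
interface Management0/0
 shutdown
 exit

! 3. Install the data-plane default route on the outside interface while
!    nothing on the management side can conflict with it.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

! 4. Bring management back. "management-only" keeps its routes in the
!    separate management table so they cannot collide with data-plane
!    routes; only re-issue "ip address dhcp" without "setroute" if the
!    address was obtained with setroute (a static address needs no change).
interface Management0/0
 management-only
 ip address dhcp
 no shutdown
 exit
route management 0.0.0.0 0.0.0.0 203.0.113.1 1

! 5. Verify: the outside default route is in the main table and the
!    management gateway appears only in the management-only table.
show route | include 0.0.0.0
show route management-only
show interface ip brief
write memory
```

If "management-only" is rejected on this platform, as the original poster reports, skip that line and step 5 still confirms whether the data-plane default route now points out the outside interface.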

Thanks for the reply. The management interface doesn't come up, as it says "ERROR: Cannot add route entry, conflict with existing route". When I try to delete the route, it says "Error: no matching route to delete".

I don't have much experience with Azure, but I would check the VNet routes that have been configured, because it could be that the routes need to be removed through the Azure portal rather than on the ASAv itself?

Thank you! I managed to delete the static route from the management interface using the Azure serial console.

You are very welcome. Glad to know this is now sorted.
