09-23-2024 12:51 PM
Hi,
I have deployed Cisco ASA Firewall in Azure and I am trying to configure the routes from Inside subnet to Internet. However, there is a default route to 0.0.0.0 on Management interface and it is conflicting with new routes I am trying to create. I am unable to delete the default route to 0.0.0.0 on Management interface as well. Any help to resolve this is highly appreciated.
Please move to appropriate Board if I have posted in the wrong Board.
Thanks,
Pranay
09-23-2024 12:56 PM
For the second route, there is a directly connected prefix, so you cannot add a static route for a connected route.
For the third, does the outside interface use a different subnet than the next hop used in the static route?
For the first one, why you cannot, I will check it in the lab.
MHM
09-24-2024 02:31 AM
Hi, thanks for your reply. From the outside interface, I want to route to the internet via a public IP. Is this the correct way to create a static route?
09-24-2024 02:40 AM
Can I see
Show route management only
MHM
09-24-2024 02:47 AM
09-24-2024 03:03 AM
As I guess, you use nameif "management" on one of the interfaces?
MHM
09-24-2024 03:12 AM
Yes, for the interface where I SSH to the firewall.
09-23-2024 09:02 PM
It sounds like you’re facing a routing conflict due to the default route on the Management interface of your Cisco ASA Firewall. Here are some steps you can take to resolve this issue:
Modify the Management Interface Route:
You can change the metric of the default route on the Management interface to make it less preferred. This way, your new routes will take precedence.
Use the following command to modify the route:
route management 0.0.0.0 0.0.0.0 <gateway_ip> <metric>
Replace <gateway_ip> with the appropriate gateway IP and <metric> with a higher value than your new routes.
Use Policy-Based Routing (PBR):
Configure PBR to direct traffic from the Inside subnet to the Internet, bypassing the default route on the Management interface.
Example configuration:
access-list PBR_ACL extended permit ip <inside_subnet> any
route-map PBR_MAP permit 10
 match ip address PBR_ACL
 set ip next-hop <internet_gateway_ip>
interface <inside_interface>
 policy-route route-map PBR_MAP
Remove the Default Route on the Management Interface:
If possible, remove the default route on the Management interface. This might require administrative privileges or changes in your network design.
Use the following command to remove the route:
no route management 0.0.0.0 0.0.0.0 <gateway_ip>
09-24-2024 04:57 AM
I have updated the priority of the default route on the management interface, but it is still not allowing me to create new routes to 0.0.0.0.
I am unable to set management-only on the management interface either.
09-24-2024 08:04 AM
Please try to connect to the ASAv via Azure console portal, shutdown the management interface, add the default route, and finally bring up the management interface. Hope this helps.
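The workaround above, written out as an added worked example (not from the original thread, and not Cisco or Azure documentation). The interface names, addresses and Azure subnet gateways are assumed. It also assumes what commonly causes the exact symptoms reported in this thread on an ASAv in Azure: the default route on Management0/0 was installed by DHCP (`ip address dhcp setroute`), so `no route management 0.0.0.0 0.0.0.0 ...` finds no static route to delete, and any second default route is rejected as a conflict until the DHCP-learned one is gone.

```cisco
! Added example, not from the thread. Assumed layout:
!   Management0/0       nameif management  10.0.0.4/24  (Azure subnet gateway 10.0.0.1)
!   GigabitEthernet0/0  nameif outside     10.0.1.4/24  (Azure subnet gateway 10.0.1.1)
!   GigabitEthernet0/1  nameif inside      10.0.2.4/24
!
! 1. Connect through the Azure serial console, NOT over SSH: the management
!    interface goes down in step 3 and takes any SSH session with it.
!
! 2. Check what installed the existing default route before touching it.
show route
!   expected (assumed):  S* 0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, management
show running-config interface Management0/0
!   look for "ip address dhcp setroute" (assumed cause)
!
! 3. Shut the management interface so its default route is withdrawn, and
!    stop it from re-installing that route when it comes back up.
configure terminal
interface Management0/0
 shutdown
 no ip address dhcp setroute      ! assumed: the default route came from DHCP
 ip address dhcp                  ! keep DHCP addressing, just no default route
!
! 4. Now the intended default route toward Azure's gateway on outside installs.
route outside 0.0.0.0 0.0.0.0 10.0.1.1 1
!
! 5. Keep admin reachability for a specific, hypothetical admin prefix only
!    (the local 10.0.0.0/24 is already a connected route; a static for it
!    would be rejected, as noted earlier in this thread), then bring
!    management back, optionally as management-only now that no default
!    route depends on it.
route management 192.0.2.0 255.255.255.0 10.0.0.1 1
interface Management0/0
 management-only
 no shutdown
end
!
! 6. Verify and save.
show route
!   expected (assumed):  S* 0.0.0.0 0.0.0.0 [1/0] via 10.0.1.1, outside
write memory
```

A default route on the ASA only helps if the Azure fabric agrees with it: `az network nic show-effective-route-table --resource-group <rg> --name <outside-nic>` shows what the platform does with a packet once the ASAv forwards it out of the outside NIC, which is the place to look when the inside subnet still cannot reach the Internet after the ASA routing is fixed.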
09-24-2024 09:15 AM
Thanks for the reply. The management interface doesn't come up, as it says "ERROR: Cannot add route entry, conflict with existing route". When I try to delete the route, it says "Error: no matching route to delete".
09-24-2024 09:38 AM - edited 09-24-2024 09:38 AM
I don't have much experience with Azure, but I would check the VNet routes that have been configured, because it could be that the routes need to be removed through the Azure portal rather than on the ASAv itself?
09-25-2024 01:39 AM
Thank you! I managed to delete the static route from the management interface using the Azure serial console.
09-25-2024 01:41 AM
You are very welcome. Glad to know this is now sorted.