Solved: ASA Static Routing same IP with different subnet masks

tselby3 · ‎11-14-2024

Hi

Would having static routes on an ASA with the same IP but with a different subnet mask present any issues?

For example:

192.168.0.0/16

192.168.2.0/24

From what I understand it wouldn't present an issue because although they may have the same IP, the subnet mask places them on a different network.

Thanks

TLS3

Rob Ingram · ‎11-14-2024

@tselby3 the /24 would be preferred when routing to the specific /24 network, else traffic to any other 192.168.0.0/16 network would go via the other next hop.

Example from my ASA, via same interface different next hop.

ASA(config)# show run route
route LAB 192.168.0.0 255.255.0.0 192.168.250.1 1
route LAB 192.168.10.0 255.255.255.0 192.168.250.2 1
ASA(config)# show route 192.168.10.0

Routing entry for 192.168.10.0 255.255.255.0
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.250.2, via LAB
Route metric is 0, traffic share count is 1

ASA(config)# show route 192.168.20.0

Routing entry for 192.168.0.0 255.255.0.0, supernet
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.250.1, via LAB
Route metric is 0, traffic share count is 1

Or different interface, different next hop.

route LAB 192.168.0.0 255.255.0.0 192.168.250.3 1
route VLAN7 192.168.12.0 255.255.255.0 192.168.7.2

ASA(config)# show route 192.168.12.0

Routing entry for 192.168.12.0 255.255.255.0
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.7.2, via VLAN7
Route metric is 0, traffic share count is 1

ASA(config)# show route 192.168.0.0

Routing entry for 192.168.0.0 255.255.0.0, supernet
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.250.3, via LAB
Route metric is 0, traffic share count is 1

View solution in original post

Rob Ingram · ‎11-14-2024

@tselby3 that will be fine, the route for 192.168.2.0/24 is more specific, so traffic will be routed via the configure next hop.

MHM Cisco World · ‎11-14-2024

It issue'

If you have packet to 192.168.2.1 that need to route via 192.168.0.0/16 then asa will never forward it to correct interface' asa use longest match and hence always use 192.168.2.0/24

Try dont use overlapping subnet in any device

MHM

tselby3 · ‎11-14-2024

MHM

Sorry, not quite following what you are saying. The static route entries would look like the below, they both would use a different interface and gateway.

Existing route: Interface-A 192.168.0.0 255.255.0.0 x.x.x.x

New route: Interface-B 192.168.2.0 255.255.255.0 y.y.y.y

TLS3

MHM Cisco World · ‎11-14-2024

If asa need to forward traffic to host have IP 192.168.2.x and it connect via interface- A which static route asa will use?

Asa like ios devices use longest match and hence it will use static route 192.168.20/24 instead of 192.168.0.0/24 to forward packet to 192.168.2.x

This will make blackhole and packet drop.

So try avoiding use overlapping subnet as much as you can.

MHM

tselby3 · ‎11-14-2024

I see what you are referring to with a possibility of it having to go out interface-a. I'll triple check, but I don't think 192.168.2.x on the /16 is used. I do agree with you on not overlapping subnets on routes, but this is a network i inherited.

Rob Ingram · ‎11-14-2024

@tselby3 the /24 would be preferred when routing to the specific /24 network, else traffic to any other 192.168.0.0/16 network would go via the other next hop.

Example from my ASA, via same interface different next hop.

ASA(config)# show run route
route LAB 192.168.0.0 255.255.0.0 192.168.250.1 1
route LAB 192.168.10.0 255.255.255.0 192.168.250.2 1
ASA(config)# show route 192.168.10.0

Routing entry for 192.168.10.0 255.255.255.0
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.250.2, via LAB
Route metric is 0, traffic share count is 1

ASA(config)# show route 192.168.20.0

Routing entry for 192.168.0.0 255.255.0.0, supernet
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.250.1, via LAB
Route metric is 0, traffic share count is 1

Or different interface, different next hop.

route LAB 192.168.0.0 255.255.0.0 192.168.250.3 1
route VLAN7 192.168.12.0 255.255.255.0 192.168.7.2

ASA(config)# show route 192.168.12.0

Routing entry for 192.168.12.0 255.255.255.0
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.7.2, via VLAN7
Route metric is 0, traffic share count is 1

ASA(config)# show route 192.168.0.0

Routing entry for 192.168.0.0 255.255.0.0, supernet
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.250.3, via LAB
Route metric is 0, traffic share count is 1

tselby3 · ‎11-14-2024

Rob

Thanks for your detailed replies. I've got a few things to check before I enter the route and I'll go from there.

TLS3

tselby3 · ‎11-14-2024

One more question, does the same apply if it is the same interface but different gateways?

Interface1 192.168.0.0 255.255.0.0 x.x.x.x

Interface1 192.168.2.0 255.255.255.0 y.y.y.y

Thanks

TLS3

Rob Ingram · ‎11-14-2024

@tselby3 yes that will work, I updated the example above to reflect that scenario.

MHM Cisco World · ‎11-15-2024

Sorry it not work.

Still asa see overlapping.

The asa will still prefer longest match and never try use 192.168.0.0 to forward traffic for 192.168.2.0.

MHM