Solved: ASA Static Routing same IP with different subnet masks

tselby3 · ‎11-14-2024

Hi

Would having static routes on an ASA with the same IP but with a different subnet mask present any issues?

For example:

192.168.0.0/16

192.168.2.0/24

From what I understand it wouldn't present an issue because although they may have the same IP, the subnet mask places them on a different network.

Thanks

TLS3

Rob Ingram · ‎11-14-2024

@tselby3 the /24 would be preferred when routing to the specific /24 network, else traffic to any other 192.168.0.0/16 network would go via the other next hop.

Example from my ASA, via same interface different next hop.

ASA(config)# show run route
route LAB 192.168.0.0 255.255.0.0 192.168.250.1 1
route LAB 192.168.10.0 255.255.255.0 192.168.250.2 1
ASA(config)# show route 192.168.10.0

Routing entry for 192.168.10.0 255.255.255.0
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.250.2, via LAB
Route metric is 0, traffic share count is 1

ASA(config)# show route 192.168.20.0

Routing entry for 192.168.0.0 255.255.0.0, supernet
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.250.1, via LAB
Route metric is 0, traffic share count is 1

Or different interface, different next hop.

route LAB 192.168.0.0 255.255.0.0 192.168.250.3 1
route VLAN7 192.168.12.0 255.255.255.0 192.168.7.2

ASA(config)# show route 192.168.12.0

Routing entry for 192.168.12.0 255.255.255.0
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.7.2, via VLAN7
Route metric is 0, traffic share count is 1

ASA(config)# show route 192.168.0.0

Routing entry for 192.168.0.0 255.255.0.0, supernet
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.250.3, via LAB
Route metric is 0, traffic share count is 1

View solution in original post

Rob Ingram · ‎11-14-2024

@tselby3 that will be fine, the route for 192.168.2.0/24 is more specific, so traffic will be routed via the configure next hop.

MHM Cisco World · ‎11-14-2024

It issue'

If you have packet to 192.168.2.1 that need to route via 192.168.0.0/16 then asa will never forward it to correct interface' asa use longest match and hence always use 192.168.2.0/24

Try dont use overlapping subnet in any device

MHM

tselby3 · ‎11-14-2024

MHM

Sorry, not quite following what you are saying. The static route entries would look like the below, they both would use a different interface and gateway.

Existing route: Interface-A 192.168.0.0 255.255.0.0 x.x.x.x

New route: Interface-B 192.168.2.0 255.255.255.0 y.y.y.y

TLS3

MHM Cisco World · ‎11-14-2024

If asa need to forward traffic to host have IP 192.168.2.x and it connect via interface- A which static route asa will use?

Asa like ios devices use longest match and hence it will use static route 192.168.20/24 instead of 192.168.0.0/24 to forward packet to 192.168.2.x

This will make blackhole and packet drop.

So try avoiding use overlapping subnet as much as you can.

MHM

tselby3 · ‎11-14-2024

I see what you are referring to with a possibility of it having to go out interface-a. I'll triple check, but I don't think 192.168.2.x on the /16 is used. I do agree with you on not overlapping subnets on routes, but this is a network i inherited.

Rob Ingram · ‎11-14-2024

@tselby3 the /24 would be preferred when routing to the specific /24 network, else traffic to any other 192.168.0.0/16 network would go via the other next hop.

Example from my ASA, via same interface different next hop.

ASA(config)# show run route
route LAB 192.168.0.0 255.255.0.0 192.168.250.1 1
route LAB 192.168.10.0 255.255.255.0 192.168.250.2 1
ASA(config)# show route 192.168.10.0

Routing entry for 192.168.10.0 255.255.255.0
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.250.2, via LAB
Route metric is 0, traffic share count is 1

ASA(config)# show route 192.168.20.0

Routing entry for 192.168.0.0 255.255.0.0, supernet
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.250.1, via LAB
Route metric is 0, traffic share count is 1

Or different interface, different next hop.

route LAB 192.168.0.0 255.255.0.0 192.168.250.3 1
route VLAN7 192.168.12.0 255.255.255.0 192.168.7.2

ASA(config)# show route 192.168.12.0

Routing entry for 192.168.12.0 255.255.255.0
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.7.2, via VLAN7
Route metric is 0, traffic share count is 1

ASA(config)# show route 192.168.0.0

Routing entry for 192.168.0.0 255.255.0.0, supernet
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.250.3, via LAB
Route metric is 0, traffic share count is 1

tselby3 · ‎11-14-2024

Rob

Thanks for your detailed replies. I've got a few things to check before I enter the route and I'll go from there.

TLS3

tselby3 · ‎11-14-2024

One more question, does the same apply if it is the same interface but different gateways?

Interface1 192.168.0.0 255.255.0.0 x.x.x.x

Interface1 192.168.2.0 255.255.255.0 y.y.y.y

Thanks

TLS3

Rob Ingram · ‎11-14-2024

@tselby3 yes that will work, I updated the example above to reflect that scenario.

MHM Cisco World · ‎11-15-2024

Sorry it not work.

Still asa see overlapping.

The asa will still prefer longest match and never try use 192.168.0.0 to forward traffic for 192.168.2.0.

MHM

ASA Static Routing same IP with different subnet masks

ASA: IP Routingと処理順序について

ASA: Policy Based Routing (PBR) について

changing a subnet mask in production

Configuración de Subnet Masks e IP Addresses

nexus 对接 ACI 模拟 EP，EP 无法 ping 通 BD subnet gateway

ASA Static Routing same IP with different subnet masks

ASA: IP Routingと 処理順序について

ASA: Policy Based Routing (PBR) について

changing a subnet mask in production

Configuración de Subnet Masks e IP Addresses

nexus 对接 ACI 模拟 EP，EP 无法 ping 通 BD subnet gateway

ASA: IP Routingと処理順序について