Cisco ASA routing behavior

Hello,

I would like to know more about the behavior of ASA routing.
Unfortunately I have not found any answers to this question:

Suppose we have an ASA which has two interfaces (inside and outside).

We configure a static route to the subnet 10.0.0.0/8 via the inside interface.

Can I configure a subnet of this address range, e.g. 10.0.250.0/24, to use for my AnyConnect IP pool?

I am not sure about this routing behavior, because there are two interfaces with a route to 10.0.250.0/24.

Which route is going to win?


greetz

chris

please do not forget to rate.

Jouni Forss
VIP Alumni

Hi,

To my understanding this should be no problem.

The more specific route should be chosen.

Take this example from my home ASA:

interface Vlan1
 description LAN
 nameif LAN
 security-level 100
 ip address 10.0.10.2 255.255.255.0
!
interface Vlan10
 description WAN
 nameif WAN
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Vlan20
 no forward interface Vlan1
 nameif WLAN
 security-level 99
 ip address 10.0.255.1 255.255.255.0

route WAN 0.0.0.0 0.0.0.0 y.y.y.y 1
route WLAN 10.0.0.0 255.0.0.0 10.255.1.2 1
route LAN 10.0.0.0 255.255.255.0 10.0.10.1 1
route LAN 10.0.1.0 255.255.255.0 10.0.10.1 1

For example's sake:

  • WLAN has the route for the whole 10.0.0.0/8
  • LAN has routes for 2 networks
    • 10.0.0.0/24
    • 10.0.1.0/24

PACKET-TRACER ROUTE-LOOKUP TEST

First test has a destination IP address belonging to one of the LAN networks. Traffic gets forwarded through LAN interface.

ASA(config)# packet-tracer input LAN tcp 10.0.0.10 1234 10.0.0.1 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.0        255.255.255.0   LAN

Second test has a destination IP address that doesn't have any other route than the 10.0.0.0/8 and therefore gets forwarded through the WLAN interface.

ASA(config)# packet-tracer input LAN tcp 10.0.0.10 1234 10.0.2.1 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.0        255.0.0.0       WLAN

I imagine in the case of VPN Pool it might actually show to the ASA as a directly connected network which furthermore overrides Static routing.

- Jouni
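The longest-prefix-match selection that the two packet-tracer runs above demonstrate, as an added Python example that is not part of the original thread: it parses the `route` lines from Jouni's config, performs the lookup, and also models the questioner's 10.0.250.0/24 AnyConnect pool as a more specific entry. The pool entry, its interface name `outside`, its distance of 0 and the next hop 198.51.100.1 standing in for y.y.y.y are assumptions, not taken from the posts.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class Route(NamedTuple):
    iface: str
    network: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    distance: int

def parse_asa_route(line: str) -> Route:
    """Parse one ASA 'route <iface> <network> <mask> <gateway> [<distance>]' line."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not an ASA static route: {line!r}")
    iface, net, mask, gw = parts[1:5]
    distance = int(parts[5]) if len(parts) > 5 else 1  # ASA default for static routes
    return Route(iface, ipaddress.IPv4Network(f"{net}/{mask}"),
                 ipaddress.IPv4Address(gw), distance)

def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over every route covering dst; a tie on prefix
    length goes to the lower administrative distance."""
    addr = ipaddress.IPv4Address(dst)
    covering = [r for r in table if addr in r.network]
    if not covering:
        return None
    return max(covering, key=lambda r: (r.network.prefixlen, -r.distance))

def egress_interface(dst: str, table: List[Route]) -> Optional[str]:
    """Interface the lookup selects for dst, or None when no route covers it."""
    route = lookup(table, dst)
    return route.iface if route else None

# Static routes from the post; 198.51.100.1 is a constructed stand-in for y.y.y.y.
ASA_ROUTES = [
    "route WAN 0.0.0.0 0.0.0.0 198.51.100.1 1",
    "route WLAN 10.0.0.0 255.0.0.0 10.255.1.2 1",
    "route LAN 10.0.0.0 255.255.255.0 10.0.10.1 1",
    "route LAN 10.0.1.0 255.255.255.0 10.0.10.1 1",
]
TABLE = [parse_asa_route(line) for line in ASA_ROUTES]

# Assumed model of the questioner's AnyConnect pool: a more specific /24 that the
# ASA treats as connected (distance 0, no next hop) on a hypothetical 'outside'.
VPN_POOL = Route("outside", ipaddress.IPv4Network("10.0.250.0/24"),
                 ipaddress.IPv4Address("0.0.0.0"), 0)
TABLE_WITH_POOL = TABLE + [VPN_POOL]
```

With only the static routes, 10.0.250.7 falls under the /8 and leaves via WLAN; once the /24 pool entry exists it wins on prefix length alone, regardless of distance.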
