Solved: Are the interfaces you posted

suwaisfa_Sec · ‎12-11-2014

Hi,

I would ask if this configuration is right or not,

I have this list of interfaces

interface   Vlan240
   shutdown
   nameif   dmz2
   security-level   50
   ip   address   10.180.63.193   255.255.255.192   standby   10.180.63.194
!
interface   Vlan3
   nameif   dmz1
   security-level   70
   ip   address   10.60.3.1   255.255.255.0   standby   10.60.3.2
!
interface   Vlan997
   nameif   outside
   security-level   0
   ip   address   10.59.255.120   255.255.255.0   standby   10.59.255.121
!
interface   Vlan1506
   nameif   DCN_Router
   security-level   70
   ip   address   10.60.255.249   255.255.255.248   standby   10.60.255.250
!

then this is the routing

6722   route   dmz2   10.60.29.11   255.255.255.255   10.60.4.69   1
6723   route   dmz2   10.60.29.12   255.255.255.255   10.60.4.69   1
6724   route   dmz2   10.60.29.22   255.255.255.255   10.60.4.74   1
6725   route   dmz2   10.60.29.13   255.255.255.255   10.60.4.70   1
6726   route   dmz2   10.60.29.14   255.255.255.255   10.60.4.70   1
6727   route   dmz2   10.60.29.23   255.255.255.255   10.60.4.46   1
6728   route   outside   0.0.0.0   0.0.0.0   10.59.255.1   1

my Q is about the routing definition, for the last one "6728" it looks fine, as the IP@ 10.59.255.1 is part of the outside interface,

but how about the other routing definition, is it wrong, or i should somewhere else in the configuration, to check its validity?

Vibhor Amrodia · ‎12-13-2014

Hi,

I am ont sure where these routes are installed from ? I think you can check the configuration and see if they are manually configured.

Thanks and Regards,

Vibhor Amrodia

View solution in original post

Marius Gunnerud · ‎03-29-2015

Are the interfaces you posted above the only VLANs configured on your 5505? If so then the 10.60.4.x network is not even connected to your ASA and will never be used as a next hop as the ASA has no idea where the next hop is. If this is the case, then these routes can safely be removed.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Vibhor Amrodia · ‎12-11-2014

Hi,

This is only pointing that you default Gateway Ip is 10.59.255.1 .

Thanks and Regards,

Vibhor Amrodia

suwaisfa_Sec · ‎12-12-2014

Thanks Vibhor,

does this mean those routes

6722   route   dmz2   10.60.29.11   255.255.255.255   10.60.4.69   1
6723   route   dmz2   10.60.29.12   255.255.255.255   10.60.4.69   1
6724   route   dmz2   10.60.29.22   255.255.255.255   10.60.4.74   1
6725   route   dmz2   10.60.29.13   255.255.255.255   10.60.4.70   1
6726   route   dmz2   10.60.29.14   255.255.255.255   10.60.4.70   1
6727   route   dmz2   10.60.29.23   255.255.255.255   10.60.4.46   1

are not required, and could be removed,

as 10.60.4.xxx is not part of any interface?

Vibhor Amrodia · ‎12-13-2014

Hi,

I am ont sure where these routes are installed from ? I think you can check the configuration and see if they are manually configured.

Thanks and Regards,

Vibhor Amrodia

suwaisfa_Sec · ‎03-28-2015

HI,

any specific place in configuration I should look at?

as I couldn't find it

Marius Gunnerud · ‎03-29-2015

Are the interfaces you posted above the only VLANs configured on your 5505? If so then the 10.60.4.x network is not even connected to your ASA and will never be used as a next hop as the ASA has no idea where the next hop is. If this is the case, then these routes can safely be removed.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Configuration mapping between Interfaces and routing definition