Using an ASA as a router

abtt-39
Level 1

Hello,

The question is in the title.

Is it possible to use the ASA as a router between 2 internal networks?

interface GigabitEthernet1/1
 nameif outside
 security-level 100
 ip address 10.0.1.254 255.255.255.0

interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.40.1.249 255.255.255.0

The "outside" interface is connected to an L2 switch.

A PC (PC1) is connected to this switch:

10.0.1.110 255.255.255.0, GW: 10.0.1.254

The "inside" interface is also connected to an L2 switch, to which PCs are connected. These PCs have IP 10.40.1.X /24 and Gateway 10.40.1.254. This gateway is the IP of the ISP router (VPN MPLS router).

From the "inside" network, I need to retrieve FTP data on PC1, and allow ICMP too. Same thing in reverse (from outside to inside).

But the problem is that if I add a route on the ASA, it asks me to configure the next-hop IP address. But in this diagram, I don't have one?

The goal is to isolate PC1. A laboratory analyzer is connected to this PC (PC not supplied by us). It sends data to this PC, and I can retrieve data via FTP on it to send it to the inside network.

13 Replies

@abtt-39 you can either change the routing on your LAN to make the ASA the next hop; you would also need to configure an ACL to explicitly permit the traffic between the interfaces.

Or you could configure the ASA in transparent mode - https://integratingit.wordpress.com/2021/05/30/asa-transparent-mode/

 

abtt-39
Level 1

Hello Rob,

Unfortunately, on the inside station, I cannot change the gateway to ASA. These PCs need their current gateway to access the MPLS VPN network between sites.

For transparent mode, I didn't know, but in the link indicated, it is written that switching to transparent mode will erase the ASA configuration. However, I also use it for other things not mentioned in my post.

@abtt-39 without knowing your topology I see no reason why you cannot change the routing on the LAN. Or alternatively create another network behind the ASA and route accordingly. Or, depending on your ASA hardware, you could convert to ASA multi-context: one context using your existing routed configuration and another context as transparent.

I'd recommend you look to change your LAN topology to route between the different networks.

ebenaven
Cisco Employee

I believe that you don't need to configure static routes, since both networks are directly connected to the ASA.
But traffic permits are needed between both security zones.

Kind regards

From what you are describing you want to use FTP between two devices that have IPs in the same subnet as the Inside and Outside interfaces?  If this is the case then no routing is needed as these are "directly connected" subnets, the ASA already knows how to reach these networks.  So all that is needed is that the PCs need either a default gateway or a route for the PC in question pointing to the relevant ASA interface and access rules allowing the FTP connection (if using active FTP you will need to open for both tcp/20 and tcp/21).

As for ICMP, as this is stateless you will need to add an inspect icmp command under the global policy-map configuration as well as allow this in the access list.

policy-map global_policy
 class inspection_default
  inspect icmp

--
Please remember to select a correct answer and rate helpful posts
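As an added example (not from the thread and not Cisco's own documentation), here is the ASA side of what the answer above describes: rules permitting FTP and ICMP echo in each direction between the two directly connected subnets, plus ICMP inspection. Interface names, security levels and addresses are taken from the question; the object and ACL names are assumed. Host routing (a route for the other subnet pointing at the relevant ASA interface) still has to be in place, as noted above.

```cisco
! Added example (not from the thread): ASA-side configuration for the
! layout in the question. Interface names, security levels and addresses
! come from the original post; object and ACL names are assumed.

! Both interfaces are security-level 100. Without this line the ASA drops
! traffic between them even if an ACL permits it.
same-security-traffic permit inter-interface

! The analyzer PC on "outside" and the LAN behind "inside".
object network PC1
 host 10.0.1.110
object network INSIDE_LAN
 subnet 10.40.1.0 255.255.255.0

! Inside -> PC1: FTP control channel and ICMP echo only. tcp/20 is listed
! for active FTP; with 'inspect ftp' the data channel is opened dynamically.
access-list INSIDE_IN extended permit tcp object INSIDE_LAN object PC1 eq ftp
access-list INSIDE_IN extended permit tcp object INSIDE_LAN object PC1 eq ftp-data
access-list INSIDE_IN extended permit icmp object INSIDE_LAN object PC1 echo

! PC1 -> inside LAN (the "same thing in reverse" from the question).
access-list OUTSIDE_IN extended permit tcp object PC1 object INSIDE_LAN eq ftp
access-list OUTSIDE_IN extended permit tcp object PC1 object INSIDE_LAN eq ftp-data
access-list OUTSIDE_IN extended permit icmp object PC1 object INSIDE_LAN echo

! Anything not listed above hits the implicit deny at the end of each ACL.
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside

! ICMP carries no connection state of its own; 'inspect icmp' makes the
! ASA pair echo replies with their requests, so no echo-reply rule is needed.
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
```

If the ASA already carries other rules on these interfaces, merge the permit lines into the existing ACLs rather than replacing them, since the implicit deny would otherwise cut off that traffic.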


I'm attaching a little diagram (ld.JPG); it will be easier.

 

LOL, never mind the last comment, I see it is an L2 switch.  In this case you would need to implement static routes on PC2 to point to the ASA for network 10.0.1.0/24.  Also, you still need the access list entries to allow access for FTP as well as inspect ICMP in the global policy map.

Or place an L3 device between PC2 and the ISP and the rest of the internal network.

--
Please remember to select a correct answer and rate helpful posts

It's already the case:

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
  inspect icmp

And I can't ping.

Indeed, it seemed to me that it was not possible as shown in the diagram without a router somewhere.
I'm going to try adding a static route on a PC (it's a Windows PC); I've never tried it on Windows.

Go ahead, use the FW as a router.

But I want to mention that we normally name the interface connected to the ISP OUTSIDE with level 0,
and the interface connected to the LAN INSIDE with level 100.

MHM

If you will use the ASA as a router you would need to provision a new subnet for PC2 as you will end up with asynchronous routing towards the ISP if left as is.  Or configure tcp bypass on the ASA, but I would not recommend going that direction.

--
Please remember to select a correct answer and rate helpful posts

You are totally correct.
The traffic path will be
PC2->ISP->ASA->PC1
The return will be
PC1->ASA->PC2 (since the ASA and PC2 share the same subnet)

So he can use the ASA as a router, but he needs

It works, no issue.

NOTE: R2 in my lab is a pure L2 SW.
