cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1731
Views
4
Helpful
24
Replies

Using an ASA as a router

abtt-39
Level 1
Level 1

Hello,

the question is in the title. 

Is it possible to use the ASA as a router between 2 internal networks?

 

interface GigabitEthernet1/1
nameif outside
security-level 100
ip address 10.0.1.254 255.255.255.0


interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.40.1.249 255.255.255.0

"outside" interface, connected to an L2 switch. 


A PC ( PC1) is connected to this switch

10.0.1.110 255.255.255.0 GW : 10.01.254

The "inside" interface is also connected to an L2 switch, to which PCs are connected. These PCs have IP 10.40.1.X /24 and Gateway 10.40.1.254. This gateway is the IP of the ISP router (VPN MPLS router).

From the "inside" network, I need to retrieve FTP data on PC1. And allow ICMP too. Same thing in reverse (from outside to inside).

But the problem is that if I add a route on the ASA, it asks me to configure the next hop Ip address. But in this diagram, I don't have one?

The goal is to isolate PC1. A laboratory analyzer is connected to this PC (PC not supplied by us). It sends data to this PC, and I can retrieve data via FTp on it to send it to the inside network.

 

 

 

 

24 Replies 24

@abtt-39 you can either change the routing on your to make the ASA the next hop, you would also need to configure an ACL to explictly permit the traffic between the interfaces.

Or you could configure the ASA in transparent mode - https://integratingit.wordpress.com/2021/05/30/asa-transparent-mode/

 

abtt-39
Level 1
Level 1

Hello rob,

Unfortunately, on the inside station, I cannot change the gateway to ASA. These PCs need their current gateway to access the MPLS VPN network between sites.

For transparent mode, I didn't know, but in the link indicated, it is written that switching to transparent mode will erase the ASA configuration. However, I also use it for other things not mentioned in my post

@abtt-39 without knowing your topology I see no reason why you cannot change the routing on the LAN. Or alternatively create another network behind the ASA and route accordingly. Or depending on your ASA hardware you could convert to ASA Multi-context, 1 using your existing routed configuration and another context as transparent.

I'd recommend you look to change your LAN topology to route between the different networks.

ebenaven
Cisco Employee
Cisco Employee

I believe that you don´t need to configure static routes, due both network is directly connected to the ASA.
But is needed traffic permits between both security zones.

Kind regards

 

 

From what you are describing you want to use FTP between two devices that have IPs in the same subnet as the Inside and Outside interfaces?  If this is the case then no routing is needed as these are "directly connected" subnets, the ASA already knows how to reach these networks.  So all that is needed is that the PCs need either a default gateway or a route for the PC in question pointing to the relevant ASA interface and access rules allowing the FTP connection (if using active FTP you will need to open for both tcp/20 and tcp/21).

As for ICMP, as this is stateless you will need to add an inspect icmp command under the global policy-map configuration as well as allow this in the access list.

policy-map global_policy

  class inspeciton_default

    inspect icmp

 

 

--
Please remember to select a correct answer and rate helpful posts


I'm attaching a little diagram, it will be easier.ld.JPG

 

LOL, never mind the last comment, I see it is a L2 switch.  In this case you would need to implement static routes on PC2 to point to the ASA for network 10.0.1.0/24.  Also, you still need the access list entries to allow access for FTP as well as inspect ICMP in the global policy map.

Or place an L3 device between PC2 and the ISP and the rest of the internal network.

--
Please remember to select a correct answer and rate helpful posts

it's already the case :

policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp

 

and i can't ping

Indeed, it seemed to me that it was not possible as shown in the diagram without a router somewhere.
I'm going to try adding a static route on a PC (it's a Windows PC), I've never tried it on Windows.

go a head use FW as router 

but I want to mention that we normally named the Interface connect to ISP OUTSIDE and level 0
and interface connect to LAN as INSIDE and level 100

MHM

If you will use the ASA as a router you would need to provision a new subnet for PC2 as you will end up with asynchronous routing towards the ISP if left as is.  Or configure tcp bypass on the ASA, but I would not recommend going that direction.

--
Please remember to select a correct answer and rate helpful posts

You are totally correct 
the traffic path will be 
PC2->ISP->ASA->PC1
the return will be 
PC1->ASA->PC2 (since ASA and PC2 share same subnet)

So He can use ASA as router but he need 

ld.JPG

it work not issue 

NOTE:- R2 in my lab is pure L2 SW.

Screenshot (143).pngScreenshot (144).png

abtt-39
Level 1
Level 1

Good morning,

I'm re-uploading this post because I haven't worked on this problem again.

If I put the diagram back, it has evolved. A commenter added 2 routers/firewalls (not managed by us), 201 and 202

Capture d’écran 2024-09-18 114827.jpg

From a pc on the 10.40.1.0 network, I can ping 10.0.0.50

On this PC 10.0.0.50, there is a local web server in https

I would like to be able to access this local web server from a computer on the 10.40.1.0 network

https://10.0.0.50/

ERR_CONNECTION_REFUSED

 

Gateway of last resort is 10.40.1.254 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 10.40.1.254, inside
S 10.0.0.1 255.255.255.255 [1/0] via 10.0.1.253, outside
S 10.0.0.10 255.255.255.255 [1/0] via 10.0.1.252, outside
S 10.0.0.20 255.255.255.255 [1/0] via 10.0.1.253, outside
S 10.0.0.50 255.255.255.255 [1/0] via 10.0.1.253, outside
S 10.0.0.101 255.255.255.255 [1/0] via 10.0.1.253, outside
C 10.0.1.0 255.255.255.0 is directly connected, outside
S 10.0.1.5 255.255.255.255 [1/0] via 10.0.1.251, outside
L 10.0.1.254 255.255.255.255 is directly connected, outside
S 10.39.1.0 255.255.255.0 [1/0] via 10.40.1.254, inside
C 10.40.1.0 255.255.255.0 is directly connected, inside
L 10.40.1.249 255.255.255.255 is directly connected, inside
S 10.239.11.0 255.255.255.0 [1/0] via 10.40.1.254, inside

In this topology, I have 2 networks connected directly to the ASA, and a 3rd, not directly connected 10.0.0.0/24

 

with packet tracer :

#packet-tracer input inside tcp 10.40.1.4 12345 10.0.0.50 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.1.253 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access in interface inside
access-list inside_access extended permit object-group DM_INLINE_SERVICE_4 object inside-network 10.0.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_4
service-object udp
service-object tcp destination eq https
service-object tcp destination eq www
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (any,outside) dynamic interface
Additional Information:
Dynamic translate 10.40.1.4/12345 to 10.0.1.254/12345

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 223558, packet dispatched to next module

Phase: 10
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.1.253 using egress ifc outside

Phase: 11
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 0008.da79.1d1e hits 0 reference 1

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 

#PING from 10.40.1.4 to 10.0.0.50 = OK

Traceroute from 10.40.1.4 to 10.0.0.50 = OK
1 <1 ms <1 ms <1 ms 10.40.1.254
2 4 ms 3 ms 3 ms 10.0.1.253
3 4 ms 4 ms 4 ms 10.0.0.50

# sh nat detail
Auto NAT Policies (Section 2)
1 (any) to (outside) source dynamic obj_any interface
translate_hits = 3389, untranslate_hits = 9874
Source - Origin: 0.0.0.0/0, Translated: 10.0.1.254/24

In terms of nat, I'm not sure?

Review Cisco Networking for a $25 gift card