
When to use Route inside Command

mahesh18
Level 6

Hi Everyone,

I have an ASA connected to an inside and a DMZ VLAN.

The DMZ VLAN has a connection to a Layer 3 switch which is on the inside network.

OSPF is running between the ASA and the DMZ switch, which is directly connected.

Let's say the DMZ switch has some new subnet and the ASA has no route to it.

Here, for the ASA to reach that new subnet, as per me 2 things can be done:

1> Advertise the new subnet in the DMZ switch under OSPF.

2> Can we use the route inside command on the ASA?

route inside <new subnet on DMZ switch> <mask> <next hop address>

Need to confirm if the 2nd is the correct way to do it?

When do we use the route inside command on the ASA?

Thanks

Mahesh


7 Replies

Julio Carvajal
VIP Alumni

Hello Mahesh18,

When you say 2 VLANs, do you mean on the ASA (interface vlan 1 and interface vlan 3)? Because if that is the case then you should not point this to inside; if it's different from this then yes, you should have that route.

So when to use route inside?

As soon as you need to go across the inside interface of the ASA in order to reach a destination.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

The ASA has inside VLAN 1 and VLAN 3, which has a connection to the DMZ switch.

The DMZ switch has only VLAN 3 right now.

So if I create a new VLAN only on the DMZ switch with a new subnet, then can the ASA reach this new VLAN, which is only on the DMZ switch, with the route inside command?

thanks

mahesh

Hello Mahesh,

That looks like a design issue.

As you know, each interface on an ASA in routed mode needs to be on a different broadcast domain.

So that means you can access x.x.x.x over only one interface.

Do you see the problem right now? In this case the switch should have 2 different VLANs, one connecting to inside and the other one to DMZ.

And of course you do not need to access the DMZ subnet over the inside interface, as it's directly attached to the ASA on the DMZ VLAN.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Let me give more info on this.

Inside interface -- the VLAN is on the ASA itself and it has no physical connection to any network device.

DMZ interface -- the VLAN has a connection to the switch.

Hope this helps.

When you say ---

1> As you know, each interface on an ASA in routed mode needs to be on a different broadcast domain.

So that means you can access x.x.x.x over only one interface.

Question

So this means that in order to access some new subnet, say the inside VLAN has a connection to some switch, and now that switch has one new subnet. So does this mean that the ASA will not be able to access that new subnet, as the ASA supports only 1 subnet per interface?

2> So when to use route inside?

As soon as you need to go across the inside interface of the ASA in order to reach a destination.

Question

Can you please explain this with an example?

Regards

Mahesh

Hello Mahesh,

Thanks for the explanation.

1> As you know, each interface on an ASA in routed mode needs to be on a different broadcast domain.

So that means you can access x.x.x.x over only one interface.

A/ Yes, that is correct.

2> Now that switch has one new subnet. So does this mean that the ASA will not be able to access that new subnet, as the ASA supports only 1 subnet per interface?

No, what I mean is that you can access "x" network on one specific interface, but you can have more than one subnet per interface (with routing, of course).

3> So when to use route inside?

As soon as you need to go across the inside interface of the ASA in order to reach a destination.

Question

Can you please explain this with an example?

Sure, here is the topology:

192.168.10.0----Router----192.168.20.0-----Inside_ASA------ASA_Outside-----4.2.2.0----Internet
                                                        |
                                                        |
                                                       DMZ
                                                    172.16.0.0

So in this case, if we want to go to 192.168.10.0 we will need to go across the inside interface of the ASA; that is where we use route inside.

Regards,

Julio

Remember to rate all of the helpful posts. If you have any other query regarding this, just let me know; this might be tricky.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
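
As an added example, not part of the original thread or of Julio's posts: the topology above and the "new VLAN on the DMZ switch" case from the earlier reply, written out as ASA configuration. The three subnets in the diagram come from the thread; every host address (ASA inside 192.168.20.2, router 192.168.20.1, ASA outside 4.2.2.2 and ISP gateway 4.2.2.1, ASA dmz 172.16.0.1, DMZ switch 172.16.0.2), the VLAN numbers, the new switch subnet 172.16.1.0/24 and the OSPF key are assumptions made for the illustration.

```cisco
! Added example, not configuration from the thread. Host addresses, VLAN
! numbers, the 172.16.1.0/24 subnet and the OSPF key are assumed.
!
! One subnet per interface: the ASA rejects an interface address that
! overlaps another interface's subnet (the "different broadcast domain"
! point above), so each of these is its own VLAN.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 4.2.2.2 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
! 192.168.10.0/24 is behind the router on the inside side. The ASA has
! to cross its inside interface to get there, so this is the "route
! inside" case; the next hop is the router's address on the inside subnet.
route inside 192.168.10.0 255.255.255.0 192.168.20.1
!
! Everything without a more specific route leaves through outside.
route outside 0.0.0.0 0.0.0.0 4.2.2.1
!
! 172.16.0.0/24 needs no route at all: it is directly connected on dmz.
!
! A new VLAN on the DMZ switch (assumed 172.16.1.0/24) is reached across
! the DMZ interface, not inside, so the static route is bound to dmz and
! its next hop is the switch's address on the connected DMZ subnet.
! "route inside 172.16.1.0 ..." would point that traffic at the wrong
! interface and the subnet would stay unreachable.
route dmz 172.16.1.0 255.255.255.0 172.16.0.2
!
! Alternative to the static route (option 1 in the question): let the
! switch advertise the new subnet over the OSPF adjacency that already
! runs on the DMZ link. Authenticate that adjacency; otherwise any host
! on the DMZ VLAN can form an adjacency and inject routes into the ASA.
router ospf 1
 network 172.16.0.0 255.255.255.0 area 0
!
interface Vlan3
 ospf authentication message-digest
 ospf message-digest-key 1 md5 SOME-SHARED-KEY
```

To check it, `show route` should list 172.16.1.0/24 as a static route via 172.16.0.2 on dmz (or as an OSPF-learned route once the switch advertises it), and `packet-tracer input inside tcp 192.168.20.10 1025 172.16.1.10 443` walks a flow through the route lookup and the ACL and NAT phases and names the egress interface. A route only makes the subnet reachable; whether a given flow is permitted is still decided by the security levels and access lists, which is why packet-tracer is a better check than a ping from the ASA.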

Hi Julio,

Many thanks again for the wonderful explanation!

Best regards

Mahesh

Hello Mahesh,

Glad I could help

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC