03-16-2019 04:23 PM
Hi,
System image = asa982-smp-k8.bin
Is it possible to configure only static routes, without a default gateway ("Gateway of last resort is x.x.x.x to network 0.0.0.0")?
The reason for the question is that we have eBGP connected via an ASR to the ISP routing into the ASA, and an existing link from the same ISP on a different subnet connecting directly into the ASA.
Many thanks for your kind assistance in advance.
Cheers
Geoff
03-16-2019 09:02 PM
Can you add a diagram of your setup? It's not clear exactly what you're trying to achieve.
03-17-2019 12:41 AM
03-17-2019 08:32 AM
Still not sure what you are asking but if it is can you have static routes on the ASA without having a default route then yes you can.
Jon
03-17-2019 03:48 PM
Hi Jon,
Many thanks for your response.
All NAT rules attached to the outside interface are working:
nat (abc,outside) after-auto source dynamic abc-subnet interface
nat (xyz-vlan,DMZ) after-auto source dynamic xyz-subnet interface
route outside 0.0.0.0 0.0.0.0 y.y.246.161 1
route DMZ 0.0.0.0 0.0.0.0 x.x.14.1 2
Outbound traffic for DMZ interface is failing.
sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is y.y.246.161 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via y.y.246.161, outside
The DMZ route is not listed in show route output.
Both the outside and DMZ interfaces are linked to the Internet: one via the ASR/edge switch and the other directly to the ISP.
Hope this is clearer?
Cheers
Geoff
03-18-2019 11:50 AM
Geoff
I am not entirely clear on what you are trying to accomplish. But the answer to your immediate question is clear. You have configured two default routes and have assigned a different Administrative Distance to each one:
route outside 0.0.0.0 0.0.0.0 y.y.246.161 1
route DMZ 0.0.0.0 0.0.0.0 x.x.14.1 2
In this configuration the DMZ default route will be used only when the outside default route is not available.
HTH
Rick
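To make Rick's point concrete, here is a small Python model of how static routes are installed and looked up; it is an added example, not ASA code or anything from this thread. It assumes two simplified rules: for one prefix only the candidate with the lowest administrative distance is installed (the higher-AD twin is a floating backup that appears only when the preferred route's interface is down, modelled here by a `down_interfaces` set), and forwarding uses longest-prefix match. The config lines are constructed, with RFC 5737 documentation addresses standing in for the redacted y.y.246.161 and x.x.14.1 from the thread.

```python
"""Toy model of ASA static-route installation (added example, not ASA code).

Two rules are enough to explain the `show route` output in the thread:
  1. For a given prefix, only the static route with the lowest administrative
     distance (AD) is installed; a higher-AD twin is a floating backup that
     is installed only when the preferred route's interface goes down.
  2. Forwarding uses longest-prefix match, so a more-specific static route is
     preferred over any default route regardless of AD.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    iface: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    distance: int


def parse_route(line: str) -> StaticRoute:
    """Parse `route <iface> <network> <mask> <gateway> [distance]` (ASA static route syntax)."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a static route line: {line!r}")
    _, iface, net, mask, gw, *rest = parts
    distance = int(rest[0]) if rest else 1  # ASA default AD for a static route is 1
    return StaticRoute(iface, ipaddress.IPv4Network(f"{net}/{mask}", strict=False),
                       ipaddress.IPv4Address(gw), distance)


def build_rib(config_lines, down_interfaces=frozenset()):
    """Return installed routes: per prefix, the lowest-AD candidate whose interface is up."""
    best = {}
    for line in config_lines:
        r = parse_route(line)
        if r.iface in down_interfaces:
            continue  # next hop unreachable; this candidate cannot be installed
        cur = best.get(r.network)
        if cur is None or r.distance < cur.distance:
            best[r.network] = r
    # Most-specific prefix first, so lookup() can return the first match.
    return sorted(best.values(), key=lambda r: r.network.prefixlen, reverse=True)


def lookup(rib, dst: str):
    """Longest-prefix match over the installed routes; returns the route or None."""
    addr = ipaddress.IPv4Address(dst)
    for r in rib:
        if addr in r.network:
            return r
    return None


def show_route(rib) -> str:
    """Render the installed static routes roughly like the ASA's `show route` output."""
    lines = []
    for r in rib:
        code = "S*" if r.network.prefixlen == 0 else "S "
        lines.append(f"{code} {r.network.network_address} {r.network.netmask} "
                     f"[{r.distance}/0] via {r.gateway}, {r.iface}")
    return "\n".join(lines)


# Constructed sample config mirroring the thread's two default routes (documentation
# addresses from RFC 5737 stand in for the redacted y.y.246.161 and x.x.14.1).
CONFIG = [
    "route outside 0.0.0.0 0.0.0.0 203.0.113.161 1",
    "route DMZ 0.0.0.0 0.0.0.0 198.51.100.1 2",
]

if __name__ == "__main__":
    rib = build_rib(CONFIG)
    print(show_route(rib))  # only the AD-1 outside default is installed
    print("192.0.2.10 ->", lookup(rib, "192.0.2.10").iface)
    failover = build_rib(CONFIG, down_interfaces={"outside"})
    print("192.0.2.10 with outside down ->", lookup(failover, "192.0.2.10").iface)
    # A more-specific static route is installed alongside the default and wins by prefix length.
    rib2 = build_rib(CONFIG + ["route DMZ 198.51.100.0 255.255.255.0 198.51.100.1 1"])
    print(show_route(rib2))
    print("198.51.100.7 ->", lookup(rib2, "198.51.100.7").iface)
```

With both default routes configured, only the outside one shows up, exactly as in the `show route` output above; the DMZ default is used only once the outside interface is down. Adding a more-specific /24 via the DMZ, by contrast, is installed immediately and attracts traffic to that subnet while everything else keeps following the outside default.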
03-18-2019 05:39 PM
Hi Richard,
Many thanks for your contribution, it's very much appreciated and it now makes sense.
Is it possible to NAT traffic from interface VLANX to interface DMZ, which then routes it to the ASR router, which then routes the traffic to 0.0.0.0 0.0.0.0 with next hop the ISP?
Would this work on ASA --- "route DMZ x.x.14.0 255.255.255.0 x.x.14.1 1" ?
Cheers
Geoff
03-19-2019 07:02 AM
Geoff
I am still slightly confused about what you are asking. Parts of your questions are asking about doing routing and parts seem to be asking about doing address translation. The specific question in your recent post asks about
route DMZ x.x.14.0 255.255.255.0 x.x.14.1 1
I cannot tell whether the x.x.14.0 is the same as x.x.14.1. If the first x.x is the same as the second x.x then I do not understand the logic of saying that you can get to a subnet by accessing a specific address in that subnet. If the second x.x is different from the first one then the configuration would be valid.
Your drawing seems to show the ASA has an interface connecting to the ASR and another interface connecting to the ISP for VPN. Is your DMZ the interface for vpn or is it something else?
HTH
Rick
03-19-2019 01:21 PM
Hi Rick,
Please kindly refer to attached network topology.
Sorry if my explanation is confusing and hopefully now a picture paints a thousand words.
With reference to diagram, green path is working fine (via 0.0.0.0 0.0.0.0 111.111.246.161), we are struggling to get the red path working due to the ASA only allowing 1 default path (via green path) to internet.
Clearly I am not a network engineer, although with my limited knowledge, shouldn't one be able to route red-path traffic from the ASA through the ASR's default static route 0.0.0.0 0.0.0.0 111.222.245.90?
Rick, are we chasing the pot of gold at the end of the rainbow?
Cheers
Geoff
03-19-2019 03:34 PM
Geoff
Thanks for the improved diagram. It does clarify some things while still leaving some questions. It clearly shows the two paths to the Internet, but it does not explain how you want to use the two paths. If you want two active paths to the Internet I can think of 3 alternatives for you to consider.
1) You might want to use Policy Based Routing, which the ASA does support in relatively recent versions of code. You could have a default route point at one path, and have PBR identify certain types of traffic which would use the second path.
2) You might want to configure your ASA for multiple contexts and have each context have its own default route.
3) You might be able to set up static routes for certain things (perhaps certain services, perhaps business partners, perhaps customers/clients) and have these static routes use the second connection. I did this for a customer who had many site to site vpns. Each vpn peer had a static route for its peer address. Most traffic used the primary connection and vpn traffic used the second connection.
HTH
Rick
03-19-2019 04:04 PM
Hi Rick,
Many thanks for your prompt response!
Option 1, I am keen to learn about PBR for ASAs; can you point me in a direction to find out more?
Option 2 is a great option, although I want to use this for setting up an Active/Active cluster between the 2 DCs.
Option 3, we are currently trialling this option at one of the DCs; it just doesn't feel right, it seemed to me to be more of a hack (hitting a panel nail with a sledgehammer) rather than a robust solution. I am thinking that possibly option 1 could be a hybrid of options 2 & 3, what do you think?
Again, many thanks for your valued insight to our problem.
Cheers
Geoff
03-19-2019 10:38 PM
Hi Rick,
Just letting you know that we finally sorted out our problem and it's now working.
We were able to get PBR working for the BGP link, although we did have a minor challenge with outside traffic coming inside on the same path as the PBR route, but resolved it.
Now onto the last part of our design, which is failover of BGP and active/active clustering of ASAs.
Again many thanks for your time and very kind assistance.
Cheers
Geoff
03-20-2019 06:22 AM
Geoff
Thanks for the update. Glad to know that you have sorted out the issue and that it is now working. Best wishes as you move forward with BGP failover and with active/active clustering.
HTH
Rick