
ASA routing protocols?

jroy777
Level 1

Looking for recommendations for routing traffic from the ASA back to a router on the "inside" network so we do not have to add static routes on systems. We recently added an ASR1001 to our "inside" network that routes traffic to Amazon through a Megaport link that is established to the AWS Direct Connect cloud. I add static routes to servers, but we have a mix of equipment and I don't want to manually do this hundreds of times. The servers' default route is the ASA; the ASA has a static route to the AWS networks back behind the ASR, but none of the systems can reach it unless I specifically add the network to the routing table on the system. If I enable a routing protocol on the ASA, does anyone have an idea of the load increase it might add? Currently we have a 5555 pair and the processors run consistently between 60 and 85%. If a routing protocol is feasible, which one would any of you recommend and why?

Thanks for your input!


20 Replies

Check this: the ASA already connects to these three subnets (DMZ, Inside and UAT), so there is no need for any EIGRP.
EIGRP would be used by the ASA only to reach the 169.254.38.181 subnet.

Check the topology I drew below and please answer the question.

MHM

[Attachment: FortiSwitch-AWS-DC-vlan-Diagram.png]

From host 192.168.50.92 on inside (blue), with no static routes added to the host, I can ping 10.33.160.10 and I can traceroute. All works correctly.

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.50.1    192.168.50.92    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.50.0    255.255.254.0         On-link     192.168.50.92    276
    192.168.50.92  255.255.255.255         On-link     192.168.50.92    276
   192.168.51.255  255.255.255.255         On-link     192.168.50.92    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.50.92    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.50.92    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     192.168.50.1  Default
          0.0.0.0          0.0.0.0     192.168.50.1  Default
===========================================================================

C:\Users\jroy>ping 10.33.160.10

Pinging 10.33.160.10 with 32 bytes of data:
Reply from 10.33.160.10: bytes=32 time=37ms TTL=251
Reply from 10.33.160.10: bytes=32 time=37ms TTL=251

Ping statistics for 10.33.160.10:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 37ms, Maximum = 37ms, Average = 37ms
Control-C
^C

C:\Users\jroy>tracert -d 10.33.160.10

Tracing route to 10.33.160.10 over a maximum of 30 hops

  1     1 ms     *        1 ms  192.168.50.1    <- ASA
  2     2 ms     1 ms     1 ms  192.168.51.249  <- ASR
  3    29 ms    29 ms    29 ms  169.254.38.181  <- AWS BGP neighbor
  4     *        *        *     Request timed out.
  5    37 ms    36 ms    36 ms  10.33.160.10    <- Excellent

Trace complete.

C:\Users\jroy>


From host 10.1.1.90 on dmz (green), with no static routes added to the host, I CANNOT ping 10.33.160.10 and I CANNOT traceroute.

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.1.1        10.1.1.90    266
         10.1.0.0    255.255.254.0         On-link         10.1.1.90    266
        10.1.1.90  255.255.255.255         On-link         10.1.1.90    266
       10.1.1.255  255.255.255.255         On-link         10.1.1.90    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
   169.254.38.180  255.255.255.252         10.1.0.4        10.1.1.90     11
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         10.1.1.90    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link         10.1.1.90    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0         10.1.1.1  Default
===========================================================================

C:\Windows\system32>ipconfig

Windows IP Configuration

Ethernet adapter Ethernet 5:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.1.1.90
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.1.1.1

C:\Windows\system32>ping 10.33.160.10

Pinging 10.33.160.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.33.160.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Windows\system32>tracert -d 10.33.160.10

Tracing route to 10.33.160.10 over a maximum of 30 hops

  1    <1 ms     *       <1 ms  10.1.1.1
  2    <1 ms    <1 ms    <1 ms  65.203.136.1    <- 2nd hop wrong path, going out ASA
  3     *        *       ^C

From host 10.10.2.20 on uat (purple), with no static routes added to the host, I CANNOT ping 10.33.160.10 and I CANNOT traceroute.

[Attachment: uat-ping-fail.png]
The 2nd hop is the wrong path, going out the ASA.

10.33.160.10 <<- is this IP behind the ASA or the ASR?
I think I found the issue here, but answer the question above; on my side I will run a lab and check.

MHM

10.33.160.10 is behind the ASR in the AWS cloud. Was this the question, or did I miss another one?

I had to add entries to an ACL that is assigned to a route-map, and then traffic started to flow in the correct direction for UAT and DMZ. Only one thing is left: DMZ is still not getting a response to my ping. UAT works.

I added the following to the route-VZ ACL assigned to the route-map:

access-list route-VZ remark #### Avoid dmz traffic to route through outside VZ int ####
access-list route-VZ extended deny ip object DMZ object-group AWS-DC-MP-Subnets
access-list route-VZ remark #### Avoid UAT traffic to route through outside VZ int ####
access-list route-VZ extended deny ip object UAT_NET object-group AWS-DC-MP-Subnets

From a host on UAT (vlan35) it is working.

C:\Windows\system32>route print
===========================================================================
Interface List
 18...2a 74 5c 02 e8 28 ......XenServer PV Network Device #0
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.10.2.1       10.10.2.20    266
        10.10.2.0    255.255.255.0         On-link        10.10.2.20    266
       10.10.2.20  255.255.255.255         On-link        10.10.2.20    266
      10.10.2.255  255.255.255.255         On-link        10.10.2.20    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        10.10.2.20    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        10.10.2.20    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0       10.1.1.163  Default
          0.0.0.0          0.0.0.0         10.1.1.1  Default
          0.0.0.0          0.0.0.0         10.1.1.1  Default
          0.0.0.0          0.0.0.0        10.10.2.1  Default
          0.0.0.0          0.0.0.0         10.1.1.1  Default
          0.0.0.0          0.0.0.0        10.10.2.1  Default
          0.0.0.0          0.0.0.0        10.10.2.1  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\Windows\system32>ping 10.33.160.10

Pinging 10.33.160.10 with 32 bytes of data:
Reply from 10.33.160.10: bytes=32 time=34ms TTL=251
Reply from 10.33.160.10: bytes=32 time=34ms TTL=251

Ping statistics for 10.33.160.10:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 34ms, Maximum = 34ms, Average = 34ms
Control-C
^C
C:\Windows\system32>tracert -d 10.33.160.10

Tracing route to 10.33.160.10 over a maximum of 30 hops

  1    <1 ms     *       <1 ms  10.10.2.1
  2    <1 ms    <1 ms    <1 ms  192.168.51.249
  3    29 ms    28 ms    28 ms  169.254.38.181
  4     *        *        *     Request timed out.
  5    34 ms    34 ms    34 ms  10.33.160.10

Trace complete.

C:\Windows\system32>

From a host on DMZ, ping is not working, but the traceroute shows it is taking the correct path.

C:\Users\jroy>ipconfig

Windows IP Configuration


Ethernet adapter Ethernet 5:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.1.1.90
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.1.1.1

Tunnel adapter isatap.{C0D84F0E-B711-408F-8046-367A1D72E682}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

C:\Users\jroy>route print
===========================================================================
Interface List
 17...b2 8d 40 ac f8 02 ......XenServer PV Network Device #0
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.1.1        10.1.1.90    266
         10.1.0.0    255.255.254.0         On-link         10.1.1.90    266
        10.1.1.90  255.255.255.255         On-link         10.1.1.90    266
       10.1.1.255  255.255.255.255         On-link         10.1.1.90    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
   169.254.38.180  255.255.255.252         10.1.0.4        10.1.1.90     11
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         10.1.1.90    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link         10.1.1.90    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0         10.1.1.1  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\Users\jroy>tracert -d 10.33.160.10

Tracing route to 10.33.160.10 over a maximum of 30 hops

  1    <1 ms     *       <1 ms  10.1.1.1
  2    <1 ms    <1 ms    <1 ms  192.168.51.249
  3    28 ms    40 ms    28 ms  169.254.38.181
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

C:\Users\jroy>ping 10.33.160.10

Pinging 10.33.160.10 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 10.33.160.10:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Control-C
^C


I think I know what it is. They may not have added a return path back to 10.10.2.0/24 in the AWS cloud.
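The route-map fix described earlier in this thread, as an added illustration (not the poster's configuration or any Cisco code): a small Python model of how an ASA evaluates a policy-based routing route-map, showing why a deny entry in the route-map's ACL sends DMZ- and UAT-sourced AWS traffic back to the ordinary routing table instead of out the outside (VZ) interface. The contents of AWS-DC-MP-Subnets, the routing table, the PBR next hop, the final permit entry and the interfaces the route-map is bound to are assumptions.

```python
import ipaddress

# Constructed from the subnets seen in the thread. AWS-DC-MP-Subnets membership,
# the routing table and the interfaces bound to the route-map are assumptions.
OBJECTS = {
    "DMZ": ["10.1.0.0/23"],
    "UAT_NET": ["10.10.2.0/24"],
    "AWS-DC-MP-Subnets": ["10.33.160.0/24"],
}
ROUTING_TABLE = [("10.33.160.0/24", "192.168.51.249"),  # static route via the ASR
                 ("0.0.0.0/0", "65.203.136.1")]         # default via outside (VZ)
PBR_NEXT_HOP = "65.203.136.1"     # route-map 'set ip next-hop' target (assumed)
PBR_INTERFACES = {"dmz", "uat"}   # interfaces the route-map is applied to (assumed)

def in_object(ip, name):
    """True if ip falls inside the named object; 'any' matches everything."""
    if name == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in OBJECTS[name])

def acl_action(acl, src, dst):
    """First-match ACL evaluation; returns 'permit', 'deny' or None (no match)."""
    for action, s, d in acl:
        if in_object(src, s) and in_object(dst, d):
            return action
    return None

def table_lookup(dst):
    """Longest-prefix match over the routing table; returns the next hop."""
    addr = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(p), nh) for p, nh in ROUTING_TABLE]
    best = max((c for c in candidates if addr in c[0]), key=lambda c: c[0].prefixlen)
    return best[1]

def next_hop(ingress, src, dst, acl):
    """PBR applies only where the route-map is bound AND the ACL permits the flow;
    a deny entry or no match falls through to the ordinary routing table."""
    if ingress in PBR_INTERFACES and acl_action(acl, src, dst) == "permit":
        return PBR_NEXT_HOP
    return table_lookup(dst)

# Before the fix: every flow entering dmz/uat is policy-routed out the VZ link.
ACL_BEFORE = [("permit", "any", "any")]
# After the fix: the two deny lines from the thread exclude AWS-bound traffic.
ACL_AFTER = [("deny", "DMZ", "AWS-DC-MP-Subnets"),
             ("deny", "UAT_NET", "AWS-DC-MP-Subnets"),
             ("permit", "any", "any")]
```

Checking a flow with `next_hop("dmz", "10.1.1.90", "10.33.160.10", ACL_AFTER)` reproduces the corrected second hop seen in the DMZ traceroute, while the same call with `ACL_BEFORE` reproduces the wrong hop out the outside interface.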
