
Monday 24 July 2017

Default and Static Routing on Cisco ASA

Hello and welcome to the tutorial on building up the Cisco ASA step by step.

In this tutorial I will describe how to configure IP routing (default and static routes) on the Cisco ASA.

Let's cover a few important things first.

When dynamic routing protocols such as OSPF or EIGRP adapt to topology changes automatically, why learn static routes at all? Are they needed and important on the ASA?

Yes. Single context mode supports dynamic routing, but multiple context mode does not, so in that case we must use static routes.
But
we may also use static routes in single context mode in a few cases:

The existing networks use a different routing protocol like EIGRP or OSPF.
OR
The network is small and the static routes are easy to manage.
OR
We do not want the traffic or CPU overhead caused by a routing protocol.

SO,

we can configure a default route that sends all traffic to a next-hop router and rely on that router to forward it for us. However, in some cases the default gateway cannot reach the intended destination network, so we also configure more specific static routes.

For example, if the default route points to the outside interface, it cannot direct traffic to an inside or DMZ network that is not directly connected to the security appliance.

AGENDA:

• Configuring Default Route on Cisco ASA.
• Configuring Static Route on Cisco ASA.

Configuring Default Routes:

A default route forwards all traffic for unknown destinations out of one specified interface. Packets for networks that have no more specific route in the table are sent to the default gateway, which is the next hop of the default route.

Here we will configure our ASA to send any traffic for an unknown destination to the external router's connected interface, from where it will be routed to the internet.


Topology:


To add a default route, use either of these commands:

Mountain(config)# route outside 0 0 192.168.3.254
or
Mountain(config)# route outside 0.0.0.0 0.0.0.0 192.168.3.254
(Route traffic for any destination with any subnet mask to 192.168.3.254, which is reached through the outside interface)

Verify:



Now all traffic for unknown destinations is routed to the default gateway, 192.168.3.254.
Let's try to ping the internet IP "8.8.8.8" from the LAN network.




Configuring Static Routes:

We have to add a specific route for the DMZ network so that its traffic is not sent to the external router via the default route. We will configure a static route so that any traffic to 10.144.16.254 arriving at the ASA is routed to the DMZ router's connected interface.

To add a static route, the command is:

Mountain(config)# route DMZ 10.144.16.254 255.255.255.255 192.168.2.254
(Route traffic for 10.144.16.254/32 to 192.168.2.254 through the DMZ interface)


Verify:


The optional distance argument at the end of the route command is the administrative distance for the route. The default is 1 if you do not specify a value.



Administrative distance is a parameter used to compare the priority of routes learned from different sources. The default administrative distance for static routes is 1, which gives them precedence over routes discovered by dynamic routing protocols but not over directly connected routes.
If a static route has the same administrative distance as a dynamic route, the static route takes precedence. Connected routes always take precedence over static or dynamically discovered routes.

Static routes remain in the routing table even if the specified gateway becomes unavailable.
If the specified gateway becomes unavailable, you need to remove the static route from the routing table manually. Dynamic routes, however, are removed from the routing table if the interface they use goes down.
They are reinstated when the interface comes back up.

If you create a static route with an administrative distance greater than the administrative distance of the routing protocol running on the security appliance, then a route to the specified destination discovered by the routing protocol takes precedence over the static route.
The static route is used only if the dynamically discovered route is removed from the routing table.
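The route selection described in this tutorial (the default route catching unknown destinations, the more specific /32 static route winning for the DMZ host, and administrative distance deciding between candidates for the same prefix) can be worked through in a small model. The following Python is an added example, not code from the original post and not Cisco software: it models the ASA's table with the interfaces and next hops named on the page. The /24 masks, the inside subnet 192.168.1.0/24, the OSPF-learned 10.144.17.0/24 and the floating static route with distance 130 are constructed for the demonstration, and the equal-distance tie-break is simplified to "first route installed wins".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Default administrative distances as the ASA uses them: connected 0, static 1,
# OSPF 110 (standard values; the page itself only states the static default of 1).
AD_CONNECTED = 0
AD_STATIC = 1
AD_OSPF = 110


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[ipaddress.IPv4Address]  # None for a connected route
    source: str      # "connected", "static" or "ospf"
    distance: int    # administrative distance


def parse_route_command(line: str) -> Route:
    """Parse the ASA form used on the page:
    route <ifname> <dest> <mask> <gateway> [distance]
    '0 0' is the shorthand for 0.0.0.0 0.0.0.0 (the default route)."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a route command: {line!r}")
    ifname, dest, mask, gw = parts[1:5]
    dest = "0.0.0.0" if dest == "0" else dest
    mask = "0.0.0.0" if mask == "0" else mask
    distance = int(parts[5]) if len(parts) > 5 else AD_STATIC
    prefix = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
    return Route(prefix, ifname, ipaddress.IPv4Address(gw), "static", distance)


class RoutingTable:
    """Toy model of ASA route selection: for each prefix keep the candidate with
    the lowest administrative distance, then pick the longest prefix that
    contains the destination."""

    def __init__(self) -> None:
        self._candidates: list[Route] = []

    def add(self, route: Route) -> None:
        self._candidates.append(route)

    def remove(self, route: Route) -> None:
        self._candidates.remove(route)

    def best_routes(self) -> list[Route]:
        best: dict[ipaddress.IPv4Network, Route] = {}
        for r in self._candidates:
            cur = best.get(r.prefix)
            if cur is None or r.distance < cur.distance:
                best[r.prefix] = r   # equal AD: earlier route kept (simplification)
        return list(best.values())

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.IPv4Address(dst)
        matches = [r for r in self.best_routes() if addr in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: r.prefix.prefixlen)  # longest prefix match


def build_page_topology() -> RoutingTable:
    rt = RoutingTable()
    # Connected networks. The page names the interfaces and next hops; the /24
    # masks and the inside subnet are assumptions made for this example.
    for ifname, net in (("inside", "192.168.1.0/24"),
                        ("DMZ", "192.168.2.0/24"),
                        ("outside", "192.168.3.0/24")):
        rt.add(Route(ipaddress.IPv4Network(net), ifname, None, "connected", AD_CONNECTED))
    # The two routes configured on the page.
    rt.add(parse_route_command("route outside 0 0 192.168.3.254"))
    rt.add(parse_route_command("route DMZ 10.144.16.254 255.255.255.255 192.168.2.254"))
    return rt


def demo_administrative_distance() -> tuple[Route, Route]:
    """Constructed scenario: an OSPF-learned 10.144.17.0/24 (AD 110) and a
    floating static route to the same prefix with AD 130. Returns the route used
    while OSPF is up and the route used after the OSPF route is withdrawn."""
    rt = build_page_topology()
    ospf = Route(ipaddress.IPv4Network("10.144.17.0/24"), "DMZ",
                 ipaddress.IPv4Address("192.168.2.254"), "ospf", AD_OSPF)
    floating = parse_route_command("route outside 10.144.17.0 255.255.255.0 192.168.3.254 130")
    rt.add(ospf)
    rt.add(floating)
    preferred = rt.lookup("10.144.17.5")   # lower AD wins: the OSPF route
    rt.remove(ospf)                        # dynamic route removed from the table
    fallback = rt.lookup("10.144.17.5")    # the floating static route takes over
    return preferred, fallback


if __name__ == "__main__":
    table = build_page_topology()
    for dst in ("8.8.8.8", "10.144.16.254", "192.168.3.10"):
        r = table.lookup(dst)
        print(f"{dst:15} -> {r.interface} via {r.gateway or 'connected'} ({r.source}, AD {r.distance})")
    pref, fb = demo_administrative_distance()
    print(f"10.144.17.5 with OSPF up: {pref.source} AD {pref.distance}; "
          f"after withdrawal: {fb.source} AD {fb.distance}")
```

Running the script shows 8.8.8.8 leaving via the outside interface through 192.168.3.254, 10.144.16.254 matching the /32 static route towards 192.168.2.254 on DMZ even though the default route also covers it, and a host in a connected network using no gateway at all. The second scenario shows why a static route with a distance above the routing protocol's only appears in the forwarding decision once the dynamic route is gone.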

Friends, I have successfully demonstrated how to configure the ASA to enable the firewall admin to access the ASA from his management system via ASDM or SSH.

For a clearer understanding of the concepts, please watch the video tutorial linked above.

Subscribe to my YouTube channel for further updates, like and comment with your suggestions, and click the bell icon for update notifications.

Thank You.



