Although the Cisco ASA is not a router, it still has a routing table, and static or dynamic routing must be configured so that the device knows where to forward packets.
When a packet arrives at a network interface on the ASA firewall, it goes through a number of security controls, such as ACL filtering, NAT, deep-packet inspection, etc.
Routing support on ASA
Once the packet passes all firewall controls, the security device needs to send the packet to its destination address. Therefore, it checks its routing table to determine the outgoing interface where the packet should be sent.
The Cisco ASA supports both static and dynamic routing. For dynamic routing, the ASA supports RIPv2, EIGRP and OSPF.
We recommend static routes only and no dynamic routing on the firewall. One purpose of a firewall is to hide the addressing and topology of the trusted internal network; a dynamic routing protocol running on the firewall can advertise internal routes toward untrusted networks and so expose that topology. If dynamic routing is unavoidable, at least never enable it on the outside interface.
Static Route configuration on Cisco ASA
The scenario in the above diagram will help us understand how to configure static routing.
The ASA connects to the internet externally and also has a DMZ and internal zone. The default gateway towards the ISP is 200.1.1.1. The DMZ network is 10.0.0.0/24 and the internal LAN1 network is 192.168.1.0/24.
LAN1 is directly connected to the Inside interface of the firewall. There is also a second internal network, LAN2, 192.168.2.0/24, which is not directly connected to the firewall. Instead, LAN2 is reached through an internal router whose address on LAN1 is 192.168.1.1.
Therefore, for the ASA to reach LAN2, we need to configure a static route to tell the firewall that network 192.168.2.0/24 can be accessed through 192.168.1.1.
So we need to configure two static routes. A default static route to access the Internet and an internal static route to LAN2. For directly connected networks (DMZ and LAN1), we do not need to configure a static route because the firewall already knows about these networks as they are directly connected to its interfaces.
Static Route Configuration:
The format of the Static route command is:
ASA(config)# route (interface name) (destination address) (netmask) (gateway)
! First configure a default static route towards the default gateway
ASA(config)# route outside 0.0.0.0 0.0.0.0 200.1.1.1
! Then, configure an internal static route to access LAN2
ASA(config)# route inside 192.168.2.0 255.255.255.0 192.168.1.1
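To make the two rules behind these route commands concrete, here is an added Python example (not code from the original article). It builds the route lines from a small route table and refuses a route whose gateway is not on the connected subnet of the interface it points out of, or whose destination is itself directly connected (the DMZ and LAN1 case above). The interface addresses it assumes are constructed for the example; only the subnets come from the scenario.

```python
"""Build Cisco ASA static-route commands from a declarative route table.

Added example; not code from the original article. The interface
addresses in INTERFACES are assumptions constructed for this example;
only their subnets are taken from the article's scenario.
"""
import ipaddress

# Constructed interface addressing (assumed; the article gives only subnets).
INTERFACES = {
    "outside": ipaddress.ip_interface("200.1.1.2/24"),
    "dmz": ipaddress.ip_interface("10.0.0.1/24"),
    "inside": ipaddress.ip_interface("192.168.1.254/24"),
}

# The static routes the article configures: (interface, destination, gateway).
STATIC_ROUTES = [
    ("outside", "0.0.0.0/0", "200.1.1.1"),
    ("inside", "192.168.2.0/24", "192.168.1.1"),
]


def route_command(iface, destination, gateway, interfaces=INTERFACES):
    """Return one ASA 'route' command, or raise ValueError if it cannot work."""
    if iface not in interfaces:
        raise ValueError(f"unknown interface {iface!r}")
    dest = ipaddress.ip_network(destination)  # strict: host bits must be zero
    gw = ipaddress.ip_address(gateway)
    connected = interfaces[iface].network
    # The ASA must ARP for the next hop, so the gateway has to be a host on
    # the subnet directly connected to that interface (and not the ASA itself).
    if gw not in connected or gw == interfaces[iface].ip:
        raise ValueError(f"gateway {gw} is not a usable next hop on {iface} ({connected})")
    # A directly connected network is already in the table as a 'C' route.
    for name, addr in interfaces.items():
        if dest == addr.network:
            raise ValueError(f"{dest} is directly connected on {name}; no static route needed")
    return f"route {iface} {dest.network_address} {dest.netmask} {gw}"


def build_config(routes=STATIC_ROUTES, interfaces=INTERFACES):
    """Return the 'route' commands for the whole table, in order."""
    return [route_command(i, d, g, interfaces) for i, d, g in routes]


if __name__ == "__main__":
    for cmd in build_config():
        print(cmd)
```

Running it prints exactly the two route commands shown above; a gateway on the wrong interface subnet is rejected before it ever reaches the firewall.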
Verification
Now let’s see how to check the routing table in the ASA device and verify the static route:
ASA# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 200.1.1.1 to network 0.0.0.0

C    192.168.1.0 255.255.255.0 is directly connected, inside
S    192.168.2.0 255.255.255.0 [1/0] via 192.168.1.1, inside
C    200.1.1.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 200.1.1.1, outside
Routes marked "S" are static routes and routes marked "C" are directly connected routes; "S*" is the static candidate default route. The 1/0 after a static route is its administrative distance (1 for a static route) and its metric (0).
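As an added example (not from the original article), the following Python parses this show route output and audits it: it checks that both static routes configured above are present and flags any route learned by a dynamic routing protocol, which the article advises against on a firewall. The sample text is constructed from the table above, with one OSPF route added so the dynamic-route check has something to catch.

```python
"""Parse Cisco ASA 'show route' output and audit the routing table.

Added example; not code from the original article. SAMPLE is constructed
from the table shown in the article, plus one OSPF-learned route that is
not on the page, added to exercise the dynamic-route check.
"""
import ipaddress
import re

SAMPLE = """\
Gateway of last resort is 200.1.1.1 to network 0.0.0.0

C    192.168.1.0 255.255.255.0 is directly connected, inside
S    192.168.2.0 255.255.255.0 [1/0] via 192.168.1.1, inside
C    200.1.1.0 255.255.255.0 is directly connected, outside
O    172.16.0.0 255.255.0.0 [110/20] via 200.1.1.5, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 200.1.1.1, outside
"""

# The static routes the article expects: (interface, destination, gateway).
EXPECTED_STATIC = [
    ("outside", "0.0.0.0/0", "200.1.1.1"),
    ("inside", "192.168.2.0/24", "192.168.1.1"),
]

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# One route line: code, destination (mask or /prefix), then either
# "[AD/metric] via gateway, iface" or "is directly connected, iface".
# Legend lines never match because no IP address follows the code letter.
ROUTE_RE = re.compile(
    rf"^(?P<code>[A-Za-z]\*?(?: (?:IA|E[12]|N[12]|EX|L[12]|ia))?)\s+"
    rf"(?P<dest>{IP}(?:/\d{{1,2}}|\s+{IP}))\s+"
    rf"(?:[\[(](?P<ad>\d+)/(?P<metric>\d+)[\])]\s+via\s+(?P<gw>{IP}),\s+"
    rf"|is directly connected,\s+)(?P<iface>\S+)\s*$"
)


def parse_show_route(text):
    """Return one dict per route line; legend and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dest = m["dest"]
        if "/" not in dest:
            net, mask = dest.split()
            dest = f"{net}/{mask}"  # ipaddress accepts dotted netmasks
        routes.append({
            "code": m["code"],
            "network": ipaddress.ip_network(dest, strict=False),
            "gateway": ipaddress.ip_address(m["gw"]) if m["gw"] else None,
            "iface": m["iface"],
        })
    return routes


def audit(routes, expected_static, allowed_codes=("C", "S", "S*")):
    """Return findings as strings; an empty list means the table is clean."""
    findings = []
    statics = {(r["network"], r["gateway"], r["iface"])
               for r in routes if r["code"].startswith("S")}
    for iface, destination, gateway in expected_static:
        key = (ipaddress.ip_network(destination), ipaddress.ip_address(gateway), iface)
        if key not in statics:
            findings.append(f"missing static route {destination} via {gateway} on {iface}")
    for r in routes:
        if r["code"] not in allowed_codes:
            findings.append(
                f"dynamic route {r['network']} via {r['gateway']} on {r['iface']} "
                f"(code {r['code']}); only static routes were expected")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_route(SAMPLE), EXPECTED_STATIC):
        print(finding)
```

On the constructed sample the audit reports exactly one finding, the OSPF route on the outside interface; a missing or mistyped static route would show up as a second one.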