
003. ROUTING ON THE ASA

Once you configure an IP address and a subnet mask on an ASA interface, the entire IP subnet used on that interface becomes reachable from the ASA. This is known as a directly connected subnet or route. Before the ASA can forward packets toward other subnets that are not directly connected, it needs additional routing information.


An ASA keeps a table of routes to all IP subnets that are known to it. At a minimum, each route contains an IP subnet, a subnet mask, and the IP address of the next-hop router that can reach the subnet. By default, the routing table is populated with every directly connected subnet, where the next hop is the ASA’s own interface. An ASA can also import routing information into its routing table from the following sources:


Static routes: Routes that are manually configured and do not change.


RIP version 2: Routes learned dynamically from other routers running the Routing Information Protocol version 2 (RIPv2).


EIGRP: Routes learned dynamically from other routers running the Enhanced Interior Gateway Routing Protocol (EIGRP).


OSPF: Routes learned dynamically from other routers running the Open Shortest Path First (OSPF) routing protocol.


An ASA can also advertise routes found in its own routing table to other routers running the RIPv2, EIGRP, and OSPF routing protocols. If multiple routing protocols are used, an ASA can even redistribute routing information from one protocol into another.


STATIC ROUTING ON THE ASA

Static routes are manually configured and are not learned or advertised by default. A static route states that an IP subnet, defined by an IP address and a subnet mask, can be reached by forwarding packets out a specific ASA interface to a next-hop gateway address. By default, a static route receives an administrative distance of 1. You can override this behavior by specifying a distance value of 1 to 255.


As an example, suppose an ASA has its inside interface configured for the 192.168.10.0/24 subnet. The ASA will automatically define a directly connected route to 192.168.10.0 255.255.255.0 using its inside interface. In addition, the subnets 10.0.10.0/24, 10.0.20.0/24, 10.0.30.0/24 and 10.0.30.0/24 can be reached through gateway 192.168.10.2, located on the INSIDE interface. Because these subnets aren’t directly connected, we configure a static route for each of them.


NETWORK TOPOLOGY


ROUTING VERIFICATION

By default, traffic is allowed from an interface with a higher security level to an interface with a lower security level. This means that if static routing is done right, traffic from the ICT, HR, FINANCE and procurement subnets behind the INSIDE interface of the ASA (security level 100) will be allowed to reach the DMZ and OUTSIDE interfaces, which have security levels of 50 and 0 respectively.


Likewise, traffic from the DMZ (security level 50) will be allowed, and statefully inspected, toward the OUTSIDE interface (security level 0). All traffic from a lower security level toward a higher security level, such as from the OUTSIDE interface (security level 0) to the INSIDE interface (security level 100), will be denied regardless of correct routing. So in this demonstration we should see traffic from the INSIDE interface toward the DMZ and OUTSIDE interfaces go through, and traffic from the DMZ interface toward the OUTSIDE interface go through.


In this demo we are going to use a PC in the ICT department to simulate traffic from a higher security level interface towards the DMZ and the OUTSIDE interfaces.
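To make the two ideas above concrete, the following is an added example (not code from the original page, and not Cisco code): a small Python model of how an ASA builds its routing table from directly connected and static routes, performs a longest-prefix lookup with administrative distance as the tie-breaker, and then applies the default security-level policy between the ingress and egress interfaces. The interface names, security levels and addresses are taken from the topology described in the text; the static routes modelled here correspond to ASA commands of the form `route inside 10.0.10.0 255.255.255.0 192.168.10.2`. The hosts 10.0.10.5, 172.16.0.10 and 209.165.200.20 are constructed sample addresses.

```python
# Added example: a model of ASA routing-table lookup plus the default
# interface security-level policy. Not Cisco code; addresses and host
# values below are constructed from the topology in the text.
import ipaddress
from dataclasses import dataclass
from typing import Optional

CONNECTED_DISTANCE = 0   # a directly connected route always wins
STATIC_DISTANCE = 1      # ASA default for a static route (overridable, 1..255)


@dataclass(frozen=True)
class Interface:
    name: str
    network: ipaddress.IPv4Network
    security_level: int


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[ipaddress.IPv4Address]   # None for a connected route
    distance: int


class Asa:
    def __init__(self, interfaces):
        self.interfaces = {i.name: i for i in interfaces}
        # Every interface with an address/mask yields a connected route.
        self.routes = [Route(i.network, i.name, None, CONNECTED_DISTANCE)
                       for i in interfaces]

    def add_static_route(self, iface, prefix, gateway, distance=STATIC_DISTANCE):
        """Models: route <iface> <prefix> <mask> <gateway> [distance]."""
        if iface not in self.interfaces:
            raise ValueError(f"unknown interface {iface}")
        if not 1 <= distance <= 255:
            raise ValueError("static route distance must be 1..255")
        self.routes.append(Route(ipaddress.IPv4Network(prefix), iface,
                                 ipaddress.IPv4Address(gateway), distance))

    def lookup(self, dst):
        """Longest-prefix match; equal prefixes are broken by lowest distance."""
        addr = ipaddress.IPv4Address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.distance))

    def forward(self, src, dst):
        """Return (egress interface, verdict) for a new connection src -> dst.

        Only the default security-level rule is modelled: higher level to
        lower level is permitted, anything else is denied. Same-interface
        (hairpin) and equal-level traffic are denied unless the
        same-security-traffic command is configured, which is not modelled.
        """
        in_route = self.lookup(src)
        out_route = self.lookup(dst)
        if in_route is None or out_route is None:
            return None, "no route"
        in_if, out_if = in_route.interface, out_route.interface
        if in_if == out_if:
            return out_if, "deny"
        if self.interfaces[in_if].security_level > self.interfaces[out_if].security_level:
            return out_if, "permit"
        return out_if, "deny"


def build_demo_asa():
    """Topology from the text: INSIDE 100, DMZ 50, OUTSIDE 0."""
    asa = Asa([
        Interface("inside", ipaddress.IPv4Network("192.168.10.0/24"), 100),
        Interface("dmz", ipaddress.IPv4Network("172.16.0.0/24"), 50),
        Interface("outside", ipaddress.IPv4Network("209.165.200.0/24"), 0),
    ])
    # Department subnets sit behind the INSIDE router at 192.168.10.2.
    for subnet in ("10.0.10.0/24", "10.0.20.0/24", "10.0.30.0/24"):
        asa.add_static_route("inside", subnet, "192.168.10.2")
    return asa


if __name__ == "__main__":
    asa = build_demo_asa()
    for src, dst in (("10.0.10.5", "172.16.0.10"),        # ICT PC -> DMZ
                     ("10.0.10.5", "209.165.200.20"),     # ICT PC -> OUTSIDE
                     ("172.16.0.10", "209.165.200.20"),   # DMZ -> OUTSIDE
                     ("209.165.200.20", "10.0.10.5")):    # OUTSIDE -> ICT PC
        print(src, "->", dst, asa.forward(src, dst))
```

The last case is the one worth noting during verification: the route to 10.0.10.0/24 exists and the lookup finds it, but the connection is still denied because it enters on OUTSIDE (level 0) and would leave on INSIDE (level 100). A correct routing table is necessary for the inside-to-DMZ and inside-to-outside tests to succeed, but it never overrides the security-level policy.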


PC1 (ICT PC) [From 10.0.10.0/24 to 172.16.0.0/24 {DMZ}]


PC1 (ICT PC) [From 10.0.10.0/24 to 209.165.200.0/24 {OUTSIDE}]


DMZ PC TO OUTSIDE PC [From 172.16.0.0/24 to 209.165.200.0/24 {OUTSIDE}]


STATIC ROUTING VERIFICATION OF THE INSIDE ROUTER

We are now going to see the static routing configuration on the INSIDE router as shown in the figure below.


STATIC ROUTING VERIFICATION OF THE ASA FIREWALL


THE END.
