Routing to a wall of fire

–Routing on ASA–

The ASA supports static and dynamic routing protocols. As of ASA code release 8.3 and later, most common routing protocols are supported: OSPF, EIGRP, RIPv2 and static routing are the protocols the ASA can use.

Static Routes

Static routes are entries in the routing table that forward traffic toward a specific network. They are great for deployment in an environment where network traffic is predictable.

route outside 10.86.42.0 255.255.255.0 192.10.14.1

This route sends traffic with a source subnet of 10.86.42.0/24 to the interface named outside, with a next-hop IP of 192.10.14.1. The default administrative distance is 1. This can be changed by appending a different value to the end of the route.

route outside 10.84.42.0 255.255.255.0 192.10.14.1 15

This would change the static route's administrative distance to 15.

Default Route

Default routing is dirty. I will be honest that I do not like it, as you should have control over what is in your routing table. Anyway, to configure one:

route outside 0.0.0.0 0.0.0.0 203.16.84.66
route outside 0 0 203.16.84.66
route outside 0 0 203.16.84.66 distance 5

The above are three ways of implementing a default route. The first sends any network with any mask to 203.16.84.66 if a more specific route is not found in the routing table. The second entry is mainly for brevity; each 0 represents 0.0.0.0. The third entry uses the short form and alters the administrative distance to 5.

Here is the output for the examples above, obtained by issuing the show route command.

ciscoasa(config)# sh route
Gateway of last resort is 203.16.84.66 to network 0.0.0.0
C    203.16.84.0 255.255.255.0 is directly connected, outside
S    10.84.42.0 255.255.255.0 [15/0] via 192.10.14.1, outside
C    192.168.2.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.16.84.66, outside

The static route denoted with an S is the route we manually defined. Also notice the administrative distance we adjusted to 15, shown in the brackets as [15/0]. Note that the S* route is the candidate default route. Any destination that does not have a more specific match earlier in the table is forwarded out the outside interface with the next hop set to 203.16.84.66.

RIP Routing

RIP is a basic distance vector routing protocol. It uses hop count as its metric and is slow to converge. It is subject to split horizon rules and is designed for small networks. Below we confirm that we have received routes by using the show route command on the ASA firewall.

ciscoasa# sh route
Gateway of last resort is not set
C    1.1.1.0 255.255.255.0 is directly connected, Management
R    192.168.0.0 255.255.255.0 [120/1] via 192.168.2.2, 0:00:01, inside
R    192.168.1.0 255.255.255.0 [120/1] via 192.168.2.2, 0:00:01, inside
C    192.168.2.0 255.255.255.0 is directly connected, inside
R    192.168.3.0 255.255.255.0 [120/1] via 192.168.2.2, 0:00:01, inside

Note that the R indicates a RIP route. The administrative distance is 120, which is the default for RIP.

EIGRP Routing

EIGRP configuration on the ASA is very similar to IOS devices. It is configured the same way and it routes the same way, since EIGRP is a Cisco proprietary protocol.

router eigrp 1
network 192.168.2.0 255.255.255.0
no auto-summary

With the above configuration the inside interface has formed an adjacency with one of the core routers. It is important to issue no auto-summary, as EIGRP auto summary is enabled by default. This command allows subnet masks to be passed with routing updates.

The ASDM configuration window resides at Configuration > Device Setup > Routing > EIGRP.

To confirm this, we issue a show route.

ciscoasa# sh route
Gateway of last resort is 203.16.84.66 to network 0.0.0.0
D    172.16.26.0 255.255.255.0 [90/156160] via 192.168.2.2, 0:00:01, inside
D    172.16.20.0 255.255.255.0 [90/156160] via 192.168.2.2, 0:00:01, inside
D    172.16.23.0 255.255.255.0 [90/156160] via 192.168.2.2, 0:00:01, inside
C    203.16.84.0 255.255.255.0 is directly connected, outside
S    10.84.42.0 255.255.255.0 [15/0] via 192.10.14.1, outside
C    192.168.2.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.16.84.66, outside

Note the routes with a D in the routing table. These have been learnt from our core router. A quick show eigrp neighbors reveals some peering info.

ciscoasa# show eigrp neighbors
EIGRP-IPv4 neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.2.2             Gi0              11  00:05:14 1860  5000  0  2

OSPF Routing

OSPF is a widely deployed, open standards protocol which uses a link state algorithm and shortest path first computation. Again, like EIGRP, its deployment on an ASA device is the same as on IOS. The only odd caveat is that it does not use a wildcard mask, unlike most other implementations.

router ospf 1
router-id 1.1.1.10
network 192.168.2.0 255.255.255.0 area 0

As I said before, it is odd that the wildcard mask isn’t used. It isn’t a big adjustment.

The ASDM configuration window resides at Configuration > Device Setup > Routing > OSPF.

Now, to confirm the adjacency, let us check our OSPF neighbour relationship. The first command, which checks the OSPF database, is show ospf database.

ciscoasa# show ospf database
OSPF Router with ID (1.1.1.10) (Process ID 1)
Router Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         142         0x80000002 0x7d75 3
1.1.1.10        1.1.1.10        141         0x80000002 0xb87c 1
Net Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum
192.168.2.2     1.1.1.1         142         0x80000001 0x783f

Here we can see the database exchanging type 1 and type 2 LSAs between Router 1 and ASA1. ASA1’s router ID is 1.1.1.10 and R1’s is 1.1.1.1. With the LSA exchange complete we can check our neighbour relationship with show ospf neighbor.

ciscoasa# show ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DR         0:00:34     192.168.2.2     inside

We can see the neighbour router ID, the state of FULL/DR (fully adjacent, and the neighbour is the Designated Router), the interface address it has, and the interface we are receiving it on. The final command to confirm the routes in our routing table is show route.
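The neighbour tables above (show eigrp neighbors earlier on the page, and show ospf neighbor here) are what you check when an adjacency looks wrong, and they are also the place where an unexpected routing peer would first show up. The following Python is an added example, not code from the original post: it parses both table formats and audits them against an allow-list of expected peer addresses. The sample text is constructed from the page's outputs plus one extra, constructed EIGRP peer (192.168.2.9) that is deliberately absent from the allow-list so the audit has something to flag.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the page's "show eigrp neighbors" output plus one extra
# (constructed) peer, 192.168.2.9, that is not on the expected-peer list.
SAMPLE_EIGRP = """\
ciscoasa# show eigrp neighbors
EIGRP-IPv4 neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.2.2             Gi0              11  00:05:14 1860  5000  0  2
1   192.168.2.9             Gi0              13  00:00:40   10   200  0  5
"""

# Constructed sample taken from the page's "show ospf neighbor" output.
SAMPLE_OSPF = """\
ciscoasa# show ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DR         0:00:34     192.168.2.2     inside
"""

IPV4 = r"\d+(?:\.\d+){3}"

# One EIGRP neighbour row: H, address, interface, hold, uptime, SRTT, RTO, Q count, seq.
# Uptime is matched loosely (\S+) because it can be printed as hh:mm:ss or as 1d02h.
EIGRP_NEIGHBOR_RE = re.compile(
    r"^\s*(?P<h>\d+)\s+(?P<addr>" + IPV4 + r")\s+(?P<iface>\S+)\s+"
    r"(?P<hold>\d+)\s+(?P<uptime>\S+)\s+(?P<srtt>\d+)\s+(?P<rto>\d+)\s+"
    r"(?P<qcnt>\d+)\s+(?P<seq>\d+)\s*$"
)

# One OSPF neighbour row: neighbour ID, priority, state/role, dead time, address, interface.
OSPF_NEIGHBOR_RE = re.compile(
    r"^\s*(?P<nid>" + IPV4 + r")\s+(?P<pri>\d+)\s+(?P<state>\S+)\s+"
    r"(?P<dead>[\d:]+)\s+(?P<addr>" + IPV4 + r")\s+(?P<iface>\S+)\s*$"
)


def parse_eigrp_neighbors(text: str) -> List[Dict[str, str]]:
    """Return one dict per EIGRP neighbour row; header and banner lines are skipped."""
    return [m.groupdict() for m in map(EIGRP_NEIGHBOR_RE.match, text.splitlines()) if m]


def parse_ospf_neighbors(text: str) -> List[Dict[str, str]]:
    """Return one dict per OSPF neighbour row; the header line does not match."""
    return [m.groupdict() for m in map(OSPF_NEIGHBOR_RE.match, text.splitlines()) if m]


def audit_neighbors(eigrp: List[Dict[str, str]], ospf: List[Dict[str, str]],
                    expected_peers: Set[str]) -> Dict[str, List[str]]:
    """Flag peers that are not on the allow-list and OSPF adjacencies that are not up.

    An OSPF neighbour is considered healthy in FULL/<role>; 2WAY/DROTHER is also
    normal on a broadcast segment, because non-DR routers do not become FULL with
    each other. Anything else (INIT, EXSTART, EXCHANGE, LOADING) is reported.
    """
    findings: Dict[str, List[str]] = {"unexpected_eigrp": [], "unexpected_ospf": [], "ospf_not_full": []}
    for peer in eigrp:
        if peer["addr"] not in expected_peers:
            findings["unexpected_eigrp"].append(peer["addr"])
    for nbr in ospf:
        if nbr["addr"] not in expected_peers:
            findings["unexpected_ospf"].append(nbr["addr"])
        state, _, role = nbr["state"].partition("/")
        if state != "FULL" and not (state == "2WAY" and role == "DROTHER"):
            findings["ospf_not_full"].append(f"{nbr['nid']} {nbr['state']}")
    return findings


if __name__ == "__main__":
    result = audit_neighbors(parse_eigrp_neighbors(SAMPLE_EIGRP),
                             parse_ospf_neighbors(SAMPLE_OSPF),
                             expected_peers={"192.168.2.2"})
    for key, items in result.items():
        print(f"{key}: {items}")
```

The allow-list is the piece that turns a parser into a check: on a firewall the set of routers you peer with is small and known, so any new address in either table deserves a look. A non-zero Q Cnt on an EIGRP peer or a neighbour stuck below FULL in OSPF is the usual symptom of an MTU or authentication mismatch rather than anything sinister, but both are worth alerting on.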

ciscoasa# show route
Gateway of last resort is 203.16.84.66 to network 0.0.0.0
C    203.16.84.0 255.255.255.0 is directly connected, outside
S    10.84.42.0 255.255.255.0 [15/0] via 192.10.14.1, outside
O    192.168.51.1 255.255.255.255 [110/11] via 192.168.2.2, 0:00:29, inside
O    192.168.50.1 255.255.255.255 [110/11] via 192.168.2.2, 0:00:29, inside
C    192.168.2.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.16.84.66, outside

Fantastic! Here you see the routes with the O next to them. These are routes learnt via OSPF. Note their administrative distance of 110, which is OSPF’s default.
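Every section so far ends with the same show route check, and the route codes (C, S, S*, R, D, O), the [administrative distance/metric] brackets and the gateway of last resort line are the things being read off each time. The Python below is an added example, not code from the original post, that turns that reading into a reusable parser for the static, RIP, EIGRP and OSPF outputs above. It goes beyond any single section by handling all five codes at once and flagging any route whose administrative distance differs from the protocol default the page lists (1, 120, 90, 110), which is how the adjusted static route with [15/0] shows up. The sample output is constructed by combining lines from the page's own show route captures.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines combined from the show route outputs on the page.
SAMPLE_SHOW_ROUTE = """\
ciscoasa# show route
Gateway of last resort is 203.16.84.66 to network 0.0.0.0
C    203.16.84.0 255.255.255.0 is directly connected, outside
S    10.84.42.0 255.255.255.0 [15/0] via 192.10.14.1, outside
R    192.168.0.0 255.255.255.0 [120/1] via 192.168.2.2, 0:00:01, inside
D    172.16.26.0 255.255.255.0 [90/156160] via 192.168.2.2, 0:00:01, inside
O    192.168.51.1 255.255.255.255 [110/11] via 192.168.2.2, 0:00:29, inside
C    192.168.2.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.16.84.66, outside
"""

# Default administrative distances as stated on the page (connected is 0).
DEFAULT_AD = {"C": 0, "S": 1, "R": 120, "D": 90, "O": 110}

IPV4 = r"\d+(?:\.\d+){3}"

# One routing-table row. Dynamic routes carry [AD/metric], a next hop and an
# optional uptime; connected routes carry "is directly connected" instead.
ROUTE_RE = re.compile(
    r"^\s*(?P<code>[CSRDO])(?P<star>\*)?\s+"
    r"(?P<net>" + IPV4 + r")\s+(?P<mask>" + IPV4 + r")\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>" + IPV4 + r"),\s*(?:[\d:]+,\s*)?"
    r"|is directly connected,\s*)"
    r"(?P<iface>\S+)\s*$"
)
GATEWAY_RE = re.compile(r"Gateway of last resort is (" + IPV4 + r") to network")


@dataclass
class Route:
    code: str                 # C, S, R, D or O as printed in the first column
    candidate_default: bool   # True for the S* entry
    network: str
    mask: str
    ad: Optional[int]         # administrative distance; None for connected routes
    metric: Optional[int]
    next_hop: Optional[str]
    interface: str

    @property
    def prefix_length(self) -> int:
        return ipaddress.IPv4Network((self.network, self.mask)).prefixlen


def parse_show_route(text: str) -> List[Route]:
    """Parse every routing-table row in a show route capture; other lines are ignored."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        routes.append(Route(
            code=m["code"],
            candidate_default=m["star"] is not None,
            network=m["net"],
            mask=m["mask"],
            ad=int(m["ad"]) if m["ad"] else None,
            metric=int(m["metric"]) if m["metric"] else None,
            next_hop=m["nh"],
            interface=m["iface"],
        ))
    return routes


def gateway_of_last_resort(text: str) -> Optional[str]:
    """Return the gateway from the banner line, or None when it reads 'is not set'."""
    m = GATEWAY_RE.search(text)
    return m.group(1) if m else None


def default_routes(routes: List[Route]) -> List[Route]:
    """The S* candidate default route(s)."""
    return [r for r in routes if r.candidate_default]


def non_default_ad(routes: List[Route]) -> List[Route]:
    """Routes whose administrative distance was overridden from the protocol default."""
    return [r for r in routes if r.ad is not None and r.ad != DEFAULT_AD[r.code]]


def routes_by_protocol(routes: List[Route]) -> Dict[str, int]:
    """Count of routes per code; S* is counted under S."""
    counts: Dict[str, int] = {}
    for r in routes:
        counts[r.code] = counts.get(r.code, 0) + 1
    return counts


if __name__ == "__main__":
    table = parse_show_route(SAMPLE_SHOW_ROUTE)
    print("gateway of last resort:", gateway_of_last_resort(SAMPLE_SHOW_ROUTE))
    print("routes per protocol:", routes_by_protocol(table))
    for r in non_default_ad(table):
        print(f"AD override: {r.network}/{r.prefix_length} {r.code} AD {r.ad} (default {DEFAULT_AD[r.code]})")
```

Comparing each route's administrative distance with the protocol default is a cheap sanity check to keep in a config-audit script: a static route with a raised distance is usually a deliberate floating static (as on this page), but the same comparison will also surface an unintended change. The prefix_length property uses the standard library's ipaddress module to convert the dotted mask the ASA prints into the /24 or /32 notation most people read.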

Multicast Routing

Multicast network traffic is the quiet achiever. It is taken for granted, yet so many of our current applications leverage it. It is great for scalability and delivers traffic efficiently in one-to-many situations. The ASA appliance can act as either an IGMP proxy or a PIM-SM Rendezvous Point. By default, multicast routing is disabled on the ASA.

multicast-routing

The CLI command above enables multicast routing globally. The ASDM configuration window resides at Configuration > Device Setup > Routing > Multicast; select Enable Multicast Routing. Once multicast routing has been enabled you can configure the other multicast options. To enable IGMP forwarding, issue the following command.

igmp forward interface dmz20

The ASDM configuration window resides at Configuration > Device Setup > Routing > Multicast > IGMP > Protocol. Select the interface you want to enable it on.
