Although the Cisco ASA appliance does not act as a router in the network, it still has a routing table and it is essential to configure static or dynamic routing in order for the appliance to know where to send packets.
When a packet arrives to a network interface on the ASA firewall, the packet undergoes several security controls, such as ACL filtering, NAT, deep-packet inspection etc.
Routing Support on ASA
After the packet passes all firewall controls, the security appliance needs to send the packet to its destination address. It therefore checks its routing table to determine the outgoing interface where the packet will be sent.
Cisco ASA firewalls support both static and dynamic routing. For dynamic routing, the ASA supports RIPv2, EIGRP and OSPF.
I recommend not to use dynamic routing though and stick with just static routes. The reason is that one of the purposes of a firewall is to hide your internal trusted network addressing and topology. By configuring dynamic routing support, you might be advertising routes to untrusted networks thus exposing your network to threats.
Cisco ASA Static Route Configuration
The scenario in the diagram above will help us understand how to configure static routing.
The ASA connects to the internet on the outside and also has a DMZ and Internal zones. The default gateway towards the ISP is 184.108.40.206. The DMZ network is 10.0.0.0/24 and the internal LAN1 network is 192.168.1.0/24.
LAN1 is directly connected to the Inside interface of the firewall. Additionally, there is another internal network, namely LAN2, with network 192.168.2.0/24. LAN2 is not directly connected to the firewall. Rather, there is an internal router with address 192.168.1.1 through which we can reach LAN2.
Therefore, in order for the ASA to reach network LAN2, we need to configure a static route to tell the firewall that network 192.168.2.0/24 can be reached via 192.168.1.1.
So we need to configure two static routes. One Default Static route for Internet access, and one internal static route to reach network LAN2. For directly connected networks (DMZ and LAN1) we don’t need to configure a static route since the firewall already knows about these networks as they are directly connected to its interfaces.
Static Route Configuration:
The format of the static route command is:
ASA(config)# route [interface name] [destination address] [netmask] [gateway]
! First configure a default static route towards the default gateway
ASA(config)# route outside 0.0.0.0 0.0.0.0 220.127.116.11
! Then configure an internal static route to reach network LAN2
ASA(config)# route inside 192.168.2.0 255.255.255.0 192.168.1.1
- Configuring AAA Authentication-Authorization-Accounting on Cisco ASA Firewall
- Cisco ASA as DHCP Server with Multiple Internal LANs (Configuration)
- Cisco ASA Firewall with PPPoE (Configuration Example on 5505)
- Allowing Microsoft PPTP through Cisco ASA (PPTP Passthrough)
- Configuring site-to-site IPSEC VPN on ASA using IKEv2