ASA as router

whanson
Level 2

If you set same traffic intra-interface and run a routing protocol, can the ASA re-route traffic or is it something it does not do under any circumstances?

Accepted Solutions

Hi,

For example, on 8.2 you can run either RIP, OSPF or EIGRP on the ASA, and with the same traffic permit intra-interface, the ASA can reroute traffic back out the same interface on which it received it.

Keep in mind that the routing functionality has its limitations on the ASA, but what you're asking can be done.

Federico.


Jon Marshall
Hall of Fame

whanson wrote:

If you set same traffic intra-interface and run a routing protocol, can the ASA re-route traffic or is it something it does not do under any circumstances?

Yes, it can be done, and in a very small network with maybe a couple of VLANs it can be used as such.

But the ASA is primarily a firewall and as such lacks a lot of the features of a router, such as a full QoS set, PBR (Policy Based Routing), etc. Personally I don't recommend using an ASA as a router, as it is not designed to do this and it can make the configuration quite messy.

Jon


6 Replies

Thanks to both answers. I know, but here's the scoop. The customer has a main ASA for most folks but bought a cable service and an ASA 5505 for a few others. I could have done what he wanted for certain users by adding policy routing to his core switch, but was reluctant to do that because no one ever remembers the whys and wherefores, so I told him to change the default route of those users to the cable ASA and then I would run RIP v2 (what he runs today) to redirect folks back to where they need to go, otherwise send them on their merry way out the cable internet connection. This new system baffles me somewhat, so I assume hitting correct answer scores points? Let me know if that's how it's done. Thx again.

Let me ask you a question because internal routing doesn't seem to work. If I have a NAT so that traffic to the outside is NATted, do I need a nat (inside) 0 so that all internal to internal is not NATted?

Thx again.

To NAT traffic from inside to outside you need:

nat (inside) 1 0 0

global (outside) 1 interface

To bypass NAT, you use:

nat (inside) 0 x.x.x.x  --> Traffic that you want to exempt from NAT.

Federico.

francisco_1
Level 7

Although the Cisco ASA appliance does not act as a router in the network and has some limitations, Cisco ASA firewalls support both static and dynamic routing. For dynamic routing, the ASA supports RIPv2, OSPF and EIGRP. traffic permit intra-interface allows the ASA to route traffic back out the same interface on which it received it.

See this: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html
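The pieces discussed in this thread, put together as an added example for ASA 8.2 syntax (not posted by any participant): hairpin routing on the inside interface, RIP v2, NAT exemption for internal-to-internal traffic, and PAT for Internet-bound traffic. The addresses, the interface names and the ACL name NONAT are constructed assumptions, as is the use of an access-list form of `nat (inside) 0`.

```cisco
! --- Constructed addressing (assumption, not from the thread) ---
!   inside LAN served by this ASA : 192.168.10.0/24
!   other internal networks        : 10.0.0.0/8, reached via the core switch
!   outside                        : cable Internet connection

! Allow traffic to enter and leave through the same interface (hairpin).
! Full form of the command the thread abbreviates as
! "same traffic permit intra-interface".
same-security-traffic permit intra-interface

! Learn the internal routes from the existing RIP v2 domain.
router rip
 network 192.168.10.0
 version 2
 no auto-summary

! NAT exemption: internal-to-internal traffic keeps its real addresses.
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list NONAT

! Everything else from inside is PATed to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- Verification (run from privileged EXEC, not config mode) ---
! Confirm the internal prefixes were learned via RIP on the inside interface:
!   show route
! Simulate a hairpinned flow and check that it hits the NAT-exempt rule
! and exits inside (constructed host addresses and ports):
!   packet-tracer input inside tcp 192.168.10.50 12345 10.1.1.10 80
! Simulate an Internet-bound flow and check that it is PATed out outside:
!   packet-tracer input inside tcp 192.168.10.50 12345 198.51.100.10 80
```

The ASA still applies its access lists and inspection to hairpinned flows, so the packet-tracer output is the quickest way to see which rule drops a flow when internal routing does not work.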
