Question regarding ASA static routes

Answered Question
Jul 3rd, 2012

Hi,

I am trying to configure static routes on the ASA. The network diagram is:

RTR1 -- ASA -- NetVX -- Switch

This is the design, the ASA also has a different internet connection. This is just the voice traffic.

RTR1 - 172.10.x.x - inside interface; the outside interface is connected to the internet

NetVX - 172.21.x.x - outside IP address connected to the ASA

ASA - inside(connected to netVX) - 172.21.x.x

ASA - outside (connected to router) - 172.10.x.x

I don't have to worry about NetVX sending traffic to the internal network.

I have to route the traffic from NetVX to RTR1 over the ASA. Also, NetVX has to know the external routes which are on RTR1, which would be 123.x.x.x. Also, open voice ports between these two through the ASA.

Do I need to do any static routes, or since they are directly connected, I don't need to?

Also, for the external routes on RTR1, I was thinking to have: route RTR1 123.x.x.x 255.x.x.x 172.10.x.x

Any help would be really appreciated.

Thanks

Correct Answer
Jennifer Halim Tue, 07/03/2012 - 19:08

A few things to consider with ASA:

1) Assuming that inside has security level 100 (or at least a higher level than outside) and you don't want to NAT the traffic, you would need to configure NAT exemption (nonat with ACL) or static NAT to itself:

eg:

static (inside,outside) 172.21.0.0 172.21.0.0 netmask 255.255.0.0

2) If you need to allow traffic from outside to inside, then you would need to configure access-list and apply that on the outside interface.

3) If you don't NAT, then you would need a static route on NetVX to reach the RTR1 network, unless the default gateway is the ASA inside interface. The same applies to RTR1: if you need to access the NetVX network, you would need a static route for the NetVX network on RTR1 pointing to the ASA outside interface IP.

DivsGathe Tue, 07/03/2012 - 19:23

Hi Jennifer,

Thanks for replying.

I am working on the third scenario. RTR1 has the ASA outside interface IP. NetVX reaches RTR1 through the ASA inside interface. Do I need any other static routes for them to communicate? Or, since they are directly connected, is there no need?

So my question is:

1. RTR1 has some external routes which NetVX needs to access. I have configured static routes on the ASA to reach these via the ASA outside IP. Is that right?

2. I am not doing any kind of NAT on these interfaces; do I need to do NAT exemption?

3. I need to allow VoIP traffic between these two interfaces; what kind of access-lists do I need to create?

I am a bit new to ASA, so these might be basic questions...

Thanks a lot for your help.

Correct Answer
Jennifer Halim Tue, 07/03/2012 - 19:50

As far as the ASA is concerned, they are directly connected. But as far as RTR1 and NetVX are concerned, they are not directly connected. On the ASA, you do not need any other static routes.

1. Where does the ASA default gateway point to? If the ASA default route points to RTR1, then you do not need static routes on the ASA for the RTR1 external routes. If the ASA default route does not point to RTR1, then yes, you would need to configure static routes for those external routes on the ASA, pointing to RTR1.

2. Yes, you will need NAT exemption. You can configure static NAT to itself. What version of ASA are you running?

3. Which VoIP protocols are you using? SIP? H323? Skinny? I would allow IP between the subnets/hosts that you need to start with, and then restrict it further once you have it working. This is to ensure that routing and NAT work fine, and you can concentrate on the access-list after everything works.

DivsGathe Tue, 07/03/2012 - 20:02

Hi Jennifer,

The ASA default gateway is set to a different router. So:

1. I would create static routes on the ASA to RTR1.

2. NAT exemption has to be created; the version is 8.4(3).

3. An access-list allowing ip on the interfaces:

access-list netvx permit ip 172.21.0.0 255.255.255.0 172.10.0.0 255.255.255.252

access-group netvx out interface eth0/2

access-list rtr1 permit ip 172.10.0.0 255.255.255.252 172.21.0.0 255.255.255.0

access-group rtr1 in interface eth0/1

The VoIP traffic to be allowed is the UDP ports.

Are the access lists okay? Anything I'm missing?

Correct Answer
Jennifer Halim Tue, 07/03/2012 - 20:09

1. Correct

2. Correct

3. Access list is correct, but for netvx you would need to apply it in the "in" direction, not "out":

access-group netvx in interface netvx
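The thread above settles three things (a static route to RTR1's external prefix, NAT exemption, and inbound ACLs), but the `static (inside,outside)` exemption shown earlier is pre-8.3 syntax and the poster is on 8.4(3), where exemption is a twice-NAT identity rule. The following is an added, self-contained ASA 8.4 configuration for this topology, written for this page and not taken from the thread or from either poster. The interface names (`netvx`, `rtr1`), the addresses (inside 172.21.0.1/24, outside 172.10.0.2/30, RTR1 172.10.0.1), the object names and the external prefix `123.0.0.0/8` are all assumptions; the external prefix in particular is a placeholder for whatever RTR1 actually advertises:

```cisco
! Added example, not the posters' configuration. All addresses, interface names
! and object names below are assumed; 123.0.0.0/8 is a placeholder for the real
! RTR1 external routes (123.x.x.x in the thread).
interface Ethernet0/2
 nameif netvx
 security-level 100
 ip address 172.21.0.1 255.255.255.0
!
interface Ethernet0/1
 nameif rtr1
 security-level 0
 ip address 172.10.0.2 255.255.255.252
!
! 1. The default route goes to the other internet router, so RTR1's external
!    prefix needs its own static route out the rtr1 interface via RTR1.
route rtr1 123.0.0.0 255.0.0.0 172.10.0.1
!
! 2. NAT exemption on 8.4(3): the pre-8.3 "static (inside,outside) x x" becomes a
!    twice-NAT identity rule. no-proxy-arp stops the ASA answering ARP for the
!    real subnets; route-lookup makes it use the routing table for the egress
!    interface instead of the NAT rule, which matters once more routes exist.
object network NETVX-LAN
 subnet 172.21.0.0 255.255.255.0
object network RTR1-LINK
 subnet 172.10.0.0 255.255.255.252
object network RTR1-EXTERNAL
 subnet 123.0.0.0 255.0.0.0
object-group network RTR1-SIDE
 network-object object RTR1-LINK
 network-object object RTR1-EXTERNAL
nat (netvx,rtr1) source static NETVX-LAN NETVX-LAN destination static RTR1-SIDE RTR1-SIDE no-proxy-arp route-lookup
!
! 3. Start with "permit ip" as advised in the thread, applied in the "in"
!    direction on each interface, then tighten to the signalling and RTP ports
!    the NetVX actually uses once calls work. Each ACL ends in an implicit deny,
!    so nothing else crosses between these two interfaces.
access-list netvx extended permit ip 172.21.0.0 255.255.255.0 object-group RTR1-SIDE
access-group netvx in interface netvx
access-list rtr1 extended permit ip object-group RTR1-SIDE 172.21.0.0 255.255.255.0
access-group rtr1 in interface rtr1
!
! Verification without sending real traffic: packet-tracer reports the route
! lookup, the NAT rule hit (should be the identity rule, untranslated) and the
! ACL decision for a simulated flow in each direction.
packet-tracer input netvx udp 172.21.0.10 5060 123.1.1.1 5060
packet-tracer input rtr1 udp 123.1.1.1 5060 172.21.0.10 5060
```

If the packet-tracer output shows a NAT phase translating the source, the identity rule is not matching (usually an object or interface-pair mismatch); if it drops at the ACL phase, the access-group is applied in the wrong direction or on the wrong interface, which is exactly the "out" versus "in" mistake corrected above.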

DivsGathe Tue, 07/03/2012 - 20:17

Hi,

Thanks a lot. I shall let you know once I am done testing. :))

Posted July 3, 2012 at 3:35 PM