Cisco Support Community
Community Member

ASA as router

If you set same traffic intra-interface and run a routing protocol, can the ASA re-route traffic, or is that something it does not do under any circumstances?

2 ACCEPTED SOLUTIONS

Accepted Solutions

Re: ASA as router

Hi,

For example, on 8.2 you can run either RIP, OSPF or EIGRP on the ASA, and with the same traffic permit intra-interface, the ASA can reroute traffic back out the same interface on which it received it.

Keep in mind that the routing functionality has its limitations on the ASA, but what you're asking can be done.

Federico.

Hall of Fame Super Blue

Re: ASA as router

whanson wrote:

If you set same traffic intra-interface and run a routing protocol, can the ASA re-route traffic, or is that something it does not do under any circumstances?

Yes, it can be done, and in a very small network with maybe a couple of VLANs it can be used as such.

But the ASA is primarily a firewall and as such lacks a lot of the features of a router, such as a full QoS set, PBR (Policy Based Routing) etc. Personally I don't recommend using an ASA as a router, as it is not designed to do this and can make the configuration quite messy.

Jon

6 REPLIES

Community Member

Re: ASA as router

Thanks to both answers. I know, but here's the scoop. Customer has a main ASA for most folks but bought a cable service and an ASA 5505 for a few others. I could have done what he wanted for certain users by adding policy routing to his core switch but was reluctant to do that because no one ever remembers the whys and wherefores, so I told him to change the default route of those users to the cable ASA and then I would run RIP v2 (what he runs today) to redirect folks back to where they need to go, otherwise send them on their merry way out the cable internet connection. This new system baffles me somewhat so I assume hitting correct answer scores points? Let me know if that's how it's done. Thx again.

Community Member

Re: ASA as router

Let me ask you a question, because internal routing doesn't seem to work. If I have a nat so that traffic to the outside is natted, do I need a nat (inside) 0 so that all internal to internal is not natted?

thx again

Re: ASA as router

To NAT traffic from inside to outside you need:

nat (inside) 1 0 0

global (outside) 1 interface

To bypass NAT, you use:

nat (inside) 0 x.x.x.x  --> Traffic that you want to exempt from NAT.

Federico.

Re: ASA as router

Although the Cisco ASA appliance does not act as a router in the network and has some limitations, Cisco ASA firewalls support both static and dynamic routing. For dynamic routing, the ASA supports RIPv2, OSPF and EIGRP. traffic permit intra-interface allows the ASA to route traffic back out the same interface on which it received it.

See this: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html
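
The pieces discussed in this thread (hairpinning, RIP v2, outbound PAT and NAT exemption for internal traffic), put together as one 8.2-style configuration. This is an added example, not a configuration posted by any participant; the 10.0.0.0/8 addressing, the sample hosts and the ACL name INSIDE_NONAT are assumptions, and the full form of the hairpin command is `same-security-traffic permit intra-interface`.

```cisco
! Added example: ASA 8.2-style (pre-8.3 NAT) syntax.
! Assumption (constructed): every internal network falls inside 10.0.0.0/8.
! Interface names "inside" and "outside" follow the thread.

! Allow traffic to enter and leave the same interface (hairpin).
same-security-traffic permit intra-interface

! RIP v2 on the inside network so the ASA learns the internal routes
! and can send internal destinations back toward the core.
router rip
 network 10.0.0.0
 version 2
 no auto-summary

! Exempt internal-to-internal traffic from NAT (the "nat 0" case).
! ACL name INSIDE_NONAT is hypothetical.
access-list INSIDE_NONAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list INSIDE_NONAT

! PAT everything else to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! If an access-group is applied inbound on "inside", it must also
! permit the internal-to-internal flows, or they are dropped there.

! Verification from privileged EXEC (sample hosts are constructed):
!   show running-config same-security-traffic
!   show route
!   packet-tracer input inside tcp 10.1.10.20 1025 10.2.20.30 80
```

The `packet-tracer` output lists each phase the simulated packet passes through, which shows whether the hairpinned flow is allowed and which NAT rule it matched.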
