11-28-2011 01:17 PM - edited 03-11-2019 02:56 PM
If your inside interface has an IP address of x.110.215.17 and you have the following route statements:
route inside x.110.208.0 255.255.255.0 x.110.215.17
route inside x.110.209.0 255.255.255.0 x.110.215.17
route inside x.110.210.0 255.255.255.0 x.110.215.17
I'm assuming this means that anything coming into the ASA for the networks listed will be routed to the inside interface via x.110.215.17?
Note that the inside interface and the next hop on the route statements are the same.
11-28-2011 01:28 PM
That will not work in the ASA. Putting a route towards inside means you have some other network device in the Inside zone. Say you have a router which has the IP address x.110.215.18 and has 208.0/209.0/210.0 behind it; then from your ASA the route would be:
route inside x.110.208.0 255.255.255.0 x.110.215.18 <- This will be the next hop. The inside/dmz keyword indicates where your next hop for the route is.
Thanks
Ajay
11-28-2011 02:04 PM
John
It does not work to specify a route statement which points to your own interface address. The route statement needs to point at the next hop IP address.
HTH
Rick
11-28-2011 02:40 PM
That's basically what I thought, Richard. But for some reason, this ASA is in production and it is working. We have several other networks that are internal to our company, but they all have next-hop IPs of the inside interface. My predecessor has configured around 98% of all of our ASAs and this just didn't make sense to me.
11-28-2011 05:48 PM
You CAN successfully route traffic to the inside interface IP address. The ASA will broadcast ARP requests over the internal subnet range and look for responses from addresses that fall outside of the defined range.
For example:
Ethernet0/1 inside 10.10.10.1 255.255.255.0 manual
route inside 10.10.20.0 255.255.255.0 10.10.10.1
The ASA will broadcast ARP requests for any 10.10.20.X address over the internal 10.10.10.X range.
11-28-2011 06:14 PM
So basically the ASA will send ARP requests for network 10.10.20.0/24 to 10.10.10.0/24 and look for responses that fall outside of 10.10.10.0? Well, since ARP is a broadcast, how would it receive a response for 10.10.20.x on 10.10.10.x?
Does it rely on Proxy ARP?
11-28-2011 06:26 PM
I should have been more technically correct in my last update. The ARP request has nothing to do with the 10.10.10.0/24 IP range but rather, the layer 2 VLAN associated with the inside interface behind the device. By adding the route statement pointing to the inside interface, the ASA will broadcast an ARP request to all the hosts within the VLAN.
So,
Ethernet0/1 inside 10.10.10.1 255.255.255.0 manual
route inside 10.10.20.0 255.255.255.0 10.10.10.1
When a request is made for 10.10.20.20, the ASA will generate something similar to the following:
arp-req: generating request for 10.10.20.20 at interface inside
arp-send: arp request built from 10.10.10.1 0015.46e7.8d55 for 10.10.20.20 at 53392994170
11-28-2011 07:07 PM
So if it is connected to a trunk port which had vlans 2 to 5, it would send out an arp on vlans 2 to 5?
11-28-2011 08:19 PM
The ARP request would only be sent out on the VLAN associated with the segment defined in the route statement
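As an added illustration (not part of the thread and not Cisco's code), here is a small Python model of the lookup the replies above describe: longest-prefix match over the static and connected routes, then ARP for the next hop on the route's interface, unless the next hop is that interface's own address, in which case the ASA ARPs for the destination host itself, as in the debug lines quoted earlier. The interface addresses and route lines are constructed for the example. It also includes a small audit helper that lists the self-pointing routes, which is the check you would run on a production config before relying on whatever device on the inside VLAN is answering those ARPs.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str                          # ASA nameif, e.g. "inside"
    address: ipaddress.IPv4Interface   # interface IP with its mask


@dataclass(frozen=True)
class StaticRoute:
    interface: str
    network: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address


def parse_route(line: str) -> StaticRoute:
    """Parse an ASA-style 'route <nameif> <network> <mask> <gateway>' line."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a route statement: {line!r}")
    _, ifname, net, mask, gw = parts[:5]
    # strict=False tolerates a network written with host bits set.
    return StaticRoute(ifname,
                       ipaddress.IPv4Network(f"{net}/{mask}", strict=False),
                       ipaddress.IPv4Address(gw))


def lookup(table, dst: ipaddress.IPv4Address):
    """Longest-prefix match over the routing table; None if nothing matches."""
    best = None
    for r in table:
        if dst in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def arp_target(interfaces, routes, dst):
    """Return (interface name, address the ASA will ARP for) for destination dst.

    Connected networks are modelled as routes whose next hop is the interface
    itself. When the chosen route's next hop equals the egress interface's own
    address there is no gateway to resolve, so the ARP request is for the
    destination host, sent on that interface's segment.
    """
    dst = ipaddress.IPv4Address(dst)
    by_name = {i.name: i for i in interfaces}
    table = list(routes) + [StaticRoute(i.name, i.address.network, i.address.ip)
                            for i in interfaces]
    r = lookup(table, dst)
    if r is None:
        return None
    egress = by_name[r.interface]
    target = dst if r.next_hop == egress.address.ip else r.next_hop
    return (r.interface, target)


def arp_debug_line(interfaces, routes, dst) -> str:
    """Render the decision in the format of the arp-req debug line quoted in the thread."""
    hit = arp_target(interfaces, routes, dst)
    if hit is None:
        return f"no route to {dst}"
    ifname, target = hit
    return f"arp-req: generating request for {target} at interface {ifname}"


def self_pointing_routes(interfaces, routes):
    """Audit helper: static routes whose next hop is the egress interface's own address."""
    own = {i.name: i.address.ip for i in interfaces}
    return [r for r in routes if own.get(r.interface) == r.next_hop]


# Constructed sample configuration (hypothetical addresses, not from the thread).
INTERFACES = [
    Interface("inside", ipaddress.IPv4Interface("10.10.10.1/24")),
    Interface("outside", ipaddress.IPv4Interface("203.0.113.2/30")),
]
ROUTE_LINES = [
    "route inside 10.10.20.0 255.255.255.0 10.10.10.1",    # next hop = inside's own IP
    "route inside 10.10.30.0 255.255.255.0 10.10.10.254",  # next hop = a real router
    "route outside 0.0.0.0 0.0.0.0 203.0.113.1",           # default route
]
ROUTES = [parse_route(line) for line in ROUTE_LINES]

if __name__ == "__main__":
    for d in ("10.10.20.20", "10.10.30.5", "10.10.10.77", "8.8.8.8"):
        print(arp_debug_line(INTERFACES, ROUTES, d))
    for r in self_pointing_routes(INTERFACES, ROUTES):
        print(f"audit: route {r.interface} {r.network} points at the interface's own address {r.next_hop}")
```

The model cannot tell you who answers those per-host ARP requests on the inside VLAN; that is either the hosts themselves or a downstream router doing proxy ARP. On the production ASA, `show arp` after traffic to one of those networks has flowed shows which MAC address is replying for the 10.10.20.x entries, which is the quickest way to confirm what the predecessor's configuration is actually relying on.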
11-29-2011 02:06 AM
Thanks for the help everybody!