Route statements in ASA

JohnTylerPearce
Level 7

If your inside interface has an IP address of x.110.215.17 and you have the following route statements:

route inside x.110.208.0 255.255.255.0 x.110.215.17

route inside x.110.209.0 255.255.255.0 x.110.215.17

route inside x.110.210.0 255.255.255.0 x.110.215.17

I'm assuming this means that anything coming into the ASA for the networks listed will be routed to the inside interface via x.110.215.17?

Note that the inside interface and the next hop on the route statements are the same.


ajay chauhan
Level 7

That will not work in the ASA. Putting a route towards inside means you have some other network device in the inside zone. Say you have a router which has IP address x.110.215.18 and has 208.0/209.0/210.0 behind it; then from your ASA the route would be:

route inside x.110.208.0 255.255.255.0 x.110.215.18   <-- This will be the next hop. The inside/dmz keyword indicates where your next hop for the route is.

Thanks

Ajay

John,

It does not work to specify a route statement which points to your own interface address. The route statement needs to point at the next hop IP address.

HTH

Rick

That's basically what I thought, Richard. But for some reason, this ASA is in production and it is working. We have several other networks that are internal to our company, but they all have next-hop IPs of the inside interface. My predecessor has configured around 98% of all of our ASAs and this just didn't make sense to me.

Patrick0711
Level 3

You CAN successfully route traffic to the inside interface IP address. The ASA will broadcast ARP requests over the internal subnet range and look for responses from addresses that fall outside of the defined range.

For example:

Ethernet0/1              inside                 10.10.10.1      255.255.255.0   manual

route inside 10.10.20.0 255.255.255.0 10.10.10.1

The ASA will broadcast ARP requests for any 10.10.20.X address over the internal 10.10.10.X range.

So basically the ASA will send ARP requests for network 10.10.20.0/24 to 10.10.10.0/24 and look for responses that fall outside of 10.10.10.0? Well, since ARP is a broadcast, how would it receive a response for 10.10.20.x on 10.10.10.x?

Does it rely on proxy ARP?

I should have been more technically correct in my last update. The ARP request has nothing to do with the 10.10.10.0/24 IP range but rather the layer 2 VLAN associated with the inside interface behind the device. By adding the route statement pointing to the inside interface, the ASA will broadcast an ARP request to all the hosts within the VLAN.

So,

Ethernet0/1              inside                 10.10.10.1      255.255.255.0   manual

route inside 10.10.20.0 255.255.255.0 10.10.10.1

- A request is made for 10.10.20.20; the ASA will generate something similar to the following:

arp-req: generating request for 10.10.20.20 at interface inside

arp-send: arp request built from 10.10.10.1 0015.46e7.8d55 for 10.10.20.20 at 53392994170

So if it is connected to a trunk port which had VLANs 2 to 5, it would send out an ARP on VLANs 2 to 5?

Accepted solution:

The ARP request would only be sent out on the VLAN associated with the segment defined in the route statement.
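To make the resolution behaviour discussed in this thread concrete, here is an added simulation (written for this page; it is not ASA code and not from any of the posters) of how a firewall decides which address it ARPs for: a connected destination, or a route whose next hop is the egress interface's own address, is ARPed for directly on that interface's VLAN, whereas a route to a real gateway is ARPed for by the gateway's address. The addresses, MACs, the hypothetical proxy-ARP router at 10.10.10.18 and the helper names (`arp_target`, `arp_reply`, `resolve`) are all assumptions constructed for the example.

```python
"""Simulate next-hop resolution for a static route whose next hop is the
firewall's own interface address (the case debated in the thread above).

Hypothetical model written for this page, not ASA code. All addresses,
MACs and the proxy-ARP router are constructed sample data."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    addr: ipaddress.IPv4Interface          # e.g. 10.10.10.1/24


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    next_hop: ipaddress.IPv4Address


@dataclass
class VlanHost:
    """A host on the interface VLAN; proxy_for lists prefixes it answers ARP for."""
    ip: ipaddress.IPv4Address
    mac: str
    proxy_for: list = field(default_factory=list)


def lookup(routes, dst):
    """Longest-prefix match over the static routes; None if nothing matches."""
    candidates = [r for r in routes if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def arp_target(interfaces, routes, dst):
    """Return (interface_name, address_to_arp_for), or None when unroutable.

    When the selected route's next hop equals the egress interface's own
    address, the destination is treated as directly reachable and the
    firewall ARPs for the destination itself on that interface's VLAN."""
    for ifc in interfaces:
        if dst in ifc.addr.network:
            return ifc.name, dst            # connected route
    route = lookup(routes, dst)
    if route is None:
        return None
    ifc = next(i for i in interfaces if i.name == route.iface)
    if route.next_hop == ifc.addr.ip:
        return ifc.name, dst                # next hop is self: ARP for dst
    return ifc.name, route.next_hop         # normal case: ARP for the gateway


def arp_reply(vlan_hosts, target):
    """Broadcast ARP on the VLAN: a host answers for its own IP, or for any
    prefix it proxy-ARPs for. Returns the answering MAC, or None (no reply)."""
    for h in vlan_hosts:
        if h.ip == target or any(target in p for p in h.proxy_for):
            return h.mac
    return None


def resolve(interfaces, routes, vlan_hosts, dst):
    """End to end: egress interface, the IP that is ARPed for, and the MAC
    that answers (None means the packet cannot be delivered)."""
    dst = ipaddress.IPv4Address(dst)
    hit = arp_target(interfaces, routes, dst)
    if hit is None:
        return None
    name, target = hit
    return name, str(target), arp_reply(vlan_hosts, target)


# Constructed topology matching the thread's example.
INSIDE = Interface("inside", ipaddress.IPv4Interface("10.10.10.1/24"))
ROUTER = VlanHost(ipaddress.IPv4Address("10.10.10.18"), "00:11:22:33:44:18",
                  proxy_for=[ipaddress.IPv4Network("10.10.20.0/24")])
PLAIN_HOST = VlanHost(ipaddress.IPv4Address("10.10.10.50"), "00:11:22:33:44:50")
VLAN = [ROUTER, PLAIN_HOST]

# The questionable form: next hop equals the inside interface address.
ROUTE_TO_SELF = [Route(ipaddress.IPv4Network("10.10.20.0/24"), "inside",
                       ipaddress.IPv4Address("10.10.10.1"))]
# The form the other replies recommend: next hop is the downstream router.
ROUTE_TO_ROUTER = [Route(ipaddress.IPv4Network("10.10.20.0/24"), "inside",
                         ipaddress.IPv4Address("10.10.10.18"))]

if __name__ == "__main__":
    print(resolve([INSIDE], ROUTE_TO_SELF, VLAN, "10.10.20.20"))
    print(resolve([INSIDE], ROUTE_TO_SELF, [PLAIN_HOST], "10.10.20.20"))
    print(resolve([INSIDE], ROUTE_TO_ROUTER, VLAN, "10.10.20.20"))
```

Running it shows the practical caveat behind the accepted answer: with the next hop set to the interface IP, traffic for 10.10.20.0/24 is only delivered if some host on the inside VLAN answers ARP for those addresses (typically a router doing proxy ARP); if nothing answers, the packets go nowhere even though the route exists. Pointing the route at the router's own address, as the other replies recommend, removes that dependency on whoever happens to answer the broadcast.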

Thanks for the help everybody!
