Route statements in ASA

If your inside interface has an IP address of x.110.215.17 and you have the following route statements:

route inside x.110.208.0 255.255.255.0 x.110.215.17

route inside x.110.209.0 255.255.255.0 x.110.215.17

route inside x.110.210.0 255.255.255.0 x.110.215.17

I'm assuming this means that anything coming into the ASA for the networks listed will be routed to the inside interface via x.110.215.17?

Note that the inside interface and the next hop on the route statements are the same.

Accepted Solutions
Bronze

Route statements in ASA

The ARP request would only be sent out on the VLAN associated with the segment defined in the route statement

9 REPLIES

Route statements in ASA

That will not work in ASA. Putting a route towards inside means you have other network devices in the inside zone. Say you have a router which has the IP address x.110.215.18 and has 208.0/209.0/210.0 behind it; then the route on your ASA would be:

route inside x.110.208.0 255.255.255.0 x.110.215.18 < This will be the next hop. Putting the inside/dmz keyword indicates where your next hop for the route is.

Thanks

Ajay

Hall of Fame Super Silver

Route statements in ASA

John

It does not work to specify a route statement which points to your own interface address. The route statement needs to point at the next hop IP address.

HTH

Rick

Route statements in ASA

That's basically what I thought, Richard. But for some reason, this ASA is in production and it is working. We have several other networks that are internal to our company but they all have next-hop IPs of the inside interface. My predecessor has configured around 98% of all of our ASAs and this just didn't make sense to me.

Bronze

Re: Route statements in ASA

You CAN successfully route traffic to the inside interface IP address. The ASA will broadcast ARP requests over the internal subnet range and look for responses from addresses that fall outside of the defined range.

For example:

Ethernet0/1              inside                 10.10.10.1      255.255.255.0   manual

route inside 10.10.20.0 255.255.255.0 10.10.10.1

The ASA will broadcast ARP requests for any 10.10.20.X address over the internal 10.10.10.X range,

Route statements in ASA

So basically the ASA will send ARP requests for network 10.10.20.0/24 to 10.10.10.0/24 and look for responses that fall outside of 10.10.10.0? Well, since ARP is a broadcast, how would it receive a response for 10.10.20.x on 10.10.10.x?

Does it rely on Proxy ARP?

Bronze

Route statements in ASA

I should have been more technically correct in my last update. The ARP request has nothing to do with the 10.10.10.0/24 IP range but rather, the layer 2 VLAN associated with the inside interface behind the device. By adding the route statement pointing to the inside interface, the ASA will broadcast an ARP request to all the hosts within the VLAN.

So,

Ethernet0/1              inside                 10.10.10.1      255.255.255.0   manual

route inside 10.10.20.0 255.255.255.0 10.10.10.1

-A request is made for 10.10.20.20, the ASA will generate something similar to the following:

arp-req: generating request for 10.10.20.20 at interface inside

arp-send: arp request built from 10.10.10.1 0015.46e7.8d55 for 10.10.20.20 at 53392994170

Route statements in ASA

So if it is connected to a trunk port which had vlans 2 to 5, it would send out an arp on vlans 2 to 5?

Bronze

Route statements in ASA

The ARP request would only be sent out on the VLAN associated with the segment defined in the route statement

Route statements in ASA

Thanks for the help everybody!
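
An added example, not code from any poster in this thread: a small Python audit that reads ASA running-config text and flags static routes whose next hop is the ASA's own interface address, the pattern discussed above. It also flags next hops outside the interface's connected subnet, which goes beyond the thread. The sample config is constructed from the thread's 10.10.10.1 example; the function names and verdict labels are hypothetical, and gateways are assumed to be literal IPv4 addresses.

```python
import ipaddress
import re

# Constructed sample config, built around the thread's 10.10.10.1 example.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 10.10.10.1 255.255.255.0
!
route inside 10.10.20.0 255.255.255.0 10.10.10.1 1
route inside 10.10.30.0 255.255.255.0 10.10.10.254 1
route inside 10.10.40.0 255.255.255.0 10.99.0.1 1
"""

def parse_interfaces(config):
    """Map each nameif to the ip_interface configured in its block."""
    interfaces, name = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            name = None  # an unindented line ends the interface block
        s = line.split()
        if s[:1] == ["nameif"] and len(s) == 2:
            name = s[1]
        elif s[:2] == ["ip", "address"] and name and len(s) >= 4:
            interfaces[name] = ipaddress.ip_interface(f"{s[2]}/{s[3]}")
    return interfaces

def audit_routes(config):
    """Return (route_line, verdict) for every static route statement."""
    interfaces = parse_interfaces(config)
    findings = []
    for m in re.finditer(r"^route (\S+) \S+ \S+ (\S+).*$", config, re.M):
        ifname, gw = m.group(1), ipaddress.ip_address(m.group(2))
        iface = interfaces.get(ifname)
        if iface is None:
            verdict = "unknown-interface"
        elif gw == iface.ip:
            verdict = "next-hop-is-own-address"  # the case in this thread
        elif gw not in iface.network:
            verdict = "next-hop-off-subnet"
        else:
            verdict = "ok"
        findings.append((m.group(0).strip(), verdict))
    return findings

if __name__ == "__main__":
    for route, verdict in audit_routes(SAMPLE_CONFIG):
        print(f"{verdict:24} {route}")
```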
