Cisco ASA 5520, can it route?

rstrunk (Level 1)

Hi guys,

Currently configuring an ASA 5520 for a customer. Some of the things they want require me to route, but it doesn't seem like the ASA can route things either properly or at all. Can anyone tell me if the ASA is capable of routing? Here's an overview of my setup:

Internet <- modem <- 5509 switch <- ASA <- computer.

I'd like the computer to be able to browse the web. Everything in front of the ASA has an ip of 172.* while the computer has an ip of 10.*.

Thanks for any and all help!

Accepted Solution

please excuse me for providing an unclear example.

internet <--> modem <--> switch <--> asa <--> inside

with this topology, the asa is really just forwarding the packet from the inside to the outside, which is connected to the switch, and vice versa. there should be no doubt that the asa will be able to cope with this scenario.

now, this may be a little bit more complicated than your scenario; however, it is critical to know, and this is the point i was going to make with my previous post.

internet <--> modem <--> switch <--> asa <--> inside <--> internal router <--wan link--> branch

with this topology, the inside host should really have the internal router as the default gateway. the reason being, the nature of the pix/asa doesn't allow a packet in/out the same interface. e.g. assume the default gateway of the inside host is the asa inside interface. a packet originating from the inside host destined for the branch office will firstly be forwarded to the asa inside interface, as this is the default gateway of the inside host. the asa receives this packet, checks the routing table and determines that the next hop is the internal router. having said that, the asa needs to forward the packet to the internal router via the inside interface. again, the same packet was received on the inside interface, and thus the asa will simply drop the packet by its nature.

you mentioned a host connected to the main router is able to ping the asa interface; i believe you are referring to the asa outside interface. nonetheless, please verify firstly that there is a default route configured on the asa.

e.g.

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx, where xx.xx.xx.xx is the ip of the switch.

secondly, verify the security level of each interface. for outside interface, the security level is 0; whereas for inside interface, the security level is 100.

for further assistance, please post the entire config with public ip masked.
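A minimal ASA configuration that puts the accepted answer into practice, added here as an example and not taken from the thread: inside at security level 100 with the 10.* computer, outside at level 0 facing the 172.* switch, a default route to the switch, dynamic NAT so the 10.* host can browse, and ICMP inspection so ping replies are allowed back. Interface names, addresses and the 8.3+ NAT syntax are assumptions for illustration.

```cisco
! Added example: addresses and interface names are assumed placeholders
! outside faces the 5509 switch (172.* side), lowest trust
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0
 no shutdown
!
! inside faces the computer (10.* side), highest trust
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
! default route: anything not directly connected goes to the switch/router
! (the xx.xx.xx.xx in the answer); the trailing 1 is the route metric
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
!
! NAT (8.3 and later syntax): translate the inside subnet to the outside
! interface address so 172.* devices never see 10.* sources
! pre-8.3 equivalent:  nat (inside) 1 10.1.1.0 255.255.255.0
!                      global (outside) 1 interface
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! let ping replies back in: inspect icmp tracks echo requests in the
! connection table; without it, replies arriving on outside are dropped
policy-map global_policy
 class inspection_default
  inspect icmp
!
! only needed if two interfaces share the same security level:
! same-security-traffic permit inter-interface
! only needed for traffic in and out of the same interface (the branch
! office case above), which the ASA drops by default; the cleaner design
! is the one the answer gives: make the internal router the default gateway
! same-security-traffic permit intra-interface
```

Check the result with `show route` (the default route should appear as `S* 0.0.0.0 0.0.0.0 [1/0] via 172.16.1.1, outside`) and `show nameif` for the interface names and security levels.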


4 Replies

jackko (Level 7)

as per the posted scenario, it doesn't involve much routing. i would say it's more like forwarding from one interface to another. if so, there should be no doubt that the asa does this. there is a decision to be made on whether you prefer nat or no-nat between the two subnets.

further, the asa does support routing protocols as well, such as ospf.

nonetheless, one matter that needs to be kept in mind is that the asa doesn't support a packet in/out a single interface. e.g. the topology is like asa <--> computer <--> router <--wan--> branch,

if the asa receives a packet originating from the computer destined for the branch, then the packet will be dropped. the reason being, the packet is received on the asa inside interface, and according to the routing table, it needs to be forwarded out the inside interface again.

Ah, thanks for the reply! After I initially posted I searched the other conversations and found a little more of what I need.

So you're saying that a computer (computer1) behind say the inside interface trying to send a packet to the internet on the outside interface will have the packet dropped?

What I've tried to do is get the ASA to route all packets to our main internet router. I can get on another computer (computer2) connected to our main router and successfully ping the ASA interface where computer1 is connected, but vice versa doesn't work. I forgot the icmp command I saw in another forum, but I tried it and that doesn't seem to work either. I admit I have much to learn about Cisco routing, but the setup I'm trying to do sounds very easy. For some reason I'm either missing a small set of commands or I just can't wrap my head around what I need to do.

Thanks for your help!

Hello,

you might want to check the security level of both your interfaces; make sure that the level is not the same, since that would prohibit the interfaces from communicating (unless you use the global command 'same-security-traffic permit inter-interface').

Regards,

Nethelper

