Cisco ASA default route

LionKin1984
Level 1

Hello everyone, I am new to networking and the question I am about to ask is probably pretty dumb to most of you in here, but anyway ...

Question: -

If I want traffic to flow from the inside interface on an ASA firewall to outside, does a default route (or some sort of routing) always need to be configured FIRST, prior to ACL or NAT?

cheers

6 Replies

For these elements, the order of configuration is completely unimportant. You can configure them in any order.

As a rule of thumb, you should always configure things first that are referenced later.

Some examples:

  • configure an object-group and use that in an ACL
  • configure the ACL first and then apply it to the interface with access-group
  • configure an object and use that object in a nat-statement

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks for the reply Karsten, if I want the traffic to flow from inside to outside on a different subnet, would this be achieved by configuring a simple ACL only without any routing?

The ASA needs to know how to reach the destination. If the destination is a directly connected network on the ASA, then no additional route is needed. But if it is a remote network, the ASA needs to learn the route through a dynamic routing protocol or through an explicitly configured route (which could be the default route).

Whether you need an ACL depends on your setup. By default all communication from a higher to a lower security level is allowed. The inside interface typically has a security level of 100 and the outside interface of 0. So by default it will work without an ACL. But if there is an ACL on the inside interface, then this ACL has to permit the initial traffic.

And for the communication to an outside remote destination you probably also need NAT configured.


"The ASA needs to know how to reach the destination.", that is the line I am after, so in other words the ASA needs to know how to reach the destination first before any ACL takes effect.

In your first post you were asking for the order in which things are configured. Is that what you are looking for or is it the order of operation when a packet is processed by the ASA?

If the latter, then the ACL comes first (only if it is a new connection), then NAT and last the global routing lookup.

More on this flow through the ASA (with additional steps to ACL, NAT, Route) is in the following document:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba9d00.shtml

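The two points made in this thread, that configuration order only matters in the sense that an element should exist before something references it, and that a new connection is processed in the order ACL, then NAT, then route lookup, can be seen in one small ASA 8.3+ configuration. The following is an added example, not configuration posted by Karsten or taken from the Cisco document linked above; the interface names, object names, ACL name and all addresses (192.168.1.0/24 inside, 203.0.113.0/24 outside, 203.0.113.1 as next hop, 198.51.100.5 as a test destination) are assumed placeholders.

```cisco
! Added example (not from this thread): minimal ASA 8.3+ configuration in
! "reference order" -- every element exists before anything refers to it.
! All names and addresses are placeholders chosen for this illustration.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! 1. Routing: remote (not directly connected) destinations are reached
!    through an explicitly configured route, here the default route.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! 2. Objects first, so the NAT rule and the ACL below can reference them.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
!
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
!
! 3. NAT references the object: inside hosts are PATed to the outside
!    interface address when going to the remote destination.
object network INSIDE-NET
 nat (inside,outside) dynamic interface
!
! 4. ACL references the object and the object-group. Not required by
!    default (inside 100 -> outside 0 is permitted), but once an ACL is
!    applied to the inside interface it must permit the initial packet of
!    each new connection; the explicit deny documents what else is dropped
!    (other protocols such as DNS would need their own permit lines).
access-list INSIDE-IN extended permit tcp object INSIDE-NET any object-group WEB-PORTS
access-list INSIDE-IN extended deny ip any any
!
! 5. Only after the ACL exists is it bound to the interface.
access-group INSIDE-IN in interface inside
!
! Verification: packet-tracer walks a simulated new connection through the
! ASA's order of operations and prints each phase, so the ACCESS-LIST, NAT
! and ROUTE-LOOKUP phases appear in the order the reply above describes.
packet-tracer input inside tcp 192.168.1.10 40000 198.51.100.5 80
```

If the default route is removed, the packet-tracer run fails in its route-lookup phase even though the ACL and NAT phases pass, which is the practical form of "the ASA needs to know how to reach the destination": the ACL and NAT decide whether and how a connection is allowed, but the route decides whether it can be delivered at all.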

What I meant to ask was: does the connectivity between the various interfaces/networks need to be established first, before an ACL can do anything?

I think your second post answered my question

Thanks a lot Karsten
