Cisco Support Community

New Member

Cisco ASA default route

Hello everyone, I am new to networking and the question I am about to ask is probably pretty dumb to most of you in here, but anyway ...

Question:

If I want traffic to flow from the inside interface on an ASA firewall to the outside, does a default route (or some sort of routing) always need to be configured FIRST, prior to the ACL or NAT?


cheers

VIP Purple

Cisco ASA default route

For these elements, the order of configuration is completely unimportant. You can configure them in any order.

As a rule of thumb, you should always configure things first that are referenced later.

Some examples:

  • configure an object-group and use that in an ACL
  • configure the ACL first and then apply it to the interface with access-group
  • configure an object and use that object in a nat-statement

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Cisco ASA default route

Thanks for the reply Karsten. If I want the traffic to flow from inside to outside on a different subnet, would this be achieved by configuring a simple ACL only, without any routing?

VIP Purple

Cisco ASA default route

The ASA needs to know how to reach the destination. If the destination is a directly connected network on the ASA, then no additional route is needed. But if it is a remote network, the ASA needs to learn the route through a dynamic routing protocol or through an explicitly configured route (which could be the default route).

Whether you need an ACL depends on your setup. By default all communication from a higher to a lower security level is allowed. The inside interface typically has a security level of 100 and the outside interface of 0. So by default it will work without an ACL. But if there is an ACL on the inside interface, then this ACL has to permit the initial traffic.

And for the communication to an outside remote destination you probably also need NAT configured.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

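The configuration the replies above describe (a route to the destination, NAT for inside hosts, and an optional ACL that must permit the initial traffic), written out as an added example; it is not part of the original thread. Interface names, the addressing (RFC 1918 and RFC 5737 documentation ranges), the upstream gateway 198.51.100.1 and the object, object-group and ACL names are assumptions. It uses the ASA 8.3+ object NAT syntax and follows the order from the earlier reply: the object-group exists before the ACL references it, the ACL exists before access-group applies it, and the network object exists before its nat statement.

```cisco
! Assumed interface addressing (not from the original thread)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! 1. Routing: the ASA must know how to reach the destination.
!    192.168.1.0/24 and 198.51.100.0/24 are directly connected and need no route;
!    any other destination is reached through the default route to the assumed gateway.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! 2. NAT (object NAT, ASA 8.3+): the network object is defined first, then the
!    nat statement inside it translates inside hosts to the outside interface address.
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! 3. ACL: not required for inside (100) -> outside (0), but once an ACL is bound to
!    the inside interface only what it permits gets through. The object-group is
!    defined before the ACL uses it, and the ACL before access-group applies it.
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any object-group WEB_PORTS
access-list INSIDE_IN extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Verification (privileged EXEC): confirm the default route is installed, that the
! NAT rule is present, and trace a synthetic inside->outside HTTPS connection
! (203.0.113.50 is an assumed remote host) through the ACL, NAT and route-lookup phases.
show route
show nat
packet-tracer input inside tcp 192.168.1.10 12345 203.0.113.50 443 detailed
```

Without the `route outside 0.0.0.0 ...` line, the packet-tracer run reports a drop even though INSIDE_IN permits the connection and the NAT rule matches, which is the quickest way to tell a missing route from a missing permit. Removing the `access-group` line restores the default higher-to-lower behaviour, so inside hosts can reach any outside port again.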
New Member

Cisco ASA default route

"The ASA needs to know how to reach the destination.", that is the line I am after, so in other words the ASA needs to know how to reach the destination first before any ACL takes effect.

VIP Purple

Cisco ASA default route

In your first post you were asking for the order in which things are configured. Is that what you are looking for or is it the order of operation when a packet is processed by the ASA?

If the latter, then the ACL comes first (only if it is a new connection), then NAT, and last the global routing lookup.

More on this flow through the ASA (with additional steps to ACL, NAT, Route) is in the following document:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba9d00.shtml

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Cisco ASA default route

What I meant to ask was: does the connectivity between the various interfaces/networks need to be established first, before an ACL can do anything?

I think your second post answered my question

Thanks a lot Karsten
