Configure Static Routing on Cisco ASA Firewall
Although the Cisco ASA appliance is not a router, it still maintains a routing table, and static or dynamic routing must be configured so that the appliance knows where to send packets. When a packet arrives at an ASA interface, it passes through several security controls, such as ACL filtering, NAT and deep-packet inspection. Once the packet has passed all of these controls, the appliance needs to forward it to its destination address, so it consults its routing table to determine the outgoing interface on which the packet will be sent.
Cisco ASA firewalls support both static and dynamic routing; for dynamic routing, the ASA supports RIPv2 and OSPF. I recommend against dynamic routing, though, and suggest sticking with static routes. One purpose of a firewall is to hide the addressing and topology of your internal trusted network, and by enabling dynamic routing you might advertise routes to untrusted networks, thus exposing your network to threats.

The scenario in the diagram above will help us understand how to configure static routing. The ASA connects to the Internet on the outside interface and also has DMZ and Inside zones. The default gateway towards the ISP is 200.1.1.1. The DMZ network is 10.0.0.0/24 and the internal LAN1 network is 192.168.1.0/24; LAN1 is directly connected to the Inside interface of the firewall. There is also a second internal network, LAN2, with address range 192.168.2.0/24. LAN2 is not directly connected to the firewall; instead, an internal router with address 192.168.1.1 provides the path to LAN2. Therefore, for the ASA to reach LAN2, we need to configure a static route telling the firewall that 192.168.2.0/24 is reachable via 192.168.1.1.
So we need to configure two static routes: a default static route for Internet access, and an internal static route to reach LAN2. For the directly connected networks (DMZ and LAN1) no static route is needed, since the firewall already knows about them from the addresses assigned to its interfaces.
Configuration:
The format of the static route command is:
ASA(config)# route [interface name] [destination address] [netmask] [gateway]
! First configure a default static route towards the default gateway
ASA(config)# route outside 0.0.0.0 0.0.0.0 200.1.1.1
! Then configure an internal static route to reach network LAN2
ASA(config)# route inside 192.168.2.0 255.255.255.0 192.168.1.1
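To see how the two routes above actually steer traffic, here is an added Python simulation (not part of the original post and not Cisco's software) that loads the same two route commands, derives the connected routes from the interface addresses, and performs the longest-prefix-match lookup the firewall does after its security checks. The ASA's own interface addresses are not given in the article, so 200.1.1.2/24, 10.0.0.1/24 and 192.168.1.254/24 are assumed values; the script also checks that each static route's next hop lies on the named interface's subnet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the article's scenario; the ASA's own interface addresses are not
# on the page, so the three values below are assumptions.
INTERFACES = {
    "outside": ipaddress.ip_interface("200.1.1.2/24"),     # assumed; ISP gateway is 200.1.1.1
    "dmz": ipaddress.ip_interface("10.0.0.1/24"),          # assumed; DMZ is 10.0.0.0/24
    "inside": ipaddress.ip_interface("192.168.1.254/24"),  # assumed; LAN1 router is 192.168.1.1
}

# The two static routes from the article, in ASA CLI syntax.
ROUTE_COMMANDS = [
    "route outside 0.0.0.0 0.0.0.0 200.1.1.1",
    "route inside 192.168.2.0 255.255.255.0 192.168.1.1",
]

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected
    metric: int

def parse_route(cmd: str, interfaces: dict) -> Route:
    """Parse 'route <iface> <dest> <mask> <gateway> [metric]' and sanity-check it."""
    parts = cmd.split()
    if len(parts) not in (5, 6) or parts[0] != "route":
        raise ValueError(f"not a route command: {cmd!r}")
    _, iface, dest, mask, gw = parts[:5]
    metric = int(parts[5]) if len(parts) == 6 else 1  # ASA default metric is 1
    if iface not in interfaces:
        raise ValueError(f"unknown interface {iface!r}")
    prefix = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    gateway = ipaddress.ip_address(gw)
    # The next hop must be on the named interface's subnet, or it cannot be resolved there.
    if gateway not in interfaces[iface].network:
        raise ValueError(f"gateway {gw} is not on {iface} subnet {interfaces[iface].network}")
    return Route(prefix, iface, gateway, metric)

def build_table(interfaces: dict, commands: list) -> list:
    """Connected routes come from the interface addresses, static routes from the CLI lines."""
    table = [Route(i.network, name, None, 0) for name, i in interfaces.items()]
    return table + [parse_route(c, interfaces) for c in commands]

def lookup(table: list, dst: str) -> Optional[tuple]:
    """Longest-prefix match, then lowest metric: returns (egress interface, next hop)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return best.iface, (str(best.gateway) if best.gateway is not None else None)

if __name__ == "__main__":
    table = build_table(INTERFACES, ROUTE_COMMANDS)
    for dst in ("192.168.2.50", "10.0.0.5", "192.168.1.20", "8.8.8.8"):
        print(f"{dst:>14} -> {lookup(table, dst)}")
```

A LAN2 host is sent to the internal router, DMZ and LAN1 hosts are delivered directly on their connected interface, and anything else falls through to the default route on outside.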


Hi BlogAdmin.
I have done as per your advice.
But still, no ping or access from the inside zone to the dmz.
Basically, for the dmz interface, E0/2 connects directly to a switch (a normal switch), and from this switch is where the 172.16.16.80 www and 172.16.17.25 email servers are.
On the other side, just to clarify, I have a router before the ASA, and below is the 2800 series router's sh run:
GW-RTR#sh run
Building configuration...
Current configuration : 1481 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GW-RTR
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$h.LH$3sc8ez.Vb62zHi86u1SYl1
!
aaa new-model
!
!
!
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip cef
!
!
!
!
ip domain name tchipa.com
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip name-server 66.110.119.2
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username tchipa privilege 15 password 7 0010100E0D4B0A
archive
log config
hidekeys
!
!
!
!
!
!
!
interface FastEthernet0/0
description "Link-To-Angola-Telecom"
ip address 66.110.122.126 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
description "Link-To-LocalLAN"$ES_LAN$
ip address 41.223.156.108 255.255.255.248
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 66.110.122.125
ip route 41.223.156.104 255.255.255.248 FastEthernet0/1 41.223.156.109
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner motd ^C
PLEASE DO NOT LOGIN YOU NOT AUTHORIZED ^C
!
line con 0
password 7 09584D01101516
logging synchronous
line aux 0
password 7 1403110305142B
line vty 0 4
privilege level 15
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
end
Any other idea, Master BlogAdmin, please? If only you or anyone knew how much I need this working. Otherwise, from next week my www and SMTP mail server will be launched, and as anyone can imagine, my internal PCs won't be able to access them.
Please, any help?
BD
If you need access only from inside to the dmz, you can configure PAT from inside to the dmz interface.
First remove the static NAT, and then do the following:
global (dmz) 2 interface
nat (inside) 2 10.1.4.0 255.255.252.0
Hi Admin,
Thanks for your reply.
By the way, you mean I should remove this static:
static (inside,dmz) 10.1.4.0 10.1.4.0 netmask 255.255.252.0
and paste this one above:
global (dmz) 2 interface
nat (inside) 2 10.1.4.0 255.255.252.0
right?
And according to my router there's nothing that could stop or block any access, right?
Thank you so much
BD
Hi BlogAdmin,
My apologies for not being able to give you feedback on your last reply to my questions, because I've been away for work in a place with no internet access. My problem was that my internal PCs cannot reach my dmz.
In your last reply you said I should remove this static: static (inside,dmz) 10.1.4.0 10.1.4.0 netmask 255.255.252.0, because when I pasted it, it still didn't work.
So then you said, if my problem is just the communication from inside to dmz, I should do this:
First remove the static NAT, and then do the following:
global (dmz) 2 interface
nat (inside) 2 10.1.4.0 255.255.252.0
Well, I did it. I pasted the global (dmz) 2 interface
and when I pasted this: nat (inside) 2 10.1.4.0 255.255.252.0 it said duplicated entry. Result: my internal PCs still cannot access my server on the dmz.
Dear BlogAdmin, I'm really so desperate, and sorry for that. So any other help please?
By the way, I have pasted my updated ASA sh run so you can have a better idea.
:
ASA Version 7.0(8)
!
hostname ASA2
domain-name assembleia.ao
enable password YVYn8G/3D1COct9U encrypted
passwd YVYn8G/3D1COct9U encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description "Link-To-GW-Router"
nameif outside
security-level 0
ip address 41.223.xx.xx 255.255.255.0
!
interface GigabitEthernet0/1
description Link To Local Lan
nameif inside
security-level 100
ip address 10.1.4.x 255.255.255.0
!
interface GigabitEthernet0/2
description "Link-To-DMZ"
nameif dmz
security-level 50
ip address 172.16.16.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list INSIDE extended permit ip 10.1.4.x 255.255.255.0 any
access-list OUT-TO-DMZ extended permit tcp any host 41.223.xx.xx eq smtp
access-list OUT-TO-DMZ extended permit tcp any host 41.223.xx.xx eq www
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list OUT-TO-DMZ extended permit tcp any host 41.223.xx.xx eq www
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq telnet
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list DMZ_IN extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.255.0
access-list cap extended permit ip 10.1.4.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list nonat extended permit ip 10.1.4.0 255.255.255.0 172.16.16.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.4.0 255.255.255.0
nat (inside) 1 10.1.4.0 255.255.252.0
static (dmz,outside) tcp 41.223.XX.XX www 172.16.16.80 www netmask 255.255.255.255
static (dmz,outside) tcp 41.223.XX.XX smtp 172.16.16.25 smtp netmask 255.255.255.255
access-group OUT-TO-DMZ in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 41.223.XX.XX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username tchipa password JUU.kVt2Und.Vd23 encrypted privilege 15
http server enable
http 10.1.4.0 255.255.255.0 inside
http 10.1.6.0 255.255.255.0 inside
http 10.1.7.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.1.4.0 255.255.255.255 inside
ssh 10.1.5.0 255.255.255.255 inside
ssh 10.1.6.0 255.255.255.255 inside
ssh 10.1.7.0 255.255.255.255 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:1442681c2a378d10f026df4cf1005452
: end
Please help.
Do the following:
no nat (inside) 1 10.1.4.0 255.255.255.0
no global (dmz) 2 interface
global (dmz) 1 interface
Hi Dear BlogAdmin,
I have proceeded exactly as you said,
but unfortunately it still didn't work. Instead, after that I have no internet at all.
All the inside PCs, my entire network, have no internet connection; it fails automatically after that.
How do I remove the above commands, please? I need the internet back, or to bring everything back as it was before, please.
And as for my issue, any other clear idea why I'm not accessing my dmz from the inside network?
BD
OK, you have sent me so many configurations that you got me confused.
Put back the nat statements as below:
nat (inside) 1 10.1.4.0 255.255.255.0
global (outside) 1 interface
global (dmz) 1 interface
and remove the nat 0 command:
no nat (inside) 0 access-list nonat
OK Dear BlogAdmin,
I did as per your above statement, and everything is back to normal, I mean the inside network can now access the internet again. Thank you so much for your precious time and cooperation, for being there as a great IT professional, and for sharing your vision. I thank you, Sir.
But by the way, the internal network still cannot reach my dmz.
Can anyone help according to the ASA 5520 v7 sh run, please?
BD
Hi dear BlogAdmin,
As you may know, I'm still struggling to get my inside network to access or communicate with my dmz.
As I got another ASA5520 for my test, I have configured the other ASA, and according to the configuration below, I have installed the EasyPHP web server on the server with 172.16.16.80, the www server on the dmz. So now, from the inside network I can access that page, but I don't get a successful ping, for instance, to that same server with 172.16.16.80, even though I can access the web server on it through the EasyPHP application.
The other thing is that I don't have an internet connection on my dmz, I mean the servers with 172.16.16.80 (the www) and 172.16.16.25 (the email server).
However, my concern is: does it really mean that my inside network is communicating with the dmz now?
How do I enable real ping? Is there any command to enable ping?
Dear BlogAdmin, according to my config below, can you recheck it for me to see if I have missed anything else?
Why am I not getting a successful ping to the dmz, but it can open the web server I have installed on the server on the dmz? Why am I not getting internet on the dmz? Can you please help?
What other real test should I make to be sure I'm reaching my dmz, since right now I don't yet have the www and SMTP email server running?
Dear BlogAdmin, I should always thank you so much for your time and cooperation, and remember that any single help from you will be highly appreciated.
Thanks in advance:
ciscoasa(config)# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name parlamento.ao
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description Link to Gateway
nameif outside
security-level 0
ip address 41.223.156.109 255.255.255.248
!
interface GigabitEthernet0/1
description Link to Local Lan
nameif inside
security-level 100
ip address 10.1.4.1 255.255.252.0
!
interface GigabitEthernet0/2
description Link to dmz
nameif dmz
security-level 50
ip address 172.16.16.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list outside_in extended permit tcp any host 41.223.156.106 eq smtp
access-list outside_in extended permit tcp any host 41.223.156.107 eq www
access-list dmz_int extended permit tcp host 172.16.16.25 any eq smtp
access-list dmz_int extended permit tcp host 172.16.16.80 any eq www
access-list outside_int extended permit tcp any host 41.223.156.106 eq smtp
access-list outside_int extended permit icmp any any
access-list INSIDE extended permit ip 10.1.4.0 255.255.252.0 any
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list DMZ_IN extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.252.0
access-list cap extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 10.1.4.0 255.255.252.0
static (inside,dmz) 10.1.4.0 10.1.4.0 netmask 255.255.252.0
static (dmz,outside) 41.223.156.106 172.16.16.25 netmask 255.255.255.255
static (dmz,outside) 41.223.156.107 172.16.16.80 netmask 255.255.255.255
access-group dmz_int in interface dmz
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 41.223.156.108 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username tchipa password JUU.kVt2Und.Vd23 encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 10.1.4.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.1.4.100 255.255.255.255 inside
ssh timeout 10
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:48ba8cf4e31f2940e44293256d84ce38
: end
BD
If you access the web server from inside, it means that the inside communicated with dmz just fine. Pinging is not a reliable way to say if you have communication or not. Accessing real services (such as HTTP) is what proves that you actually have proper communication.
To allow ping you must allow icmp echo-reply on the dmz_int access-list. Also, to allow internet access from the dmz, you must allow DNS udp 53 on the dmz_int access list as well.
Hi Dear BlogAdmin,
Well, I'm really sorry for my insistence or for being so hard to understand. But one thing is for sure: since I started writing to you, I've been improving my skills as far as the ASA appliance is concerned.
Well, as I said before and as you know, I was having a problem with my internal users who could not access my dmz zone. But now, with the above sh run config (still the latest), it seems I can reach my dmz zone, specifically the server with IP 172.16.16.80 for www, as I have installed an EasyPHP web server on this server, and from the inside PC or network (10.1.4.x) I can access that web server through the browser at 172.16.16.80:8080 and it opens that web server.
So now the problem is: the server on the dmz doesn't have internet access. Could you please help me with the right config command (access list) that will allow the server on the dmz to have internet? Please.
On the other side, from the outside, or internet, I tried to reach that server on the dmz through its private or translated IP address, so through the browser I typed 41.223.156.106:8080, or even without the 8080, but I couldn't reach that web page on the server on the dmz.
Could you please help me find out why I'm not accessing my server on the dmz? Please.
Dear Admin, please forgive me as I'm still young and just learning about the security appliance. Remember, your help could be so vital and could make such a big impact.
I thank you in advance.
BD
BD,
Assuming you have the configuration you have posted above, you will need to allow DNS protocol on the dmz_int access list as below:
access-list dmz_int extended permit udp host 172.16.16.80 any eq 53
Also, to access the web server on port 80 from outside, you need to create a static NAT command between dmz and outside (something that you have done already) and also allow port 80 on the outside acl (which you have done already as well). The problem is that you have not attached the outside_in acl on the outside interface:
access-group outside_in in interface outside
After you do the above, you will be able to access the web server via 41.223.156.107 (on port 80 though, NOT on 8080)
OK??
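Two points in the replies above come down to ACL behaviour: the dmz_int list has no entry for DNS, so the DMZ servers cannot resolve names, and outside_in is defined but never applied with access-group, so nothing from the Internet reaches the published web server. As an added illustration (not the blog's or Cisco's code), the following Python script parses a constructed excerpt of the posted configuration, evaluates an ACL the way the firewall does (first match wins, implicit deny at the end; only the destination-port 'eq' form is handled), and reports ACLs that are never bound and interfaces with no inbound ACL.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 7.0 configuration posted in the thread above; only
# the lines the two checks need are reproduced.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
interface GigabitEthernet0/1
 nameif inside
interface GigabitEthernet0/2
 nameif dmz
access-list outside_in extended permit tcp any host 41.223.156.106 eq smtp
access-list outside_in extended permit tcp any host 41.223.156.107 eq www
access-list dmz_int extended permit tcp host 172.16.16.25 any eq smtp
access-list dmz_int extended permit tcp host 172.16.16.80 any eq www
access-list inside extended permit ip any any
access-group dmz_int in interface dmz
access-group inside in interface inside
"""

PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53}  # service names used in the posted config

def _addr(tokens: list) -> ipaddress.IPv4Network:
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_acls(config: str) -> dict:
    """Return {acl name: [(action, proto, src, dst, dport or None), ...]} in config order."""
    acls = {}
    for m in re.finditer(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$", config, re.M):
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src, dst = _addr(tokens), _addr(tokens)
        # Only the destination-port form 'eq <port>' is handled, as in the posted config.
        dport = (PORT_NAMES.get(tokens[1]) or int(tokens[1])) if tokens[:1] == ["eq"] else None
        acls.setdefault(name, []).append((action, proto, src, dst, dport))
    return acls

def permits(acl: list, proto: str, src: str, dst: str, dport: int) -> bool:
    """First-match evaluation with the ASA's implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, dst_net, port in acl:
        if p in (proto, "ip") and s in src_net and d in dst_net and port in (None, dport):
            return action == "permit"
    return False

def audit_bindings(config: str, acls: dict) -> dict:
    """Report ACLs that are defined but never applied, and interfaces with no inbound ACL."""
    nameifs = re.findall(r"^\s*nameif (\S+)", config, re.M)
    bound = {iface: acl for acl, iface in
             re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M)}
    return {"unbound_acls": sorted(set(acls) - set(bound.values())),
            "interfaces_without_inbound_acl": sorted(i for i in nameifs if i not in bound)}
```

Appending the line from the reply above, access-list dmz_int extended permit udp host 172.16.16.80 any eq 53, makes permits() return True for the web server's DNS flow; adding access-group outside_in in interface outside clears both audit findings.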