Routing on the Cisco ASA Firewalls

By default, Cisco ASA firewalls support routing, so customers can configure various routing scenarios on them. Static routes are user-defined routes that are created manually on a Cisco ASA firewall with the route command.

Administrators are responsible for creating a route for each network in their topology, so when a new network is added, the corresponding route has to be added manually on every router. For this reason, static routes are not suitable for large or dynamic environments.

Cisco ASA Static Route Configuration

The syntax for the static route command is as follows:

ASA# route [Exit Interface] [Destination Network] [Mask] [Next Hop]

For instance, if the ASA wants to reach the network, you should create a static route using the following command:

ASA# route inside

Note: The next hop should be reachable or directly connected.

What are Default Routes?

A default route designates a router as the default gateway for your device. When the routing table has no entry for the destination network, the router forwards the packet to its default gateway. Default routes help reduce the size of your routing table. Essentially, a default route is a static route whose destination network and network mask are defined in the most general terms, so that they match any destination. The syntax for a default route on the ASA firewall is:

ASA# route [Exit Interface] [Next Hop]

Cisco ASA Route Verification Commands

Customers can use the following commands to verify ASA route configuration:

ASA# show run route

ASA# show route

ASA# ping [IP]
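Beyond ping, a defender can check a static route table offline. The following Python script is an added example, not part of the original article or any Cisco tool: it parses constructed "show run route" lines against assumed interface subnets, flags a next hop that is not directly connected on its exit interface (the note above), rejects a wildcard mask where the ASA expects a normal subnet mask, and labels the default route.

```python
import ipaddress
import re

# Constructed sample data (assumption, not from the article): the ASA's
# interface subnets and a few "show run route" lines to check.
INTERFACE_SUBNETS = {
    "inside": ipaddress.ip_network("10.1.1.0/24"),
    "outside": ipaddress.ip_network("203.0.113.0/29"),
}
SAMPLE_SHOW_RUN_ROUTE = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.2.0.0 255.255.0.0 10.1.1.254 1
route inside 10.3.0.0 255.255.0.0 192.168.5.1 1
route inside 10.4.0.0 0.0.255.255 10.1.1.254 1
route dmz 10.5.0.0 255.255.0.0 10.1.1.254 1
"""
# route <exit interface> <destination> <mask> <next hop> [metric]
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?$")

def is_subnet_mask(mask):
    """True only for a contiguous subnet mask; a wildcard such as 0.0.255.255 fails."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    return (inverted + 1) & inverted == 0

def lint_routes(show_run_route, interface_subnets):
    """Return one (route line, verdict) pair per parsed route line."""
    results = []
    for line in show_run_route.splitlines():
        match = ROUTE_RE.match(line.strip())
        if not match:
            continue
        iface, dest, mask, next_hop, _metric = match.groups()
        if not is_subnet_mask(mask):
            results.append((line, "bad mask: ASA expects a subnet mask, not a wildcard mask"))
            continue
        subnet = interface_subnets.get(iface)
        if subnet is None:
            results.append((line, f"unknown exit interface {iface}"))
            continue
        if ipaddress.ip_address(next_hop) not in subnet:
            results.append((line, f"next hop {next_hop} is not on the {iface} subnet {subnet}"))
            continue
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        kind = "default route" if network.prefixlen == 0 else f"static route to {network}"
        results.append((line, f"ok: {kind} via {next_hop}"))
    return results

if __name__ == "__main__":
    for line, verdict in lint_routes(SAMPLE_SHOW_RUN_ROUTE, INTERFACE_SUBNETS):
        print(f"{verdict:60} <- {line}")
```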


Cisco ASA RIPv2 Configuration

Essentially, all routing protocols are enabled with the router command on the firewall. To enable RIP, use the following command:

ASA(config)# router rip

By default, a routing device sends updates using RIP version 1. You can change the version to 2 with the following commands; version 2 is the current and most widely used version of RIP. Auto-summarization of subnets is also turned on by default, and it is highly recommended to disable it.

ASA(config)# router rip

ASA(config-router)# version 2

ASA(config-router)# no auto-summary

ASA(config-router)# network

Cisco ASA EIGRP Configuration

To enable EIGRP, you first need the Autonomous System number, which must match between neighboring routers. Auto-summarization of subnets is turned on by default here too, and it is highly recommended to disable it with the following commands:

ASA(config)# router eigrp 100

ASA(config-router)# no auto-summary

ASA(config-router)# network

Note: on the ASA you should use the normal subnet mask instead of a wildcard mask!

Cisco ASA OSPF Configuration

To enable OSPF, a process ID is needed. This ID is locally significant and does not need to match the remote router. OSPF routers are grouped into a logical entity known as an area. OSPF routers are also identified by an IP-address-like identifier known as the router ID, which can be configured manually with the router-id command under the routing process. To configure OSPF on ASA firewalls, proceed with the following commands:

ASA(config)# router ospf 1

ASA(config-router)# router-id

ASA(config-router)# network area 0

Note: on the ASA you should use the normal subnet mask instead of a wildcard mask!

Cisco ASA BGP Configuration

Essentially, BGP is the protocol your organization uses to exchange routes with a remote organization. It generally runs between ISPs, although some enterprises also use it to communicate with their ISPs. You can run BGP on the ASA as well as on routers. The purpose of BGP is to advertise internal routes, whether directly connected or learned via IGP protocols such as OSPF or EIGRP, to external neighbors. To enable BGP on the ASA firewall, proceed as in the following example:

ASA(config)# router bgp 100

ASA(config-router)# neighbor remote-as 200

ASA(config-router)# neighbor activate

ASA(config-router)# network mask
