Route statements in ASA

If your inside interface has an IP address of x.110.215.17 and you have the following route statements:
route inside x.110.208.0 255.255.255.0 x.110.215.17
route inside x.110.209.0 255.255.255.0 x.110.215.17
route inside x.110.210.0 255.255.255.0 x.110.215.17
I'm assuming this means that anything coming into the ASA for the networks listed will be routed to the inside interface via x.110.215.17?
Note that the inside interface and the next hop on the route statements are the same.

I should have been more technically correct in my last update. The ARP request has nothing to do with the 10.10.10.0/24 IP range but rather the layer 2 VLAN associated with the inside interface behind the device. By adding the route statement pointing to the inside interface, the ASA will broadcast an ARP request to all the hosts within the VLAN.
So,
Ethernet0/1              inside                 10.10.10.1      255.255.255.0   manual
route inside 10.10.20.0 255.255.255.0 10.10.10.1
When a request is made for 10.10.20.20, the ASA will generate something similar to the following:
arp-req: generating request for 10.10.20.20 at interface inside
arp-send: arp request built from 10.10.10.1 0015.46e7.8d55 for 10.10.20.20 at 53392994170

Similar Messages

  • Routing issue with ASA and UC540 phone system - at ASA???

    Having an issue with routing from the PC at .242 to the CUE server at 10.1.10.1. The CUE server is built into the UC540 phone system. It is an internal piece of software that is used for voicemail and management. The UC540 is not only a call router, it is also an IOS router. It has its own WAN connection as does the ASA.
    Here are some facts:
    1. Can ping the UC540's internal CUE server from the PC ( ping to 10.1.10.1 )
    2. Can ping the UC540's VLAN 1 address from the PC ( ping to 10.1.10.1 )
    3. The ASA is the default gateway for the PC.
    4. I have a route inserted at the asa that is:
                   route 10.1.10.1 255.255.255.0 10.19.250.254 1
    5. I have a nat statement that prevents NAT from occurring but I don't think this is necessary as the 10.1.10.0/24 network isn't otherwise defined on the ASA.
    6. I cannot pull up a web page when I point the browser on the PC to the 10.1.10.1 address
    7. I CAN pull up a web page on the PC when I create a static route on the PC itself:
                   route add 10.1.10.1 mask 255.255.255.0 10.19.250.254
         It is only with this route that I am able to get to the web GUI on the phone system.
    8. The phone system has a loopback interface at 10.1.10.2 that serves as the gateway for the internal CUE server; the internal CUE server is at 10.1.10.1
    9. The switch is a 2960 and has a trunk port to the phone system to allow for the voice vlan which is at 10.1.1.0/24; no issues with this vlan and phones are connecting to the system fine.
    Since I can get the GUI to come up when I set a static route on the PC, then I would assume that the routing in the phone system with its internal server is fine as it wouldn't work otherwise. Since I can successfully ping the CUE server from the PC, that would lead me to believe that the ASA's routing is set up correctly..... TCP traffic doesn't seem to get to/from the CUE server.
    Here are the routing tables:
    ASA:
    Gateway of last resort is xxx.xxx.xxx.xxx to network 0.0.0.0
    C    xxx.xxx.xxx.xxx 255.255.255.252 is directly connected, outside
    S    172.16.100.100 255.255.255.255 [1/0] via 38.97.193.65, outside
    S    10.1.10.0 255.255.255.252 [1/0] via 10.19.250.254, inside
    C    10.19.250.0 255.255.254.0 is directly connected, inside
    S*   0.0.0.0 0.0.0.0 [1/0] via xx.xx.xx.xx, outside
    The UC540 phone system's router side:
    Gateway of last resort is xx.xx.xx.xx to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via xx.xx.xx.xx
          10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks
    C        10.1.1.0/24 is directly connected, BVI100
    L        10.1.1.1/32 is directly connected, BVI100
    C        10.1.10.0/30 is directly connected, Loopback0
    S        10.1.10.1/32 is directly connected, Integrated-Service-Engine0/0
    L        10.1.10.2/32 is directly connected, Loopback0
    C        10.19.250.0/23 is directly connected, BVI1
    L        10.19.250.254/32 is directly connected, BVI1
          XX.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C       XX.XX.XX.XX/29 is directly connected, FastEthernet0/0
    L        XX.XX.XX.XX/32 is directly connected, FastEthernet0/0
          172.16.0.0/24 is subnetted, 1 subnets
    S        172.16.100.0 [1/0] via 10.19.250.1
    The UC540's internal CUE server:
    Main Routing Table:
               DEST            GATE            MASK                     IFACE
          10.1.10.0            0.0.0.0           255.255.255.252       eth0
            0.0.0.0             10.1.10.2         0.0.0.0                    eth0
    Any help appreciated!!!
    Thanks!

    Hello,
    Were you able to solve this problem? It does sound like an issue with TCP state checking on the ASA. The firewall needs to see both sides of the traffic but the return traffic is going from your UC540 direct to the PC. The firewall essentially kills the traffic.
    I would recommend disabling TCP state checking on the ASA and see if it works. Otherwise, you will need to stub route the UC540 as a separate VLAN off the ASA which needs to route through the ASA to reach the PC.
    Here is an info page on the TCP State Bypass:
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html
    Please let me know how it works out.

  • Routing issues on ASA 5525X running version 8.6(1)2

    Hello ,
    I am migrating from PIX 515E to ASA 5525X running version 8.6(1)2.
    The company uses pix as its Internet GW to the ISP ,behind the PIX there's a Cisco 3845 (C3845-ADVENTERPRISEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3) 
    Both devices are running NAT and PAT .
    PIX 515
    WAN ip   41.x.x.x
    LAN ip  192.168.5.1
    gw ip  41.x.x.x
    Cisco 3845
    WAN ip  192.168.5.2
    Gig 0/0.1  158.29.x.x
    GIG 0/0.2  172.16.0.1
    gw ip  192.168.5.1
    Mail server 158.29.x.x
    With the current setup they are working OK and the PIX can route to the 158.29.X.X and forward SMTP traffic to the mail server.
    Now my issue is that the ASA can't route to 158.29.X.X addresses internally. I have "route inside 172.16.0.0 /24 192.168.5.2" and I can reach all the devices with 172-series IPs. If I add "route inside 158.29.X.X /24" or "/16" (their whole class) via 192.168.5.2, I can't even ping the 158 IP on the router interface. I tried running EIGRP between the router and ASA and had the same issues with the 158 series.
    What could be the problem or what am I missing? Thanks a lot in advance.

    Hello Jeremiah,
    Routing-wise it should be the same behavior.
    Is there a way that you could provide us the configuration from both devices? This is because I will need to see the IP addresses, route statements and NAT configuration.
    Also the show route from both boxes.
    Check my blog at http:laguiadelnetworking.com for further information.
    Cheers,
    Julio Carvajal Segura

  • Need Help for configuring Floating static route in My ASA.

    Hi All,
    I need your support for doing a floating static route in My ASA.
    I have tried this last time but I was not able to make it. But this time I have to finish it.
    Please find our network Diagram and configuration of ASA
    route outside 0.0.0.0 0.0.0.0 6.6.6.6 1 track 1
    route outside 0.0.0.0 0.0.0.0 6.6.6.6 1
    route rOutside 0.0.0.0 0.0.0.0 3.3.3.3 10
    route inside 10.10.4.0 255.255.255.0 10.10.3.1 1
    route inside 10.10.8.0 255.255.255.0 10.10.3.1 1
    route inside 10.10.9.0 255.255.255.0 10.10.3.1 1
    route inside 10.10.15.0 255.255.255.0 10.10.3.1 1
    route rOutside x.x.x.x 255.255.255.255 5.5.5.5 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.10.3.77 255.255.255.255 inside
    http 10.10.8.157 255.255.255.255 inside
    http 10.10.3.59 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 123
    type echo protocol ipIcmpEcho 8.8.8.8 interface outside
    num-packets 3
    frequency 10
    sla monitor schedule 123 life forever start-time now
    crypto ipsec transform-set cpa esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map vpn_cpa 1 match address acl_cpavpn
    crypto map vpn_cpa 1 set peer a.a.a.a
    crypto map vpn_cpa 1 set transform-set abc
    crypto map vpn_cpa 1 set security-association lifetime seconds 3600
    crypto map vpn_cpa interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    track 1 rtr 123 reachability
    telnet 10.10.3.77 255.255.255.255 inside
    telnet 10.10.8.157 255.255.255.255 inside
    telnet 10.10.3.61 255.255.255.255 inside
    telnet timeout 500
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 10.10.3.14
    webvpn
    tunnel-group .a.a.a.a ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
    inspect sip 
      inspect xdmcp
    service-policy global_policy global
    smtp-server 10.10.5.11
    prompt hostname context
    Cryptochecksum:eea6e7b6efe5d1a180439658c3912942
    : end
    I think half of the configuration is still there in the ASA.
    Diagram.
    Thanks
    Roopesh

    You have missed the last command in your configuration. Please check it again:
    route ISP1  0.0.0.0 0.0.0.0 6.6.6.6 track 1
    route ISP2   0.0.0.0 0.0.0.0 3.3.3.3
    sla monitor 10
    type echo protocol ipIcmpEcho 8.8.8.8 interface ISP1
    num-packets 3
    frequency 10
    sla monitor schedule 123 life forever start-time now
    track 1 rtr 123 reachability
    You can do NAT in same way, here the logical name of the interface will be different.
    Share the result
    Please rate any helpful posts.

  • Is it possible to create a VTI tunnel from my 877 router to my ASA

    Hi all
    I would like to know, is it possible to create a VTI tunnel from my 877 router to my ASA, rather than creating a crypto map on the router?
    cheers
    Carl

    Yes you can
    Forgot to add that it is possible when configuring EZVPN where the 877 is a remote client and the ASA is the server.
    Sent from Cisco Technical Support iPhone App

  • Network address as the next hop address in ip route statement???

    Hi All,
    I am confused about ip route statements in the following Cisco document.
    Configuring ISDN DDR with Dialer Profiles
    Document ID: 9568
    http://www.cisco.com/warp/public/793/access_dial/ddr_dialer_profile.html
    The statements are;
    ip route 172.22.0.0 255.255.0.0 172.22.80.0
    ip route 172.22.80.0 255.255.255.0 Dialer1
    Why does it use network address as next hop address on the first line?
    And it is a source network address on the second line.
    Please suggest me.
    Thanks a lot,
    Nitass

    When you specify a network address as the next hop in an ip route statement, the router does a recursive lookup. When it matches a packet for a network other than 172.22.80.0, it will match the route 172.22.0.0 and the route basically says use 172.22.80.0 as the next hop. Now the router looks up the routing table for how to reach 172.22.80.0 and ends up routing via Dialer 1.
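    Three things discussed on this page follow from one routing-table model: the opening post's route whose next hop is the ASA's own inside address (the ASA then ARPs for the destination host itself, as the "arp-req: generating request for 10.10.20.20" line shows), the floating static route reply above (a tracked primary default route with a higher-distance backup; the poster's untracked duplicate of the primary is what keeps failover from ever happening), and the recursive lookup described in this answer. The Python below is an added example written for this page, not code from Cisco or from any of the posters; it models only longest-prefix match, distance, track state and next-hop recursion, and the interface addresses 6.6.6.1/24 and 3.3.3.1/24 in the floating-route scenario are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

net = ipaddress.IPv4Network
ip = ipaddress.IPv4Address


@dataclass
class Interface:
    name: str
    address: ipaddress.IPv4Interface   # the box's own address on that segment, e.g. 10.10.10.1/24


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address] = None   # None for an interface route such as "... Dialer1"
    interface: Optional[str] = None
    distance: int = 1                                  # trailing metric / administrative distance
    track: Optional[int] = None                        # "track N": installed only while object N is up


@dataclass
class RoutingTable:
    interfaces: List[Interface]
    statics: List[Route]
    tracks: Dict[int, bool] = field(default_factory=dict)   # track object number -> reachable?

    def installed(self) -> List[Route]:
        """Connected routes plus every static whose track object (if any) is up."""
        connected = [Route(i.address.network, None, i.name, 0) for i in self.interfaces]
        live = [r for r in self.statics if r.track is None or self.tracks.get(r.track, False)]
        return connected + live

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match; among equal prefixes the lowest distance wins."""
        addr = ip(dst)
        matches = [r for r in self.installed() if addr in r.prefix]
        if not matches:
            return None
        return min(matches, key=lambda r: (-r.prefix.prefixlen, r.distance))

    def resolve(self, dst: str, depth: int = 8) -> Optional[Tuple[str, str]]:
        """Recursive lookup: (egress interface, address resolved at layer 2, i.e. ARPed for)."""
        route = self.lookup(dst)
        if route is None:
            return None
        if route.next_hop is None:
            return route.interface, dst          # connected or interface route: resolve the host itself
        own = {i.address.ip: i.name for i in self.interfaces}
        if route.next_hop in own:
            # next hop is our own interface address: send out that interface and ARP for the
            # destination host, which is exactly the "arp-req ... for 10.10.20.20" seen on the ASA
            return own[route.next_hop], dst
        if depth == 0:
            return None                          # next hops chase each other; give up
        # ordinary next hop: find how to reach the next hop; on a connected network that is the host ARPed for
        return self.resolve(str(route.next_hop), depth - 1)


def asa_route_via_own_interface() -> Optional[Tuple[str, str]]:
    """Opening post: 'route inside 10.10.20.0 255.255.255.0 10.10.10.1' with inside = 10.10.10.1/24."""
    rt = RoutingTable([Interface("inside", ipaddress.IPv4Interface("10.10.10.1/24"))],
                      [Route(net("10.10.20.0/24"), ip("10.10.10.1"), "inside")])
    return rt.resolve("10.10.20.20")             # ('inside', '10.10.20.20')


def ios_recursive_dialer() -> Optional[Tuple[str, str]]:
    """This answer: a next hop that is itself a network address, reached through Dialer1."""
    rt = RoutingTable([], [Route(net("172.22.0.0/16"), ip("172.22.80.0")),
                           Route(net("172.22.80.0/24"), None, "Dialer1")])
    return rt.resolve("172.22.5.5")              # ('Dialer1', '172.22.80.0')


def asa_floating_default(isp1_up: bool, keep_untracked_duplicate: bool = False) -> Optional[Tuple[str, str]]:
    """Floating static route thread; interface addresses are assumed for the example."""
    statics = [Route(net("0.0.0.0/0"), ip("6.6.6.6"), "outside", 1, track=1),    # primary, tracked
               Route(net("0.0.0.0/0"), ip("3.3.3.3"), "rOutside", 10)]           # floating backup
    if keep_untracked_duplicate:
        # the poster also left "route outside 0.0.0.0 0.0.0.0 6.6.6.6 1" without "track 1"
        statics.append(Route(net("0.0.0.0/0"), ip("6.6.6.6"), "outside", 1))
    rt = RoutingTable([Interface("outside", ipaddress.IPv4Interface("6.6.6.1/24")),
                       Interface("rOutside", ipaddress.IPv4Interface("3.3.3.1/24"))],
                      statics, tracks={1: isp1_up})
    return rt.resolve("8.8.8.8")


if __name__ == "__main__":
    print(asa_route_via_own_interface(), ios_recursive_dialer())
    print(asa_floating_default(True), asa_floating_default(False), asa_floating_default(False, True))
```

    With the tracked primary and the floating backup only, the default route moves to rOutside as soon as track 1 goes down; with the untracked duplicate still present, the lookup keeps choosing 6.6.6.6 regardless of the track state, which is the symptom the floating-route poster was fighting.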

  • Exactly how do I post router stats

    Please be patient with this total "numpty", but exactly how does one cut and paste router stats. I get error message to the effect that "invalid HTML content has been removed...etc" Sorry if this request is in wrong place, but I've done a search and can't find anything. Thanks.
    JohnF
    “Dogs come when they're called; cats take a message and get back to you later.”
    Mary Bly

    Thanks, much obliged.  I was getting in an awful mess cutting and pasting in MS Word and trying to get rid of cells etc. to no avail.
    Regards
    John F
    “Dogs come when they're called; cats take a message and get back to you later.”
    Mary Bly

  • Acceptable ranges for router stats

    There are many queries posted here about line speed which result in repliers asking the questioner to post their router stats.
    Two of the main figures that always seem to be mentioned are the Line Attenuation and Noise Margin.
    Is there anywhere that gives an acceptable range for these figures and a simple explanation of what affects them?
    Same for any other useful stat figures e.g. values given by BT speedtester.
    Cheers
    John

    http://kitz.co.uk/adsl/linestats.htm

  • Broadband speed & router stats

    I'm hoping someone will be able to comment on the download speeds I'm getting for my broadband (BT opt 1).
    According to the BT checker, I should be able to get up to 6Mb, and I'm fairly close to the exchange (700m). My router stats look like this:
    ADSL Link          Downstream   Upstream
    Connection Speed   2272 kbps    288 kbps
    Line Attenuation   25 db        7 db
    Noise Margin       26 db        30 db
    After a lot of tidying up of the internal phone wiring these are now fairly consistent whether I'm plugged in to the master socket or one of the extensions. These were taken from the router fairly soon after rebooting it earlier.
    My question is whether the 2Mb downstream I'm getting seems reasonable, or could I be expecting more than that? And is it possible that the 2Mb is being imposed as a limit, rather than being the maximum speed?
    Any thoughts and comments gratefully received.

    If you are that close to the exchange, there must be something wrong with your line, it takes a circuitous route to get to you, or you are on a 2Mbit package still. I am approximately 3/4km (750m) from my exchange, and get the following:
    Speed: 8126 down, 440 up
    Att: 18.5 down, 8.5 up
    SNR: 19.5 down, 32.5 up
    Although, the 7db up attenuation you are getting suggests that is the limit that your line can support, rather than you being on a 2Mbit capped connection.

  • Hhub2 router stats

    Where on the Hh2 do you find the router stats ?
    Ta,
    djh22

    djh22 wrote:
    I've  just moved to BT and I was wondering what the stats were on the hhub2 compared to my Netgear 834g and strangely there is a difference in downstream connection, Netgear reports 8034 and Hhub2 reports 7127.
    I have a dect phone connected to the Hhub2 I wonder if it accounts for the difference.
    My Netgear always sync'd at a higher speed than the HHub which is why I threw the HHub away. Netgear will give you better control over port forwarding etc.
    The important speeds are not the sync speeds, which always show higher than reality (maybe that's why they show them in the hub); the important one is the IP profile, which is the max that your connection will handle and can only be found at http://speedtester.bt.com
    BW 10 days is a myth to keep you out of the helpdesk's hair. It all happens in the first two or three days once connected.
    ..... Jarviser's Home Hub Index

  • IP SLA Default Route state down to much

    Hello,
    I am attempting to use IP SLA trackers to dynamically set the default route going out over a DSL connection. If the SLA trackers are down the default route learned from the WAN will take over, but normally we want to send internet/default route bound traffic out over the DSL connection.
    ip route 208.67.220.220 255.255.255.255 1.2.3.4
    ip route 208.67.222.222 255.255.255.255 1.2.3.4
    ip route 0.0.0.0 0.0.0.0 1.2.3.4 track 3
    track 1 ip sla 1
     delay down 60 up 60
    track 2 ip sla 2
     delay down 60 up 60
    track 3 list boolean or
     object 1
     object 2
    ip sla 1
     icmp-echo 208.67.222.222 source-ip 1.2.3.5
     threshold 1000
     frequency 10
    ip sla schedule 1 life forever start-time now
    ip sla 2
     icmp-echo 208.67.220.220 source-ip 1.2.3.5
     threshold 1000
     frequency 10
    ip sla schedule 2 life forever start-time now
    The issue we are having is that if the SLA threshold is breached, it immediately sends the trackers into a delay down state. The tracker delays down for 60 seconds, then very quickly comes back up. What we want to accomplish is: only if the SLA tracker has breached the threshold or is down for 60 seconds, then put the tracker into a down state.
    Thanks.

    The configuration seems to be correct: IP SLA changes as soon as the ICMP fails, but the tracker delay should ensure that it changes its state after 60 seconds of ICMP failure. Do you experience a different behaviour?
    What I'm worried about is that, after the default route through the WAN is in the routing table, the IP SLA ping will be successful and therefore the static route
    ip route 0.0.0.0 0.0.0.0 71.32.39.46 track 3
    will be used but, at that point, which is the path to 71.32.39.46?
    Another thing is that, in case of DSL link failure, this configuration will not automatically revert to the WAN link because 71.32.39.46 will still be up and running, isn't it?
    Let me know,
    enrico

  • Dynamic routing alternative between ASA and edge routers?

    This is the current setup between two edge routers and an ASA 5580.  The edge routers carry approximately 9200 BGP routes with ISP A also supplying the default route.  Is there a good, i.e. has been successfully implemented, dynamic routing situation between the edge routers and ASA such that the ASA can send traffic to the particular edge router that carries the best specific route?

    Hello,
    Let's remember that the ASA was built as a High-Level Next Generation Firewall.
    That does not mean it's not useful for routing but here we are talking about thousands of routes, I do not think there will be a performance issue on the FW because of that. I mean you have one of the greatest Cisco Firewalls (functionality and power speaking).
    So if that's the case and you really want to do that you will need to implement either RIP,EIGRP,OSPF on the link and then do the redistribution on the routers.
    Makes sense?
    Regards,
    Jcarvaja
    CCIE 42930

  • Dynamic Routing Gateway and ASA

    Greetings,
    We have a requirement to configure a multisite gateway and have run into an issue. According to http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx, dynamic routing gateways are not supported on the ASA platform. Does this simply mean that MS does not support this configuration or that this configuration is not possible? I cannot negotiate an ikev2 proposal with a dynamic gateway so I fear that it isn't possible.
    Has anyone here made this work?
    Thanks in advance.

    Hello
    In the link you provided, the combination of ASA with dynamic routing says it is not compatible (it does not say not supported).
    From that I understand that it will not work.
    We have tried a few Juniper combinations in the past with static and dynamic routing that were not on the list you mention - only to find out that they indeed did not work.
    My recommendation is to stick to the supported setup.

  • Tracing a route passing through ASA

    Hi Everyone,
    Need help on tracing a route to IP 192.168.27.0 that is passing through the ASA.
    I did sh route on the ASA:
    S    192.168.27.0 255.255.255.0 [1/0] via 192.168.101.14, Xnet
    So this means that this ASA is learning this route statically through int Xnet, right?
    When I do sh int on the ASA it shows Xnet as an interface.
    What should be my next step?
    Also I am able to ping this IP from the ASA but when I do sh arp it does not show this IP 192.168.27.251 and MAC address.
    Thanks
    Mahesh
    Message was edited by: mahesh parmar

    So I presume you have an ASA5550 or you have bought an additional 4 GigabitEthernet module.
    When you look at the ASA from the side where the physical ports are
    The usual ports (without the module) should be in the Right side
    The modules ports should be on the Left side
    The module should contain 8 ports
    4 Ports are for SFP slots (usually for fiber connections)
    4 Ports are for basic Ethernet connectivity
    The configuration should have some line "media-type" which defines which type is used, "rj45" or "sfp"
    rj45 for Ethernet
    sfp for SFP module
    So GigabitEthernet 1/2 port should be to my understanding either the Third Ethernet or Third SFP port of the module depending on the above port configuration mentioned (media-type rj45/sfp)
    The ports GigabitEthernet0/0 - x are the ports that are in every ASA, Ports GigabitEthernet1/0 - x are the expansion modules ports
    Hope this helps. Hopefully I remembered that right.
    - Jouni

  • Router stats?

    Recently moved my router downstairs due to building work and router speed is very very slow. These are my stats:
    System Up Time: 74:16:36
    Port   Status   TxPkts / RxPkts / Collision Pkts / Tx b/s / Rx b/s   Up Time
    WAN    MER      13871598201034130830012274905                        74:15:17
    LAN    Up       994337742733067571840                                74:16:36
    WLAN   Up       19602845134532939243927289344                        74:16:13
    Broadband Link     Downstream   Upstream
    Connection Speed   20000 kbps   3690 kbps
    Line Attenuation   24.6 dB      0.0 dB
    Noise Margin       7.8 dB       6.6 dB

    According to those stats, you are getting 20Mbps downstream and about 3.7 upstream.
    What speeds are you getting and how are you measuring them?
    Try performing a speedtest using www.speedtest.net with a wired connection to the Sky Hub and see what it says.
