Cisco ASA Management and Routing Help

ciscocisco-asafirewallrouting

Hoping somebody can help me understand what I'm doing wrong here. Here is the diagram:

[![enter image description here][1]][1]

We have an ASA sitting at the edge. The FirePower module is connected via the management interface (with "no ip address" configured on ASA, but IP configured on FirePower). The ASA is managed through interface 1/2.

There is an exit subnet configured that should be used for routing all traffic to/from the outside.

The environment has a separate subnet for management (physical devices mostly, hyper-v, storage, etc) which is the 10.10.5.0/24 network and another subnet for end-user-accessed servers, pretty much all VMs. The ASA has to contact some of these servers for various network services like DNS, RADIUS, and others. So if I want the ASA to authenticate a VPN user through RADIUS, I would like it to send that traffic via 10.10.5.1, not 172.16.98.1. I can't get this to work. I believe the routing is breaking. I've been reading about management-only routes, but I can't seem to wrap my head around what I'm doing wrong here. The TAC engineer is very intelligent, but uninterested in going beyond break/fix. Is this is architecture design flaw?

Much appreciated.

Best Answer

I know this is not the answer that you're hoping to hear, but the answer is to manage your ASA in-band, not out-of-band. The ASA does not have VRF capabilities, meaning that the Man1/1 port (or whatever interface you designate, like Gig1/2) does not have a separate routing table, but rather functions like a regular interface and uses the regular routing table. This can cause several issues in the way the device processes certain traffic flows.

Your best path forward is to shutdown your Gi1/2 interface, and remove the MANAGEMENT_SUBNET nameif. Then, add a static route for the 10.10.5.0/24 pointing to 172.16.98.1 like everything else.

All your problems will then go away except your nagging desire to manage the firewall on the management network, "like everything else". The thing is, your firewall isn't like everything else. Management networks are designed for non-network devices (meaning servers, storage, whatever else) and probably layer 2 switches. Layer 3 devices like routers and firewalls use their IP addresses to make behavioral decisions, and are much more effectively managed with a loopback address, or an in-band IP address.

Related Solutions

Cisco – How to install SSL key and certificate on SG 300-10 (and SSH functionality)

I use an SG300 at home as my core switch. Getting SSH set up is not too bad:

conf t
crypto key generate rsa
ip ssh server
end

That will generate the SSH key and enable the SSH server. If you question-mark your way along those command structures you will find some options.

You can view the public and private RSA SSH keys with:

show crypto key rsa

I've not done an SSL cert import myself, but looking through the CLI I'd take a stab at the following:

conf t
crypto certificate 1 import
ip https certificate 1

There are two "slots" for certificates, so you can specify slot 1 or 2 for the import or a self-signed certificate generation.

The import function does not seem to have an option to install a PKCS12 certificate, so you may need to import the private key separately with:

conf t
crypto key import rsa

I'm not 100% sure on the SSL setup, but the SSH key setup above works.

Cisco ASA Routing Issue

Best practice wise - should I let the router or the ASA handle NAT (Overloading)?

In the most general of design best practices NAT is performed between an inside and outside network. NAT overloading is generally performed at the edge when there is limited public IP address space. You can learn more about NAT overloading, also known as Port Address Translation or PAT, in RFC 2663 (PAT is referred to as Network Address Port Translation (NAPT) in section 4.1.2).

In this particular scenario you can argue that you have two inside and outside networks and will need to perform some form of NAT on both the ASA (whether that is the NAT overloading you're using now, NAT exemption, static NAT, etc) and the Cisco Router.

I can ping the 172.16.2.2 interface but not 172.16.2.1 from a pc connected to one of the layer 2 switches (proves intervlan routing is working -- i have a 172.20.100.8 address on the PC). Why can't I ping 172.16.2.1 from a PC but I can from the Layer 3 Switch?

The ASA 172.16.2.2 is receiving the ICMP echo-request but does not have a route back to 172.20.100.0/27. The echo-reply is actually being forwarded to the Router 172.16.1.1 via the default route.

And most of all -- Why can't I get out to the Internet from the Layer 3 switch?

Currently your ASA and Cisco Router do not have routes to internal devices other than their connected routes.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10