Cisco ASA – Route Outside Track Configuration

cisco-asa

I understand route outside (static route) configuration is used to tell the ASA to communicate to the outside world or to traverse internet traffic, but I am confused with this command:

route outside 10.10.10.0 255.255.255.0 192.168.1.1 [1]

route if_name dest_ip mask gateway_ip – what does the [1] in the end corresponds to?

and

route outside 10.10.10.0 255.255.255.0 192.168.1.1 track [number]

What does track means?

Regards,

Best Answer

In the first example, the 1 sets the administrative distance of the route. By default, the administrative distance of a static route is 1, so normally you wouldn't need to set it.

The track feature allows the route to be conditionally installed in the forwarding table based on the status of the tracked object -- usually an IP SLA monitor or an interface status. If the IP SLA monitor is valid, for example, if an external IP is pingable, the route gets installed in the forwarding table. If it isn't, the route is not installed.

These features can be combined to provide backup routing on the ASA. Imagine you have two interfaces: outside and backup. You want the default route to use the outside interface as long as the next hop is reachable. If it isn't, traffic should use the backup interface. You can configure something like this:

route outside 0.0.0.0 0.0.0.0 1.2.3.4 track 1

route backup 0.0.0.0 0.0.0.0 5.6.7.8 254

sla monitor 1
 type echo protocol ipIcmpEcho 1.2.3.4 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now

The monitor pings the next hop address every 10 seconds. As long as it gets a response, the first route is installed in the forwarding table. If the monitor fails, the route is removed.

Note that the second route has an administrative distance of 254. when the first route is valid, it will be installed in the routing table because it has a lower administrative distance compared to the second route. When the route is removed, the second route gets installed. This has the effect of routing traffic to 1.2.3.4 if that address is reachable. Otherwise traffic uses the backup route to 5.6.7.8.

Cisco has a similar example here

Related Solutions

Cisco ASA Dynamic Routing – Originating a NAT Block

Creating a static route for "10.100.00.0/23" and redistributing it to EIGRP should do the trick.

The static route would lift it into the routing table and the redistribution of static routs will announce the route to the EIGRP neighbors.

Cisco ASA 9.0(1) – NAT / PAT

Here's an example configuration for what you're looking to accomplish.

First create an object for you server:

object network SRV1
host 10.203.5.1

Next, create the PAT rule that uses your outside interface IP:

object network SRV1
nat (inside,outside) static interface service tcp 3389 10001

The packet processing order of operations on 8.2 code and below is ACL --> NAT. Post 8.3 code is NAT --> ACL, so your ACL will have a permit to the inside network IP.

Finally, create your ACL rule:(assuming your access list name is outside_access_in)

access-list outside_access_in extended permit tcp any object SRV1 eq 3389

Rinse and repeat.

Best Answer

Related Solutions

Cisco ASA Dynamic Routing – Originating a NAT Block

Cisco ASA 9.0(1) – NAT / PAT

Related Topic