• Status: Solved

Cisco ASA 5500 static route

Our setup was:
ASA5500 firewall - inside
ASA5500 firewall - outside
route to internet -

I therefore had to enter a static rule telling it the default route was all traffic to

This worked fine.

However, I have changed the setup so that the ASA outside has a public IP address which is reachable from the internet.

What puzzles me is that I did not have to change the static route (even though was no longer there) and the ASA correctly routed traffic out.

Is this by design, and can I remove the static default route from the setup?
1 Solution
What does the route table look like?  Are you running any type of dynamic routing protocols?
MawallaceAuthor Commented:
NB I got my 2s and 1s mixed up! The Netgear router to internet is - The ASA outside is!

I have OSPF turned on on the inside, if you have a look at the config, but not on the outside connection, so I am still puzzled how it learnt the new route from the Netgear router.

I had to put the network back to the original configuration, and this is what I get now!
Routing table:
S    Bury_LAN [1/0] via, outside
S    Newmarket_LAN [1/0] via, outside
S [1/0] via, outside
S    Sudbury_LAN [1/0] via, outside
C is directly connected, outside
C    Thetford_LAN is directly connected, inside
S* [1/0] via, outside

EXTRACT of config

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Thetford_LAN
access-group inside_access_in in interface inside
route outside 1
router ospf 10
 network Thetford_LAN area 0
 redistribute static subnets
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 4
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy VPNUsers internal
group-policy VPNUsers attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec

Pete Long, Technical Consultant, Commented:
router ospf 10
 network Thetford_LAN area 0
 redistribute static subnets

You're in an OSPF routing group - the ASA can learn routes :)
The current routing table shows that all routes are either defined statically or defined "dynamically" because the ASA has an interface on that network (a.k.a. connected).

As PeteLong pointed out, you are part of an OSPF group and so the ASA can learn routes.

What you need to do is display the routing table and the log after you make the changes you want. Any route that the ASA learns will have an "O" in front of it (S = static and C = connected). The log should show you where it learned the route from.
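The check described in the comment above (display the route table, read the code letter in front of each entry, see whether the default route is static or learned) can be scripted so that a "before" and "after" capture of `show route` are compared mechanically. The following is an added example and not code from the thread or from Cisco: a small Python parser for ASA `show route` output that tags each route as static, connected or protocol-learned and reports where the current default route came from. Both sample tables are constructed; they use documentation-range addresses in place of the poster's, and the OSPF entries (including the `O*E2` default in the "after" sample) are assumed for illustration rather than taken from the poster's network.

```python
import re
from typing import Dict, List, Optional

# Constructed "before" sample, modelled on the table in this thread but with
# RFC 5737 / RFC 1918 addresses and two assumed OSPF-learned routes.
SAMPLE_BEFORE = """\
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is 192.0.2.1 to network 0.0.0.0

S    10.10.0.0 255.255.0.0 [1/0] via 192.0.2.1, outside
S    10.20.0.0 255.255.0.0 [1/0] via 192.0.2.1, outside
C    192.0.2.0 255.255.255.0 is directly connected, outside
C    10.1.1.0 255.255.255.0 is directly connected, inside
O    10.30.0.0 255.255.255.0 [110/20] via 10.1.1.2, 0:12:41, inside
O E2 10.40.0.0 255.255.255.0 [110/20] via 10.1.1.2, 0:12:41, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.0.2.1, outside
"""

# Constructed, hypothetical "after" sample: the static default has been removed
# and an OSPF neighbour on the inside is advertising a default instead.
SAMPLE_AFTER = """\
Gateway of last resort is 10.1.1.2 to network 0.0.0.0

C    192.0.2.0 255.255.255.0 is directly connected, outside
C    10.1.1.0 255.255.255.0 is directly connected, inside
O    10.30.0.0 255.255.255.0 [110/20] via 10.1.1.2, 0:12:41, inside
O*E2 0.0.0.0 0.0.0.0 [110/1] via 10.1.1.2, 0:00:10, inside
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One route line: code (with optional OSPF/EIGRP sub-type), network, mask, then
# either "[AD/metric] via <gw>, [uptime,] <iface>" or "is directly connected, <iface>".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]\*?(?: ?(?:E[12]|IA|N[12]|EX|L[12]|ia))?)\s+"
    rf"(?P<network>{IPV4})\s+(?P<mask>{IPV4})\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+"
    rf"(?P<gateway>{IPV4}),\s+(?:[\d:]+,\s+)?"
    r"|is directly connected,\s+)"
    r"(?P<interface>\S+)$"
)

# Route sources that were configured or implied by an interface, not learned.
LOCAL_SOURCES = {"S", "C", "U", "P"}


def parse_routes(show_route_text: str) -> List[Dict]:
    """Turn 'show route' output into a list of route dicts, skipping the legend."""
    routes = []
    for line in show_route_text.splitlines():
        m = ROUTE_RE.match(line.rstrip())
        if not m:
            continue  # legend, gateway-of-last-resort banner, blank lines
        code = m.group("code")
        routes.append({
            "code": code,
            "source": code[0],                 # "S*" -> "S", "O E2" / "O*E2" -> "O"
            "candidate_default": "*" in code,
            "network": m.group("network"),
            "mask": m.group("mask"),
            "ad": int(m.group("ad")) if m.group("ad") else 0,
            "metric": int(m.group("metric")) if m.group("metric") else 0,
            "gateway": m.group("gateway"),     # None for connected routes
            "interface": m.group("interface"),
        })
    return routes


def is_dynamic(route: Dict) -> bool:
    """True for routes learned from a protocol (O, R, B, D, ...), False for S/C/U/P."""
    return route["source"] not in LOCAL_SOURCES


def learned_routes(routes: List[Dict]) -> List[Dict]:
    return [r for r in routes if is_dynamic(r)]


def default_route(routes: List[Dict]) -> Optional[Dict]:
    for r in routes:
        if r["network"] == "0.0.0.0" and r["mask"] == "0.0.0.0":
            return r
    return None


def explain_default(routes: List[Dict]) -> str:
    """'static', 'dynamic' or 'none': where the current default route came from."""
    d = default_route(routes)
    if d is None:
        return "none"
    return "dynamic" if is_dynamic(d) else "static"


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        table = parse_routes(text)
        print(f"{label}: {len(table)} routes, default route is {explain_default(table)}")
        for r in learned_routes(table):
            print(f"  learned: {r['code']:<4} {r['network']} {r['mask']} "
                  f"via {r['gateway']} ({r['interface']})")
```

Capture `show route` once with the static default in place and once after removing it, feed each capture to `parse_routes`, and compare `explain_default` on the two: "static" means the `route outside` line is still doing the work, "dynamic" means a neighbour is advertising a default and the log should show which one, and "none" means the default really is gone. Any entry that `learned_routes` returns on the "after" capture is the protocol-sourced route the comment above says to look for.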
MawallaceAuthor Commented:
I am a bit confused (does not take much).

The interface that is Thetford LAN is the inside (internal) network;

the side I made changes to was the outside interface.

Does the fact that the internal interface has OSPF turned on mean that it will "learn" routes to the outside on the outside?

I thought the router that the outside was connected to did not support OSPF (it is a Netgear) - the Netgear does support RIP, though, but I thought this was a different protocol.
Need to see the config and the route table when it was in the state that you are asking the question about.
