Cisco ASA 5500 static route

Our setup was:
ASA5500 firewall - inside 192.168.0.1
ASA5500 firewall - outside 192.168.1.1
route to internet - 192.168.1.2

I therefore had to enter a static rule telling it the default route was all traffic to 192.168.1.2.

This worked fine.

However, I have changed the setup so that the ASA outside has a public IP address which is reachable from the internet.

What puzzles me is that I did not have to change the static route (even though 192.168.1.2 was no longer there) and the ASA correctly routed traffic out.

Is this by design, and can I remove the static default route from the setup?
Mawallace asked:

giltjr commented:
What does the route table look like? Are you running any type of dynamic routing protocols?

Mawallace (Author) commented:
NB: I got my 2s and 1s mixed up! The Netgear router to the internet is 192.168.2.1; the ASA outside is 192.168.2.2!

I have OSPF turned on on the inside, if you have a look at the config, but not on the outside connection, so I am still puzzled how it learnt the new route from the Netgear router.

I had to put the network back to the original configuration, and this is what I get now!
Routing table:
S    Bury_LAN 255.255.255.0 [1/0] via 192.168.2.1, outside
S    Newmarket_LAN 255.255.255.0 [1/0] via 192.168.2.1, outside
S    172.21.0.1 255.255.255.255 [1/0] via 192.168.2.1, outside
S    Sudbury_LAN 255.255.255.0 [1/0] via 192.168.2.1, outside
C    192.168.2.0 255.255.255.0 is directly connected, outside
C    Thetford_LAN 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.2.1, outside

Extract of config:

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Thetford_LAN 255.255.255.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
!
router ospf 10
 network Thetford_LAN 255.255.255.0 area 0
 log-adj-changes
 redistribute static subnets
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 4
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy VPNUsers internal
group-policy VPNUsers attributes
 wins-server value 210.0.0.1
 dns-server value 210.0.0.1
 vpn-tunnel-protocol IPSec

Pete Long (Technical Consultant) commented:
router ospf 10
 network Thetford_LAN 255.255.255.0 area 0
 log-adj-changes
 redistribute static subnets

You're in an OSPF routing group - the ASA can learn routes :)

giltjr commented:
The current routing table shows that all routes are either defined statically or defined "dynamically" because the ASA has an interface on that network (a.k.a. connected).

As PeteLong pointed out, you are part of an OSPF group and so the ASA can learn routes.

What you need to do is display the routing table and the log after you make the changes you want. Any route that the ASA learns will have an "O" in front of it (S = static and C = connected). The log should show you where it learned the route from.
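As an added example (not code from the thread or from any of its participants), the check giltjr describes can be scripted rather than eyeballed: parse the ASA `show route` output, classify each entry by its route code, find the installed 0.0.0.0/0 entry and its source, and diff two snapshots to see exactly which routes appeared or vanished after a change. The first sample below is the routing table posted above; the second is a constructed "after" snapshot in which the static default has been removed and an OSPF neighbour on the inside supplies one instead. The neighbour address 192.168.0.5, the 10.10.0.0/16 prefix and the E2 subtype are assumptions made for the example.

```python
"""Classify Cisco ASA 'show route' entries and diff two snapshots.

Added example; not code from the thread. Handles the common line shapes:
static/learned routes with [AD/metric] and a next hop, and connected routes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Single-letter route codes as printed by the ASA.
ROUTE_CODES = {"C": "connected", "S": "static", "O": "ospf",
               "R": "rip", "D": "eigrp", "B": "bgp"}

# "S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.2.1, outside"
# "O E2 10.10.0.0 255.255.0.0 [110/20] via 192.168.0.5, inside"
_VIA_RE = re.compile(
    r"^(?P<code>[A-Z])(?P<star>\*)?(?:\s*(?P<sub>E1|E2|IA|N1|N2))?\s+"
    r"(?P<dst>\S+)\s+(?P<mask>\S+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+"
    r"via\s+(?P<nh>[\d.]+),\s+(?P<iface>\S+)\s*$")
# "C    192.168.2.0 255.255.255.0 is directly connected, outside"
_CONNECTED_RE = re.compile(
    r"^C(?P<star>\*)?\s+(?P<dst>\S+)\s+(?P<mask>\S+)\s+is directly connected,"
    r"\s+(?P<iface>\S+)\s*$")


@dataclass(frozen=True)
class Route:
    source: str                    # connected / static / ospf / rip / ...
    dst: str                       # network address or named object
    mask: str
    iface: str
    next_hop: Optional[str]        # None for connected routes
    admin_distance: Optional[int]
    metric: Optional[int]
    candidate_default: bool        # the '*' flag after the code
    subtype: Optional[str]         # OSPF E1/E2/IA/N1/N2, else None

    @property
    def is_default(self) -> bool:
        return self.dst == "0.0.0.0" and self.mask == "0.0.0.0"

    @property
    def learned(self) -> bool:
        """True for anything a routing protocol installed (O, R, D, B)."""
        return self.source not in ("static", "connected")


def parse_show_route(text: str) -> List[Route]:
    """Parse 'show route' output; header and unrecognised lines are skipped."""
    routes: List[Route] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _CONNECTED_RE.match(line)
        if m:
            routes.append(Route("connected", m["dst"], m["mask"], m["iface"],
                                None, None, None, bool(m["star"]), None))
            continue
        m = _VIA_RE.match(line)
        if m:
            routes.append(Route(ROUTE_CODES.get(m["code"], m["code"]), m["dst"],
                                m["mask"], m["iface"], m["nh"], int(m["ad"]),
                                int(m["metric"]), bool(m["star"]), m["sub"]))
    return routes


def default_route(routes: List[Route]) -> Optional[Route]:
    """The installed 0.0.0.0/0 entry, if any (the RIB only holds the winner)."""
    return next((r for r in routes if r.is_default), None)


def learned_routes(routes: List[Route]) -> List[Route]:
    return [r for r in routes if r.learned]


def diff_tables(before: List[Route], after: List[Route]) -> Tuple[List[Route], List[Route]]:
    """Return (removed, added) entries between two snapshots."""
    key = lambda r: (r.dst, r.mask, r.iface)
    b, a = set(before), set(after)
    return sorted(b - a, key=key), sorted(a - b, key=key)


# Routing table exactly as posted in the thread: static default, nothing learned.
POSTED_TABLE = """\
S    Bury_LAN 255.255.255.0 [1/0] via 192.168.2.1, outside
S    Newmarket_LAN 255.255.255.0 [1/0] via 192.168.2.1, outside
S    172.21.0.1 255.255.255.255 [1/0] via 192.168.2.1, outside
S    Sudbury_LAN 255.255.255.0 [1/0] via 192.168.2.1, outside
C    192.168.2.0 255.255.255.0 is directly connected, outside
C    Thetford_LAN 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.2.1, outside
"""

# CONSTRUCTED snapshot: static default removed, an inside OSPF neighbour
# (192.168.0.5 is assumed) now advertises 10.10.0.0/16 and a default route.
AFTER_TABLE = """\
S    Bury_LAN 255.255.255.0 [1/0] via 192.168.2.1, outside
S    Newmarket_LAN 255.255.255.0 [1/0] via 192.168.2.1, outside
S    172.21.0.1 255.255.255.255 [1/0] via 192.168.2.1, outside
S    Sudbury_LAN 255.255.255.0 [1/0] via 192.168.2.1, outside
C    192.168.2.0 255.255.255.0 is directly connected, outside
C    Thetford_LAN 255.255.255.0 is directly connected, inside
O E2 10.10.0.0 255.255.0.0 [110/20] via 192.168.0.5, inside
O*E2 0.0.0.0 0.0.0.0 [110/1] via 192.168.0.5, inside
"""

if __name__ == "__main__":
    before, after = parse_show_route(POSTED_TABLE), parse_show_route(AFTER_TABLE)
    for label, snap in (("before", before), ("after", after)):
        d = default_route(snap)
        print(f"{label}: default via {d.next_hop} ({d.source})" if d else f"{label}: no default route")
    removed, added = diff_tables(before, after)
    print("removed:", [(r.dst, r.source) for r in removed])
    print("added:  ", [(r.dst, r.source) for r in added])
```

One caveat the snapshot diff does not remove: the ASA installs only the best route per prefix, and a configured static default (administrative distance 1) beats an OSPF-learned one (distance 110), so while the `route outside 0.0.0.0 0.0.0.0 192.168.2.1 1` line is present an OSPF default never appears in `show route` at all. To find out what would take over, remove the static in a maintenance window and diff the two snapshots as above, or inspect the OSPF database rather than the RIB. Note also that the posted `router ospf 10` block only covers the inside network, so any learned default would have to arrive from an inside neighbour, not from the Netgear on the outside.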

Mawallace (Author) commented:
I am a bit confused (does not take much).

The interface that is Thetford LAN is the inside (internal) network;

the side I made changes to was the outside interface.

Does the fact that the internal interface has OSPF turned on mean that it will "learn" routes to the outside on the outside?

I thought the router that the outside was connected to did not support OSPF (it is a Netgear). The Netgear does support RIP, though, but I thought this was a different protocol.
giltjr commented:
Need to see the config and the route table when it was in the state that you are asking the question about.

Mawallace (Author) commented:
No