{"id":774,"date":"2016-09-26T12:19:11","date_gmt":"2016-09-26T04:19:11","guid":{"rendered":"https:\/\/networkingnotesblog.wordpress.com\/?p=774"},"modified":"2016-09-26T12:19:11","modified_gmt":"2016-09-26T04:19:11","slug":"cisco-asa-routing-sample","status":"publish","type":"post","link":"http:\/\/notes4it.com\/?p=774","title":{"rendered":"Cisco ASA &#8211; routing sample"},
"content":{"rendered":"<p>In this post, I will show you how to set up a Cisco ASA firewall so that it serves as a layer 3 packet forwarding device. The example is demonstrated with the 192.168.3.10\/32 machine accessing 9.9.9.92\/32 via iPerf. Only simple routing is involved; there is no NAT.<br \/>\nIn this setup, the ASA acts as the gateway between the office network and the internet. 192.168.3.0\/24 is the internal subnet and 10.0.0.20\/30 is the internet side. There are a couple of areas we have to handle: routing and policy. Since the ASA is a stateful device, we only have to allow the internal network to initiate connections to the external network, not vice versa; return traffic for those connections is permitted by the connection table.<br \/>\n<!--more--><br \/>\nFirst, we have to associate the interfaces with a &#8220;zone&#8221;. In this case, the internal network is called &#8220;inside&#8221; and the external one &#8220;untrust&#8221;. By default, the ASA denies traffic flowing from a lower security level zone to a higher security level zone and permits traffic from a higher level to a lower one. Therefore, when inside has level 100 and untrust has level 0, traffic from inside to untrust is allowed without any additional policy.<br \/>\ninterface GigabitEthernet0\/2<br \/>\nnameif inside<br \/>\nsecurity-level <strong>100<\/strong><br \/>\nip address 192.168.3.1 255.255.255.0<br \/>\ninterface GigabitEthernet0\/0<br \/>\nnameif untrust<br \/>\nsecurity-level <strong>0<\/strong><br \/>\nip address 10.0.0.22 255.255.255.252<br \/>\nAfter applying the interface configuration and pinging the peers, the ARP records are listed below.<br \/>\nLAB-ASA-03# sho arp<br \/>\nuntrust 10.0.0.21 000c.29ab.c69d 584<br \/>\ninside 192.168.3.10 000c.2953.a096 943<br \/>\nAt this moment, 192.168.3.10 still cannot reach 9.9.9.2 because no route has been applied on the ASA yet. So we set a default route on the ASA to send traffic from the internal network to the external one. The command below sets the default route with a next hop of 10.0.0.21.<br \/>\nLAB-ASA-03# sho run route<br \/>\nroute untrust 0.0.0.0 0.0.0.0 10.0.0.21<br \/>\nOnce the default route is applied, 192.168.3.10 can run iperf to 9.9.9.2. The &#8220;show conn&#8221; output confirms a TCP connection initiated from 192.168.3.10 to 9.9.9.2 on port 5001 (flags U = up, O = outbound), and &#8220;show xlate&#8221; shows no translations in use, consistent with no NAT being configured.<br \/>\nFinal result:<br \/>\nLAB-ASA-03# sho conn<br \/>\n2 in use, 10 most used<br \/>\nTCP untrust 9.9.9.2:5001 inside 192.168.3.10:36712, idle 0:00:00, bytes 179232, flags UO<br \/>\nLAB-ASA-03# sho xlate<br \/>\n0 in use, 4 most used<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this post, I will show you how to set up a Cisco ASA firewall so that it serves as a layer 3 packet forwarding device. The example is demonstrated with the 192.168.3.10\/32 machine accessing 9.9.9.92\/32 via iPerf. Only simple routing is involved; there is no NAT. In this setup, the ASA acts as the [&hellip;]<\/p>\n","protected":false},
"author":1,"featured_media":780,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[13,14,26,46,69,77,82,131,141,147,151],"class_list":["post-774","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-networking","tag-arp-en","tag-asa-en","tag-cisco-en","tag-firewall-en","tag-ifname-en","tag-ip-address-en","tag-iperf-en","tag-policy-en","tag-route-en","tag-routing-en","tag-security-level-en"],"_links":{"self":[{"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/posts\/774","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/notes4it.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=774"}],"version-history":[{"count":0,"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/posts\/774\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/media\/780"}],"wp:attachment":[{"href":"http:\/\/notes4it.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=774"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/notes4it.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=774"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/notes4it.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=774"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}