Cisco ASA Chapter 9

The Cisco ASA appliance, while not a full router, supports both static and dynamic routing, including RIP, OSPF, and EIGRP, with a preference for static routing to protect internal network structure. Best practices suggest using static routes for small networks and dynamic routing for larger networks within a secure environment. The document also outlines static route configuration, tracking, and the use of RIP and OSPF for dynamic routing, emphasizing the importance of security and proper configuration to avoid exposing internal networks.

Uploaded by rudyrakhmadi72
CHAPTER 9: ROUTING PROTOCOL SUPPORT

First you need to know that the ASA appliance is not a full-functioning router. However, it still has a routing table, which is used to select the best path to reach a given destination network. After all, if a packet successfully passes all firewall rules, it still needs to be routed by the firewall to its destination.

The Cisco ASA firewall appliance supports both static and dynamic routing. Three dynamic routing protocols are supported: RIP, OSPF, and EIGRP.

It is highly recommended to prefer static routing on the ASA firewall instead of dynamic routing. Dynamic routing protocols can expose your internal network structure to the outside world: if you are not careful with the dynamic routing configuration, it is possible to start advertising your internal subnets to external untrusted networks, revealing your hidden networks to the outside world.

However, there are situations where dynamic routing is necessary. One such case is a large network in which the ASA firewall is located within the internal campus or data center. There you benefit from running a dynamic routing protocol on the ASA, since you do not have to configure tons of static routes, and you do not run the risk of revealing hidden subnets to untrusted networks (the ASA sits deep inside the campus network and has no interface towards an untrusted zone).

The following are some routing best practices for the ASA:

* For small networks, use only static routes. Use a default static route pointing to the gateway connected to the outside interface (usually the Internet), and static routes for internal networks that are more than one hop away (i.e. not directly connected).
* Any network that is directly connected to an ASA interface DOES NOT need a static route, since the ASA firewall already knows how to reach it.
* If the ASA is connected at the perimeter of the network (i.e. the border between trusted and untrusted networks), configure a default route towards the outside untrusted zone, and then configure specific static routes towards the internal networks.
* If the ASA is located deep inside a large campus network with many internal routes, configure a dynamic routing protocol.

STATIC ROUTING

There are three types of static routes:

* Directly Connected Route
* Normal Static Route
* Default Route

Directly Connected Route

The directly connected route is created automatically in the ASA routing table when you configure an IP address on an appliance interface. For example, if you configure the IP address 192.168.1.10/24 on the inside interface of the ASA, a directly connected route for 192.168.1.0 255.255.255.0 is created automatically.

Normal Static Route and Default Route

For configuring a normal static route and a default static route refer to the diagram below.

[Diagram: ASA with outside gateway 100.1.1.1 (default route) and inside router 192.168.1.1 (static route to 192.168.2.0/24)]

A static route configuration on the ASA is like telling the appliance: "To send a packet to the specified network, give it to this gateway router". Use the route command to enter either a static or a default route. The command format is:

ASA(config)# route [interface-name] [destination-network] [netmask] [gateway]

[interface-name]: The ASA interface from which the packet will exit.
[destination-network] [netmask]: The destination network/mask we want to reach.
[gateway]: The next-hop device to which the ASA will send the packet.

Let's see an example configuration (refer to the diagram above):

ASA(config)# route outside 0.0.0.0 0.0.0.0 100.1.1.1 ← Default route
ASA(config)# route inside 192.168.2.0 255.255.255.0 192.168.1.1 ← Static route: to reach network 192.168.2.0, send the packets to 192.168.1.1

For the default route (usually towards the Internet), set both the destination network and the netmask to 0.0.0.0.
All traffic for which the ASA has no more specific route in its routing table is sent to 100.1.1.1 (the gateway of the default route). To see what is in the appliance's routing table, use the "show route" command:

ASA# show route
S 0.0.0.0 0.0.0.0 [1/0] via 100.1.1.1, outside ← Default static route
C 192.168.1.0 255.255.255.0 is directly connected, inside ← Connected route
C 100.1.1.0 255.255.255.0 is directly connected, outside ← Connected route
S 192.168.2.0 255.255.255.0 [1/0] via 192.168.1.1, inside ← Static route

The bracketed [1/0] shows the administrative distance and metric of each entry. Route selection uses the longest matching prefix, so the 0.0.0.0/0 default entry is consulted only when no more specific route matches the destination.

Static Route Tracking

When you configure a static route on the security appliance, the route remains permanently in the routing table. The only way for the static route to be removed from the routing table is for the associated ASA interface to go down. In all other cases, for example when the remote default gateway goes down, the ASA keeps sending packets to that gateway router without knowing that it is actually down.

From ASA version 7.2 upwards, the Static Route Tracking feature addresses this. The ASA tracks the availability of a static route by sending ICMP echo requests through the primary path and waiting for replies. If the primary path is down, a secondary path is used. This feature is useful when you want to implement dual-ISP redundancy, as in the scenario below.

[Diagram: ASA Eth0/0 (outside) connected to the primary ISP gateway 100.1.1.1; Eth0/1 (backup) connected to the secondary ISP gateway 200.2.2.2]

In the scenario above, interface Eth0/0 (outside) is connected to the primary ISP and interface Eth0/1 (backup) is connected to the secondary ISP. Two default static routes are configured (one for each ISP) using the "track" feature. The primary ISP path is tracked using ICMP echo requests. If an echo reply is not received within the configured timeout, the secondary static route is used. Note however that this scenario is suitable only for outbound communication (that is, from the inside network towards the Internet).
Configuring Static Route Tracking

1. Use the "sla monitor" command to specify the monitoring protocol (e.g. ICMP echo), the target address to track (e.g. the ISP gateway router) and the probe timers.
2. Use the "sla monitor schedule" command to schedule the monitoring process (usually it is configured to run "forever", but the duration and start time are configurable).
3. Define the primary static route to be tracked using the "route" command with the "track" option.
4. Define the backup static route with a higher value than the primary static route. The book calls this value the metric; it is the route's administrative distance, shown as the first number in the [1/0] field of "show route", and the route with the higher value stays out of the routing table as long as the primary route is installed.

Let's see an example configuration (related to the diagram above). The first three lines use the pre-8.3 NAT syntax so that inside hosts are translated to the address of whichever ISP interface is active:

ASA(config)# global (outside) 1 interface
ASA(config)# global (backup) 1 interface
ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ASA(config)# sla monitor 100 ← Define SLA ID 100
ASA(config-sla-monitor)# type echo protocol ipIcmpEcho 100.1.1.1 interface outside
ASA(config-sla-monitor)# timeout 3000 ← Wait up to 3000 milliseconds (3 sec) for an echo reply
ASA(config-sla-monitor)# frequency 5 ← Send a probe every 5 seconds
ASA(config-sla-monitor)# exit
ASA(config)# sla monitor schedule 100 life forever start-time now ← Schedule SLA ID 100 to start now and run forever
ASA(config)# track 10 rtr 100 reachability ← Associate track ID 10 with SLA ID 100
ASA(config)# route outside 0.0.0.0 0.0.0.0 100.1.1.1 1 track 10 ← Associate track ID 10 with the primary static route and give it a distance of 1
ASA(config)# route backup 0.0.0.0 0.0.0.0 200.2.2.2 254 ← Define the backup static route with a higher distance of 254

In the scenario above, the firewall appliance probes the primary ISP gateway router (100.1.1.1) every 5 seconds (frequency 5). If an echo reply is not received within 3 seconds (timeout 3000 milliseconds), the track object goes down, the primary default route is withdrawn from the routing table and the backup default route via 200.2.2.2 takes over. Once the probes succeed again, the primary default route is reinstalled and traffic returns to the primary ISP.
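To make the behaviour described in the static routing and route tracking sections concrete, here is an added Python example; it is not code from the book or from Cisco. It parses the "show route" output shown earlier, resolves destinations with the longest-prefix-match, lowest-distance rule the routing table applies, and models the dual-ISP scenario: the tracked primary default route is a candidate only while the SLA probe is reachable, otherwise the distance-254 backup is used. The probe model (reachability follows the most recent echo reply) and the probe results are simplifying assumptions; addresses and interface names are the chapter's.

```python
"""Model of ASA static route selection and static route tracking.

Added example (not from the book or Cisco). Assumptions: reachability of the
track object follows the most recent probe result; probe results are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    code: str                        # 'S' static or 'C' connected, as in 'show route'
    network: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str]           # None for a connected route
    distance: int = 0                # first number of [1/0]; trailing value of 'route'
    track_id: Optional[int] = None   # 'route ... track N': installed only while N is up


# Constructed copy of the 'show route' output shown in the chapter.
SHOW_ROUTE = """\
S    0.0.0.0 0.0.0.0 [1/0] via 100.1.1.1, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
C    100.1.1.0 255.255.255.0 is directly connected, outside
S    192.168.2.0 255.255.255.0 [1/0] via 192.168.1.1, inside
"""

_STATIC = re.compile(r"^S\*?\s+(\S+) (\S+) \[(\d+)/\d+\] via (\S+), (\S+)$")
_CONNECTED = re.compile(r"^C\s+(\S+) (\S+) is directly connected, (\S+)$")


def parse_show_route(text: str) -> list:
    """Turn 'show route' lines (static and connected entries) into Route objects."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := _STATIC.match(line):
            net = ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False)
            routes.append(Route("S", net, m[5], m[4], distance=int(m[3])))
        elif m := _CONNECTED.match(line):
            net = ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False)
            routes.append(Route("C", net, m[3], None))
        else:
            raise ValueError(f"unrecognised show route line: {line!r}")
    return routes


def lookup(routes, destination: str, track_state=None) -> Optional[Route]:
    """Pick the route the ASA would use: longest prefix wins, then the lowest
    distance. A tracked route is a candidate only while its track object is up."""
    track_state = track_state or {}
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r.network
                  and (r.track_id is None or track_state.get(r.track_id, False))]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.distance))


def sla_reachable(probe_rtts_ms, timeout_ms: int) -> bool:
    """Simplified 'sla monitor ... type echo' reachability (assumption: the track
    object follows the most recent probe). Each entry is the echo round-trip time
    in milliseconds, or None when no reply came back at all."""
    if not probe_rtts_ms:
        return False
    last = probe_rtts_ms[-1]
    return last is not None and last <= timeout_ms


# Dual-ISP scenario from the chapter: primary default route tied to track 10,
# backup default route with distance 254, plus the connected inside network.
DUAL_ISP_ROUTES = [
    Route("S", ipaddress.IPv4Network("0.0.0.0/0"), "outside", "100.1.1.1", distance=1, track_id=10),
    Route("S", ipaddress.IPv4Network("0.0.0.0/0"), "backup", "200.2.2.2", distance=254),
    Route("C", ipaddress.IPv4Network("192.168.1.0/24"), "inside", None),
]


def active_default_gateway(routes, probe_rtts_ms, timeout_ms: int = 3000) -> str:
    """'gateway via interface' used for Internet-bound traffic given the probe history."""
    state = {10: sla_reachable(probe_rtts_ms, timeout_ms)}
    r = lookup(routes, "8.8.8.8", state)
    return f"{r.gateway} via {r.interface}"


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE)
    for dst in ("192.168.2.50", "192.168.1.20", "8.8.8.8"):
        r = lookup(table, dst)
        print(dst, "->", r.code, r.network, r.interface, r.gateway)
    print("primary ISP answering:", active_default_gateway(DUAL_ISP_ROUTES, [12, 15]))
    print("primary ISP silent:   ", active_default_gateway(DUAL_ISP_ROUTES, [12, None]))
```

Run it as a script to see the three lookups against the chapter's table and the default gateway flipping from 100.1.1.1 to 200.2.2.2 when the last probe gets no reply (or a reply slower than the 3000 ms timeout).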
DYNAMIC ROUTING USING RIP

RIP is one of the oldest dynamic routing protocols. Although it is not used a lot in modern networks, you still find it in some cases. Cisco ASA version 7.x supports RIP in a limited fashion: the appliance can only accept RIP routes and optionally advertise a default route. It cannot receive RIP advertisements from one neighbor and then advertise those routes to another neighbor. From ASA version 8.x, the security appliance supports full RIP functionality. Both RIPv1 and RIPv2 are supported; however, RIPv1 is not recommended because it does not support authentication of routing updates.

Configuring RIP

Configuration of RIP on the ASA appliance is similar to a Cisco router. RIP is configured using the "router rip" global configuration command. RIP authentication is configured in interface configuration mode.

ASA(config)# router rip
ASA(config-router)# network [network-subnet] ← network to advertise via RIP (a classful network address)
ASA(config-router)# version [1 / 2] ← select the RIP version
ASA(config-router)# default-information originate ← inject a default route into the network
ASA(config-router)# passive-interface [ASA interface name] ← stop sending RIP updates out of the specified interface
ASA(config-router)# no auto-summary ← disable automatic route summarization

The "no auto-summary" command works only for RIPv2. It disables automatic summarization of routes to their classful network boundary. For example, if you have a route 10.1.3.0/24 that you want to advertise via RIP, by default it is advertised as 10.0.0.0/8 by the ASA. With "no auto-summary" the route is advertised as 10.1.3.0/24.

Use "passive-interface" on any interface that faces an untrusted network (such as outside) whose address falls within a RIP network statement. Otherwise the routes learned from the inside neighbors are advertised there, which is exactly the exposure of the internal network structure warned about at the start of this chapter.

RIP update authentication is configured on a per-interface basis:

ASA(config)# interface [interface name]
ASA(config-if)# rip authentication mode [text / md5] ← always use md5; "text" sends the key in clear text
ASA(config-if)# rip authentication key [secret key] key_id [key ID number] ← use the same secret key on all neighbor devices running RIP

[secret key] can be up to 16 characters, and [key ID number] is a number between 0 and 255.

The diagram below shows an example network topology with an ASA firewall running RIP in a network with other routers.

[Diagram: ASA between 192.168.2.0/24 (outside, default route via 192.168.2.2) and 192.168.1.0/24 (inside, RIP neighbors receiving the injected default route)]

Assume the ASA is located between the campus network and the data center network. All router neighbors behind the inside interface are running RIP.

Configuration example:

ASA(config)# route outside 0.0.0.0 0.0.0.0 192.168.2.2
ASA(config)# router rip
ASA(config-router)# network 192.168.1.0
ASA(config-router)# version 2
ASA(config-router)# default-information originate
ASA(config-router)# exit
ASA(config)# interface GigabitEthernet0/1
ASA(config-if)# rip authentication mode md5
ASA(config-if)# rip authentication key somesecrethere key_id 10

Only the inside network appears in a "network" statement, so the ASA exchanges RIP updates with the inside neighbors (authenticated with MD5) and injects the default route towards them, while nothing is advertised out of the outside interface.

DYNAMIC ROUTING USING OSPF

OSPF (Open Shortest Path First) is a dynamic routing protocol based on link states rather than distance vectors (as in RIP) for optimal path selection. It is a much better and more scalable routing protocol than RIP, which is why it is widely used in large enterprise networks. OSPF can be very complex and one could write a whole book about it. In this section I will keep the OSPF discussion as brief as possible, and I will try to discuss the features and scenarios that are most commonly used in real networks. (Note: at the time of writing, OSPF for IPv6 is not supported on the Cisco ASA.)
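As an added example (not from the book or from Cisco), the following Python script audits the RIP part of an ASA configuration for the weaknesses discussed in the RIP section above: RIP not pinned to version 2, auto-summary left enabled, an interface facing an untrusted zone (security-level 0) still sending updates, and an interface inside a RIP network without MD5 authentication. The configuration text is constructed for the example: it is based on the chapter's RIP topology with an extra dmz interface, a deliberately broad "network 192.168.2.0" and "network 10.0.0.0", and no "passive-interface". The parser understands only the commands it checks.

```python
"""Audit the RIP configuration of an ASA for the pitfalls described in this chapter.

Added example (not from the book or Cisco). SAMPLE_CONFIG is constructed; the
'dmz' interface, the 10.1.3.0/24 subnet and the weaknesses are assumptions.
"""
import ipaddress

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
 rip authentication mode md5
 rip authentication key somesecrethere key_id 10
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.3.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.2.2 1
router rip
 network 192.168.1.0
 network 192.168.2.0
 network 10.0.0.0
 version 2
 default-information originate
"""


def classful(network: str) -> ipaddress.IPv4Network:
    """'network' under router rip takes a classful address; derive its mask."""
    first = int(network.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.IPv4Network(f"{network}/{prefix}", strict=False)


def parse(config: str):
    """Collect interface facts and the router rip block from running-config text."""
    interfaces, rip, block, cur = [], None, None, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if not line.startswith(" "):                 # top-level command
            words = line.split()
            if words[0] == "interface":
                cur = {"ifname": words[1], "nameif": None, "ip": None,
                       "security_level": None, "rip_auth": None}
                interfaces.append(cur)
                block = "interface"
            elif line == "router rip":
                rip = {"networks": [], "version": None, "passive": set(),
                       "auto_summary": True}          # ASA default: summarization on
                block = "rip"
            else:
                block = None
            continue
        words = line.split()
        if block == "interface":
            if words[0] == "nameif":
                cur["nameif"] = words[1]
            elif words[0] == "security-level":
                cur["security_level"] = int(words[1])
            elif words[:2] == ["ip", "address"]:
                cur["ip"] = ipaddress.IPv4Interface(f"{words[2]}/{words[3]}")
            elif words[:3] == ["rip", "authentication", "mode"]:
                cur["rip_auth"] = words[3]
        elif block == "rip":
            if words[0] == "network":
                rip["networks"].append(classful(words[1]))
            elif words[0] == "version":
                rip["version"] = int(words[1])
            elif words[0] == "passive-interface":
                rip["passive"].add(words[1])
            elif words == ["no", "auto-summary"]:
                rip["auto_summary"] = False
    return interfaces, rip


def audit(config: str) -> list:
    """Return one finding per RIP weakness; an empty list means nothing to report."""
    interfaces, rip = parse(config)
    findings = []
    if rip is None:
        return findings                               # static routing only
    if rip["version"] != 2:
        findings.append("RIP version is not 2: RIPv1 updates cannot be authenticated")
    if rip["auto_summary"]:
        findings.append("auto-summary enabled: subnets are summarized at classful "
                        "boundaries; add 'no auto-summary'")
    for itf in interfaces:
        if itf["ip"] is None or itf["nameif"] is None:
            continue
        in_rip = any(itf["ip"].ip in net for net in rip["networks"])
        if not in_rip or itf["nameif"] in rip["passive"]:
            continue                                  # RIP not active on this interface
        if itf["security_level"] == 0:
            findings.append(f"RIP updates leave untrusted interface '{itf['nameif']}': "
                            f"internal subnets are advertised to the outside; add "
                            f"'passive-interface {itf['nameif']}'")
        elif itf["rip_auth"] != "md5":
            findings.append(f"interface '{itf['nameif']}' runs RIP without MD5 authentication")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Against the constructed sample the audit reports three findings (auto-summary, the outside interface sending updates, and dmz without MD5), and reports nothing for the inside interface, which matches the chapter's example. Appending "passive-interface outside" and "no auto-summary" under router rip leaves only the dmz finding.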
