Thursday, December 20, 2012

Tutorial of Static & Dynamic Routing and Configuring Static Routing on Cisco ASA Firewall

The main features of static routing:
1. Routes are configured manually and stay fixed until an administrator changes them.
2. Stable.
3. Not affected by traffic load or transmission failures.
4. Generates no traffic from routing protocols.

Advantages & Disadvantages:
Static routing requires a network administrator with knowledge of the internetwork topology to build and update the routing table manually, programming every route by hand. Static routers work well for small internetworks but do not scale to large or dynamically changing internetworks because of this manual administration.
Static routers are not fault tolerant. A manually configured static route has an infinite lifetime, so static routers do not sense downed routers or downed links and cannot recover from them.
Given these points, for a small business I still recommend not using dynamic routing and sticking with static routes. One purpose of a firewall is to hide the addressing and topology of your internal trusted network; by enabling dynamic routing on the firewall you might advertise internal routes to untrusted networks and so expose your network to threats.
Cisco ASA Configuration

The main features of dynamic routing:
1. Sets up routes automatically.
2. Responds to changes in the network.
3. Automatically selects the optimal route.
4. Automatically selects a backup route.

Advantages & Disadvantages:
Except for their initial configuration, dynamic routers require little ongoing maintenance, and therefore can scale to larger internetworks. Dynamic routing is fault tolerant. Dynamic routes learned from other routers have a finite lifetime. If a router or link goes down, the routers sense the change in the internetwork topology through the expiration of the lifetime of the learned route in the routing table. This change can then be propagated to other routers so that all the routers on the internetwork become aware of the new internetwork topology.
The ability to scale and recover from internetwork faults makes dynamic routing the better choice for medium, large, and very large internetworks.

Details of configuring static routing on Cisco ASA Firewall
[Figure: Configuring Static Routing on Cisco ASA Firewall]
The diagram above shows the topology and helps clarify how to configure static routing.
To begin with, the ASA connects to the internet on the outside and also has a DMZ and Internal zones. The default gateway towards the ISP is 200.1.1.1. The DMZ network is 10.0.0.0/24 and the internal LAN1 network is 192.168.1.0/24. LAN1 is directly connected to the Inside interface of the firewall.
Additionally, there is another internal network, namely LAN2, with network 192.168.2.0/24. LAN2 is not directly connected to the firewall. Rather, there is an internal router with address 192.168.1.1 through which we can reach LAN2. Therefore, in order for the ASA to reach network LAN2, we need to configure a static route to tell the firewall that network 192.168.2.0/24 can be reached via 192.168.1.1.
Therefore, we need to configure two static routes: one default static route for Internet access, and one internal static route to reach network LAN2. For the directly connected networks (DMZ and LAN1) we don't need to configure a static route, since the firewall already knows about these networks from the interfaces they are attached to.
Configuration:
The format of the static route command is:
ASA (config)# route [interface name] [destination address] [netmask] [gateway]
! First configure a default static route towards the default gateway
ASA (config)# route outside 0.0.0.0 0.0.0.0 200.1.1.1
! Then configure an internal static route to reach network LAN2
ASA (config)# route inside 192.168.2.0 255.255.255.0 192.168.1.1
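As an added example (not part of the original post and not Cisco's own software), the following Python script models the ASA routing table described above and resolves destinations with longest-prefix match. It shows why the directly connected DMZ and LAN1 networks need no route, why 0.0.0.0/0 only catches what nothing more specific matches, and where LAN2 traffic would go if the internal static route were left out: it would follow the default route towards the ISP. The parse_route helper, the interface names used as plain strings, and the sample destination addresses are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected


def parse_route(line: str) -> Route:
    """Parse 'route <interface> <destination> <netmask> <gateway>' into a Route.

    Accepts the line with or without the 'ASA (config)#' prompt in front of it.
    The dotted netmask is converted to a prefix length by the ipaddress module.
    """
    if "#" in line:
        line = line.split("#", 1)[1]
    words = line.split()
    if len(words) != 5 or words[0] != "route":
        raise ValueError(f"not a static route command: {line!r}")
    _, iface, dest, mask, gw = words
    prefix = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
    return Route(prefix, iface, ipaddress.ip_address(gw))


def route_cmd(r: Route) -> str:
    """Render a static route back into the ASA 'route' command format."""
    return f"route {r.interface} {r.prefix.network_address} {r.prefix.netmask} {r.gateway}"


def connected(iface: str, cidr: str) -> Route:
    """A route the firewall learns from an interface address, not from config."""
    return Route(ipaddress.ip_network(cidr), iface, None)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins.

    The default route 0.0.0.0/0 has prefix length 0, so it is chosen only when
    no other entry contains the destination.
    """
    dst_ip = ipaddress.ip_address(dst)
    matches = [r for r in table if dst_ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def next_hop(table: List[Route], dst: str) -> str:
    """Human-readable forwarding decision for dst."""
    r = lookup(table, dst)
    if r is None:
        return "unroutable"
    if r.gateway is None:
        return f"{r.interface} (directly connected)"
    return f"{r.interface} via {r.gateway}"


# Constructed table for the topology in the post: DMZ and LAN1 are directly
# connected; the two static routes are exactly the commands shown above.
CONNECTED_ROUTES = [
    connected("dmz", "10.0.0.0/24"),
    connected("inside", "192.168.1.0/24"),
]
STATIC_ROUTES = [
    parse_route("ASA (config)# route outside 0.0.0.0 0.0.0.0 200.1.1.1"),
    parse_route("ASA (config)# route inside 192.168.2.0 255.255.255.0 192.168.1.1"),
]
FULL_TABLE = CONNECTED_ROUTES + STATIC_ROUTES

# Same table with the LAN2 route missing, to show the failure mode.
TABLE_WITHOUT_LAN2 = CONNECTED_ROUTES + STATIC_ROUTES[:1]


if __name__ == "__main__":
    # Sample destinations (constructed): one host in each zone plus an Internet host.
    for dst in ("192.168.1.50", "10.0.0.5", "192.168.2.10", "8.8.8.8"):
        print(f"{dst:>14} -> {next_hop(FULL_TABLE, dst)}")
    print("LAN2 host with the internal route missing ->",
          next_hop(TABLE_WITHOUT_LAN2, "192.168.2.10"))
```

The last line of the output is the point worth remembering: with only the default route in place, a packet for 192.168.2.10 is sent out the outside interface towards 200.1.1.1, so a forgotten internal static route does not just break connectivity to LAN2, it pushes traffic for an internal network towards the ISP.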
Related to: tech21century.com/configure-static-routing-on-cisco-asa-firewall
