Tag#2 Routing over ASA
- sukeshtandon
- Sep 26, 2018
Updated: Sep 27, 2018
STATIC || EIGRP || RIP || OSPF
STATIC ROUTEs
The simplest route to configure is the static route.
hostname(config)#route inside 200.0.122.0 255.255.255.0 10.0.125.12
Default Route
You can enter 0 0 instead of 0.0.0.0 0.0.0.0 for the destination network address and mask, as shown in the following example:
hostname(config)# route outside 0 0 192.168.1 1
The main part of static routing to understand is tracking and SLA. The ASA implements this feature by associating a static route with a monitoring target that you define, and monitors the target using ICMP echo requests. If an echo reply is not received within a specified time period, the object is considered down and the associated route is removed from the routing table. A previously configured backup route is used in place of the removed route.
LAB

We have added one extra interface on the same subnet to test the secondary route.
Since I added a new switch, no configuration has been made on the switch.
The ASA has been configured with the following commands.
ciscoasa(config)# sla monitor 1
ciscoasa(config-sla-monitor)# type echo protocol ipIcmpEcho 200.0.122.2 interface outside
ciscoasa(config-sla-monitor-echo)# timeout 1000
ciscoasa(config-sla-monitor-echo)# frequency 3
ciscoasa(config)# sla monitor schedule 1 start-time now life forever

We can see that the ping packets are captured on the interface of the switch (gi 0/0) because we don't have SLA configured for 200.0.122.1.
Now that the SLA is running, let us tie this to an enhanced object.
ciscoasa(config)# track 2 rtr 1 reachability
ciscoasa(config)# show track
Track 2
Response Time Reporter 1 reachability
Reachability is Up
1 change, last change 00:01:43
Latest operation return code: OK
Latest RTT (millisecs) 10
Observe the output of the SLA instance: the return code is OK. (Reachability is Up means the object is up.)
As long as the object is up, any routes tied to the object can be installed in the routing table.
Let's see if this works.
ciscoasa(config)# route outside 0 0 200.0.122.2 track 2
ciscoasa(config)# route outside 0 0 200.0.122.1 2 (#increased AD value)

Notice that there is only 1 route in the routing table.
ciscoasa# traceroute 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.1.1.1
1 200.0.122.2 10 msec 10 msec 10 msec
2 200.0.1.1 40 msec * 30 msec
Let's pull that route down.
OUTSIDE(config)#int fa 0/0
OUTSIDE(config-if)#shut
ciscoasa# traceroute 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.1.1.1
1 200.0.122.1 10 msec 10 msec 10 msec
2 200.0.0.1 20 msec * 10 msec
I just brought the interface back up, and while reverting back to the primary route not even a single drop was observed.
ciscoasa# ping 10.1.1.1 repeat 1000000000
Type escape sequence to abort.
Sending 1000000000, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (795/795), round-trip min/avg/max = 10/23/40 ms
ciscoasa# traceroute 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.1.1.1
1 200.0.122.2 10 msec 10 msec 10 msec
2 200.0.1.1 20 msec * 10 msec

Just for information: when the outside interface was forced to shut down, the Latest operation return code was Timeout.
Whereas when it was brought up BACK!

IT WAS OKKKKK!!!!
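The lab above only fails over cleanly when every piece is present: the SLA monitor, its schedule, the track object, the tracked route and a backup route with a higher AD. The following check over a saved configuration is an added example, not part of the original post; the helper name audit_tracked_routes and the sample config text are constructed for illustration.

```python
import re

# Constructed sample: the lab's commands as they would appear in a saved config.
SAMPLE_CONFIG = """\
sla monitor 1
 type echo protocol ipIcmpEcho 200.0.122.2 interface outside
 timeout 1000
 frequency 3
sla monitor schedule 1 life forever start-time now
track 2 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 200.0.122.2 1 track 2
route outside 0.0.0.0 0.0.0.0 200.0.122.1 2
"""

# route <if> <net> <mask> <gateway> [distance] [track <id>]
ROUTE_RE = re.compile(
    r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?\s*$", re.M)


def audit_tracked_routes(config):
    """Hypothetical helper: list problems with static routes that use 'track'."""
    slas = set(re.findall(r"^sla monitor (\d+)\s*$", config, re.M))
    scheduled = set(re.findall(r"^sla monitor schedule (\d+)\b", config, re.M))
    tracks = dict(re.findall(r"^track (\d+) rtr (\d+) reachability\s*$", config, re.M))
    routes = [(ifc, net, mask, gw, int(dist or 1), trk)
              for ifc, net, mask, gw, dist, trk in ROUTE_RE.findall(config)]
    findings = []
    for ifc, net, mask, gw, dist, trk in routes:
        if not trk:
            continue  # untracked routes are never withdrawn by SLA
        sla = tracks.get(trk)
        if sla is None:
            findings.append(f"route via {gw}: track {trk} is not defined")
        elif sla not in slas:
            findings.append(f"track {trk}: sla monitor {sla} is not defined")
        elif sla not in scheduled:
            findings.append(f"sla monitor {sla} is not scheduled, so no probes are sent")
        # Failover needs another route to the same prefix with a higher distance.
        if not any(r[1:3] == (net, mask) and r[3] != gw and r[4] > dist
                   for r in routes):
            findings.append(f"route via {gw}: no backup route with a higher distance")
    return findings


if __name__ == "__main__":
    print(audit_tracked_routes(SAMPLE_CONFIG) or "tracked routes look complete")
```
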