How to configure Static Routes on Cisco ASA Firewall

In this article, we will discuss and configure static routing on Cisco ASA Firewall in detail. Cisco ASA supports both static as well as dynamic routing protocols such as RIP, OSPF, EIGRP & BGP. You can configure the static routing using the ASDM or command-line interface. We will cover both ways to configure static routes on Cisco ASA. So, Let’s start!

static-routing-on-cisco-asa-firewall

Cisco ASA: Understanding the topology for Static Routing Configuration

Before starting the static routing configure, let’s first understand the topology so you will configure the static routes more easily. Let’s understand the below image:

static-route-configuration-on-cisco-asa-firewall

We have configured three interfaces, i.e. Outside, Inside, and DMZ on Cisco ASA Firewall. Outside Interface is connected with ISP. Some of the web servers are hosted in DMZ. Inside interface is connected with Internal Core. Further, we have two different networks are configured on the internal Core.

In this topology, we need to configure a static default route towards ISP. Since we have two networks connected with the internal core switch, then we need to configure both routes towards the internal Core.

Configuring Static Route on Cisco ASA Firewall

We must have proper privileges to configure static routes. This is an example to configure static routes on ASA Firewall

route <interface> <destination> <netmask> <next-hop>

Well, we just need to change the values like interface, a destination address, netmask, and next-hop. The interface will be the nameif you have assigned to a particular interface. Then, we need to specify the destination address with the netmask. Finally, you have to configure the next-hop IP address.

So, the default route configuration example will be

ciscoasa(config)#route outside 0.0.0.0 0.0.0.0 101.1.1.2

Similarly, we can configure inside routes that are towards our internal Core switch. Here, we need to configure two routes, i.e. 192.168.1.0/24 & 192.168.2.0/24 and the gateway will be the internal Core switch.

ciscoasa(config)#route inside 192.168.1.0 255.255.255.0 192.168.90.2
ciscoasa(config)#route inside 192.168.2.0 255.255.255.0 192.168.90.2

In this way, we have successfully configured all three static routes on Cisco ASA Firewall. You can check all these routes using the below show command:

ciscoasa# show route static
Codes: L -- local, C -- connected, S -- static, R -- RIP, M -- mobile, B -- BGP
D -- EIGRP, EX -- EIGRP external, O -- OSPF, IA -- OSPF inter area
N1 -- OSPF NSSA external type 1, N2 -- OSPF NSSA external type 2
E1 -- OSPF external type 1, E2 -- OSPF external type 2
i -- IS-IS, su -- IS-IS summary, L1 -- IS-IS level-1, L2 -- IS-IS level-2
ia -- IS-IS inter area, * -- candidate default, U -- per-user static route
o -- ODR, P -- periodic downloaded static route, + -- replicated route
Gateway of last resort is 101.1.1.2 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 101.1.1.2, outside
S 192.168.1.0 255.255.255.0 [1/0] via 192.168.90.2, inside
S 192.168.2.0 255.255.255.0 [1/0] via 192.168.90.2, inside

All the highlighted entries with red color is the static routes we have configured on Cicso ASA Firewall.

Configure Static Routes on Cisco ASA Firewall using ASDM

In this session, we will configure the static routes using Cisco ASDM. Before starting, make sure that you have access to Cisco ASA Firewall using ASDM.

Well, now let’s access the Cisco ASA using the ASDM application and navigate to Configuration > Device Setup > Routing > Static Routes and click on Add.

cisco-asa-static-routes-configuration

Once you click on Add button, a popup window will appear. In this window, first, you need to select the interface, then you need to define the destination address with netmask and gateway. You can refer to the below image.

static-route-on-cisco-asa

By default, the matric is 1 for static routes. However, you can change the matrix as per your requirement. I’ve configured the destination address without any address object. It will be a great idea to have address objects configured on ASA Firewall.

Similarly, you can configure different static routes pointing to the Internal Core. Once, you finish the configuration, you must need to apply the changes so that the changes are effective on the Cisco ASA appliance.

Related Articles

Reference

Summary

Routing is essentials for all firewalls in routing mode. Cisco ASA supports both static and dynamic routing. In this article, we have configured static routes using CLI and ASDM. Both ways are very easy and helpful to configure static routes. Finally, we have checked static routes on Cisco Firewall using CLI.

Hope you like this article. If you like this article, just share it on social media platforms. Also, in case if you have some issues during the configuration, don’t hesitate to comment in the comment box!

Leave a Reply

Your email address will not be published.