Cisco ASA Redistribution example

Prerequisite – Adaptive security appliance (ASA)
In real networks, an organization may run more than one routing protocol (EIGRP, OSPF or RIP) while also using static or default routes. Routes learned by one means (a dynamic routing protocol or static routing) then have to be advertised into the other dynamic routing protocols. This process is called redistribution.

For example, if a router runs EIGRP on one interface and RIP on another, the routes learned through EIGRP should be redistributed into RIP and vice versa.

Redistribution –
It is the process of advertising a route learned through static routing, a directly connected network, or one dynamic routing protocol into another routing protocol.

For example, if router2 runs EIGRP on one interface (fa0/0) and OSPF on the other (fa0/1), the routes learned by OSPF have to be advertised into EIGRP and vice versa, so that each protocol's routes reach the other side. This process is called redistribution.
Otherwise, router1 will not learn router3's routes and router3 will not learn router1's, so the two will not be reachable from each other.

Redistribution (in ASA) –
We know that the Cisco ASA can operate in two modes: routed mode and transparent mode.

  1. Routed firewall mode –
    By default, the ASA is in routed firewall mode. In this mode, the ASA acts as a router hop, so routing can be performed on it.

  2. Transparent firewall mode –
    In this mode, the firewall behaves as a layer 2 device and is not a router hop between its interfaces.

Routing and redistribution on the ASA in routed firewall mode are performed in the same way as on a Cisco IOS router.

Configuration example –
Before getting into the configuration, remember these things:

  1. By default, traffic is allowed from a higher security level interface to a lower one, but it is denied when initiated from a lower security level toward a higher one.
  2. By default, only TCP and UDP connections initiated from the higher security level are tracked statefully, so only their return traffic is allowed back in from the lower security level.

There are 4 routers and one ASA:

  Router1 – 10.1.1.1/24
  Router2 – 10.1.2.1/24
  Router3 – 10.1.3.1/24
  Router4 – 10.1.4.1/24
  ASA – e0: 10.1.1.2/24, name INSIDE
        e1: 10.1.2.2/24, name OUTSIDE
        e2: 10.1.3.2/24, name DMZ2
        e3: 10.1.4.2/24, name DMZ1

In this task, we will inspect ICMP from INSIDE to OUTSIDE.

Note that traffic can be allowed from a lower to a higher security level either by inspection (return traffic of a connection initiated from the higher side) or by using an access-list.

Configuring IP address on Router1:

Router1(config)#int fa0/0
Router1(config-if)#ip address 10.1.1.1 255.255.255.0 
Router1(config-if)#no shut 

Configuring IP address on Router2.

Router2(config)#int fa0/0
Router2(config-if)#ip address 10.1.2.1 255.255.255.0 
Router2(config-if)#no shut 

Configuring IP address on Router3.

Router3(config)#int fa0/0
Router3(config-if)#ip address 10.1.3.1 255.255.255.0 
Router3(config-if)#no shut 

Configuring IP address on Router4.

Router4(config)#int fa0/0
Router4(config-if)#ip address 10.1.4.1 255.255.255.0 
Router4(config-if)#no shut 

Now, configuring IP addresses, names and security levels on the interfaces of the ASA (the command is security-level, with a hyphen).

asa(config)#int e0
asa(config-if)#no shut
asa(config-if)#ip address 10.1.1.2 255.255.255.0
asa(config-if)#nameif INSIDE
asa(config-if)#security-level 100
asa(config-if)#exit
asa(config)#int e1
asa(config-if)#no shut
asa(config-if)#ip address 10.1.2.2 255.255.255.0
asa(config-if)#nameif OUTSIDE
asa(config-if)#security-level 0
asa(config-if)#exit
asa(config)#int e2
asa(config-if)#no shut
asa(config-if)#ip address 10.1.3.2 255.255.255.0
asa(config-if)#nameif DMZ2
asa(config-if)#security-level 60
asa(config-if)#exit
asa(config)#int e3
asa(config-if)#no shut
asa(config-if)#ip address 10.1.4.2 255.255.255.0
asa(config-if)#nameif DMZ1
asa(config-if)#security-level 50
asa(config-if)#exit

Now, configuring EIGRP on Router1

Router1(config)#router eigrp 100
Router1(config-router)#network 10.1.1.0
Router1(config-router)#no auto-summary

Now, configuring default route on Router2.

Router2(config)#ip route 0.0.0.0 0.0.0.0 10.1.2.2

Configuring RIP on Router3.

Router3(config)#router rip
Router3(config-router)#network 10.1.3.0
Router3(config-router)#no auto-summary

Configuring OSPF on Router4.

Router4(config)#router ospf 1
Router4(config-router)#network 10.1.4.0 0.0.0.255 area 0

Now, enable the three routing protocols on the ASA.

asa(config)#router rip
asa(config-router)#network 10.1.3.0
asa(config-router)#no auto-summary
asa(config-router)#exit
asa(config)#router ospf 1
asa(config-router)#network 10.1.4.0 0.0.0.255 area 0
asa(config-router)#exit
asa(config)#router eigrp 100
asa(config-router)#network 10.1.1.0
asa(config-router)#exit

Configuring a default route on the ASA:

asa(config)#route OUTSIDE 0 0 10.1.2.1

Here, OUTSIDE is the interface name (the nameif), 0 0 is shorthand for 0.0.0.0 0.0.0.0 (any network, any mask), and 10.1.2.1 is the next-hop IP address.
Now, redistribute routes into EIGRP on the ASA. EIGRP needs a seed metric (bandwidth, delay, reliability, load, MTU) for routes coming from another source:

asa(config)#router eigrp 100
asa(config-router)#redistribute ospf 1 metric 1 1 1 1 1
asa(config-router)#redistribute rip metric 1 1 1 1 1 
asa(config-router)#redistribute static metric 1 1 1 1 1

Now, redistribute routes into OSPF. The subnets keyword is needed so that the /24 subnets (not just classful networks) are redistributed, and default-information originate advertises the ASA's default route into OSPF:

asa(config)#router ospf 1
asa(config-router)#redistribute rip subnets
asa(config-router)#redistribute eigrp 100 subnets
asa(config-router)#default-information originate 

Redistribute routes into RIP, with a hop-count metric of 1:

asa(config)#router rip
asa(config-router)#redistribute eigrp 100 metric 1
asa(config-router)#redistribute ospf 1 metric 1
asa(config-router)#default-information originate 
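Redistribution is easy to get one-sided or metric-less, and the result is silent: routes simply never show up on the far side. The following is an added example, not code from the article, that audits a running-config style copy of the ASA routing configuration above (constructed here; the running-config form of the network statements is assumed) for the three things this section relies on: mutual redistribution between every pair of processes, a seed metric on every non-static redistribute into EIGRP, and the subnets keyword on redistributes into OSPF, plus a sanity check that default-information originate is backed by an actual default route. A deliberately broken variant shows what the findings look like.

```python
import re

# Constructed sample (not the article's CLI session): the ASA routing and
# redistribution configuration above, in running-config form.
ASA_ROUTING = """\
router eigrp 100
 network 10.1.1.0 255.255.255.0
 redistribute ospf 1 metric 1 1 1 1 1
 redistribute rip metric 1 1 1 1 1
 redistribute static metric 1 1 1 1 1
router ospf 1
 network 10.1.4.0 255.255.255.0 area 0
 redistribute rip subnets
 redistribute eigrp 100 subnets
 default-information originate
router rip
 network 10.1.3.0
 redistribute eigrp 100 metric 1
 redistribute ospf 1 metric 1
 default-information originate
route OUTSIDE 0.0.0.0 0.0.0.0 10.1.2.1 1
"""

# Constructed broken variant: EIGRP receives OSPF routes without a metric and
# OSPF no longer receives RIP routes at all.
ASA_ROUTING_BROKEN = (ASA_ROUTING
                      .replace("redistribute ospf 1 metric 1 1 1 1 1", "redistribute ospf 1")
                      .replace(" redistribute rip subnets\n", ""))


def parse_routing(config):
    """Split the fragment into {'eigrp 100': [...], 'ospf 1': [...], 'rip': [...]}
    plus the list of static 'route' lines found outside the router blocks."""
    processes, statics, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("router "):
            current = line[len("router "):]
            processes[current] = []
        elif raw.startswith(" ") and current is not None:
            processes[current].append(line)
        else:
            current = None
            if line.startswith("route "):
                statics.append(line)
    return processes, statics


def redistribution_source(line):
    """'redistribute ospf 1 metric ...' -> 'ospf 1'; 'redistribute rip metric 1' -> 'rip'."""
    tokens = line.split()
    if tokens[1] in ("ospf", "eigrp"):
        return f"{tokens[1]} {tokens[2]}"
    return tokens[1]


def audit_redistribution(config):
    """Return a list of findings; an empty list means every check passed."""
    processes, statics = parse_routing(config)
    findings = []
    has_default = any(re.match(r"route\s+\S+\s+(0\.0\.0\.0|0)\s+(0\.0\.0\.0|0)\s", s)
                      for s in statics)
    for proc, lines in processes.items():
        protocol = proc.split()[0]
        redist = [l for l in lines if l.startswith("redistribute ")]
        sources = {redistribution_source(l) for l in redist}
        # Every other process on the box should be redistributed into this one.
        for other in processes:
            if other != proc and other not in sources:
                findings.append(f"{proc}: routes from '{other}' are never redistributed in")
        # EIGRP cannot compute a metric for routes from another protocol by itself.
        if protocol == "eigrp" and not any(l.startswith("default-metric") for l in lines):
            for l in redist:
                if "metric" not in l.split() and redistribution_source(l) not in ("static", "connected"):
                    findings.append(f"{proc}: '{l}' has no metric and no default-metric is set")
        # Without 'subnets', only classful networks are redistributed into OSPF.
        if protocol == "ospf":
            for l in redist:
                if "subnets" not in l.split():
                    findings.append(f"{proc}: '{l}' lacks 'subnets'; the 10.1.x.0/24 routes would be skipped")
        # Originating a default only makes sense if the ASA actually has one.
        if protocol in ("ospf", "rip") and "default-information originate" in lines and not has_default:
            findings.append(f"{proc}: default-information originate without a default route")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as configured", ASA_ROUTING), ("broken variant", ASA_ROUTING_BROKEN)):
        print(f"{name}: {audit_redistribution(cfg) or ['no findings']}")
```

The audit is intentionally strict about mutual coverage: on this topology every process must learn every other process's routes, so a missing redistribute line is a reachability bug, not a style issue.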

With routing in place, we now enable ICMP inspection (fixup protocol is the legacy form of the command; on current ASA software it is stored as inspect icmp in the global policy):

asa(config)#fixup protocol icmp

Now the firewall will allow the ICMP echo replies coming from the lower security level back to the higher security level, because the echo request is tracked as a connection.

Router1#ping 10.1.2.1

Not only from OUTSIDE: replies from DMZ1 and DMZ2 are also allowed back to INSIDE as long as the traffic was initiated from INSIDE.
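The two rules at the top of this configuration (higher to lower allowed, lower to higher denied, and TCP/UDP tracked but ICMP not) decide whether the ping at the end succeeds. As an added example that is not part of the article, the script below parses a running-config style copy of the ASA interface configuration (constructed here) into a nameif-to-security-level map, produces the default verdict for every ordered pair of interfaces, and models whether a ping's echo reply makes it back with and without ICMP inspection. The same-security-traffic handling goes beyond the article's configuration and is included for completeness.

```python
import re

# Constructed sample (not from the article's CLI session): running-config form of
# the interface configuration above, as the ASA stores it.
ASA_INTERFACES = """\
interface Ethernet0
 nameif INSIDE
 security-level 100
 ip address 10.1.1.2 255.255.255.0
interface Ethernet1
 nameif OUTSIDE
 security-level 0
 ip address 10.1.2.2 255.255.255.0
interface Ethernet2
 nameif DMZ2
 security-level 60
 ip address 10.1.3.2 255.255.255.0
interface Ethernet3
 nameif DMZ1
 security-level 50
 ip address 10.1.4.2 255.255.255.0
"""


def parse_security_levels(config):
    """Map each nameif to its security-level, taken from the interface blocks."""
    levels = {}
    name = None
    for line in config.splitlines():
        m = re.match(r"\s*nameif\s+(\S+)\s*$", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*security-level\s+(\d+)\s*$", line)
        if m and name is not None:
            levels[name] = int(m.group(1))
            name = None
    return levels


def default_policy(levels, src, dst, same_security_permit=False):
    """ASA default for a connection *initiated* on interface src toward dst.

    With no access-list applied:
      higher -> lower : allowed (return traffic is matched by the connection table)
      lower  -> higher: denied
      equal           : denied unless 'same-security-traffic permit inter-interface'
    """
    s, d = levels[src], levels[dst]
    if s > d:
        return "allow"
    if s == d and same_security_permit:
        return "allow"
    return "deny"


def policy_matrix(levels):
    """Default verdict for every ordered pair of distinct interfaces."""
    return {(a, b): default_policy(levels, a, b)
            for a in levels for b in levels if a != b}


def ping_reply_allowed(levels, src, dst, icmp_inspected):
    """Does the echo reply to a ping from src toward dst get back through the ASA?

    TCP and UDP are tracked statefully by default, ICMP is not: without
    'fixup protocol icmp' / 'inspect icmp' the reply arriving on dst is treated as a
    new lower-to-higher flow and dropped unless an access-list permits it.
    """
    if default_policy(levels, src, dst) != "allow":
        return False          # the echo request itself is not allowed out
    return icmp_inspected     # the reply needs the request to be tracked


if __name__ == "__main__":
    lv = parse_security_levels(ASA_INTERFACES)
    for (a, b), verdict in sorted(policy_matrix(lv).items()):
        print(f"{a:>7} -> {b:<7}: {verdict}")
    print("INSIDE ping OUTSIDE, ICMP inspected :", ping_reply_allowed(lv, "INSIDE", "OUTSIDE", True))
    print("INSIDE ping OUTSIDE, no inspection  :", ping_reply_allowed(lv, "INSIDE", "OUTSIDE", False))
```

Running it against the constructed interface configuration shows why the article turns on ICMP inspection rather than adding an access-list on OUTSIDE: the request from INSIDE is already allowed, only the reply is missing a connection entry to match.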
