Cisco ASA Redistribution example

Prerequisite – Adaptive Security Appliance (ASA) 
In real deployments, an organization may run more than one routing protocol (EIGRP, OSPF, or RIP) and use static or default routing as well. Routes learned by one means (a dynamic routing protocol or static routing) then have to be advertised into the other dynamic routing protocols. This process is called redistribution. 

For example, if a router runs EIGRP on one interface and RIP on another, the routes learned by EIGRP should be redistributed into RIP and vice versa. 

Redistribution – 
Redistribution is the process of advertising a route learned through static routing, a directly connected network, or one dynamic routing protocol into another routing protocol. 

For example, if router2 runs EIGRP on one interface (fa0/0) and OSPF on another (fa0/1), the routes learned by OSPF have to be advertised into EIGRP and vice versa, so that the routes learned by each protocol are known to the other. This process is called redistribution. 
Otherwise, router1 cannot learn the routes of router3 and router3 cannot learn the routes of router1, so the two are not reachable from each other. 

Redistribution (in ASA) – 
Cisco ASA can operate in two modes: routed firewall mode and transparent firewall mode. 

  1. Routed firewall mode – 
    By default, the ASA is in routed firewall mode. In this mode, the ASA acts as a router hop, so routing can be performed on it. 
     
  2. Transparent firewall mode – 
    In this mode, the firewall behaves as a layer 2 device and does not participate in routing. 

Routing and redistribution on the ASA in routed firewall mode are performed in the same way as on a Cisco router. 

Configuration example – 
Before getting into the configuration, remember these things:  

  1. By default, traffic is allowed from a higher security level to a lower security level, but it is denied when initiated from a lower security level towards a higher security level. 
     
  2. By default, the traffic allowed from higher to lower security levels is TCP and UDP; their return traffic is permitted because the ASA tracks those sessions statefully. ICMP return traffic is not permitted unless ICMP inspection is enabled. 

There are four routers and one ASA in this topology: 

  1. Router1 – IP address 10.1.1.1/24 
  2. Router2 – IP address 10.1.2.1/24 
  3. Router3 – IP address 10.1.3.1/24 
  4. Router4 – IP address 10.1.4.1/24 
  5. ASA – 10.1.1.2/24, named INSIDE, on e0; 10.1.2.2/24, named OUTSIDE, on e1; 10.1.3.2/24, named DMZ2, on e2; 10.1.4.2/24, named DMZ1, on e3 

In this task, we will inspect ICMP from INSIDE to OUTSIDE. 

Note that traffic can be allowed from lower to higher security levels either by inspection (for return traffic of sessions initiated from the higher level) or by using an access list. 
Configuring IP address on Router1: 

Router1(config)#int fa0/0
Router1(config-if)#ip address 10.1.1.1 255.255.255.0 
Router1(config-if)#no shut 

Configuring IP address on Router2. 

Router2(config)#int fa0/0
Router2(config-if)#ip address 10.1.2.1 255.255.255.0 
Router2(config-if)#no shut 

Configuring IP address on Router3.  

Router3(config)#int fa0/0
Router3(config-if)#ip address 10.1.3.1 255.255.255.0 
Router3(config-if)#no shut 

Configuring IP address on Router4.  

Router4(config)#int fa0/0
Router4(config-if)#ip address 10.1.4.1 255.255.255.0 
Router4(config-if)#no shut 

Now, configuring IP addresses, names, and security levels on the interfaces of the ASA (the ASA command is security-level; INSIDE gets the highest level, OUTSIDE the lowest).  

asa(config)#int e0
asa(config-if)#no shut
asa(config-if)#ip address 10.1.1.2 255.255.255.0
asa(config-if)#nameif INSIDE
asa(config-if)#security-level 100
asa(config-if)#exit
asa(config)#int e1
asa(config-if)#no shut
asa(config-if)#ip address 10.1.2.2 255.255.255.0
asa(config-if)#nameif OUTSIDE
asa(config-if)#security-level 0
asa(config-if)#exit
asa(config)#int e2
asa(config-if)#no shut
asa(config-if)#ip address 10.1.3.2 255.255.255.0
asa(config-if)#nameif DMZ2
asa(config-if)#security-level 60
asa(config-if)#exit
asa(config)#int e3
asa(config-if)#no shut
asa(config-if)#ip address 10.1.4.2 255.255.255.0
asa(config-if)#nameif DMZ1
asa(config-if)#security-level 50
asa(config-if)#exit

Now, configuring EIGRP (autonomous system 100) on Router1.  

Router1(config)#router eigrp 100
Router1(config-router)#network 10.1.1.0
Router1(config-router)#no auto-summary

Now, configuring a default route on Router2 pointing at the ASA's OUTSIDE interface.  

Router2(config)#ip route 0.0.0.0 0.0.0.0 10.1.2.2

Configuring RIP on Router3.  

Router3(config)#router rip
Router3(config-router)#network 10.1.3.0
Router3(config-router)#no auto-summary

Configuring OSPF on Router4.  

Router4(config)#router ospf 1
Router4(config-router)#network 10.1.4.0 0.0.0.255 area 0

Now, we have to enable the same three routing protocols on the ASA, each on the network of the interface that faces the corresponding router.  

asa(config)#router rip
asa(config-router)#network 10.1.3.0
asa(config-router)#no auto-summary
asa(config-router)#exit
asa(config)#router ospf 1
asa(config-router)#network 10.1.4.0 0.0.0.255 area 0
asa(config-router)#exit
asa(config)#router eigrp 100
asa(config-router)#network 10.1.1.0
asa(config-router)#exit

Configuring a default route on the ASA towards Router2.  

asa(config)#route OUTSIDE 0 0 10.1.2.1

Here, OUTSIDE is the interface name, 0 0 is shorthand for any network with any mask (0.0.0.0 0.0.0.0), and 10.1.2.1 is the next-hop IP address. 
Now, redistributing the OSPF, RIP, and static routes into EIGRP on the ASA. EIGRP requires a seed metric; the five values are bandwidth, delay, reliability, load, and MTU.  

asa(config)#router eigrp 100
asa(config-router)#redistribute ospf 1 metric 1 1 1 1 1
asa(config-router)#redistribute rip metric 1 1 1 1 1
asa(config-router)#redistribute static metric 1 1 1 1 1

Now, redistributing routes into OSPF. The subnets keyword is needed so that non-classful routes are redistributed, and default-information originate advertises the ASA's default route.  

asa(config)#router ospf 1
asa(config-router)#redistribute rip subnets
asa(config-router)#redistribute eigrp 100 subnets
asa(config-router)#default-information originate

Redistributing routes into RIP, with a seed metric (hop count) of 1.  

asa(config)#router rip
asa(config-router)#redistribute eigrp 100 metric 1
asa(config-router)#redistribute ospf 1 metric 1
asa(config-router)#default-information originate

With routing in place, we now enable ICMP inspection so that echo replies to pings initiated from INSIDE are allowed back in.  

asa(config)#fixup protocol icmp

Now the firewall will allow the ICMP echo reply that comes from a lower security level back to the higher security level, because the inspection tracks the outgoing echo request as a session. For example, from Router1:  

Router1#ping 10.1.2.1

Not only from OUTSIDE: replies from DMZ1 and DMZ2 towards INSIDE are also allowed, as long as the traffic is initiated from INSIDE. Pings initiated from OUTSIDE, DMZ1, or DMZ2 towards INSIDE are still dropped, since the echo request itself travels from a lower to a higher security level. 
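The following is an added example, not part of the original article, that models the two default rules stated above (higher-to-lower allowed, lower-to-higher denied) together with the effect of ICMP inspection on echo replies, using the four interface names and security levels configured on the ASA in this article. The Flow class and the function names are this example's own.

```python
from dataclasses import dataclass

# Interface names and security levels exactly as configured on the ASA above.
SECURITY_LEVELS = {"INSIDE": 100, "OUTSIDE": 0, "DMZ2": 60, "DMZ1": 50}


@dataclass(frozen=True)
class Flow:
    src_if: str   # interface the first packet arrives on
    dst_if: str   # interface the first packet leaves on
    proto: str    # "tcp", "udp" or "icmp"


def initiated_allowed(flow: Flow) -> bool:
    """Default ASA behaviour for a NEW connection with no access list:
    higher security level to lower is permitted; lower to higher is denied;
    equal levels are denied too (same-security-traffic permit is not
    configured in this article)."""
    return SECURITY_LEVELS[flow.src_if] > SECURITY_LEVELS[flow.dst_if]


def reply_allowed(request: Flow, icmp_inspected: bool) -> bool:
    """Whether the reply to `request` is allowed back through the firewall.
    TCP and UDP sessions are tracked statefully by default, so their return
    traffic passes. ICMP echo replies pass only when ICMP inspection
    (fixup protocol icmp) is enabled."""
    if not initiated_allowed(request):
        return False                     # no session state was ever created
    if request.proto in ("tcp", "udp"):
        return True
    return request.proto == "icmp" and icmp_inspected


def ping_result(src_if: str, dst_if: str, icmp_inspected: bool) -> str:
    """Outcome of a ping originated behind src_if towards a host behind dst_if."""
    request = Flow(src_if, dst_if, "icmp")
    if not initiated_allowed(request):
        return "request dropped"
    if not reply_allowed(request, icmp_inspected):
        return "reply dropped"
    return "success"


if __name__ == "__main__":
    # Router1 pinging Router2 before and after enabling ICMP inspection.
    print("INSIDE -> OUTSIDE, no inspect :", ping_result("INSIDE", "OUTSIDE", False))
    print("INSIDE -> OUTSIDE, inspect    :", ping_result("INSIDE", "OUTSIDE", True))
    print("OUTSIDE -> INSIDE, inspect    :", ping_result("OUTSIDE", "INSIDE", True))
```

Running it shows why the article enables inspection last: without it the echo request leaves INSIDE but the reply from OUTSIDE is dropped, and inspection never helps a ping that starts on the lower-security side.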
Last Updated : 22 Nov, 2021