Cisco ASA – routing sample

In this post, I will show you how to set up a Cisco ASA firewall so that it serves as a layer 3 packet-forwarding device. The example will be demonstrated with one machine accessing another via iperf. There is only simple routing; no NAT is involved.

In this setup, the ASA acts as the gateway between the office network and the internet. The is the internal subnet and is the internet. There are a couple of areas we have to handle: routing and policy. Since the ASA is a stateful firewall, we have to apply a policy that lets the internal network initiate connections to the external network, but not vice versa; return traffic for established connections is permitted by the connection table, while new connections initiated from the outside are dropped.

First, we have to associate each interface with a “zone” by giving it a name and a security level. In this case, the internal network will be called “inside” and the external one “untrust”. By default the ASA denies traffic flowing from a lower security-level interface to a higher one and permits it in the opposite direction. Therefore, with inside at level 100 and untrust at level 0, traffic from inside to untrust is allowed without an additional policy, while traffic initiated from untrust towards inside is denied.

interface GigabitEthernet0/2
nameif inside
security-level 100
ip address

interface GigabitEthernet0/0
nameif untrust
security-level 0
ip address

After configuring the interfaces and pinging the peers, the ARP records are listed below.

LAB-ASA-03# sho arp
untrust 000c.29ab.c69d 584
inside 000c.2953.a096 943

But at this moment the still cannot access the , because no route has been applied in the ASA yet. So we set up a default route on the ASA to forward traffic from the internal network to the external one. The command below sets the default route with a next hop of
LAB-ASA-03# sho run route
route untrust

Once we have applied the default route, the can run iperf against . As listed in the “show conn” output, we can confirm there is a TCP connection initiated from to on destination port 5001.
Final result:
LAB-ASA-03# sho conn
2 in use, 10 most used

TCP untrust inside, idle 0:00:00, bytes 179232, flags UO

LAB-ASA-03# sho xlate
0 in use, 4 most used

The xlate table is empty, which confirms that no NAT translation is applied to this traffic: the connection is routed with its original source and destination addresses.
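The "show conn" output is the place to verify that the security-level policy is actually doing what the post describes: connections should be opened from inside towards untrust, never the other way round. The script below is an added example and not part of the original post or of any Cisco tooling. It parses "show conn" lines and audits them against the interface security levels configured above (inside 100, untrust 0). The sample output and its addresses (203.0.113.x, 192.168.1.x) are constructed for the example, since the original output had them stripped; the function names are mine. The direction check relies on the ASA connection flag legend, where "B" marks a connection whose initial SYN came from the outside, because the order in which the two endpoints are printed does not indicate who opened the connection.

```python
import re
from dataclasses import dataclass

# Security levels taken from the interface configuration in the post.
SECURITY_LEVELS = {"inside": 100, "untrust": 0}

# Constructed "show conn" output for this example (addresses are not from the post).
# The first line mirrors the post's iperf connection; the second is an SSH session
# opened from the untrust side, which the intended policy should never allow.
SAMPLE_SHOW_CONN = """\
2 in use, 10 most used

TCP untrust 203.0.113.20:5001 inside 192.168.1.10:49152, idle 0:00:00, bytes 179232, flags UO
TCP untrust 203.0.113.99:51522 inside 192.168.1.10:22, idle 0:00:12, bytes 1422, flags UIOB
"""

# One connection line: proto, then two "<interface> <ip>:<port>" pairs, then idle/bytes/flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<ifc1>\S+)\s+(?P<ip1>[\d.]+):(?P<port1>\d+)\s+"
    r"(?P<ifc2>\S+)\s+(?P<ip2>[\d.]+):(?P<port2>\d+),"
    r"\s+idle\s+(?P<idle>[\d:]+),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)$"
)


@dataclass
class Conn:
    proto: str
    ifc1: str
    ip1: str
    port1: int
    ifc2: str
    ip2: str
    port2: int
    idle: str
    nbytes: int
    flags: str

    def initiated_from_outside(self) -> bool:
        # ASA flag legend: "B" = initial SYN from outside (the lower-security side).
        return "B" in self.flags


def parse_show_conn(text: str) -> list:
    """Parse the connection lines of a 'show conn' dump, skipping headers."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # e.g. "2 in use, 10 most used" or blank lines
        g = m.groupdict()
        conns.append(Conn(
            proto=g["proto"],
            ifc1=g["ifc1"], ip1=g["ip1"], port1=int(g["port1"]),
            ifc2=g["ifc2"], ip2=g["ip2"], port2=int(g["port2"]),
            idle=g["idle"], nbytes=int(g["bytes"]), flags=g["flags"],
        ))
    return conns


def describe(conn: Conn, levels: dict) -> tuple:
    """Return (client_ifc, server_ifc, server_port) for one connection.

    The higher-security side is the client unless the B flag says the SYN
    came from the lower-security side; endpoint print order is not used.
    """
    sides = [(conn.ifc1, conn.port1), (conn.ifc2, conn.port2)]
    low = min(sides, key=lambda s: levels[s[0]])
    high = max(sides, key=lambda s: levels[s[0]])
    client, server = (low, high) if conn.initiated_from_outside() else (high, low)
    return client[0], server[0], server[1]


def audit(conns: list, levels: dict) -> list:
    """Return connections that a lower-security interface opened towards a higher one."""
    violations = []
    for c in conns:
        client, server, _ = describe(c, levels)
        if levels[client] < levels[server]:
            violations.append(c)
    return violations


if __name__ == "__main__":
    conns = parse_show_conn(SAMPLE_SHOW_CONN)
    for c in conns:
        client, server, port = describe(c, SECURITY_LEVELS)
        print(f"{c.proto} {client} -> {server}:{port} flags={c.flags}")
    bad = audit(conns, SECURITY_LEVELS)
    print(f"{len(bad)} connection(s) initiated from the lower-security side")
```

Run against the real "show conn" output by pasting it in place of the constructed sample; the iperf session from the post parses as inside -> untrust:5001 with no violation, and any line carrying the B flag is reported as a connection the policy should not have admitted.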



