However, there are situations where dynamic routing configuration is necessary. Such a case would be a large network in which the ASA firewall is located within the internal network campus or data center. In such a case, you will benefit from using a dynamic routing protocol on the ASA since you will not have to configure tons of static routes, and also you will not run into the risk of revealing any hidden subnets to untrusted networks (since the ASA is located deep inside the campus network).

The following are some routing protocol best practices for the ASA:

  • For small networks, use only static routes. Use a default static route pointing to the gateway connected to the outside interface (usually the Internet), and also use static routes for internal networks which are more than one hop away (i.e. not directly connected).
  • Any network that is directly connected on an ASA interface DOES NOT need any static route configuration since the ASA firewall already knows how to reach this network.
  • If the ASA is connected on the perimeter of the network (i.e. the border between trusted and untrusted networks), then configure a default route towards the outside untrusted zone, and then configure specific static routes towards the internal networks.
  • If the ASA is located deep inside a large network campus with many internal network routes, then configure a dynamic routing protocol.

STATIC ROUTING

There are three types of static routes:

  • Directly Connected Route
  • Normal Static Route
  • Default Route

Directly Connected Route

The Directly Connected Route is automatically created in the ASA routing table when you configure an IP address on an appliance interface. For example, if you configure the IP address 192.168.1.10/24 on the inside interface of the ASA, then a Directly Connected Route of 192.168.1.0 255.255.255.0 will be automatically created.

Normal Static Route and Default Route

For configuring a Normal Static Route and a Default Static Route, refer to the diagram below.

A static route configuration on the ASA is like telling the appliance the following: "To send a packet to the specified network, give it to this router gateway."

Use the route command to enter either a static or default route. The command format is:

    ASA(config)# route [interface-name] [destination-network] [netmask] [gateway]

  [interface-name]: This is the ASA interface from which the packet will exit.
  [destination-network] [netmask]: This is the destination network/mask we want to reach.
  [gateway]: The next hop device that the ASA will send the packet to.

Let's see an example configuration below (refer to the diagram above):

    ASA(config)# route outside 0.0 0.0 100.1.1.1                      ← Default Route
    ASA(config)# route inside 192.168.2.0 255.255.255.0 192.168.1.1   ← Static Route. To reach network 192.168.2.0 send the packets to 192.168.1.1

For the default route (usually towards the Internet), you set both the destination-network and netmask to 0. All traffic for which the ASA has no route in its routing table will be sent to 100.1.1.1 (the gateway in the default route).

To see what is included in the appliance's routing table, use the "show route" command:

    ASA# show route
    S 0.0 0.0 [1/0] via 100.1.1.1, outside                         ← Default Static Route
    C 192.168.1.0 255.255.255.0 is directly connected, inside      ← Connected Route
    C 100.1.1.0 255.255.255.0 is directly connected, outside       ← Connected Route
    S 192.168.2.0 255.255.255.0 [1/0] via 192.168.1.1, inside      ← Static Route

Static Route Tracking

When you configure a static route on the security appliance, the route remains permanently in the routing table. The only way for the static route to get removed from the routing table is when the associated ASA interface goes physically down. In all other cases, such as when the remote default gateway goes down, the ASA will keep sending packets to its gateway router without knowing that it is actually down.

From ASA version 7.2 and upwards, the Static Route Tracking feature was introduced. The ASA tracks the availability of static routes by sending ICMP echo request packets through the primary static route path and waiting for replies. If the primary path is down, a secondary path is used. This feature is useful when you want to implement Dual-ISP redundancy, as we will see in the scenario below.

In the network scenario above, interface Eth0/0 (outside) is connected to the Primary ISP and interface Eth0/1 (backup) is connected to the Secondary ISP. Two default static routes will be configured (one for each ISP) which will use the "track" feature. The primary ISP path will be tracked using ICMP echo requests. If an echo reply is not received within a predefined period, the secondary static route will be used. Note however that the scenario above is suitable only for outbound communication (that is, from the inside network towards the Internet).

Configuring Static Route Tracking

1. Use the "sla monitor" command to specify the monitoring protocol (e.g. ICMP), the target address to track (e.g. the ISP gateway router) and the tracking timers.
2. Use the "sla monitor schedule" command to schedule the monitoring process (usually the monitoring process is configured to run "forever", but duration and start times are configurable).
3. Define the primary static route to be tracked using the "route" command with the "track" option.
4. Define the backup static route and set its metric higher than the primary static route.

Let's see an example configuration below (related to the diagram shown above):

    ASA(config)# global (outside) 1 interface
    ASA(config)# global (backup) 1 interface
    ASA(config)# nat (inside) 1 0.0 0.0
    ASA(config)# sla monitor 100                                      ← Define SLA_ID 100
    ASA(config-sla-monitor)# type echo protocol ipIcmpEcho 100.1.1
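As an added illustration (not code from the book), the following Python script parses constructed "show route" output in the format shown above, applies the longest-prefix-then-lowest-distance selection the ASA uses, and shows the dual-ISP behaviour: once the tracked primary default route is withdrawn from the table, traffic to the Internet falls over to the backup default route with the higher metric. The 200.1.1.1 backup gateway is an assumed value, not from the page.

```python
import ipaddress
import re

# Constructed "show route" output modelled on the book's example, plus a backup
# default route with a higher metric (dual-ISP scenario). Not from a real ASA.
SHOW_ROUTE = """\
S    0.0.0.0 0.0.0.0 [1/0] via 100.1.1.1, outside
S    0.0.0.0 0.0.0.0 [254/0] via 200.1.1.1, backup
C    192.168.1.0 255.255.255.0 is directly connected, inside
C    100.1.1.0 255.255.255.0 is directly connected, outside
S    192.168.2.0 255.255.255.0 [1/0] via 192.168.1.1, inside
"""

STATIC_RE = re.compile(r"^\S+\s+(\S+) (\S+) \[(\d+)/\d+\] via (\S+), (\S+)$")
CONNECTED_RE = re.compile(r"^\S+\s+(\S+) (\S+) is directly connected, (\S+)$")


def parse_show_route(text):
    """Return (network, admin_distance, next_hop, interface) tuples; next_hop is
    None for connected routes (packets go straight out of the interface)."""
    routes = []
    for line in text.splitlines():
        m = STATIC_RE.match(line)
        if m:
            net, mask, dist, nh, ifc = m.groups()
            routes.append((ipaddress.ip_network(f"{net}/{mask}"), int(dist), nh, ifc))
        elif (m := CONNECTED_RE.match(line)):
            net, mask, ifc = m.groups()
            routes.append((ipaddress.ip_network(f"{net}/{mask}"), 0, None, ifc))
    return routes


def lookup(routes, dst):
    """Pick the route the ASA would use: longest prefix first, then lowest
    administrative distance. Returns (next_hop, interface) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, dist, nh, ifc in routes:
        if ip in net and (best is None or (net.prefixlen, -dist) > best[0]):
            best = ((net.prefixlen, -dist), nh or dst, ifc)
    return None if best is None else (best[1], best[2])


def withdraw(routes, next_hop):
    """Model a failed SLA track: the ASA removes the tracked route from the table."""
    return [r for r in routes if r[2] != next_hop]


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE)
    for dst in ("192.168.2.5", "192.168.1.5", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
    print("primary down:", lookup(withdraw(table, "100.1.1.1"), "8.8.8.8"))
```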