Asa Route Map

Technology: Network Security
Area: Firewalls
Vendor: Cisco
Software: 8.X, 9.X
Platform: Cisco ASA

Sometimes you need to define an interface on the ASA whose IP address is assigned by a DHCP server. But how do you set up routing on the ASA if you don't know the next-hop IP address?

Connecting to a Cisco ASA

This article describes how to connect and configure a single Cisco ASA firewall with firmware version 9.8.1 or later to connect to Pureport via a Route Based BGP VPN. This allows you to grow your network without having to manage Traffic Selectors and Route Tables.


Prerequisites

Before connecting to a Cisco ASA, you must have a Pureport Route-Based BGP VPN Connection using IKEv2. See 'Connecting to a Site VPN - Route-Based with BGP' for details.



You must also gather the following information:

  • The Encryption, Integrity, and DH Group mechanisms from the Pureport Console.
  • Primary Pureport Gateway IP
  • Secondary Pureport Gateway IP
  • Primary Gateway Pre-shared Key
  • Secondary Gateway Pre-shared Key
  • Primary Gateway BGP password
  • Secondary Gateway BGP Password
  • The Primary Gateway Customer VTI IP in CIDR format.
  • The Primary Gateway Pureport VTI IP
  • The Secondary Gateway Customer VTI IP in CIDR format.
  • The Secondary Gateway Pureport VTI IP
  • Pureport ASN
  • Customer ASN


You can find this information in your Site IPSec VPN connections, as shown here:



Example Configuration

This example builds an HA IPSEC VPN between a customer-premises device and the Pureport platform. The configuration consists of two separate tunnels built on a single commercial broadband connection and single peer IP at the location. For information on connecting a second redundant ISP in an active/active scenario, refer to the Cisco support portal.


Note: These examples provide a baseline configuration only. You must adapt these examples to your specific environment.


  1. Create a Pureport compatible IKE Crypto Policy that supports Pureport's crypto set:

    crypto ikev2 enable outside
    group-policy Pureport internal
    group-policy Pureport attributes
    vpn-tunnel-protocol ikev2
    crypto isakmp identity address
    crypto ikev2 policy 200
    group 14
    encryption aes-192 aes-256 aes
    integrity sha256 sha384 sha512
    prf sha384 sha256 sha512
    exit



  2. Create the Primary Tunnel Group and Pre-shared Key:

    tunnel-group <Pureport Primary Gateway IP> type ipsec-l2l
    tunnel-group <Pureport Primary Gateway IP> general-attributes
    default-group-policy Pureport
    tunnel-group <Pureport Primary Gateway IP> ipsec-attributes
    ikev2 local-authentication pre-shared-key <Primary pre-shared key>
    ikev2 remote-authentication pre-shared-key <Primary pre-shared key>
    isakmp keepalive threshold 10 retry 2


  3. Create the IPSec transform set that defines encryption, authentication, and IPSec mode parameters:

    crypto ipsec ikev2 ipsec-proposal Pureport
    protocol esp encryption aes-192 aes aes-256
    protocol esp integrity sha-512 sha-256 sha-384
    crypto ipsec profile PureportProfile
    set ikev2 ipsec-proposal Pureport
    set pfs group14
    exit


  4. Configure the Tunnel #1 interface:

    interface Tunnel1
    nameif Tunnel-int-pureport-0
    ip address 169.254.1.1 255.255.255.252
    tunnel source interface outside
    tunnel destination <Pureport Primary Gateway IP>
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile PureportProfile
    no shutdown
    exit



  5. Create a route-map to be applied to your primary connection:

    route-map PRIMARY permit 10
    set metric 100


  6. Configure BGP on Tunnel #1, applying the route-map created above:

    router bgp <Customer ASN>
    bgp log-neighbor-changes
    bgp bestpath compare-routerid
    bgp graceful-restart
    address-family ipv4 unicast
    neighbor <Primary Pureport VTI IP> remote-as <Pureport ASN>
    neighbor <Primary Pureport VTI IP> timers 10 30 30
    neighbor <Primary Pureport VTI IP> password <BGP Primary password>
    neighbor <Primary Pureport VTI IP> activate
    neighbor <Primary Pureport VTI IP> next-hop-self
    no neighbor <Primary Pureport VTI IP> default-originate
    neighbor <Primary Pureport VTI IP> route-map PRIMARY out
    network <Your local network> mask <Your network subnet mask>
    no auto-summary
    no synchronization
    exit-address-family


  7. Create the Secondary Tunnel Group and Pre-shared Key:

    tunnel-group <Pureport Secondary Gateway IP> type ipsec-l2l
    tunnel-group <Pureport Secondary Gateway IP> general-attributes
    default-group-policy Pureport
    tunnel-group <Pureport Secondary Gateway IP> ipsec-attributes
    ikev2 local-authentication pre-shared-key <Secondary pre-shared key>
    ikev2 remote-authentication pre-shared-key <Secondary pre-shared key>
    isakmp keepalive threshold 10 retry 2


  8. If you did not do this in Step 3, create the IPSec transform set that defines encryption, authentication, and IPSec mode parameters for Tunnel #2:

    crypto ipsec ikev2 ipsec-proposal Pureport
    protocol esp encryption aes-192 aes aes-256
    protocol esp integrity sha-512 sha-256 sha-384
    crypto ipsec profile PureportProfile
    set ikev2 ipsec-proposal Pureport
    set pfs group14
    exit


  9. Configure the Tunnel #2 interface:

    interface Tunnel2
    nameif Tunnel-int-pureport-1
    ip address 169.254.2.1 255.255.255.252
    tunnel source interface outside
    tunnel destination <Pureport Secondary Gateway IP>
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile PureportProfile
    no shutdown
    exit


  10. Because the Cisco ASA cannot automatically fail over VTI tunnels, we use route-map functionality to prefer the Primary VTI. Return traffic is also steered to the Primary VTI by prepending the local Customer ASN to the AS path advertised over the Secondary VTI, creating a longer (less preferred) AS path, and by setting the route metric to a less preferred value. This is done for both inbound and outbound BGP.

    route-map BACKUP permit 10
    set metric 200
    set as-path prepend last-as 1


  11. Configure BGP on Tunnel #2:

    router bgp <Customer ASN>
    bgp log-neighbor-changes
    bgp bestpath compare-routerid
    bgp graceful-restart
    address-family ipv4 unicast
    neighbor <Secondary Pureport VTI IP> remote-as <Pureport ASN>
    neighbor <Secondary Pureport VTI IP> timers 10 30 30
    neighbor <Secondary Pureport VTI IP> password <BGP Secondary password>
    neighbor <Secondary Pureport VTI IP> activate
    neighbor <Secondary Pureport VTI IP> next-hop-self
    no neighbor <Secondary Pureport VTI IP> default-originate
    neighbor <Secondary Pureport VTI IP> route-map BACKUP out
    network <Your local network> mask <Your network subnet mask>
    no auto-summary
    no synchronization
    exit-address-family
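A small configuration audit, added here as an illustration (not Pureport or Cisco code), that checks the two things a reviewer would want to confirm in the configuration above: that the IKEv2 policy contains no weak algorithm keywords and that every BGP neighbor defined with remote-as also carries a password. The sample configuration, the ASNs and the password value are constructed for the example.

```python
import re

# Constructed sample: the IKEv2 policy from Step 1 and the BGP neighbor
# lines from Steps 6 and 11, with placeholders filled in.  65000 / 64512
# are example ASNs and the password is a dummy value; the secondary
# neighbor's password line has deliberately been left out.
ASA_CONFIG = """\
crypto ikev2 policy 200
 group 14
 encryption aes-192 aes-256 aes
 integrity sha256 sha384 sha512
 prf sha384 sha256 sha512
router bgp 65000
 address-family ipv4 unicast
  neighbor 169.254.1.2 remote-as 64512
  neighbor 169.254.1.2 password EXAMPLE-ONLY
  neighbor 169.254.1.2 route-map PRIMARY out
  neighbor 169.254.2.2 remote-as 64512
  neighbor 169.254.2.2 route-map BACKUP out
"""

# ASA keywords that should not appear in an IKEv2 policy for a new tunnel.
WEAK = {
    "encryption": {"des", "3des", "null"},
    "integrity": {"md5", "sha"},          # "sha" is SHA-1 on the ASA
    "prf": {"md5", "sha"},
    "group": {"1", "2", "5"},
}


def audit_ikev2_policies(config):
    """Return findings for weak algorithms inside crypto ikev2 policy blocks."""
    findings, policy = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ikev2 policy (\d+)$", line)
        if m:
            policy = m.group(1)
            continue
        if policy is None or not raw.startswith(" "):
            policy = None                 # left the indented policy block
            continue
        keyword, *values = line.split()
        for bad in WEAK.get(keyword, set()) & set(values):
            findings.append(f"ikev2 policy {policy}: weak {keyword} {bad}")
    return findings


def audit_bgp_neighbors(config):
    """Flag BGP neighbors defined with remote-as but no password line."""
    peers, with_password = set(), set()
    for raw in config.splitlines():
        m = re.match(r"\s*neighbor (\S+) (remote-as|password) ", raw)
        if m and m.group(2) == "remote-as":
            peers.add(m.group(1))
        elif m:
            with_password.add(m.group(1))
    return [f"bgp neighbor {p}: no password configured"
            for p in sorted(peers - with_password)]


def audit(config):
    """Combine both checks into one list of findings (empty means clean)."""
    return audit_ikev2_policies(config) + audit_bgp_neighbors(config)
```

Run against the sample, the IKEv2 policy is clean and the only finding is the missing password on the secondary neighbor.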





Testing IPSEC VPN Tunnel Connectivity

When using BGP, the routing table updates automatically if one of the tunnels disconnects.


  1. To verify that BGP peering is established, check the route table via the CLI with this command:
    show route bgp

    The system displays the current BGP routes in the ASA route table. Note that the Primary VTI is preferred.
  2. To see all BGP routes, use:
    show bgp

  3. To confirm that your tunnels have successfully established a connection to your Pureport Gateways, ping the Primary Pureport VTI IP address from a system in your local network. A successful ping transmits all packets with no loss.
    For example, in the previous sample, the Pureport VTI IPs are:
    • 169.254.1.2
    • 169.254.2.2

    To ping the Primary Gateway Pureport VTI, use:
    ping 169.254.1.2

Route maps are like duct tape for a network: not so much because they can be used to mend something broken, but because they can be applied to numerous situations to overcome many issues. They are not the prettiest solution, but they are very effective. Route maps resemble the 'if ... then' statements of programming languages: 'if' a specific condition is true, 'then' do something. Route maps let you define a routing policy that is considered before the router examines the forwarding table, so that policy takes precedence over the various route processes. Let us look at the concepts of route maps and how powerful they are.


Route maps:

One of the main purposes of a route map on a Cisco router is to customize traffic management beyond the boundaries of the routing table. Route maps are mostly used when redistributing routes into the RIP, EIGRP or OSPF routing process, and when generating a default route into the OSPF routing process. A route map also defines which routes from a given routing protocol are allowed to be redistributed into a target routing process. Route maps share many features with the widely known ACL. The traits common to both are as follows:


They are generic mechanisms. How match criteria are interpreted is dictated by the application; the same route map applied to different tasks may therefore be interpreted differently.


They are ordered sequences of individual statements, each with a permit or deny result. Evaluation of a route map or ACL consists of scanning the list in the predetermined order and evaluating the criteria of each statement for a match. The scan stops at the first matching statement, and the action associated with that statement is performed.


There are a few differences between ACLs and route maps:


Route maps are more flexible than ACLs and can verify routes based on criteria that an ACL cannot check.


The result of evaluating an access list is a yes or no answer: an ACL either permits or denies the input data. When applied to redistribution, an ACL determines whether a specific route can or cannot be redistributed. A typical route map not only permits the redistributed route but also modifies information associated with the route as it is redistributed into the other protocol.


By design convention, every ACL ends with an implicit deny statement; there is no such convention for route maps. If the end of a route map is reached while attempting a match, the result depends on the specific application of the route map. Route maps applied to redistribution behave like ACLs: if a route does not match any clause in the route map, redistribution of that route is denied, as if the route map contained a deny statement at its end.


Route maps frequently use ACLs as their matching criteria.


Given below is the route map logic:


In a nutshell, route maps work in the following manner:


A process, whether redistribution, policy routing, NAT (network address translation) or some other process, calls the route map by its text-based name. The route map in turn has match statements or conditions, which are usually, but not always, an access list or extended access list. BGP may match on an ASN (autonomous system number) or other attributes. During redistribution, the route map functions as follows:


The following demonstrates how a route map is applied during redistribution:


The route map is used to control and tag routes from EIGRP as they are redistributed into OSPF. During OSPF redistribution, a route map named set_tag is called. The route map consists of 3 parts. The 1st part calls ACL (access control list) 10, which permits the 172.16.32.x network, and sets a tag of 10. The 2nd part calls ACL 11, which matches the 172.16.1.x addresses; if a match occurs, the metric is set for the route being redistributed, the route becomes an OSPF type 1 route, and the tag is set to 11. The 3rd and final part of the route map does not call an ACL, so all remaining routes are matched and the set conditions are applied; in this case the router sets the tag to 300. You can set tags to help document the network, or use them to identify routes on which you want to filter or perform some other action.


The route maps have some common characteristics such as;


  • Route maps are executed from the lowest sequence number to the highest. You can edit or modify a map by referring to its sequence numbers.
  • Route maps can permit or deny the information that the match statements evaluate as true.
  • If a match is found in a route map instance, execution of any further route map instances stops.
  • When a route map is applied in a policy routing environment, packets that do not meet the match criteria are forwarded based on the routing table.
  • If multiple match statements are called within a single route map instance, all of them must match for the instance to yield a true result.
  • As with ACLs, an implicit deny is included at the end of a route map policy.
  • If there is no corresponding ACL for the match statement in a route map instance, all routes are matched, and the set statement therefore applies to all routes.
  • If there is no match statement in a route map instance, all packets and routes are matched, and the set statement applies to all of them.
  • You can use route maps to create policies based on packet size, IP address, application, end-system ID and protocol.
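The evaluation rules listed above and the set_tag redistribution example described earlier, modelled in Python as an added illustration (this is not Cisco code): the ACL contents, the sequence numbers 10/20/30 and the metric value 20 are assumptions, since the page gives none of them.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample ACLs: a standard ACL permits the listed prefixes.
# ACL 10 and ACL 11 are the two the set_tag description refers to.
ACLS = {
    10: [ipaddress.ip_network("172.16.32.0/24")],
    11: [ipaddress.ip_network("172.16.1.0/24")],
}


def acl_permits(acl_number, network):
    """True if the route's network lies inside a prefix the ACL permits."""
    return any(network.subnet_of(prefix) for prefix in ACLS[acl_number])


@dataclass
class Clause:
    seq: int
    action: str                                      # "permit" or "deny"
    match_acls: list = field(default_factory=list)   # ALL must match
    sets: dict = field(default_factory=dict)         # applied on a match


def evaluate(route_map, route):
    """Return (permitted, route_after_set) for one route dict.

    Clauses run from lowest to highest sequence; the first clause whose
    match statements are all true decides the result and evaluation stops.
    No match statements means match everything; falling off the end is
    the implicit deny.
    """
    for clause in sorted(route_map, key=lambda c: c.seq):
        if all(acl_permits(acl, route["network"]) for acl in clause.match_acls):
            if clause.action == "deny":
                return False, dict(route)
            return True, {**route, **clause.sets}
    return False, dict(route)


def redistribute(route_map, routes):
    """Use the route map as a redistribution filter: keep permitted routes."""
    kept = []
    for route in routes:
        permitted, modified = evaluate(route_map, route)
        if permitted:
            kept.append(modified)
    return kept


# The set_tag route map as described on this page (sequence numbers and
# the metric value 20 are assumptions).
SET_TAG = [
    Clause(10, "permit", match_acls=[10], sets={"tag": 10}),
    Clause(20, "permit", match_acls=[11],
           sets={"metric": 20, "metric_type": "type-1", "tag": 11}),
    Clause(30, "permit", sets={"tag": 300}),         # no match: catch-all
]

# A one-clause filter map: anything outside ACL 10 hits the implicit deny.
FILTER_ACL10 = [Clause(10, "permit", match_acls=[10])]

# Constructed EIGRP routes offered for redistribution into OSPF.
EIGRP_ROUTES = [{"network": ipaddress.ip_network(n), "tag": None}
                for n in ("172.16.32.0/24", "172.16.1.0/24", "10.0.0.0/8")]
```

Running redistribute(SET_TAG, EIGRP_ROUTES) tags the three routes 10, 11 and 300 respectively, while FILTER_ACL10 lets only 172.16.32.0/24 through.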

Route map configuration:

Route map syntax comprises roughly 3 separate Cisco commands, depending on what the route map accomplishes and the type of process calling it. When configuring a route map, follow the 5-step configuration process. Depending on the application of the route map, additional configuration may also be needed, for example for PBR or BGP communities.


Step 1:

Configure any AS_PATH list, ACL or other match criteria that the route map will use in a match command. Do this first so that you do not call an empty AS_PATH list or ACL.


Step 2:

Configure a route map instance. It is created with the command route-map name permit|deny sequence-number. Be sure to leave room between sequence numbers for future modifications or updates. Route map instances with lower sequence numbers are executed first.


Step 3:

Define the match criteria and configure the match statements used in this single route map instance. In the absence of match commands, all routes or packets are matched.


Step 4:

This step is optional. Define the set criteria and configure the set statements used in this single route map instance, using the set command in route map configuration mode.


Step 5:


Again, this step is optional. Configure any further AS_PATH list, ACL or other match criteria that the route map will use with the match command.


Step 6:

Apply the route map. Depending on its application, a route map may be applied in many ways; the more common applications are route redistribution, BGP and PBR.


In the above configuration process, 3 primary commands are used to configure route maps: the route-map command, match commands and set commands.


Route map commands:

Here the complete route map syntax is:


Here, route_map_name, also called the map tag, is the text-based name of the route map. The name logically groups and uniquely identifies all the policies defined in the route map; it is the name used to call the route map during redistribution or another process. The permit and deny keywords are optional; the default is permit. If the route map is called from a redistribution process, the keyword is permit and the match criteria are met, the route is redistributed; if the keyword is deny under the same criteria, the route is denied. If the route map is called from a policy routing statement, the match criteria are met and the keyword is permit, the packets are policy routed; if the deny keyword is used, the packets are forwarded by the normal routing process.


The sequence number indicates the order in which route map statements are executed. When a route map is called, the statement with the lowest sequence number executes first. If no match occurs in that statement, the statement with the next higher sequence number executes. This repeats until a match is found or no more route map statements exist. When a match is found, execution for that individual route or packet stops, and the next route or packet starts the process again at the statement with the lowest sequence number. The default sequence number is 10.


In short, the calling process refers to the route map by its text-based name.



Match commands:

A route map has match statements or conditions, usually an access list or extended access list. The match command defines the route map criteria. You can use match commands to call an ACL against which routes are compared; a match statement can also match on route type, packet length or route tag. For IP networks, the command matches routes whose network address matches one or more entries in a specified ACL or prefix list; standard, extended or expanded-range ACLs can be used. The next-hop keyword matches routes whose next-hop address matches one or more entries in an ACL; it is used primarily in BGP.


Set commands:

Match statements are followed by set statements. If the match statement yields a true result, the set statements are executed; set commands run only after a successful match in a route map instance. The set command is optional and may be omitted. Set commands are divided into 2 categories, routing-protocol- or redistribution-specific set commands and policy-routing-specific set commands, along with BGP-specific set commands. If route maps are used for redistribution, or simply to filter networks, the set command is not necessary unless you want to tag or otherwise influence the route.


A route map helps define a routing policy that is considered before a router examines the forwarding table. While it is not always the perfect solution to a problem, it offers an effective solution that can be applied to different situations to solve various problems. The configuration of route maps and their 3 key commands have been explained in detail, and the concepts and characteristics give you an idea of what route maps can do.