Basic IP Routing on ASA

DHCP
=====
Relay
-----
ciscoasa(config)# dhcprelay server ip-address interface
The DHCP server is at ip-address and is reached through the ASA interface named interface.
Repeat the command for each additional DHCP server.

Enable the DHCP relay agent on the ASA interface that faces the clients:
ciscoasa(config)# dhcprelay enable interface

Use the dhcprelay setroute command to override the default router address offered by the DHCP server and replace it with the IP address of the ASA interface that faces the clients:
ciscoasa(config)# dhcprelay setroute interface

As an example, a DHCP server is at 192.168.50.11, located on the ASA's dmz interface. The clients are connected to the inside interface of the ASA:
ciscoasa(config)# dhcprelay server 192.168.50.11 dmz
ciscoasa(config)# dhcprelay enable inside
ciscoasa(config)# dhcprelay setroute inside

Note: You do not have to configure any specific rules or security policies to permit the DHCP packets to pass through any of the ASA interfaces.

DHCP server
-----------
Enable the DHCP server on an ASA interface that faces the clients:
ciscoasa(config)# dhcpd enable interface
Create an address pool for clients on an interface:
ciscoasa(config)# dhcpd address ip1[-ip2] interface
Configure DHCP options for clients:
ciscoasa(config)# dhcpd option code {ascii string | ip ip_address | hex hex_string}
ciscoasa(config)# dhcpd dns dns1 [dns2]
ciscoasa(config)# dhcpd wins wins1 [wins2]
ciscoasa(config)# dhcpd domain domain_name

By default, each DHCP lease is offered with a lease time of 3600 seconds (1 hour). To change it:
ciscoasa(config)# dhcpd lease lease_length

In this example the ASA is configured as a DHCP server for clients on its inside interface.
The inside interface has IP address 192.168.10.1.
Clients are assigned an address from the pool 192.168.10.10 through 192.168.10.254:
ciscoasa(config)# dhcpd enable inside
ciscoasa(config)# dhcpd address 192.168.10.10-192.168.10.254 inside
ciscoasa(config)# dhcpd dns 192.168.1.20 192.168.1.21
ciscoasa(config)# dhcpd wins 192.168.1.22 192.168.1.23
ciscoasa(config)# dhcpd domain mynewnetwork.com

show dhcpd state
show dhcpd binding all

Static Routing
============
A static route states that the IP subnet defined by ip_address and mask can be reached by forwarding packets out the ASA interface named interface_name toward gateway_ip:
ciscoasa(config)# route interface_name ip_address mask gateway_ip [distance]

The inside interface is configured with 192.168.10.0/24.
The 192.168.200.0/24 subnet is reachable through gateway 192.168.10.254, located on the inside interface:
ciscoasa(config)# route inside 192.168.200.0 255.255.255.0 192.168.10.254

Default route:
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 192.168.100.254

If two identical static or default routes are configured, the ASA load balances between them.
You can also make a static route conditional by monitoring the reachability of an IP address:
Step 1. Define an SLA monitor process and an arbitrary process number:
ciscoasa(config)# sla monitor sla-id
Step 2. Define the reachability test:
ciscoasa(config-sla-monitor)# type echo protocol ipIcmpEcho target interface interface-name
Step 3. Tune optional test parameters.
Parameter               Command syntax              Default
Test frequency          frequency seconds           60 sec
Number of ping packets  num-packets number          1 ICMP request packet
Size of ping packet     request-data-size bytes     28-byte payload
Type of service         tos number                  0
Test timeout interval   timeout milliseconds        5000 ms (5 sec)
Test threshold          threshold milliseconds      5000 ms

Step 4. Schedule the SLA monitor test to run. The full syntax is:
ciscoasa(config)# sla monitor schedule sla-id [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]

To start the test immediately and run it indefinitely:
ciscoasa(config)# sla monitor schedule sla-id life forever now

Step 5. Enable reachability tracking.
To use the SLA monitor, you must identify the test as a trackable object:
ciscoasa(config)# track track-id rtr sla-id reachability

Step 6. Apply tracking to a static route:
ciscoasa(config)# route if_name ip_address netmask gateway_ip [distance] track track-id
If the target is not reachable (ICMP echo replies are not received as expected),
the static route remains in the running configuration but is given a higher distance value,
so it becomes less desirable than other identical routes in the routing table.

Step 7. Define a backup static route:
ciscoasa(config)# route if_name ip_address netmask gateway_ip distance
You should define a backup route that will be preferred whenever the tracked static route becomes inactive.
The backup and tracked static routes should be identical except for their distance values.

ciscoasa(config)# sla monitor 1
ciscoasa(config-sla-monitor)# type echo protocol ipIcmpEcho 10.0.0.1 interface outside
ciscoasa(config-sla-monitor-echo)# exit
ciscoasa(config-sla-monitor)# exit
ciscoasa(config)# sla monitor schedule 1 life forever now
ciscoasa(config)# track 1 rtr 1 reachability
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 10.0.0.1 1 track 1
ciscoasa(config)# route backup_if_name 0.0.0.0 0.0.0.0 10.5.0.1 100
The tracked default route through 10.0.0.1 has an administrative distance of 1; the backup default route through 10.5.0.1 has an administrative distance of 100. backup_if_name stands for the interface facing 10.5.0.1, which the notes do not name.

show track
show sla monitor configuration
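As an added illustration (not part of the original notes), the following Python models how the ASA chooses between the tracked default route and the floating backup from the example above: a route whose track is down is treated as not installed, identical prefixes keep only the lowest administrative distance, and forwarding uses the longest prefix match. The routing table is constructed from the notes; backup_if_name is a placeholder for the interface facing 10.5.0.1.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A static route as the notes define it: interface, prefix, gateway, distance
# and an optional track id. Constructed table modelled on the example above;
# "backup_if_name" is a placeholder, the notes do not name that interface.
Route = Tuple[str, str, str, int, Optional[int]]
ROUTES: List[Route] = [
    ("outside",        "0.0.0.0/0",        "10.0.0.1",       1,   1),     # tracked default
    ("backup_if_name", "0.0.0.0/0",        "10.5.0.1",       100, None),  # floating backup
    ("inside",         "192.168.200.0/24", "192.168.10.254", 1,   None),
]

def routing_table(routes: List[Route], track_up: Dict[int, bool]) -> List[Route]:
    """Routes actually installed: a tracked route whose SLA target is unreachable is
    left out, and for each prefix only the lowest administrative distance remains."""
    best: Dict[ipaddress.IPv4Network, Route] = {}
    for r in routes:
        _, prefix, _, distance, track = r
        if track is not None and not track_up.get(track, False):
            continue  # track down (no ICMP echo replies): route not installed
        net = ipaddress.IPv4Network(prefix)
        if net not in best or distance < best[net][3]:
            best[net] = r
    return list(best.values())

def lookup(routes: List[Route], dest: str,
           track_up: Dict[int, bool]) -> Optional[Tuple[str, str]]:
    """Longest-prefix match over the installed routes; returns (interface, gateway)."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in routing_table(routes, track_up)
                  if addr in ipaddress.IPv4Network(r[1])]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: ipaddress.IPv4Network(r[1]).prefixlen)
    return best[0], best[2]
```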

RIP v2
======
Enable RIPv2:
ciscoasa(config)# router rip
ciscoasa(config-router)# version 2

By default, automatic route summarization is enabled. To disable it:
ciscoasa(config-router)# no auto-summary
If the ASA has a default route and you would like it to be advertised to other RIPv2 routers:
ciscoasa(config-router)# default-information originate
Identify directly connected networks to advertise:
ciscoasa(config-router)# network ip-address
Identify any passive interfaces. If there are ASA interfaces where routing information should be received but not transmitted, configure them as passive interfaces:
ciscoasa(config-router)# passive-interface {default | interface}

You can filter RIPv2 routing information that is sent or received on an ASA
interface by applying a distribute list. A distribute list uses a standard
IP access list to identify specific routes: routes matching a permit statement
are allowed to be used, whereas routes matching a deny statement are
filtered out. The list is applied in the inbound or outbound direction, so routes are filtered as they are received or as they are transmitted:
ciscoasa(config)# access-list acl-id standard {permit | deny} ip-address mask
ciscoasa(config-router)# distribute-list acl-id {in | out} interface interface

RIPv2 authentication is configured on a per-interface basis:
ciscoasa(config-if)# rip authentication mode {text | md5}
ciscoasa(config-if)# rip authentication key key-string key_id id

ciscoasa(config)# access-list ripfilter standard permit 192.168.0.0 255.255.0.0
ciscoasa(config)# router rip
ciscoasa(config-router)# version 2
ciscoasa(config-router)# no auto-summary
ciscoasa(config-router)# default-information originate
ciscoasa(config-router)# network 192.168.1.0
ciscoasa(config-router)# distribute-list ripfilter in interface inside
ciscoasa(config-router)# exit
ciscoasa(config)# interface ethernet0/1
ciscoasa(config-if)# rip authentication mode md5
ciscoasa(config-if)# rip authentication key myb1gs3cr3t key_id 1

EIGRP
=====
All EIGRP messages are sent as multicast packets to address 224.0.0.10, using IP protocol 88.

Enable an EIGRP process:
ciscoasa(config)# router eigrp as-num
Associate a network with the EIGRP process:
ciscoasa(config-router)# network ip-addr [mask]
If you want an interface's subnet to be advertised but do not want the interface to participate in EIGRP routing exchanges, make it passive:
ciscoasa(config-router)# passive-interface interface

By default, EIGRP will automatically summarize subnet routes into classful network routes when they are advertised. To disable this:
ciscoasa(config-router)# no auto-summary

Redistribute routing information from other sources.
To redistribute routes that were learned by RIP, that are statically defined, or that are directly connected:
ciscoasa(config-router)# redistribute {rip | static | connected} [metric bandwidth delay reliability load mtu] [route-map map_name]
To redistribute routes learned from OSPF:
ciscoasa(config-router)# redistribute ospf pid [match {internal | external [1 | 2] | nssa-external [1 | 2]}] [metric bandwidth delay reliability load mtu] [route-map map_name]

If the ASA has a single connection to the outside world through a neighboring router, it can become an EIGRP stub router:
it receives routes (usually a default route) from its neighbor but advertises only specific routes of its own.
ciscoasa(config-router)# eigrp stub {receive-only | [connected] [redistributed] [static] [summary]}
receive-only: receives updates but does not advertise anything
connected: advertises routes that are directly connected
redistributed: advertises routes that the ASA has redistributed into its EIGRP process
static: advertises static routes defined on the ASA
summary: advertises summary routes configured on the ASA

Secure EIGRP updates with neighbor authentication:
ciscoasa(config)# interface interface
ciscoasa(config-if)# authentication mode eigrp as-num md5
ciscoasa(config-if)# authentication key eigrp as-num key-string key-id key-id

In this example, Ethernet0/0 faces the outside and Ethernet0/1 faces the inside.
Because the ASA has a single path to the outside world, it can become an EIGRP stub router,
and there is no need for the outside interface to participate in routing updates:
ciscoasa(config)# router eigrp 1
ciscoasa(config-router)# network 10.0.0.0
ciscoasa(config-router)# network 192.168.1.0
ciscoasa(config-router)# eigrp stub
ciscoasa(config-router)# passive-interface ethernet0/0
ciscoasa(config-router)# exit
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 10.0.1.2 1
ciscoasa(config)# interface ethernet0/1
ciscoasa(config-if)# authentication mode eigrp 1 md5
ciscoasa(config-if)# authentication key eigrp 1 myb1gs3cr3t key-id 1
ciscoasa(config-if)# exit
ciscoasa# show eigrp neighbors
ciscoasa# show eigrp topology

OSPF
====
Define an OSPF process:
ciscoasa(config)# router ospf pid
By default, OSPF uses the highest IP address as the router ID. You can override that by using the following command:
ciscoasa(config-router)# router-id ip_address
An ASA can advertise a default route as an external route by using the following command:
ciscoasa(config-router)# default-information originate [always] [metric value] [metric-type {1 | 2}] [route-map name]

Optionally, configure route filtering:
ciscoasa(config)# prefix-list list_name [seq seq_number] {permit | deny} prefix/len [ge min_value] [le max_value]
The prefix list is given a text string name. You can repeat this command to add
more conditions to the list. By default, prefix list entries are automatically
numbered in increments of 5, beginning with sequence number 5. Routes are
evaluated against the prefix list entries in sequence, starting with the lowest
defined sequence number.
A prefix list entry can either permit or deny the advertisement of matching routes in type 3 LSAs.
A prefix list entry matches an IP route address against the prefix (a valid IP network address) and len (the number of leftmost bits in the address) values.
The ge (greater than or equal to a number of bits) and le (less than or equal to a number of bits) keywords can also be used to define a range of the number of prefix bits to match.
For example, to permit advertisements of routes with a prefix of 172.16.0.0/16
but having any mask length between 16 and 24 bits, you could use the following command:
ciscoasa(config)# prefix-list LIST permit 172.16.0.0/16 ge 16 le 24
Apply the prefix list to filter LSAs into or out of an area:
ciscoasa(config-router)# area area_id filter-list prefix list_name [in | out]
You can apply the prefix list for LSAs going in or out of the area area_id.
You can stop advertisements from leaving a private area by applying the prefix list to the private area_id in the out direction.

Redistribute routes from another source.
When an ASA redistributes routes from any other source into OSPF, it automatically becomes an ASBR by definition.
Use a route map to control which routes are redistributed into OSPF:
ciscoasa(config)# route-map map_tag [permit | deny] [seq_num]
Define one or more matching conditions with the match command. If you configure multiple match statements, all of them must be met.
For each match in a route map, you can configure one or more attributes to be set by using the set commands.
To redistribute routes from another source into the OSPF process:
ciscoasa(config-router)# redistribute {static | connected | rip | eigrp as_num} [metric metric_value] [metric-type metric_type] [route-map map_name] [tag tag_value] [subnets]

ciscoasa(config)# interface ethernet0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 10.1.4.1 255.255.255.0
ciscoasa(config-if)# ospf authentication message-digest
ciscoasa(config-if)# ospf message-digest-key 1 md5 myoutsidekey
ciscoasa(config-if)# exit
ciscoasa(config)# interface ethernet1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# ospf authentication message-digest
ciscoasa(config-if)# ospf message-digest-key 1 md5 myinsidekey
ciscoasa(config-if)# exit
ciscoasa(config)# prefix-list InsideFilter seq 10 deny 192.168.99.0/24
ciscoasa(config)# prefix-list InsideFilter seq 20 permit 192.168.0.0/16
ciscoasa(config)# prefix-list InsideFilter seq 30 permit 172.16.0.0/16
ciscoasa(config)# router ospf 1
ciscoasa(config-router)# network 192.168.1.0 255.255.255.0 area 0
ciscoasa(config-router)# network 10.1.4.0 255.255.255.0 area 4
ciscoasa(config-router)# area 0 filter-list prefix InsideFilter out
ciscoasa(config-router)# exit
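As an added example (not from the original notes or from Cisco), the following Python parses prefix-list commands in the syntax shown above and evaluates candidate routes the way the ASA does: entries in sequence order, first match wins, implicit deny, and the ge/le mask-length window. The input is the InsideFilter list from the example above plus the LIST entry with ge/le; it shows that "permit 192.168.0.0/16" without ge/le matches only the exact /16, so a /24 inside that range is still denied.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class PrefixEntry:
    seq: int
    action: str                    # "permit" or "deny"
    prefix: ipaddress.IPv4Network  # the prefix/len of the entry
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # Mask-length window: with neither keyword only the exact length matches,
        # "ge X" alone means X..32, "le Y" alone means len..Y, both means X..Y.
        lo = self.prefix.prefixlen if self.ge is None else self.ge
        hi = (self.prefix.prefixlen if self.ge is None else 32) if self.le is None else self.le
        # The leftmost len bits of the route must equal the entry prefix as well.
        return route.subnet_of(self.prefix) and lo <= route.prefixlen <= hi

def parse_prefix_lists(lines: List[str]) -> Dict[str, List[PrefixEntry]]:
    """Parse 'prefix-list NAME [seq N] {permit|deny} P/L [ge X] [le Y]' lines."""
    lists: Dict[str, List[PrefixEntry]] = {}
    for tok in (line.split() for line in lines if line.startswith("prefix-list")):
        entries, tok = lists.setdefault(tok[1], []), tok[2:]
        if tok[0] == "seq":
            seq, tok = int(tok[1]), tok[2:]
        else:  # auto-numbering: next multiple of 5 above the highest seq (5, 10, 15, ...)
            seq = (max((e.seq for e in entries), default=0) // 5 + 1) * 5
        opts = dict(zip(tok[2::2], tok[3::2]))  # optional "ge X" / "le Y" pairs
        entries.append(PrefixEntry(seq, tok[0], ipaddress.IPv4Network(tok[1], strict=False),
                                   int(opts["ge"]) if "ge" in opts else None,
                                   int(opts["le"]) if "le" in opts else None))
        entries.sort(key=lambda e: e.seq)  # evaluated lowest sequence number first
    return lists

def evaluate(entries: List[PrefixEntry], route: str) -> str:
    """First matching entry decides; a route that matches no entry is implicitly denied."""
    net = ipaddress.IPv4Network(route, strict=False)
    for e in entries:
        if e.matches(net):
            return e.action
    return "deny"

# Constructed input: the InsideFilter entries from the notes plus the ge/le example.
CONFIG = """prefix-list InsideFilter seq 10 deny 192.168.99.0/24
prefix-list InsideFilter seq 20 permit 192.168.0.0/16
prefix-list InsideFilter seq 30 permit 172.16.0.0/16
prefix-list LIST permit 172.16.0.0/16 ge 16 le 24""".splitlines()
LISTS = parse_prefix_lists(CONFIG)
```

If the intent of InsideFilter is to pass all 192.168.x.x subnets except 192.168.99.0/24, the permit entry needs "le 32" (or a suitable ge/le window); as written it passes only the /16 summary itself.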

Ref: CCNP Security FIREWALL 642-617 Official Cert Guide Chapter 4

About Alexis Katsavras

Working as Freelance Cisco Unified Communications Consultant in the UK. www.NetPacket.co.uk