ASDM 6.0 User Guide
Configuring Dynamic And Static Routing
Downloads: This chapterpdf (PDF - 477.0KB) The complete bookPDF (PDF - 28.5MB) | Feedback

Configuring Dynamic And Static Routing

Table Of Contents

Configuring Dynamic And Static Routing

Dynamic Routing

OSPF

Setup

Filtering

Interface

Redistribution

Static Neighbor

Summary Address

Virtual Link

RIP

Setup

Interface

Filter Rules

Redistribution

EIGRP

Configuring EIGRP

Field Information for the EIGRP Panes

Static Routes

Static Route Tracking

Configuring Static Route Tracking

Field Information for Static Routes

Static Routes

Add/Edit Static Route

Route Monitoring Options

ASR Group

Proxy ARPs


Configuring Dynamic And Static Routing


To configure static routes and dynamic routing protocols, go to Configuration > Device Setup > Routing area of the ASDM interface.

You can configure up to two OSPF, one EIGRP, and one RIP routing process on the security appliance at the same time. Dynamic routing is only available on security appliances in routed firewall mode; you cannot configure dynamic routing protocols on a security appliance in transparent firewall mode.

You can configure static routes on security appliances in either routed or transparent firewall mode. You can use the static route tracking feature to have the security appliance a backup static route if a primary static route becomes unavailable.

This section contains the following topics:

Dynamic Routing

Static Routes

ASR Group

Proxy ARPs

Dynamic Routing

This section contains the following topics:

OSPF

RIP

EIGRP

OSPF

OSPF is an interior gateway routing protocol that uses link states rather than distance vectors for path selection. OSPF propagates link-state advertisements rather than routing table updates. Because only LSAs are exchanged instead of the entire routing tables, OSPF networks converge more quickly than RIP networks.

OSPF supports MD5 and clear text neighbor authentication. Authentication should be used with all routing protocols when possible because route redistribution between OSPF and other protocols (like RIP) can potentially be used by attackers to subvert routing information.

If NAT is used, if OSPF is operating on public and private areas, and if address filtering is required, then you need to run two OSPF processes—one process for the public areas and one for the private areas.

A router that has interfaces in multiple areas is called an Area Border Router (ABR). A router that acts as a gateway to redistribute traffic between routers using OSPF and routers using other routing protocols is called an Autonomous System Boundary Router (ASBR).

An ABR uses LSAs to send information about available routes to other OSPF routers. Using ABR type 3 LSA filtering, you can have separate private and public areas with the security appliance acting as an ABR. Type 3 LSAs (inter-area routes) can be filtered from one area to other. This lets you use NAT and OSPF together without advertising private networks.


Note Only type 3 LSAs can be filtered. If you configure the security appliance as an ASBR in a private network, it will send type 5 LSAs describing private networks, which will get flooded to the entire AS including public areas.


If NAT is employed but OSPF is only running in public areas, then routes to public networks can be redistributed inside the private network, either as default or type 5 AS External LSAs. However, you need to configure static routes for the private networks protected by the security appliance. Also, you should not mix public and private networks on the same security appliance interface.

You can have two OSPF routing processes, one RIP routing process, and one EIGRP routing process running on the security appliance at the same time.

For more information about enabling and configuring OSPF, see the following:

Setup

Filtering

Interface

Redistribution

Static Neighbor

Summary Address

Virtual Link

Setup

The Setup pane lets you enable OSPF processes, configure OSPF areas and networks, and define OSPF route summarization.

For more information about configuring these areas, see the following:

Setup > Process Instances Tab

Setup > Area/Networks Tab

Setup > Route Summarization Tab

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Setup > Process Instances Tab

You can enable up to two OSPF process instances. Each OSPF process has its own associated areas and networks.

Fields

OSPF Process 1 and 2 areas—Each area contains the settings for a specific OSPF process.

Enable this OSPF Process—Check the check box to enable an OSPF process. Uncheck this check box to remove the OSPF process.

OSPF Process ID—Enter a unique numeric identifier for the OSPF process. This process ID is used internal and does not need to match the OSPF process ID on any other OSPF devices. Valid values are from 1 to 65535.

Advanced—Opens the Edit OSPF Process Advanced Properties dialog box, where you can configure the Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings. See Edit OSPF Process Advanced Properties for more information.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Edit OSPF Process Advanced Properties

You can edit process-specific settings, such as the Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings, in the Edit OSPF Process Advanced Properties dialog box.

Fields

OSPF Process—Displays the OSPF process you are configuring. You cannot change this value.

Router ID—To used a fixed router ID, enter a router ID in IP address format in the Router ID field. If you leave this value blank, the highest-level IP address on the security appliance is used as the router ID.

Ignore LSA MOSPF—Check this check box to suppress the sending of system log messages when the security appliance receives type 6 (MOSPF) LSA packets. This setting is unchecked by default.

RFC 1583 Compatible—Check this check box to calculate summary route costs per RFC 1583. Uncheck this check box to calculate summary route costs per RFC 2328. To minimize the chance of routing loops, all OSPF devices in an OSPF routing domain should have RFC compatibility set identically.This setting is selected by default.

Adjacency Changes—Contains settings that define the adjacency changes that cause system log messages to be sent.

Log Adjacency Changes—Check this check box to cause the security appliance to send a system log message whenever an OSPF neighbor goes up or down. This setting is selected by default.

Log Adjacency Changes Detail—Check this check box to cause the security appliance to send a system log message whenever any state change occurs, not just when a neighbor goes up or down. This setting is unchecked by default.

Administrative Route Distances—Contains the settings for the administrative distances of routes based on the route type.

Inter Area—Sets the administrative distance for all routes from one area to another. Valid values range from 1 to 255. The default value is 100.

Intra Area—Sets the administrative distance for all routes within an area. Valid values range from 1 to 255. The default value is 100.

External—Sets the administrative distance for all routes from other routing domains that are learned through redistribution. Valid values range from 1 to 255. The default value is 100.

Timers—Contains the settings used to configure LSA pacing and SPF calculation timers.

SPF Delay Time—Specifies the time between when OSPF receives a topology change and when the SPF calculation starts. Valid values range from 0 to 65535. The default value is 5.

SPF Hold Time—Specifies the hold time between consecutive SPF calculations.Valid values range from 1 to 65534. The default value is 10.

LSA Group Pacing—Specifies the interval at which LSAs are collected into a group and refreshed, checksummed, or aged. Valid values range from 10 to 1800. The default value is 240.

Default Information Originate—Contains the settings used by an ASBR to generate a default external route into an OSPF routing domain.

Enable Default Information Originate—Check this check box to enable the generation of the default route into the OSPF routing domain.

Always advertise the default route—Check this check box to always advertise the default route. This option is unchecked by default.

Metric Value—Specifies the OSPF default metric. Valid values range from 0 to 16777214. The default value is 1.

Metric Type—Specifies the external link type associated with the default route advertised into the OSPF routing domain. Valid values are 1 or 2, indicating a Type 1 or a Type 2 external route. The default value is 2.

Route Map—(Optional) The name of the route map to apply. The routing process generates the default route if the route map is satisfied.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Setup > Area/Networks Tab

The Area/Networks tab displays the areas, and the networks they contain, for each OSPF process on the security appliance.

Fields

Area/Networks—Displays information about the areas and the area networks configured for each OSPF process. Double-clicking a row in the table opens the Add/Edit OSPF Area dialog box for the selected area.

OSPF Process—Displays the OSPF process the area applies to.

Area ID—Displays the area ID.

Area Type—Displays the area type. The area type is one of the following values: Normal, Stub, NSSA.

Networks—Displays the area networks.

Authentication—Displays the type of authentication set for the area. The authentication type is one of the following values: None, Password, MD5.

Options—Displays any options set for the area type.

Cost—Displays the default cost for the area.

Add—Opens the Add/Edit OSPF Area dialog box. Use this button to add a new area configuration.

Edit—Opens the Add/Edit OSPF Area dialog box. Use this button to change the parameters of the selected area.

Delete—Removes the selected area from the configuration.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Add/Edit OSPF Area

You define area parameters, the networks contained by the area, and the OSPF process associated with the area in the Add/Edit OSPF Area dialog box.

Fields

OSPF Process—When adding a new area, choose the OSPF process ID for the OSPF process for which the area is being. If there is only one OSPF process enabled on the security appliance, then that process is selected by default. When editing an existing area, you cannot change the OSPF process ID.

Area ID—When adding a new area, enter the area ID. You can specify the area ID as either a decimal number or an IP address. Valid decimal values range from 0 to 4294967295. You cannot change the area ID when editing an existing area.

Area Type—Contains the settings for the type of area being configured.

Normal—Choose this option to make the area a standard OSPF area. This option is selected by default when you first create an area.

Stub—Choosing this option makes the area a stub area. Stub areas do not have any routers or areas beyond it. Stub areas prevent AS External LSAs (type 5 LSAs) from being flooded into the stub area. When you create a stub area, you have the option of preventing summary LSAs (type 3 and 4) from being flooded into the area by unchecking the Summary check box.

Summary—When the area being defined is a stub area, unchecking this check box prevents LSAs from being sent into the stub area. This check box is selected by default for stub areas.

NSSA—Choose this option to make the area a not-so-stubby area. NSSAs accept type 7 LSAs. When you create a NSSA, you have the option of preventing summary LSAs from being flooded into the area by unchecking the Summary check box. You can also disable route redistribution by unchecking the Redistribute check box and enabling Default Information Originate.

Redistribute—Uncheck this check box to prevent routes from being imported into the NSSA. This check box is selected by default.

Summary—When the area being defined is a NSSA, unchecking this check box prevents LSAs from being sent into the stub area. This check box is selected by default for NSSAs.

Default Information Originate—Check this check box to generate a type 7 default into the NSSA. This check box is unchecked by default.

Metric Value—Specifies the OSPF metric value for the default route. Valid values range from 0 to 16777214. The default value is 1.

Metric Type—The OSPF metric type for the default route. The choices are 1 (type 1) or 2 (type 2). The default value is 2.

Area Networks—Contains the settings for defining an OSPF area.

Enter IP Address and Mask—Contains the settings used to define the networks in the area.

IP Address—Enter the IP address of the network or host to be added to the area. Use 0.0.0.0 with a netmask of 0.0.0.0 to create the default area. You can only use 0.0.0.0 in one area.

Netmask—Choose the network mask for the IP address or host to be added to the area. If adding a host, choose the 255.255.255.255 mask.

Add—Adds the network defined in the Enter IP Address and Mask area to the area. The added network appears in the Area Networks table.

Delete—Deletes the selected network from the Area Networks table.

Area Networks—Displays the networks defined for the area.

IP Address—Displays the IP address of the network.

Netmask—Displays the network mask for the network.

Authentication—Contains the settings for OSPF area authentication.

None—Choose this option to disable OSPF area authentication. This is the default setting.

Password—Choose this option to use a clear text password for area authentication. This option is not recommended where security is a concern.

MD5—Choose this option to use MD5 authentication.

Default Cost—Specify a default cost for the area. Valid values range from 0 to 65535. The default value is 1.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Setup > Route Summarization Tab

In OSPF, an ABR will advertise networks in one area into another area. If the network numbers in an area are assigned in a way such that they are contiguous, you can configure the ABR to advertise a summary route that covers all the individual networks within the area that fall into the specified range. To define summary address for external routes being redistributed into an OSPF area, see Summary Address.

Fields

Route Summarization—Displays information about route summaries defined on the security appliance. Double-clicking a row in the table opens the Add/Edit Route Summarization dialog box for the selected route summary.

OSPF Process—Displays the OSPF process ID for the OSPF process associated with the route summary.

Area ID—Displays the area associated with the route summary.

IP Address—Displays the summary address.

Network Mask—Displays the summary mask.

Advertise—Displays "yes" when the route summaries are advertised when they match the address/mask pair or "no" when route summaries are suppressed when they match the address/mask pair.

Add—Opens the Add/Edit Route Summarization dialog box. Use this button to define a new route summarization.

Edit—Opens the Add/Edit Route Summarization dialog box. Use this button to change the parameters of the selected route summarization.

Delete—Removes the selected route summarization from the configuration.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Add/Edit Route Summarization

Use the Add Route Summarization dialog box to add a new entry to the Route Summarization table. Use the Edit Route Summarization dialog box to change an existing entry.

Fields

OSPF Process—Choose the OSPF process the route summary applies to. You cannot change this value when editing an existing route summary entry.

Area ID—Choose the area ID the route summary applies to. You cannot change this value when editing an existing route summary entry.

IP Address—Enter the network address for the routes being summarized.

Network Mask—Choose one of the common network masks from the list or type the mask in the field.

Advertise—Check this check box to set the address range status to "advertise". This causes type 3 summary LSAs to be generated. Uncheck this check box to suppress the type 3 summary LSA for the specified networks. This check box is checked by default.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Filtering

The Filtering pane displays the ABR type 3 LSA filters that have been configured for each OSPF process.

ABR type 3 LSA filters allow only specified prefixes to be sent from one area to another area and restricts all other prefixes. This type of area filtering can be applied out of a specific OSPF area, into a specific OSPF area, or into and out of the same OSPF areas at the same time.

Benefits

OSPF ABR type 3 LSA filtering improves your control of route distribution between OSPF areas.

Restrictions

Only type 3 LSAs that originate from an ABR are filtered.

Fields

The Filtering table displays the following information. Double-clicking a table entry opens the Add/Edit Filtering Entry dialog box for the selected entry.

OSPF Process—Displays the OSPF process associated with the filter entry.

Area ID—Displays the ID of the area associated with the filter entry.

Filtered Network—Displays the network address being filtered.

Traffic Direction—Displays "Inbound" if the filter entry applies to LSAs coming in to an OSPF area or Outbound if it applies to LSAs coming out of an OSPF area.

Sequence #—Displays the sequence number for the filter entry. When multiple filters apply to an LSA, the filter with the lowest sequence number is used.

Action—Displays "Permit" if LSAs matching the filter are allowed or "Deny" if LSAs matching the filter are denied.

Lower Range—Displays the minimum prefix length to be matched.

Upper Range—Displays the maximum prefix length to be matched.

You can perform the following actions on entries in the Filtering table:

Add—Opens the Add/Edit Filtering Entry dialog box for adding a new entry to the Filter table.

Edit—Opens the Add/Edit Filtering Entry dialog box for modifying the selected filter.

Delete—Removes the selected filter from the Filter table.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Add/Edit Filtering Entry

The Add/Edit Filtering Entry dialog box lets you add new filters to the Filter table or to modify an existing filter. Some of the filter information cannot be changed when you edit an existing filter.

Fields

OSPF Process—Choose the OSPF process associated with the filter entry. If you are editing an existing filter entry, you cannot modify this setting.

Area ID—Choose the ID of the area associated with the filter entry. If you are editing an existing filter entry, you cannot modify this setting.

Filtered Network—Enter the address and mask of the network being filtered using CIDR notation (a.b.c.d/m).

Traffic Direction—Choose the traffic direction being filtered. Choose "Inbound" to filter LSAs coming into an OSPF area or "Outbound" to filter LSAs coming out of an OSPF area. If you are editing an existing filter entry, you cannot modify this setting.

Sequence #—Enter a sequence number for the filter. Valid values range from 1 to 4294967294. When multiple filters apply to an LSA, the filter with the lowest sequence number is used.

Action—Choose "Permit" to allow the LSA traffic or "Deny" to block the LSA traffic.

Optional—Contains the optional settings for the filter.

Lower Range—Specify the minimum prefix length to be matched. The value of this setting must be greater than the length of the network mask entered in the Filtered Network field and less than or equal to the value, if present, entered in the Upper Range field.

Upper Range—Enter the maximum prefix length to be matched. The value of this setting must be greater than or equal to the value, if present, entered in the Lower Range field, or, if the Lower Range field is left blank, greater than the length of the network mask length entered in the Filtered Network field.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Interface

The Interface pane lets you configure interface-specific OSPF routing properties, such as OSPF message authentication and properties. For more information about configuring these properties, see the following:

Interface > Authentication Tab

Interface > Properties Tab

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Interface > Authentication Tab

The Authentication tab displays the OSPF authentication information for the security appliance interfaces.

Fields

Authentication Properties—Displays the authentication information for the security appliance interfaces. Double-clicking a row in the table opens the Edit OSPF Interface Properties dialog box for the selected interface.

Interface—Displays the interface name.

Authentication Type—Displays the type of OSPF authentication enabled on the interface. The authentication type can be one of the following values:

None—OSPF authentication is disabled.

Password—Clear text password authentication is enabled.

MD5—MD5 authentication is enabled.

Area—The authentication type specified for the area is enabled on the interface. Area authentication is the default value for interfaces. However, area authentication is disabled by default. So, unless you previously specified an area authentication type, interfaces showing Area authentication have authentication disabled.

Edit—Opens the Edit OSPF Interface Properties dialog box for the selected interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Edit OSPF Interface Authentication

The Edit OSPF Interface Authentication dialog box lets you configure the OSPF authentication type and parameters for the selected interface.

Fields

Interface—Displays the name of the interface for which authentication is being configured. You cannot edit this field.

Authentication—Contains the OSPF authentication options.

None—Choose this option to disable OSPF authentication.

Password—Choose this option to use clear text password authentication. This is not recommended where security is a concern.

MD5—Choose this option to use MD5 authentication (recommended).

Area—(Default) Choose this option to use the authentication type specified for the area (see Add/Edit OSPF Area for information about configuring area authentication). Area authentication is disabled by default. So, unless you have previously specified an area authentication type, interfaces set to area authentication have authentication disabled until you configure area authentication.

Authentication Password—Contains the settings for entering the password when password authentication is enabled.

Enter Password—Enter a text string of up to 8 characters.

Re-enter Password—Reenter the password.

MD5 IDs and Keys—Contains the settings for entering the MD5 keys and parameters when MD5 authentication is enabled. All devices on the interface using OSPF authentication must use the same MD5 key and ID.

Enter MD5 ID and Key—Contains the settings for entering MD5 key information.

Key ID—Enter a numerical key identifier. Valid values range from 1 to 255.

Key—An alphanumeric character string of up to 16 bytes.

Add—Adds the specified MD5 key to the MD5 ID and Key table.

Delete—Removes the selected MD5 key and ID from the MD5 ID and Key table.

MD5 ID and Key—Displays the configured MD5 keys and key IDs.

Key ID—Displays the key ID for the selected key.

Key—Displays the key for the selected key ID.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Interface > Properties Tab

The Properties tab displays the OSPF properties defined for each interface in a table format.

Fields

OSPF Interface Properties—Displays interface-specific OSPF properties. Double-clicking a row in the table opens the Edit OSPF Interface Properties dialog box for the selected interface.

Interface—Displays the name of the interface that the OSPF configuration applies to.

Broadcast—Displays "No" if the interface is set to non-broadcast (point-to-point). Displays "Yes" if the interface is set to broadcast. "Yes" is the default setting for Ethernet interfaces.

Cost—Displays the cost of sending a packet through the interface.

Priority—Displays the OSPF priority assigned to the interface.

MTU Ignore—Displays "No" if MTU mismatch detection is enabled. Displays "Yes" if the MTU mismatch detection is disabled.

Database Filter—Displays "Yes" if outgoing LSAs are filtered during synchronization and flooding. Displays "No" if filtering is not enabled.

Edit—Opens the Edit OSPF Interface Properties dialog box for the selected interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Edit OSPF Interface Properties

Fields

Interface—Displays the name of the interface for which you are configuring OSPF properties. You cannot edit this field.

Broadcast—Check this check box to specify that the interface is a broadcast interface. This check box is selected by default for Ethernet interfaces. Uncheck this check box to designate the interface as a point-to-point, non-broadcast interface. Specifying an interface as point-to-point, non-broadcast lets you transmit OSPF routes over VPN tunnels.

When an interface is configured as point-to-point, non-broadcast, the following restrictions apply:

You can define only one neighbor for the interface.

You need to manually configure the neighbor (see Static Neighbor).

You need to define a static route pointing to the crypto endpoint (see Static Routes).

If OSPF over the tunnel is running on the interface, regular OSPF with an upstream router cannot be run on the same interface.

You should bind the crypto-map to the interface before specifying the OSPF neighbor to ensure that the OSPF updates are passed through the VPN tunnel. If you bind the crypto-map to the interface after specifying the OSPF neighbor, use the clear local-host all command to clear OSPF connections so the OSPF adjacencies can be established over the VPN tunnel.

Cost—Specify the cost of sending a packet through the interface. The default value is 10.

Priority—Specify the OSPF router priority. When two routers connect to a network, both attempt to become the designated router. The devices with the higher router priority becomes the designated router. If there is a tie, the router with the higher router ID becomes the designated router.

Valid values for this setting range from 0 to 255.The default value is 1. Entering 0 for this setting makes the router ineligible to become the designated router or backup designated router. This setting does not apply to interfaces that are configured as point-to-point non-broadcast interfaces.

MTU Ignore—OSPF checks whether neighbors are using the same MTU on a common interface. This check is performed when neighbors exchange DBD packets. If the receiving MTU in the DBD packet is higher than the IP MTU configured on the incoming interface, OSPF adjacency will not be established.

Database Filter—Check this check box to filter outgoing LSA interface during synchronization and flooding. By default, OSPF floods new LSAs over all interfaces in the same area, except the interface on which the LSA arrives. In a fully meshed topology, this can waste bandwidth and lead to excessive link and CPU usage. Checking this check box prevents flooding OSPF LSA on the selected interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Edit OSPF Interface Advanced Properties

The Edit OSPF Interface Advanced Properties dialog box lets you change the values for the OSPF hello interval, retransmit interval, transmit delay, and dead interval. Typically, you only need to change these values from the defaults if you are experiencing OSPF problems on your network.

Fields

Hello Interval—Specifies the interval, in seconds, between hello packets sent on an interface. The smaller the hello interval, the faster topological changes are detected but the more traffic is sent on the interface. This value must be the same for all routers and access servers on a specific interface. Valid values range from 1 to 65535 seconds. The default value is 10 seconds.

Retransmit Interval—Specifies the time, in seconds, between LSA retransmissions for adjacencies belonging to the interface. When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgement message. If the router receives no acknowledgement, it will resend the LSA. Be conservative when setting this value, or needless retransmission can result. The value should be larger for serial lines and virtual links. Valid values range from 1 to 65535 seconds. The default value is 5 seconds.

Transmit Delay—Specifies the estimated time, in seconds, required to send an LSA packet on the interface. LSAs in the update packet have their ages increased by the amount specified by this field before transmission. If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. The value assigned should take into account the transmission and propagation delays for the interface. This setting has more significance on very low-speed links. Valid values range from 1 to 65535 seconds. The default value is 1 second.

Dead Interval—Specifies the interval, in seconds, in which no hello packets are received, causing neighbors to declare a router down. Valid values range from 1 to 65535. The default value of this setting is four times the interval set by the Hello Interval field.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Redistribution

The Redistribution pane displays the rules for redistributing routes from one routing process into an OSPF routing process.

Fields

The Redistribution table displays the following information. Double-clicking a table entry opens the Add/Edit OSPF Redistribution Entry dialog box for the selected entry.

OSPF Process—Displays the OSPF process associated with the route redistribution entry.

Protocol—Displays the source protocol the routes are being redistributed from. Valid entries are the following:

Static—Static routes are redistributed into the OSPF routing process.

Connected—The route was established automatically by virtue of having IP enabled on the interface. These routes are redistributed into the OSPF routing process as external to the AS.

OSPF—Routes from another OSPF routing process are being redistributed into the OSPF routing process.

EIGRP—Routes are redistributed from the EIGRP routing process into the OSPF routing process.

RIP—Routes are redistributed from the RIP routing process into the OSPF routing process.

Match—Displays the conditions used for redistributing routes from one OSPF routing process to another.

Subnets—Displays "Yes" if subnetted routes are redistributed. Does not display anything if only routes that are not subnetted are redistributed.

Metric Value—Displays the metric that is used for the route. This column is blank for redistribution entries if the default metric is used.

Metric Type—Displays "1" if the metric is a Type 1 external route, "2" if the metric is Type 2 external route.

Tag Value—A 32-bit decimal value attached to each external route. This value is not used by OSPF itself. It may be used to communicate information between ASBRs. Valid values range from 0 to 4294967295.

Route Map—Displays the name of the route map to apply to the redistribution entry.

You can perform the following actions on the Redistribution table entries:

Add—Opens the Add/Edit OSPF Redistribution Entry dialog box for adding a new redistribution entry.

Edit—Opens the Add/Edit OSPF Redistribution Entry dialog box for modifying the selected redistribution entry.

Delete—Removes the selected redistribution entry from the Redistribution table.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Add/Edit OSPF Redistribution Entry

The Add/Edit OSPF Redistribution Entry dialog box lets you add a new redistribution rule to or edit an existing redistribution rule in the Redistribution table. Some of the redistribution rule information cannot be changed when you are editing an existing redistribution rule.

Fields

OSPF Process—Choose the OSPF process associated with the route redistribution entry. If you are editing an existing redistribution rule, you cannot change this setting.

Protocol—Choose the source protocol the routes are being redistributed from. You can choose one of the following options:

Static—Redistribute static routes into the OSPF routing process.

Connected—Redistribute connected routes (routes established automatically by virtue of having IP enabled on the interface) into the OSPF routing process. Connected routes are redistributed as external to the AS.

OSPF—Redistribute routes from another OSPF routing process. Choose the OSPF process ID from the list.

RIP—Redistribute routes from the RIP routing process.

EIGRP—Redistribute routes from the EIGRP routing process. Choose the autonomous system number of the EIGRP routing process from the list.

Match—Displays the conditions used for redistributing routes from another OSPF routing process into the selected OSPF routing process. These options are not available when redistributing static, connected, RIP, or EIGRP routes. The routes must match the selected condition to be redistributed. You can choose one or more of the following match conditions:

Internal—The route is internal to a specific AS.

External 1—Routes that are external to the autonomous system, but are imported into OSPF as Type 1 external routes.

External 2—Routes that are external to the autonomous system, but are imported into OSPF as Type 2 external routes.

NSSA External 1—Routes that are external to the autonomous system, but are imported into OSPF as Type 2 NSSA routes.

NSSA External 2—Routes that are external to the autonomous system, but are imported into OSPF as Type 2 NSSA routes.

Metric Value—Specify the metric value for the routes being redistributed. Valid values range from 1 to 16777214. When redistributing from one OSPF process to another OSPF process on the same device, the metric will be carried through from one process to the other if no metric value is specified. When redistributing other processes to an OSPF process, the default metric is 20 when no metric value is specified.

Metric Type—Choose "1" if the metric is a Type 1 external route, "2" if the metric is a Type 2 external route.

Tag Value—The tag value is a 32-bit decimal value attached to each external route. This is not used by OSPF itself. It may be used to communicate information between ASBRs. Valid values range from 0 to 4294967295.

Use Subnets—Check this check box to enable the redistribution of subnetted routes. Uncheck this check box to cause only routes that are not subnetted to be redistributed.

Route Map—Enter the name of the route map to apply to the redistribution entry.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Static Neighbor

The Static Neighbor pane displays manually defined neighbors; it does not display discovered neighbors.

You need to define a static neighbor for each point-to-point, non-broadcast interface. You also need to define a static route for each static neighbor in the Static Neighbor table.

Fields

Static Neighbor—Displays information for the static neighbors defined for each OSPF process. Double-clicking a row in the table opens the Add/Edit OSPF Neighbor Entry dialog box.

OSPF Process—Displays the OSPF process associated with the static neighbor.

Neighbor—Displays the IP address of the static neighbor.

Interface—Displays the interface associated with the static neighbor.

Add—Opens the Add/Edit OSPF Neighbor Entry dialog box. Use this button to define a new static neighbor.

Edit—Opens the Add/Edit OSPF Neighbor Entry dialog box. Use this button to change the settings for a static neighbor.

Delete—Removes the selected entry from the Static Neighbor table.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Add/Edit OSPF Neighbor Entry

The Add/Edit OSPF Neighbor Entry dialog box lets you define a new static neighbor or change information for an existing static neighbor.

You must define a static neighbor for each point-to-point, non-broadcast interface.

Restrictions

You cannot define the same static neighbor for two different OSPF processes.

You need to define a static route for each static neighbor (see Static Routes).

Fields

OSPF Process—Choose the OSPF process associated with the static neighbor. If you are editing an existing static neighbor, you cannot change this value.

Neighbor—Enter the IP address of the static neighbor.

Interface—Choose the interface associated with the static neighbor. If you are editing an existing static neighbor, you cannot change this value.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Summary Address

The Summary Address pane displays information about the summary addresses configured for each OSPF routing process.

Routes learned from other routing protocols can be summarized. The metric used to advertise the summary is the smallest metric of all the more specific routes. Summary routes help reduce the size of the routing table.

Using summary routes for OSPF causes an OSPF ASBR to advertise one external route as an aggregate for all redistributed routes that are covered by the address. Only routes from other routing protocols that are being redistributed into OSPF can be summarized.

Fields

The following information appears in the Summary Address table. Double-clicking an entry in the table opens the Add/Edit OSPF Summary Address Entry dialog box for the selected entry.

OSPF Process—Displays the OSPF process associated with the summary address.

IP Address—Displays the IP address of the summary address.

Netmask—Displays the network mask of the summary address.

Advertise—Displays "Yes" if the summary routes are advertised. Displays "No" if the summary route is not advertised.

Tag—Displays a 32-bit decimal value attached to each external route. This value is not used by OSPF itself. It may be used to communicate information between ASBRs.

You can perform the following actions on the entries in the Summary Address table:

Add—Opens the Add/Edit OSPF Summary Address Entry dialog box for adding new summary address entries.

Edit—Opens the Add/Edit OSPF Summary Address Entry dialog box for editing the selected entry.

Delete—Removes the selected summary address entry from the Summary Address table.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Add/Edit OSPF Summary Address Entry

The Add/Edit OSPF Summary Address Entry dialog box lets you add new entries to or modify existing entries in the Summary Address table. Some of the summary address information cannot be changed when editing an existing entry.

Fields

OSPF Process—Choose the OSPF process associated with the summary address. You cannot change this information when editing an existing entry.

IP Address—Enter the IP address of the summary address. You cannot change this information when editing an existing entry.

Netmask—Enter the network mask for the summary address, or choose the network mask from the list of common masks. You cannot change this information when editing an existing entry.

Advertise—Check this check box to advertise the summary route. Uncheck this check box to suppress routes that fall under the summary address. By default this check box is checked.

Tag—(Optional) The tag value is a 32-bit decimal value attached to each external route. This is not used by OSPF itself. It may be used to communicate information between ASBRs. Valid values range from 0 to 4294967295.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Virtual Link

If you add an area to an OSPF network, and it is not possible to connect the area directly to the backbone area, you need to create a virtual link. A virtual link connects two OSPF devices that have a common area, called the transit area. One of the OSPF devices must be connected to the backbone area.

Fields

The Virtual Link table displays the following information. Doubling-clicking an entry in the table opens the Add/Edit Virtual Link dialog box for the selected entry.

OSPF Process—Displays the OSPF process associated with the virtual link.

Area ID—Displays the ID of the transit area.

Peer Router ID—Displays the router ID of the virtual link neighbor.

Authentication—Displays the type of authentication used by the virtual link:

None—No authentication is used.

Password—Clear text password authentication is used.

MD5—MD5 authentication is used.

You can perform the following actions on the entries in the Virtual Link table:

Add—Opens the Add/Edit Virtual Link dialog box for adding a new entry to the Virtual Link table.

Edit—Opens the Add/Edit Virtual Link dialog box for the selected entry.

Delete—Removes the selected entry from the Virtual Link table.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Add/Edit Virtual Link

The Add/Edit Virtual Link dialog box lets you define new virtual links or change the properties of existing virtual links.

Fields

OSPF Process—Choose the OSPF process associated with the virtual link. If you are editing an existing virtual link, you cannot change this value.

Area ID—Choose the area shared by the neighbor OSPF devices. The selected area cannot be an NSSA or a Stub area. If you are editing an existing virtual link, you cannot change this value.

Peer Router ID—Enter the router ID of the virtual link neighbor. If you are editing an existing virtual link, you cannot change this value.

Advanced—Opens the Advanced OSPF Virtual Link Properties dialog box. You can configure the OSPF properties for the virtual link in this area. These properties include authentication and packet interval settings.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Advanced OSPF Virtual Link Properties

The Advanced OSPF Virtual Link Properties dialog box lets you configure OSPF authentication and packet intervals.

Fields

Authentication—Contains the OSPF authentication options.

None—Choose this option to disable OSPF authentication.

Password—Choose this option to use clear text password authentication. This is not recommended where security is a concern.

MD5—Choose this option to use MD5 authentication (recommended).

Authentication Password—Contains the settings for entering the password when password authentication is enabled.

Enter Password—Enter a text string of up to 8 characters.

Re-enter Password—Reenter the password.

MD5 IDs and Keys—Contains the settings for entering the MD5 keys and parameters when MD5 authentication is enabled. All devices on the interface using OSPF authentication must use the same MD5 key and ID.

Enter MD5 ID and Key—Contains the settings for entering MD5 key information.

Key ID—Enter a numerical key identifier. Valid values range from 1 to 255.

Key—An alphanumeric character string of up to 16 bytes.

Add—Adds the specified MD5 key to the MD5 ID and Key table.

Delete—Removes the selected MD5 key and ID from the MD5 ID and Key table.

MD5 ID and Key—Displays the configured MD5 keys and key IDs.

Key ID—Displays the key ID for the selected key.

Key—Displays the key for the selected key ID.

Intervals—Contains the settings for modifying packet interval timing.

Hello Interval—Specifies the interval, in seconds, between hello packets sent on an interface. The smaller the hello interval, the faster topological changes are detected but the more traffic is sent on the interface. This value must be the same for all routers and access servers on a specific interface. Valid values range from 1 to 65535 seconds. The default value is 10 seconds.

Retransmit Interval—Specifies the time, in seconds, between LSA retransmissions for adjacencies belonging to the interface. When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgement message. If the router receives no acknowledgement, it will resend the LSA. Be conservative when setting this value, or needless retransmission can result. The value should be larger for serial lines and virtual links. Valid values range from 1 to 65535 seconds. The default value is 5 seconds.

Transmit Delay—Specifies the estimated time, in seconds, required to send an LSA packet on the interface. LSAs in the update packet have their ages increased by the amount specified by this field before transmission. If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. The value assigned should take into account the transmission and propagation delays for the interface. This setting has more significance on very low-speed links. Valid values range from 1 to 65535 seconds. The default value is 1 second.

Dead Interval—Specifies the interval, in seconds, in which no hello packets are received, causing neighbors to declare a router down. Valid values range from 1 to 65535. The default value of this field is four times the interval set by the Hello Interval field.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


RIP

RIP is a distance-vector routing protocol that uses hop count as the metric for path selection. When RIP is enabled on an interface, the interface exchanges RIP broadcasts with neighboring devices to dynamically learn about and advertise routes.

The security appliance support both RIP version 1 and RIP version 2. RIP version 1 does not send the subnet mask with the routing update. RIP version 2 sends the subnet mask with the routing update and supports variable-length subnet masks. Additionally, RIP version 2 supports neighbor authentication when routing updates are exchanged. This authentication ensures that the security appliance receives reliable routing information from a trusted source.

Limitations

RIP has the following limitations:

The security appliance cannot pass RIP updates between interfaces.

RIP Version 1 does not support variable-length subnet masks.

RIP has a maximum hop count of 15. A route with a hop count greater than 15 is considered unreachable.

RIP convergence is relatively slow compared to other routing protocols.

You can only enable a single RIP process on the security appliance.

RIP Version 2 Notes

The following information applies to RIP Version 2 only:

If using neighbor authentication, the authentication key and key ID must be the same on all neighbor devices that provide RIP version 2 updates to the interface.

With RIP version 2, the security appliance transmits and receives default route updates using the multicast address 224.0.0.9. In passive mode, it receives route updates at that address.

When RIP version 2 is configured on an interface, the multicast address 224.0.0.9 is registered on that interface. When a RIP version 2 configuration is removed from an interface, that multicast address is unregistered.

Setup

Use the Setup pane to enable RIP on the security appliance and to configure global RIP protocol parameters. You can only enable a single RIP process on the security appliance.

Fields

Enable RIP Routing—Check this check box to enable RIP routing on the security appliance. When you enable RIP, it is enabled on all interfaces. Checking this check box also enables the other fields on this pane. Uncheck this check box to disable RIP routing on the security appliance.

Enable Auto-summarization—Clear this check box to disable automatic route summarization. Check this check box to reenable automatic route summarization. RIP Version 1 always uses automatic summarization. You cannot disable automatic summarization for RIP Version 1. If you are using RIP Version 2, you can turn off automatic summarization by unchecking this check box. Disable automatic summarization if you must perform routing between disconnected subnets. When automatic summarization is disabled, subnets are advertised.

Enable RIP version—Check this check box to specify the version of RIP used by the security appliance. If this check box is cleared, then the security appliance sends RIP Version 1 updates and accepts RIP Version 1 & Version 2 updates. This setting can be overridden on a per-interface basis in the Interface pane.

Version 1—Specifies that the security appliance only sends and receives RIP Version 1 updates. Any version 2 updates received are dropped.

Version 2—Specifies that the security appliance only sends and receives RIP Version 2 updates. Any version 1 updates received are dropped.

Enable default information originate—Check this check box to generate a default route into the RIP routing process. You can configure a route map that must be satisfied before the default route can be generated.

Route-map—Enter the name of the route map to apply. The routing process generates the default route if the route map is satisfied.

IP Network to Add—Defines a network for the RIP routing process. The network number specified must not contain any subnet information. There is no limit to the number of network you can add to the security appliance configuration. RIP routing updates will be sent and received only through interfaces on the specified networks. Also, if the network of an interface is not specified, the interface will not be advertised in any RIP updates.

Add—Click this button to add the specified network to the list of networks.

Delete—Click this button to removed the selected network from the list of networks.

Configure interfaces as passive globally—Check this check box to set all interfaces on the security appliance to passive RIP mode. The security appliance listens for RIP routing broadcasts on all interfaces and uses that information to populate the routing tables but do not broadcast routing updates. To set specific interfaces to passive RIP, use the Passive Interfaces table.

Passive Interfaces table—Lists the configured interfaces on the security appliance. Check the check box in the Passive column for those interfaces you want to operate in passive mode. The other interfaces will still send and receive RIP broadcasts.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Interface

The Interface pane allows you to configure interface-specific RIP settings, such as the version of RIP the interface sends and receives and the authentication method, if any, used for the RIP broadcasts.

Fields

Interface table—Each row displays the interface-specific RIP settings for an interface. Double-clicking a row for that entry opens the Edit RIP Interface Entry dialog box for that interface.

Edit—Opens the Edit RIP Interface Entry dialog box for the interface selected in the Interface table.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Edit RIP Interface Entry

The Edit RIP Interface Entry dialog box allows you to configure the interface-specific RIP settings.

Fields

Override Global Send Version—Check this check box to specify the RIP version sent by the interface. You can select the following options:

Version 1

Version 2

Version 1 & 2

Unchecking this check box restores the global setting.

Override Global Receive Version—Check this check box to specify the RIP version accepted by the interface. If a RIP updated from an unsupported version of RIP is received by the interface, it is dropped. You can select the following options:

Version 1

Version 2

Version 1 & 2

Unchecking this check box restores the global setting.

Enable Authentication—Check this check box to enable RIP authentication. Uncheck this check box to disable RIP broadcast authentication.

Key—The key used by the authentication method. Can contain up to 16 characters.

Key ID—The key ID. Valid values are from 0 to 255.

Authentication Mode—You can select the following authentication modes:

MD5—Uses MD5 for RIP message authentication.

Text—Uses cleartext for RIP message authentication (not recommended).

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Filter Rules

Filter rules allow you to filter the network received in RIP routing updates or sent in RIP routing updates. Each filter rule consists of one or more network rules.

Fields

Filter Rules table—Displays the configured RIP filter rules.

Add—Clicking this button opens the Add/Edit Filter Rule dialog box. The new filter rule is added to the bottom of the list.

Edit—Clicking this button opens the Add/Edit Filter Rule dialog box for the selected filter rule.

Delete—Clicking this button deletes the selected filter rule.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Add/Edit Filter Rule

Use the Add/Edit Filter Rule pane to create filter rules. You can create filter rules that apply to all interfaces or that apply to a specific interface.

Fields

Direction—Select one of the following directions for the filter to act upon:

In—Filters networks on incoming RIP updates.

Out—Filters networks from outgoing RIP updates.

Interface—You can select a specific interface for the filter rule, or you can select the All Interfaces option to apply the filter to all interfaces.

Action—(Display only) Displays Permit if the specified network is not filtered from incoming or outgoing RIP advertisements. Displays Deny if the specified network is to be filtered from incoming or outgoing RIP advertisements.

IP Address—(Display only) Displays the IP address of the network being filtered.

Netmask—(Display only) Displays the network mask applied to the IP address.

Insert—Click this button to add a network rule above the selected rule in the list. Clicking this button opens the Network Rule dialog box.

Edit—Click this button to edit the selected rule. Clicking this button opens the Network Rule dialog box.

Add—Click this button to add a network rule below the selected rule in the list. Clicking this button opens the Network Rule dialog box.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Network Rule

The Network Rule pane allows you to configure permit and deny rules for specific networks in a filter rule.

Fields

Action—Select Permit to allow the specified network to be advertised in RIP updates or accepted into the RIP routing process. Select Deny to prevent the specified network from being advertised in RIP updates or accepted into the RIP routing process.

IP Address—Type IP address of the network being permitted or denied.

Netmask—Specify the network mask applied to the network IP address. You can type a network mask into this field or select one of the common masks from the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Redistribution

The Redistribution pane displays the routes that are being redistributed from other routing processes into the RIP routing process.

Fields

Protocol—(Display only) Displays the routing protocol being redistributed into the RIP routing process:

Static—Static routes.

Connected—Directly connected networks.

OSPF—Networks discovered by the specified OSPF routing process.

EIGRP—Networks discovered by the specified EIGRP routing process.

Metric—The RIP metric being applied to the redistributed routes.

Match—(Display only) Displays the type of OSPF routes being redistributed into the RIP routing process. If the Match column is blank for an OSPF redistribution rule, Internal, External 1, and External 2 routes are redistributed into the RIP routing process.

Route Map—(Display only) Displays the name of the route map, if any, being applied to the redistribution. Route maps are used to specify with greater detail which routes from the specified routing process are redistributed into RIP.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Add/Edit Route Redistribution

Use the Add Route Redistribution dialog box to add a new redistribution rule. Use the Edit Route Redistribution dialog box to change an existing rule.

Fields

Protocol—Choose the routing protocol to redistribute into the RIP routing process:

Static—Static routes.

Connected—Directly connected networks.

OSPF and OSPF ID—Routes discovered by the OSPF routing process. If you choose OSPF, you must also enter the OSPF process ID. Additionally, you can select the specific types of OSPF routes to redistribute from the Match area.

EIGRP and EIGRP ID—Routes discovered by the EIGRP routing process. If you choose EIGRP, you must also specify the autonomous system number of the EIGRP routing process in the EIGRP ID field.

Route Map—Specifies the name of a route map that must be satisfied before the route can be redistributed into the RIP routing process.

Configure Metric Type—Check this check box to specify a metric for the redistributed routes. If not specified, the routes are assigned a metric of 0.

Transparent—Choose this option to cause the current route metric to be used.

Value—Choose this to assign a specific metric value. You can enter a value from 0 to 16.

Match—If you are redistributing OSPF routes into the RIP routing process, you can choose specific types of OSPF routes to redistribute by checking the check box next to the route type. If you do not check any route types, Internal, External 1, and External 2 routes are redistributed by default.

Internal—Routes internal to the AS are redistributed.

External 1—Type 1 routes external to the AS are redistributed.

External 2—Type 2 routes external to the AS are redistributed.

NSSA External 1—Type 1 routes external to an NSSA are redistributed.

NSSA External 2—Type 2 routes external to an NSSA are redistributed.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


EIGRP

EIGRP is an enhanced version of IGRP developed by Cisco. Unlike IGRP and RIP, EIGRP does not send out periodic route updates. EIGRP updates are sent out only when the network topology changes.

You can enable only one EIGRP routing process on the security appliance.

This section contains the following information:

Configuring EIGRP

Field Information for the EIGRP Panes

For information about monitoring dynamically discovered EIGRP neighbors, see Monitoring EIGRP Neighbors, page 41-7.

Configuring EIGRP

To configure EIGRP routing on the Security Appliance, perform the following steps:


Step 1 Go to the Configuration > Device Setup > Routing > EIGRP area of the ASDM interface.

Step 2 Enable the EIGRP routing process on the Setup > Process Instances tab. See Process Instances for more information.

Step 3 (Optional) Configure the EIGRP routing process parameters. Click Advanced on the Setup > Process Instances tab.

You can configure the EIGRP routing process as a stub routing process, disable automatic route summarization, define the default metrics for redistributed routes, change the administrative distances for internal and external EIGRP routes, configure a static router ID, and enable or disable the logging of adjacency changes. See Edit EIGRP Process Advanced Properties for more information.

Step 4 Define the networks and interfaces that will participate in EIGRP routing on the Setup > Networks tab. See Networks for more information.

Directly-connected and static networks that fall within the defined networks are advertised by the security appliance. Additionally, only interfaces with an IP address that fall within the defined networks participate in the EIGRP routing process.

If you have an interface that you do not want to participate in EIGRP routing, but that is attached to a network that you want advertised, configure a network entry on the Setup > Networks tab that covers the network the interface is attached to, and then configure that interface as a passive interface to prevent the interface from sending or receiving EIGRP updates. Interfaces configured as passive do not send or receive EIGRP updates. See Passive Interfaces for more information.

Step 5 (Optional) Define route filters on the Filter Rules pane. Route filtering provides more control over the routes that are allowed to be sent or received in EIGRP updates. See Filter Rules for more information.

Step 6 (Optional) Define route redistribution on the Redistribution pane.

You can redistribute routes discovered by RIP and OSPF into the EIGRP routing process. You can also redistribute static and connected routes into the EIGRP routing process. You do not need to redistribute static or connected routes if they fall within the range of a network configured on the Setup > Networks tab. See Redistribution for more information.

Step 7 (Optional) Define static EIGRP neighbors on the Static Neighbor pane.

EIGRP hello packets are sent as multicast packets. If an EIGRP neighbor is located across a nonbroadcast network, such as a tunnel, you must manually define that neighbor. When you manually define an EIGRP neighbor, hello packets are sent to that neighbor as unicast messages. See Static Neighbor for more information.

Step 8 (Optional) Define summary addresses on the Summary Address pane.

You need to manually define summary addresses if you want to create summary addresses that do not occur at a network number boundary or if you want to use summary addresses on a security appliance with automatic route summarization disabled. See Summary Address for more information about defining summary addresses. See Edit EIGRP Process Advanced Properties for information about enabling and disabling automatic route summarization.

Step 9 (Optional) Define interface-specific EIGRP parameters on the Interfaces pane. These parameters include EIGRP message authentication, hold time, hello interval, delay metric, and the use of split-horizon. See Interface for more information.

Step 10 (Optional) Control the sending and receiving of default route information in EIGRP updates on the Default Information pane. By default, default routes are sent and accepted. See Default Information for more information.


Field Information for the EIGRP Panes

This section contains the following topics:

Setup

Filter Rules

Interface

Redistribution

Static Neighbor

Summary Address

Default Information

Setup

Enable and EIGRP process and configure the basic setting for that process on the Setup pane. The Setup pane contains the following tabs:

Process Instances

Networks

Passive Interfaces

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Process Instances

The Process Instances tab lets you enable an EIGRP routing process.

Fields

Enable this EIGRP Process—Check this check box to enable an EIGRP routing process. You can only enable one EIGRP routing process on the device. You must enter an autonomous system number for the routing process in the EIGRP Process field before you can save your change.

EIGRP Process—Enter the autonomous system number for the EIGRP process. The autonomous system number can be from 1 to 65535.

Advanced—Click this button to configure the EIGRP process settings, such as the router ID, default metrics, stub routing settings, neighbor change and warning logging, and the administrative distances for the EIGRP routes.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Edit EIGRP Process Advanced Properties

The Edit EIGRP Process Advanced Properties dialog box lets you configure the router ID, default metrics, stub routing settings, neighbor change and warning logging, and the administrative distances of the EIGRP routes for the EIGRP routing process.

Fields

EIGRP—Display only. Displays the autonomous system number for the EIGRP routing process.

Router Id—Enter an IP address to be used as the Router ID for the security appliance in the EIGRP routing process. The router ID is used to identify the originating router for external routes. The IP address does not have to an address configured on the security appliance, however it must be unique within the routing domain. If not specified, the highest-level IP address on the security appliance is used as the router ID.

Auto-Summary—Check to enable automatic route summarization. Clear to disable automatic route summarization. This setting is enabled by default.

Default Metrics—The default metrics are applied to routes redistributed into the EIGRP routing process. If not specified, you must specify the metrics when you configure the redistribution (see Redistribution).

Bandwidth—The minimum bandwidth of the route in kilobytes per second. Valid values are from 1 to 4294967295.

Loading—The effective bandwidth of the route expressed as a number from 1 to 255 (255 is 100 percent loading).

Reliability—The likelihood of successful packet transmission expressed as a number from 0 through 255. The value 255 means 100 percent reliability; 0 means no reliability.

Delay—The route delay in tens of microseconds. Valid values are 1 to 4294967295.

MTU—The smallest allowed value for the maximum transmission unit, expressed in bytes. Valid values are from 1 to 65535.

Stub—The stub area contains the setting for creating an EIGRP stub routing process. A stub routing process does not maintain a full topology table. At a minimum, stub routing needs a default route to a distribution router, which makes the routing decisions.

Stub Receive only—Configures the EIGRP stub routing process to receive route information from the neighbor routers but does not send route information to the neighbors. If this option is selected, you cannot select any of the other stub routing options.

Stub Connected—Advertises connected routes.

Stub Static—Advertises static routes.

Stub Redistributed—Advertises redistributed routes.

Stub Summary—Advertises summary routes.

Adjacency Changes—Lets you configure the logging of neighbor warning and change messages. Logging for both is enabled by default.

Log Neighbor Changes—Check to enable or uncheck to disable the logging of neighbor adjacency changes.

Log Neighbor Warnings—Check to enable or uncheck to disable the logging of neighbor adjacency changes. Enter the time interval (in seconds) between repeated neighbor warning messages. Valid values are from 1 to 65535. Repeated warnings are not logged if they occur during this interval.

Administrative Distance—Lets you configure the administrative distances for internal and external EIGRP routes.

Internal Distance—Administrative distance for EIGRP internal routes. Internal routes are those that are learned from another entity within the same autonomous system. Valid values are from 1 to 255. The default value is 90.

External Distance—Administrative distance for EIGRP external routes. External routes are those for which the best path is learned from a neighbor external to the autonomous system. Valid values are from 1 to 255. The default value is 170.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Networks 

The Network tab lets you specify the networks used by the EIGRP routing process. For an interface to participate in EIGRP routing, it must fall within the range of addresses defined by the network entries. For directly connected and static networks to be advertised, they must also fall within the range of the network entries.

The Network table displays the networks configure for the EIGRP routing process. Each row of the table displays the network address and associated mask configure for the specified EIGRP routing process. To add or change a network, do one of the following:

To add a new network entry, click Add. The Add EIGRP Network dialog box appears.

To remove a network entry, select the entry in the table and click Delete.

To change a network entry, you must first remove the entry and then add a new one. You cannot edit existing entries.

Fields

The Add EIGRP Network Entry dialog box fields:

EIGRP AS—Displays the autonomous system number of the EIGRP routing process.

IP Address—Enter the IP address of the networks to participate in the EIGRP routing process.

Network Mask—Select or enter a network mask to apply to the IP address.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Passive Interfaces 

The Passive Interface tab lets you configure one or more interfaces as passive interfaces. In EIGRP, a passive interface does not send or receive routing updates.

The Passive Interface table lists each interface configured as a passive interface. To configure whether an interface participates in EIGRP routing, do one of the following:

To specify all interfaces as passive, check the Suppress routing updates on all interfaces check box. Even if an interface is not shown in the Passive Interface table, it will be configured as passive when this check box is selected.

To add a passive interface entry, click Add. The Add EIGRP Passive Interface dialog box appears. You can select the interface you want to make passive in the dialog box.

To remove a passive interface, select the interface in the table and click Delete.

Fields

Passive Interface pane fields:

EIGRP Process—The autonomous system number of the EIGRP routing process.

Suppress routing updates on all interfaces—Check this check box to set all interfaces to passive. Clear this check box to allow all interfaces to send and receive EIGRP updates. Note that the interfaces must also have an associated network entry to participate in EIGRP routing.

Passive Interfaces table—Displays the interface configured as passive.

Interface—Displays the name of the interface.

EIGRP Process—Displays the autonomous system number of the EIGRP process.

Passive—Displays "true" to indicate that the interface is operating in passive mode.

Add Passive Interface dialog box fields:

EIGRP AS—The autonomous system number of the EIGRP routing process.

Interface—Select the interface from the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


For More Information

Configuring EIGRP

Filter Rules

The Filter Rules pane displays the route filtering rules configured for the EIGRP routing process. Filter rules let you control which routes are accepted or advertised by the EIGRP routing process.

Each row of the Filter Rule table describes a filter rule for a specific interface or routing protocol. For example, a filter rule with a direction of "in" on the outside interface would apply filtering to any EIGRP updates received on the outside interface. A filter rule with a direction of "out" with OSPF 10 specified as the routing protocol would apply the filter rules to routes redistributed into the EIGRP routing process in outbound EIGRP updates.

To configure filter rules, do one of the following:

To add a filter rule, click Add. The Add Filter Rules dialog box appears.

To edit a filter rule, select the filter rule in the table and click Edit. You can also double-click a filter rule to edit the rule. The Edit Filter Rules dialog box appears.

To remove a filter rule, select the filter rule in the table and click Delete.

Fields

The Add/Edit EIGRP Filter Rule Dialog box fields:

EIGRP—The autonomous system number of the EIGRP routing process.

Direction—Select "in" for rules that filter routes from incoming EIGRP routing updates. Select "out" to filter routes from EIGRP routing updates sent by the security appliance.

Routing process—(For outgoing filters only) Specifies the type of route being filtered. You can filter routes redistributed from static, connected, RIP, and OSPF routing processes. Filters that specify a routing process filter those routes from updates sent on all interfaces.

Id—The OSPF process ID.

Interface—The interface the filter applies to.

Add—Opens the Network Rule dialog box.

Edit—Opens the Network Rule dialog box for the selected network rule.

Add/Edit Network Rule dialog box lets you define an access list for the filter rule. The dialog box contains the following fields:

Action—Select Permit to allow the specified network to be advertised. Select Deny to prevent the specified network from being advertised.

IP Address—Type IP address of the network being permitted or denied. To permit or deny all addresses, use the IP address 0.0.0.0 with a network mask of 0.0.0.0.

Netmask—Specify the network mask applied to the network IP address. You can type a network mask into this field or select one of the common masks from the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


For More Information

Configuring EIGRP

Interface 

The Interface pane displays the EIGRP interface configurations. The Interface Parameters table displays all of the interfaces on the security appliance and lets you modify the following settings on a per-interface basis:

Authentication key and mode.

The EIGRP hello interval and hold time.

The interface delay metric used in EIGRP metric calculations.

The use of split-horizon on the interface.

To configure the EIGRP parameters for an interface, double-click an interface entry or select the entry and click Edit. The Edit EIGRP Interface Entry dialog box appears.

Fields

The Edit EIGRP Interface Entry dialog box fields:

Interface—Display only. Displays the interface being modified.

AS—The EIGRP autonomous system number.

Hello Interval—Enter the interval between EIGRP hello packets sent on an interface. Valid values are from 1 to 65535 seconds. The default value is 5 seconds.

Hold Time—Specifies the hold time, in seconds. Valid values are from 1 to 65535 seconds. The default value is 15 seconds.

Split Horizon—Check this check box to enable split horizon on the interface. Uncheck the check box to disable split horizon. Split horizon is enabled by default.

Delay—Enter the delay value in this field. The delay time is in tens of microseconds. Valid values are from 1 to 16777215.

Enable MD5 Authentication—Check this check box to enable MD5 authentication of EIGRP process messages.

Key—Key to authenticate EIGRP updates. The key can contain up to 16 characters.

Key ID—Key identification value; valid values range from 1 to 255.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


For More Information

Configuring EIGRP

Redistribution 

The Redistribution pane displays the rules for redistributing routes from other routing protocols into the EIGRP routing process. Each row of the Redistribution pane table contains a route redistribution entry.

To add or modify route redistribution into the EIGRP routing process, do one of the following:

To add a new redistribution rule, click Add. The Add EIGRP Redistribution Entry dialog box opens.

To edit an existing EIGRP static neighbor, select the address in the table and click Edit. You can also double-click an entry in the table to edit that entry. The Edit EIGRP Redistribution Entry dialog box opens.

Fields

The Add/Edit EIGRP Redistribution Entry dialog box fields:

AS—Displays the autonomous system number of the EIGRP routing process to which the entry applies.

Static—Redistributes static routes into the EIGRP routing process. Static routes that fall within the scope of a network statement are automatically redistributed into EIGRP; you do not need to define a redistribution rule for them.

Connected—Redistributes connected routes into the EIGRP routing process. Connected routes that fall within the scope of a network statement are automatically redistributed into EIGRP; you do not need to define a redistribution rule for them.

RIP—Redistributes routes discovered by the RIP routing process into EIGRP.

Optional Metrics—Defines the metrics used for the redistributed route. You do not need to define these values if you already defined the default metrics in the Edit EIGRP Process Advanced Properties dialog box (see Edit EIGRP Process Advanced Properties for information about setting the default metrics).

Bandwidth—EIGRP bandwidth metric in Kilobits per second. Valid values are from 1 to 4294967295.

Delay—EIGRP delay metric, in 10 microsecond units. Valid values are from 0 to 4294967295.

Reliability—EIGRP reliability metric. Valid values are from 0 to 255, where 255 indicates 100% reliability.

Loading—EIGRP effective bandwidth (loading) metric. Valid values are from 1 to 255, where 255 indicates 100% loaded.

MTU—The MTU of the path. Valid values are from 1 to 65535.

Route Map—To further define which routes are redistributed into the EIGRP routing process, enter the name of a route map.

Optional OSPF Redistribution—these options let you further specify which OSPF routes are redistributed into the EIGRP routing process.

Match Internal—Match routes internal to the specified OSPF process.

Match External 1—Match type 1 routes external to the specified OSPF process.

Match External 2—Match type 2 routes external to the specified OSPF process.

Match NSSA-External 1—Match type 1 routes external to the specified OSPF NSSA.

Match NSSA-External 2—Match type 2 routes external to the specified OSPF NSSA.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


For More Information

Configuring EIGRP

Static Neighbor 

The Static Neighbor pane displays the statically-defined EIGRP neighbors. An EIGRP neighbor sends EIGRP routing information to and receives EIGRP routing information from the security appliance. Normally, neighbors are dynamically discovered through the neighbor discovery process. However, on point-to-point, non-broadcast networks, you must statically define the neighbors.

Each row of the Static Neighbor table displays the EIGRP autonomous system number for the neighbor, the neighbor IP address, and the interface through which the neighbor is available.

To configure a static neighbor, so one of the following:

To add a new EIGRP static neighbor, click Add. The Add EIGRP Neighbor Entry dialog box opens.

To edit an existing EIGRP static neighbor, select the address in the table and click Edit. You can also double-click an entry in the table to edit that entry. The Edit EIGRP Neighbor Entry dialog box opens.

Fields

The Add/Edit EIGRP Neighbor Entry dialog box fields:

EIGRP AS—The autonomous system number for the EIGRP process the neighbor is being configured for.

Interface Name—Select the interface through which the neighbor is available from the list.

Neighbor IP Address—Enter the IP address of the neighbor.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


For More Information

Configuring EIGRP

Summary Address

The Summary Address pane displays a table of the statically-defined EIGRP summary addresses. By default, EIGRP summarizes subnet routes to the network level. You can create statically-defined EIGRP summary addresses to the subnet level from the Summary Address pane.

To create or modify a summary address, do one of the following:

To add a new EIGRP summary address, click Add. The Add Summary Address dialog box opens.

To edit an existing EIGRP summary address, select the address in the table and click Edit. You can also double-click an entry in the table to edit that entry. The Edit Summary Address dialog box opens.

Fields

The Add/Edit EIGRP Summary Address Entry dialog box contains the following fields. These fields are also shown in the Summary Address table.

EIGRP AS—Select the autonomous system number of the EIGRP routing process the summary address applies to.

Interface—The interface the summary address is advertised from.

IP Address—Enter the IP address of the summary route.

Netmask—Select or enter the network mask to apply to the IP address.

Administrative Distance—Enter the administrative distance for the route. If left blank, the route has the default administrative distance of 5.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


For More Information

Configuring EIGRP

Default Information 

The Default Information pane displays a table of rules for controlling the sending and receiving of default route information in EIGRP updates. You can have one "in" and one "out" rule for each EIGRP routing process (only one process is currently supported).

By default, default routes are sent and accepted. To restrict or disable the sending and receiving of default route information, perform the following steps:


Step 1 Open the Configuration > Device Setup > Routing > EIGRP > Default Information pane.

Step 2 Do one of the following:

To create a new entry, click Add.

To edit an entry, double-click the entry in the table or select an entry in the table an click Edit.

The Add or Edit Default Information dialog box opens for that entry. The EIGRP autonomous system number is automatically selected in the EIGRP field.

Step 3 Set the direction for the rule in the Direction field:

in—the rule filters default route information from incoming EIGRP updates.

out—the rule filters default route information from outgoing EIGRP updates.

You can have one "in" rule and one "out" rule for each EIGRP process.

Step 4 Add network rules to the network rule table. The network rules define which networks are allowed and which are not when receiving or sending default route information. Repeat the following steps for each network rule you are adding to the default information filter rule.

a. Click Add to add a network rule. Double-click an existing network rule to edit the rule.

b. In the Action field, select Permit to allow the network or Deny to block the network.

c. Enter the IP address and network mask of the network being permitted or denied by the rule in the IP Address and Network Mask fields.

To deny all default route information from being accepted or sent, use 0.0.0.0 as the network address and select 0.0.0.0 as the network mask.

d. Click OK to add the specified network rule to the default information filter rule.

Step 5 Click OK to accept the default information filter rule.


Fields

Add/Edit Default Information dialog box:

EIGRP—Select the autonomous system number of the EIGRP routing process the default information filter applies to.

Direction—Select "in" to filter default route information from incoming route updates. Select "out" to filter default route information from outgoing route updates.

Add—Add a network rule to the default information filter rule.

Edit—Modify an existing network rule.

Network Rule dialog box. The network rules appear in the Filter Rules column of the Default Information filter rule table.

Action—Select Permit to allow the specified network to be advertised. Select Deny to prevent the specified network from being advertised.

IP Address—Type IP address of the network being permitted or denied. To permit or deny all addresses, use the IP address 0.0.0.0 with a network mask of 0.0.0.0.

Netmask—Specify the network mask applied to the network IP address. You can type a network mask into this field or select one of the common masks from the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


For More Information

Configuring EIGRP

Static Routes

Multiple context mode does not support dynamic routing, so you must define static routes for any networks to which the security appliance is not directly connected.

In transparent firewall mode, for traffic that originates on the security appliance and is destined for a non-directly connected network, you need to configure either a default route or static routes so the security appliance knows out of which interface to send traffic. Traffic that originates on the security appliance might include communications to a syslog server, Websense or N2H2 server, or AAA server. If you have servers that cannot all be reached through a single default route, then you must configure static routes.

The simplest option is to configure a default route to send all traffic to an upstream router, relying on the router to route the traffic for you. However, in some cases the default gateway might not be able to reach the destination network, so you must also configure more specific static routes. For example, if the default gateway is on the outside interface, the default route cannot direct traffic to any inside networks that are not directly connected to the security appliance.

You can also use static route in conjunction with dynamic routing protocols to provide a floating static route that is used when the dynamically discovered route goes down. If you create a static route with an administrative distance greater than the administrative distance of the dynamic routing protocol, then a route to the specified destination discovered by the routing protocol takes precedence over the static route. The static route is used only if the dynamically discovered route is removed from the routing table.

Static routes remain in the routing table even if the specified gateway becomes unavailable (see Static Route Tracking, for the exception to this). If the specified gateway becomes unavailable, you need to remove the static route from the routing table manually. However, static routes are removed from the routing table if the associated interface on the security appliance goes down. They are reinstated when the interface comes back up.

You can define up to three equal cost routes to the same destination per interface. ECMP is not supported across multiple interfaces. With ECMP, the traffic is not necessarily divided evenly between the routes; traffic is distributed among the specified gateways based on an algorithm that hashes the source and destination IP addresses.

The default route identifies the gateway IP address to which the security appliance sends all IP packets for which it does not have a learned or static route. A default route is simply a static route with 0.0.0.0/0 as the destination IP address. Routes that identify a specific destination take precedence over the default route.

You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways. When defining more than one default route, you must specify the same interface for each entry.

If you attempt to define more than three equal cost default routes, or if you attempt to define a default route with a different interface than a previously defined default route, you will receive an error message.

You can define a separate default route for tunneled traffic along with the standard default route. When you create a default route with the tunneled option, all encrypted traffic that arrives on the security appliance and that cannot be routed using learned or static routes is sent to this route. Otherwise, if the traffic is not encrypted, the standard default route entry is used. You cannot define more than one default route with the tunneled option; ECMP for tunneled traffic is not supported.

For more information about viewing and configuring static and default routes with ASDM, see Field Information for Static Routes.

Static Route Tracking

It is not always possible to use dynamic routing protocols on the security appliance, such as when the security appliance is in multiple context mode or transparent mode. In these cases, you must use static routes.

One of the problems with static routes is that there is no inherent mechanism for determining if the route is up or down. They remain in the routing table even if the next hop gateway goes down. They are only removed from the routing table if the associated interface on the security appliance goes down.

The static route tracking feature provides a method for tracking the availability of a static route and installing a backup route if the primary route should fail. This allows you to, for example, define a default route to an ISP gateway and a backup default route to a secondary ISP in case the primary ISP becomes unavailable.

The security appliance does this by associating a static route with a monitoring target that you define. It monitors the target using ICMP echo requests. If an echo reply is not received within a specified time period, the object is considered down and the associated route is removed from the routing table. A previously configured backup route is used in place of the removed route.

When selecting a monitoring target, you need to make sure that it can respond to ICMP echo requests. The target can be any network object that responds to ICMP echo requests. Consider choosing:

the ISP gateway (for dual ISP support) address

the next hop gateway address (if you are concerned about the availability of the gateway)

a server, such as a AAA server, that the security appliance needs to communicate with

a persistent network object on the destination network (a desktop or notebook computer that may be shut down at night is not a good choice)

For more information about configuring static route tracking, see Configuring Static Route Tracking. To monitor the static route tracking process, see interface connection, page 40-9.

Configuring Static Route Tracking

This procedure provides an overview of configuring static route tracking. For specific information about the various fields used to configure this feature, see Field Information for Static Routes.

To configure tracking for a static route, perform the following steps:


Step 1 Choose a target of interest. Make sure the target responds to echo requests.

Step 2 Open the Static Routes page. Go to Configuration > Routing > Static Routes.

Step 3 Click Add to configure a static route that is to be used based on the availability of your selected target of interest. You must enter the Interface, IP Address, Mask, Gateway, and Metric for this route. See Add/Edit Static Route, for more information about these fields.

Step 4 Choose Tracked in the Options area for this route.

Step 5 Configure the tracking properties. You must enter a unique Track ID, a unique SLA ID, and the IP address of your target of interest. See Add/Edit Static Route, for more information about these fields.

Step 6 (Optional) To configure the monitoring properties, click Monitoring Options in the Add Static Route dialog box. See Route Monitoring Options, for more information about the monitoring properties.

Step 7 Click OK to save your changes.

The monitoring process begins as soon as you save the tracked route.

Step 8 Create a secondary route. The secondary route is a static route to the same destination as the tracked route, but through a different interface or gateway. You must assign this route a higher administrative distance (metric) than your tracked route.


Field Information for Static Routes

For information about a specific pane, see the following topics:

Static Routes

Add/Edit Static Route

Route Monitoring Options

Static Routes

The Static Route pane lets you create static routes that will access networks connected to a router on any interface. To enter a default route, set the IP address and mask to 0.0.0.0, or the shortened form of 0.

If an IP address from one security appliance interface is used as the gateway IP address, the security appliance will ARP the designated IP address in the packet instead of ARPing the gateway IP address.

Leave the Metric at the default of 1 unless you are sure of the number of hops to the gateway router.

Fields

The Static Route pane shows the Static Route table:

Interface—(Display only) Lists the internal or external network interface name enabled in Interfaces.

IP Address—(Display only) Lists the internal or external network IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 IP address can be abbreviated as 0.

Netmask—(Display only) Lists the network mask address that applies to the IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 netmask can be abbreviated as 0.

Gateway IP—(Display only) Lists the IP address of the gateway router, which is the next hop address for this route.

Metric—(Display only) Lists the administrative distance of the route. The default is 1 if a metric is not specified.

Options—(Display only) Displays any options specified for the static route.

None—No options are specified for the static route.

Tunneled—Specifies route as the default tunnel gateway for VPN traffic. Used only for default route. You can only configure one tunneled route per device. The tunneled option is not supported under transparent mode.

Tracked—Specifies that the route is tracked. The tracking object ID and the address of the tracking target are also displayed. The tracked option is only supported in single, routed mode.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Add/Edit Static Route

Use the Add/Edit Static Route dialog box to configure the static route properties. This dialog box is available from both the Static Routes screen in the Startup Wizard and the Configuration > Routing > Static Route pane.

Fields

Interface Name—Select the egress interface for the route.

IP Address—Specifies the internal or external network IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 IP address can be abbreviated as 0.

Mask—Specifies the network mask address that applies to the IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 netmask can be abbreviated as 0.

Gateway IP—Specifies the IP address of the gateway router, which is the next hop address for this router.

Metric—Lets you specify the administrative distance of the route. The default is 1 if a metric is not specified.

The following options are available for static routes. You can select only one of these options for a static route. By default, no option (None) is selected.

None—No options are specified for the static route.

Tunneled—Used only for default route. Only one default tunneled gateway is allowed per security appliance. Tunneled option is not supported under transparent mode.

Tracked—Select this option to specify that the route is tracked. Specifying this option starts the route tracking process.

Track ID—A unique identifier for the route tracking process.

Track IP Address/DNS Name—Enter the IP address or hostname of the target being tracked. Typically, this would be the IP address of the next hop gateway for the route, but it could be any network object available off of that interface.


Note Route tracking is only available in single, routed mode.


SLA ID—A unique identifier for the SLA monitoring process.

Monitor Options—Click this button to open the Route Monitoring Options dialog box. In the Route Monitoring Options dialog box you can configure the parameters of the tracked object monitoring process.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Route Monitoring Options

Use the Route Monitoring Options dialog box to change the tracking object monitoring properties.

Fields

Frequency—Enter how often, in seconds, the security appliance should test for the presence of the tracking target. The default value is 60 seconds. Valid values are from 1 to 604800 seconds.

Threshold—Enter the amount of time, in milliseconds, that indicates an over-threshold event. This value cannot be more than the timeout value.

Timeout—Enter the amount of time, in milliseconds, the route monitoring operation should wait for a response from the request packets. The default value is 5000 milliseconds. Valid values are from 0 to 604800000 milliseconds.

Data Size—Enter the size of data payload to use in the echo request packets. The default value is 28. Valid values are from 0 to 16384.


Note This setting specifies the size of the payload only; it does not specify the size of the entire packet.


ToS—Enter a value for the type of service byte in the IP header of the echo request. The default value is 0. Valid values are from 0 to 255.

Number of Packets—The number of echo requests to send for each test. The default value is 1. Valid values are from 1 to 100.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


ASR Group

Use the ASR Group screen to assign asynchronous routing group ID numbers to interfaces.

In some situations, return traffic for a session may be routed through a different interface than it originated from. In failover configurations, return traffic for a connection that originated on one unit may return through the peer unit. This most commonly occurs when two interfaces on a single security appliance, or two security appliances in a failover pair, are connected to different service providers and the outbound connection does not use a NAT address. By default, the security appliance drops the return traffic because there is no connection information for the traffic.

You can prevent the return traffic from being dropped using an ASR Group on interfaces where this is likely to occur. When an interface configured with an ASR Group receives a packet for which it has no session information, it checks the session information for the other interfaces that are in the same group.

If it does not find a match, the packet is dropped. If it finds a match, then one of the following actions occurs:

If the incoming traffic originated on a peer unit in a failover configuration, some or all of the layer 2 header is rewritten and the packet is redirected to the other unit. This redirection continues as long as the session is active.

If the incoming traffic originated on a different interface on the same unit, some or all of the layer 2 header is rewritten and the packet is reinjected into the stream.

Prerequisites

You must enable Stateful Failover for session information to be passed from the standby failover group to the active failover group.

Fields

The ASR Group table displays the following information for each interface on the security appliance:

Interface—Displays the name of the interface on the security appliance.

ASR Group ID—Displays the number of the ASR Group the interface belongs to. If the interface has not been assigned an ASR Group number, this column displays "-- None --". Valid values are from 1 to 32.

To assign an ASR Group number to an interface, click the ASR Group ID cell in the row of the desired interface. A list of valid ASR Group number appears. Select the desired ASR Group number from the list. You can assign a maximum of 8 interfaces to a single ASR Group. If other contexts have interfaces assigned to an ASR Group, those interface count against the total of 8, even for the context currently being configured.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Proxy ARPs

In rare circumstances, you might want to disable proxy ARP for global addresses.

When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request asking "Who is this IP address?" The device owning the IP address replies, "I own that IP address; here is my MAC address."

Proxy ARP is when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. The security appliance uses proxy ARP when you configure NAT and specify a global address that is on the same network as the security appliance interface. The only way traffic can reach the hosts is if the security appliance uses proxy ARP to claim that the security appliance MAC address is assigned to destination global addresses.

Fields

Interface—Lists the interface names.

Proxy ARP Enabled—Shows whether proxy ARP is enabled or disabled for NAT global addresses, Yes or No.

Enable—Enables proxy ARP for the selected interface. By default, proxy ARP is enabled for all interfaces.

Disable—Disables proxy ARP for the selected interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System