Default gateway not working ASA 5505 8.4.2 - Packet Tracer 7.2.2

lsoinatel00416 — Mon, 11 May 2020 22:41:22 GMT

Hy,

I´ve configured a "default route" in my ASA 5505 (8.4.2) but it is not working. When I try to send a packet toward a internet (public address), for instance 172.217.30.14, the packet is dropped with the message below:

Inboud PDU:

1. The device looks up the destination IP address in the CEF table.

2. The CEF table does not have an entry for the destination IP address.

3. The device looks up the destination IP address in the routing table.

Outbound PDU:

1. The routing table finds a routing entry to the destination IP address.

2. The destination network can be reached via 172.217.30.14.

1. The next-hop IP address is not in the ARP table. The ARP process tries to send an ARP request for that IP address and drops this packet.

Why 172.217.30.14? My default gateway is 10.11.11.2, instead (my next hop). ASA does not send the packet to the default gateway, sends a ARP request (broadcast FFFFFF....) and the Gateway drops the packet.

The entire configuration:

ASA Version 8.4(2)

hostname ciscoasa

names

interface Ethernet0/0

switchport access vlan 249

interface Ethernet0/1

interface Ethernet0/2

switchport access vlan 49

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

no nameif

no security-level

no ip address

interface Vlan2

no nameif

no security-level

ip address dhcp

interface Vlan49

nameif OUTSIDE

security-level 0

ip address 10.11.11.1 255.255.255.252

interface Vlan249

no forward interface Vlan1

nameif INSIDE_CORP

security-level 70

ip address 10.1.249.1 255.255.255.0

object network in_corp

subnet 10.1.249.0 255.255.255.0

route OUTSIDE 0.0.0.0 0.0.0.0 10.11.11.2 1

access-list outside_in extended permit icmp any any echo-reply

access-list outside_in extended permit icmp any any unreachable

access-list outside_in extended deny ip any any

access-list 101 extended permit udp 10.1.249.0 255.255.255.0 host 10.1.20.12 eq domain

access-group outside_in in interface OUTSIDE

object network in_corp

nat (INSIDE_CORP,OUTSIDE) dynamic interface

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns

inspect http

inspect icmp

service-policy global_policy global

telnet timeout 5

ssh timeout 5

dhcpd option 3 ip 10.1.249.1

dhcpd address 10.1.249.2-10.1.249.32 INSIDE_CORP

dhcpd dns 10.1.20.12 interface INSIDE_CORP

dhcpd enable INSIDE_CORP

Best regards,

Leonardo

Re: Default gateway not working ASA 5505 8.4.2 - Packet Tracer 7.2.2

Martin L — Mon, 11 May 2020 22:50:12 GMT

please attach your PT file here; must be in zip format I think

Re: Default gateway not working ASA 5505 8.4.2 - Packet Tracer 7.2.2

lsoinatel00416 — Mon, 11 May 2020 23:27:11 GMT

Hi, attached the PT file.

Best;

Re: Default gateway not working ASA 5505 8.4.2 - Packet Tracer 7.2.2

lsoinatel00416 — Mon, 11 May 2020 23:46:05 GMT

Hi, attached the entire net (.pkt)

Take a look "ASA ASA-SP" - You can try ping "www.google.com" from notebook "Corporativo TI(DHCP)". When the packet get in the ASA-SP, it sends a broadcast ARP (I don´t know why) and dropped it.

Best,

Leonardo

topic Default gateway not working ASA 5505 8.4.2 - Packet Tracer 7.2.2 in Network Security

Default gateway not working ASA 5505 8.4.2 - Packet Tracer 7.2.2

Re: Default gateway not working ASA 5505 8.4.2 - Packet Tracer 7.2.2

Re: Default gateway not working ASA 5505 8.4.2 - Packet Tracer 7.2.2

Re: Default gateway not working ASA 5505 8.4.2 - Packet Tracer 7.2.2