topic ASA 5505 initial build - Failed to locate egress interface (Please help :-) ) in Network Security

ASA 5505 initial build - Failed to locate egress interface (Please help :-) )

robert404 — Tue, 12 Mar 2019 04:04:20 GMT

Hi, I have just purchased a ASA 5505 and have completed the initial setup via the wizard. I am currently unable to access services on the outside of the ASA.

The error: 'Failed to locate egress interface for UDP from inside'.... appears when ever my DNS server attempts a lookup.

I have configured this several times from scratch using the wizard and I am unable to figure out the issue with the NAT / Routing config.

If I run the packet tracer I get the error: "(no-route) no route to host", however I do have a default route configured so I suspect it maybe my NAT configuration.

Overview, 192.168.10.0/24 inside the ASA, 192.168.1.0/24 outside the ASA, 192.168.1.1 is the gateway to the internet. I ideally want the ASA to use PAT to mask the 192.168.10.0/24 network behind the ASAs 192.168.1.0/24 network address but still allow clients to gain internet access.

Full config follows, screen shots attached, any help would be very gratefully received.

Result of the command: "sh run"

: Saved
:
ASA Version 9.0(1)
!
hostname firewall
enable password (REMOVED) encrypted
passwd (REMOVED) encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.254 255.255.255.0
!
interface Vlan5
no nameif
security-level 50
ip address dhcp
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server1
host 192.168.10.10
object network GoogleDNS1
host 8.8.8.8
description Google DNS Server
object network GoogleDNS2
host 8.8.4.4
description Google DNS Server
object network 192.168.10.x
subnet 192.168.10.0 255.255.255.0
object network InternetRouter
host 192.168.1.1
object-group network DM_INLINE_NETWORK_1
network-object object GoogleDNS1
network-object object GoogleDNS2
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list inside_access_in remark External DNS Lookups
access-list inside_access_in extended permit udp object Server1 object-group DM_INLINE_NETWORK_1 eq domain
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 255.255.255.255 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:(REMOVED)
: end

Your default route statement

Marvin Rhoads — Mon, 14 Apr 2014 12:00:23 GMT

Your default route statement is incorrectly formed. You have:

route outside 0.0.0.0 255.255.255.255 192.168.1.1 1

and it should be:

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

Hi Marvin,Thank you so much

robert404 — Mon, 14 Apr 2014 12:54:47 GMT

Hi Marvin,

Thank you so much for your reply, I have changed the route as per your recommendation and applied the configuration, however I still get the same results with the packet trace. (no-route) No route to host.

Any thoughts?

Thanks.

You did delete the incorrect

Marvin Rhoads — Mon, 14 Apr 2014 13:15:21 GMT

You did delete the incorrect route, yes? If you didn't it's still in there.

Please provide the output of:

show run route

packet-tracer input inside udp 192.168.10.10 53 8.8.8.8 53

Yes, I did delete the

robert404 — Mon, 14 Apr 2014 14:13:22 GMT

Yes, I did delete the incorrect route, and also applied the configuration. Here is the output:

Result of the command: "show run route"

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

Result of the command: "packet-tracer input inside udp 192.168.10.10 53 8.8.8.8 53"

Result:

input-interface: inside

input-status: up

input-line-status: up

Action: drop

Drop-reason: (no-route) No route to host

Hmm, the routing looks good

Marvin Rhoads — Mon, 14 Apr 2014 14:45:25 GMT

Hmm, the routing looks good now.

Can you verify that the outside interface (Ethernet0/0) is UP/UP:

"show interface Eth0/0"

Ah. That switch port had

robert404 — Mon, 14 Apr 2014 15:40:20 GMT

Ah. That switch port had gone into error disable before my last test, I have changed the cable and the interfaces are now clean of errors. (Apologies)

I have now retested and its working! I have double checked and it looks like my issue was all down to that default gateway setting being incorrect.

As you said, it should have read:

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

Thank you for all your help with this. I am really very grateful.

Just to want to be sure, can

Rudy Sanjoko — Mon, 14 Apr 2014 15:56:58 GMT

Just to want to be sure, can you post output from show int ip brie and show route? And try to remove your ACL for testing purpose or at least don't applied it anywhere yet.

Once done, try do another packet-tracer to 8.8.8.8 using icmp packet instead of UDP paste the whole the output here. Before doing this, add icmp any any outside command on the ASA.

I know this should have anything to do with your issue, because if ACL is the issue then you will see output being denied by ACL on the packet tracer output. Let us know the results.

Disregards my comment just

Rudy Sanjoko — Mon, 14 Apr 2014 15:57:52 GMT

Disregards my comment just now then 🙂

You're welcome. Funny how the

Marvin Rhoads — Mon, 14 Apr 2014 15:59:09 GMT

You're welcome. Funny how the simplest things can sometimes trip us up.

Thanks for the rating.