topic According to you, all in Network Security

Static route problems

mehrzad.torki — Tue, 12 Mar 2019 03:56:29 GMT

Hey All,

I have an ASA5510 w/ Security+ that's giving me issues with some static routes. The inside network is 192.168.1.0/24, the inside interface is 192.168.1.3. There is a second router in the network that exists at 192.168.1.180. I need any traffic destined for the subnet 192.168.20.0/24 to go to the 180 gateway. All machines use the asa(192.168.1.3) as their gateway. I have a few routes in the asa:

route inside 10.1.1.0 255.255.255.0 192.168.1.15 1
route inside 10.1.10.0 255.255.255.0 192.168.1.15 1
route inside 192.168.3.0 255.255.255.0 192.168.1.3 1
route inside 192.168.20.0 255.255.255.0 192.168.1.180 1

All machines are able to get on the internet, but none can reach the 20.x network. When I try to ping the 20.x network I get the following error in the logs of the ASA:
Deny inbound icmp src inside:192.X.X.X dst inside:10.X.X.X (type 8, code 0)

I know my routes are programmed into the 192.168.1.180 router correctly, becuase if i set a machine's gateway to be 1.180, i can ping and get to the 20.x network fine. But the ASA is preventing the routes from completing. Any ideas?

First off, are you able to

Marius Gunnerud — Fri, 14 Mar 2014 08:20:45 GMT

First off, are you able to reach your hosts on the 20.x network using different protocols, such as RDP, WWW, FTP....etc?

Could you run a packet-tracer, this will give us an idea of what setting on the ASA is dropping the traffic.

packet-tracer input inside tcp <source address> 12345 <destination address> 80 detail

Please remember to rate and select a correct answer

According to you, all

Rudy Sanjoko — Fri, 14 Mar 2014 09:32:13 GMT

According to you, all machines in your inside network is not able to ping 20.x network when the ASA is the default gateway and works fine if you use the router as the default gateway. Just like Marius said, are you able to reach 20.x using different protocol? If yes and only ICMP that is not working, then it is high likely that your ICMP policy is the cause.

I see that you have a policy map configured for inspecting icmp, but it is applied on the outside interface.

Marius & Rudy,First off,

mehrzad.torki — Fri, 14 Mar 2014 14:42:08 GMT

Marius & Rudy,

First off, thanks for your help!

No, I'm not able to reach my hosts using any protocols. I have a Fluke Etherscope which is running a webserver at 192.168.20.250, and i can't reach it. It seems like my traffic is making there, but unable to return, due to the ASA dropping the packets, although i may be wrong about that.

Rudy, yes that's correct. If use my router as the gateway, everything seems to work fine. When i use that ASA as my default gateway, i can't reach (or get return packets) from the 20.x network.

Also, I guess that's correct about the ICMP-inspection policy, I never seem to be able to ping hosts on the internet.

Thanks Again,

Mehrzad

Result of the command: "packet-tracer input inside tcp 192.168.1.181 12345 192.168.20.253 80 detail"

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab8c5d98, priority=1, domain=permit, deny=false

hits=2829692679, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (inside,inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0

match ip inside 192.168.20.0 255.255.255.0 inside any

static translation to 192.168.20.0

translate_hits = 5, untranslate_hits = 1587

Additional Information:

NAT divert to egress interface inside

Untranslate 192.168.20.0/0 to 192.168.20.0/0 using netmask 255.255.255.0

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab8c6e60, priority=3, domain=permit, deny=false

hits=2513198, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab8c84d0, priority=0, domain=inspect-ip-options, deny=true

hits=154410326, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: NAT

Subtype:

Result: DROP

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 2383570, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in id=0xaba45948, priority=1, domain=nat, deny=false

hits=2749385, user_data=0xaba45888, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

The problem is that when

Jon Marshall — Sun, 16 Mar 2014 17:02:45 GMT