Hello,
I set up a "default route" on my ASA 5505 (8.4.2), but it is not working correctly. When I try to send a packet to the Internet (a public address), for example 172.217.30.14, the packet is dropped with the message below:
Inbound PDU:
1. The device looks up the destination IP address in the CEF table.
2. The CEF table does not have an entry for the destination IP address.
3. The device looks up the destination IP address in the routing table.
Outbound PDU:
1. The routing table finds a routing entry to the destination IP address.
2. The destination network can be reached via 172.217.30.14.
1. The next-hop IP address is not in the ARP table. The ARP process tries to send an ARP request for that IP address and drops this packet.
Why 172.217.30.14? My default gateway is 10.11.11.2 (my next hop). The ASA does not send the packet to the default gateway; it sends an ARP request (broadcast FFFFFF....) for that address to the gateway, which drops the packet because it is a broadcast message not addressed to it.
The entire configuration:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 249
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 49
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
no nameif
no security-level
ip address dhcp
!
interface Vlan49
nameif OUTSIDE
security-level 0
ip address 10.11.11.1 255.255.255.252
!
interface Vlan249
no forward interface Vlan1
nameif INSIDE_CORP
security-level 70
ip address 10.1.249.1 255.255.255.0
!
object network in_corp
subnet 10.1.249.0 255.255.255.0
!
route OUTSIDE 0.0.0.0 0.0.0.0 10.11.11.2 1
!
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended deny ip any any
access-list 101 extended permit udp 10.1.249.0 255.255.255.0 host 10.1.20.12 eq domain
access-group outside_in in interface OUTSIDE
object network in_corp
nat (INSIDE_CORP,OUTSIDE) dynamic interface
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect dns
inspect http
inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
dhcpd option 3 ip 10.1.249.1
dhcpd address 10.1.249.2-10.1.249.32 INSIDE_CORP
dhcpd dns 10.1.20.12 interface INSIDE_CORP
dhcpd enable INSIDE_CORP
!
Best regards,
Leonardo
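As an added example (not part of Leonardo's post and not Cisco code): a small Python model of the route lookup a router or firewall performs before it ARPs, built from the two interface addresses and the `route OUTSIDE 0.0.0.0 0.0.0.0 10.11.11.2 1` line in the configuration above. With that table, a packet to 172.217.30.14 matches the default route and the address to ARP for is the next hop 10.11.11.2, not the destination; the model also shows the drop that results when the configured next hop is not on the OUTSIDE /30. The table layout, the lookup order and the rule that a static next hop must sit on a connected network of the egress interface are simplifying assumptions of this model, not taken from ASA documentation.

```python
# Added example (not from the original post): a minimal model of the routing
# lookup performed before ARP, applied to the interfaces and the static default
# route from the configuration above. The table layout, the lookup order and
# the "next hop must be on a connected network of the egress interface" rule
# are assumptions of this model, not ASA internals.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[ipaddress.IPv4Address]  # None marks a connected route
    metric: int = 0


def build_table(interfaces, static_routes):
    """interfaces: {nameif: 'address/prefixlen'} become connected routes.
    static_routes: [(nameif, 'prefix/len', 'next_hop', metric)], one per 'route' line."""
    table = []
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        table.append(Route(iface.network, name, None, 0))
    for name, prefix, next_hop, metric in static_routes:
        table.append(Route(ipaddress.ip_network(prefix), name,
                           ipaddress.ip_address(next_hop), metric))
    return table


def lookup(table, address):
    """Longest-prefix match; ties broken by lowest metric. Returns None if no route."""
    dst = ipaddress.ip_address(address)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def forwarding_decision(table, destination):
    """Return the egress interface and the address the device must ARP for.

    For a connected route the ARP target is the destination itself; for a
    static route it is the next hop, which must itself be reachable through a
    connected route on the same egress interface (no recursive lookup here)."""
    route = lookup(table, destination)
    if route is None:
        return {"action": "drop", "reason": "no route to destination"}
    arp_target = (ipaddress.ip_address(destination)
                  if route.next_hop is None else route.next_hop)
    via = lookup(table, str(arp_target))
    if via is None or via.next_hop is not None or via.interface != route.interface:
        return {"action": "drop",
                "reason": f"next hop {arp_target} is not on a connected network of {route.interface}"}
    return {"action": "forward", "interface": route.interface,
            "matched": str(route.prefix), "arp_target": str(arp_target)}


# Interfaces and the default route taken from the posted configuration.
ASA_INTERFACES = {"OUTSIDE": "10.11.11.1/30", "INSIDE_CORP": "10.1.249.1/24"}
ASA_ROUTES = [("OUTSIDE", "0.0.0.0/0", "10.11.11.2", 1)]
ASA_TABLE = build_table(ASA_INTERFACES, ASA_ROUTES)

# Constructed failure case: same interfaces, but a next hop outside the OUTSIDE /30.
BAD_TABLE = build_table(ASA_INTERFACES, [("OUTSIDE", "0.0.0.0/0", "10.11.12.2", 1)])

if __name__ == "__main__":
    for dst in ("172.217.30.14", "10.1.249.50", "10.11.11.2"):
        print(dst, forwarding_decision(ASA_TABLE, dst))
    print("172.217.30.14 via bad next hop", forwarding_decision(BAD_TABLE, "172.217.30.14"))
```

On a real ASA the equivalent checks are `show route` (the default route should appear as `S* 0.0.0.0 0.0.0.0 [1/0] via 10.11.11.2, OUTSIDE`), `show arp` (an entry for 10.11.11.2 on OUTSIDE after the first packet), and `packet-tracer input INSIDE_CORP icmp 10.1.249.10 8 0 172.217.30.14`, whose ROUTE-LOOKUP phase names the interface and next hop actually chosen.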