ASA5520 8.21 - IP addresses, routing issue? NAT issue?

don_ellet, Level 1

ISP assigned us the following:

xxx.yyy.zzz.32/30 as the outside interface network.

This means .33 is the next hop, gateway, or default route.

This means .34 is the outside interface on the ASA.

xxx.yyy.zzz.64/26 as the ip address pool.

This means xxx.yyy.zzz.65 to xxx.yyy.zzz.127 is the address pool.

xxx.yyy.zzz is identical in all cases.

Addresses .35 through .63 are owned by other parties and are not usable to us.

The 33-34 setup works using static routing - IPSEC VPN is set up and functioning properly using these addresses.

[ie. Route outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.33]

After NAT and ACL entries are created to provide an alternate external IP address on the outside interface [ie. static (inside,outside) [external ip] [name] netmask 255.255.255.255 and access-list [name2] extended permit tcp any host [alternate outside ip] eq https], attempting to browse to an internally hosted website from an external IP address results in the following messages in the ASDM log.

6 Apr 14 2011 17:58:51 110003 [redacted external IP Address] 37763 [Internal Website Name] 80 Routing failed to locate next hop for TCP from Outside:[redacted external IP Address]/37763 to Inside:[Internal Website Name]/80

How do I set up routing for this non-contiguous address range?

Sorry, in advance, if my redactions cause any issues or my explanation of the issue is unclear.

Regards,

Don


4 Replies

jmunoz19, Level 4

I'm kind of confused as to what you are asking.  Having a /30 between the ASA and the provider and then a different /26 network for static entries should not be a problem.  It sounds like you are not setting up your static entry correctly.  It should look like this:

static (inside,outside) xxx.yyy.zzz.65 [INTERNAL IP]

access-list ACLNAME extended permit tcp any host [INTERNAL IP] eq https

The fact that your /30 and /26 are different ranges does not matter.

Remember, all these /30 and /26 addresses are on the outside interface, with the /30 assigned to the interface and the /26 assigned via static NAT - not sure if that has any impact.

For NAT and ACLs, what I have is this:

access-list Outside_access_in extended permit tcp any host xxx.yyy.zzz.65 eq https

access-list Outside_access_in extended permit tcp any host xxx.yyy.zzz.66 eq smtp

access-list Outside_access_in extended permit tcp any host xxx.yyy.zzz.67 eq https

access-list Outside_access_in extended permit tcp any host xxx.yyy.zzz.68 eq www

static (Inside,Outside) xxx.yyy.zzz.65 [Object Name1] netmask 255.255.255.255

static (Inside,Outside) xxx.yyy.zzz.66 [Object Name2] netmask 255.255.255.255

static (Inside,Outside) xxx.yyy.zzz.67 [Object Name3] netmask 255.255.255.255

static (Inside,Outside) xxx.yyy.zzz.68 [Object Name4] netmask 255.255.255.255

Can the ASA reach the internal IP addresses?  If they are not directly connected to the ASA's inside network, does the ASA have a route on the inside interface to get to these addresses?  Otherwise, it'll want to go out the default route.

Part of the issue was that the website was in the DMZ and I had nothing set up to route to that location.

I added a static route as suggested and it resolved the issue.

Thanks for the assistance!

Regards,

Don
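As an added example (not from the thread, and not Cisco or ASA code), here is a small Python model of the check the accepted answer describes and the fix Don applied: parse a 110003 "routing failed" line, un-NAT the public address through the static entries, and see which interface the route table picks for the real host. The addresses, interface names, host and routes are constructed placeholders that only mirror the layout in the thread (a /30 on the outside, a /26 used for statics, a default route to .33).

```python
import ipaddress
import re

# Constructed syslog line in the shape of the 110003 message quoted in the thread;
# the addresses and ports are placeholders, not values from the original post.
SAMPLE_LOG = ("6 Apr 14 2011 17:58:51 110003 198.51.100.10 37763 10.1.2.5 80 Routing failed "
              "to locate next hop for TCP from Outside:198.51.100.10/37763 to Inside:10.1.2.5/80")

LOG_RE = re.compile(r"Routing failed to locate next hop for (?P<proto>\w+) from "
                    r"(?P<src_if>\w+):(?P<src>[^/ ]+)/(?P<sport>\d+) to "
                    r"(?P<dst_if>\w+):(?P<dst>[^/ ]+)/(?P<dport>\d+)")

def parse_110003(line):
    """Extract the flow from a 110003 'routing failed' message; None for other messages."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

class RouteTable:
    """Longest-prefix-match table standing in for the ASA routing table (constructed model)."""
    def __init__(self):
        self.routes = []  # (network, interface, next_hop)
    def add(self, prefix, interface, next_hop=None):
        self.routes.append((ipaddress.ip_network(prefix), interface, next_hop))
    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        hits = [r for r in self.routes if addr in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def egress_for_static(table, statics, mapped_ip):
    """Replay the decision from the thread: un-NAT the public address via the static
    entry, then ask the route table which interface owns the real host. The flow is
    only routable when that interface is the one the static entry names; if the only
    match is the default route out Outside, the ASA has no usable next hop."""
    real_ip, real_if = statics[mapped_ip]
    hit = table.lookup(real_ip)
    egress_if = hit[1] if hit else None
    return real_ip, egress_if, egress_if == real_if

def demo():
    """Before and after the inside route Don added: returns the two verdicts."""
    table = RouteTable()
    table.add("203.0.113.32/30", "Outside")            # connected /30 from the ISP
    table.add("10.1.1.0/24", "Inside")                 # connected inside network
    table.add("0.0.0.0/0", "Outside", "203.0.113.33")  # route outside 0.0.0.0 0.0.0.0 .33
    statics = {"203.0.113.65": ("10.1.2.5", "Inside")}  # static (inside,outside) .65 web server
    before = egress_for_static(table, statics, "203.0.113.65")
    table.add("10.1.2.0/24", "Inside", "10.1.1.2")     # route inside 10.1.2.0 255.255.255.0 10.1.1.2
    after = egress_for_static(table, statics, "203.0.113.65")
    return before, after
```

Run `demo()` to see the verdict flip from the default route (Outside) to the inside route once the DMZ network is reachable through the interface the static entry names.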
