04-14-2011 12:14 PM - edited 03-11-2019 01:21 PM
ISP assigned us the following:
xxx.yyy.zzz.32/30 as the outside interface network.
This means .33 is the next hop, gateway, or default route.
This means .34 is the outside interface on the ASA.
xxx.yyy.zzz.64/26 as the ip address pool.
This means xxx.yyy.zzz.65 to xxx.yyy.zzz.127 is the address pool.
xxx.yyy.zzz is identical in all cases.
Addresses .35 through .63 are owned by other parties and are not usable to us.
The 33-34 setup works using static routing; the IPsec VPN is set up and functioning properly using these addresses.
[i.e. route outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.33]
After NAT and ACL entries are created to provide an alternate external IP address on the outside interface [i.e. static (inside,outside) [external ip] [name] netmask 255.255.255.255 and access-list [name2] extended permit tcp any host [alternate outside ip] eq https], attempting to browse to an internally hosted website from an external IP address results in the following message in the ASDM log.
6 Apr 14 2011 17:58:51 110003 [redacted external IP Address] 37763 [Internal Website Name] 80 Routing failed to locate next hop for TCP from Outside:[redacted external IP Address]/37763 to Inside:[Internal Website Name]/80
How do I set up routing for this non-contiguous address range?
Sorry, in advance, if my redactions cause any issues or my explanation of the issue is unclear.
Regards,
Don
04-14-2011 12:47 PM
I'm kind of confused as to what you are asking. Having a /30 between the ASA and the provider and then a different /26 network for static entries should not be a problem. It sounds like you are not setting up your static entry correctly. It should look like this:
static (inside,outside) xxx.yyy.zzz.65 [INTERNAL IP]
access-list ACLNAME extended permit tcp any host [INTERNAL IP] eq https
The fact that your /30 and /26 are different ranges does not matter.
04-14-2011 01:00 PM
Remember, all these /30 and /26 addresses are on the outside interface, with the /30 assigned to the interface and the /26 assigned via static NAT - not sure if that has any impact.
For NAT and ACLs, what I have is this:
access-list Outside_access_in extended permit tcp any host xxx.yyy.zzz.65 eq https
access-list Outside_access_in extended permit tcp any host xxx.yyy.zzz.66 eq smtp
access-list Outside_access_in extended permit tcp any host xxx.yyy.zzz.67 eq https
access-list Outside_access_in extended permit tcp any host xxx.yyy.zzz.68 eq www
static (Inside,Outside) xxx.yyy.zzz.65 [Object Name1] netmask 255.255.255.255
static (Inside,Outside) xxx.yyy.zzz.66 [Object Name2] netmask 255.255.255.255
static (Inside,Outside) xxx.yyy.zzz.67 [Object Name3] netmask 255.255.255.255
static (Inside,Outside) xxx.yyy.zzz.68 [Object Name4] netmask 255.255.255.255
04-14-2011 02:06 PM
Can the ASA reach the internal IP addresses? If they are not directly connected to the ASA's inside network, does the ASA have a route on the inside interface to get to these addresses? Otherwise, it'll want to go out the default route.
04-18-2011 11:58 AM
Part of the issue was that the website was in the DMZ and I had nothing set up to route to that location.
I added a static route as suggested and it resolved the issue.
Thanks for the assistance!
Regards,
Don
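An added example, not part of the thread or of any Cisco tool: a small Python check for the condition the accepted answer describes. It parses constructed ASA-style route and static NAT lines (RFC 5737 addresses stand in for the redacted xxx.yyy.zzz ranges) and, for each static, does a longest-prefix lookup of the real (inside-side) host to see whether it is actually routed out the interface the static names or falls through to the default route, which is what produces the "Routing failed to locate next hop" message.

```python
import ipaddress

# Constructed ASA-style configuration (not the thread's real config).
# A DMZ host is deliberately left without a route so the check flags it.
ROUTES = """
route Outside 0.0.0.0 0.0.0.0 203.0.113.33 1
route Inside 10.10.0.0 255.255.0.0 10.1.1.254 1
"""

STATICS = """
static (Inside,Outside) 203.0.113.65 10.10.5.20 netmask 255.255.255.255
static (DMZ,Outside) 203.0.113.67 172.16.1.10 netmask 255.255.255.255
"""

def parse_routes(text):
    """Return a list of (interface, network, next_hop) from 'route' lines."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        iface, net, mask, nexthop = parts[1:5]
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        routes.append((iface, network, nexthop))
    return routes

def lookup(routes, host):
    """Longest-prefix match; returns (interface, next_hop) or None."""
    addr = ipaddress.IPv4Address(host)
    best = None
    for iface, network, nexthop in routes:
        if addr in network and (best is None or network.prefixlen > best[1].prefixlen):
            best = (iface, network, nexthop)
    return None if best is None else (best[0], best[2])

def check_statics(route_text, static_text):
    """Map each static's real IP to None (routed out the expected interface)
    or a string describing why the ASA would fail to find a usable next hop."""
    routes = parse_routes(route_text)
    results = {}
    for line in static_text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "static":
            continue
        real_iface = parts[1].strip("()").split(",")[0]  # (real,mapped)
        real_ip = parts[3]
        hit = lookup(routes, real_ip)
        if hit is None:
            results[real_ip] = "no route at all"
        elif hit[0] != real_iface:
            results[real_ip] = f"routes out {hit[0]} via {hit[1]}, expected {real_iface}"
        else:
            results[real_ip] = None
    return results
```

Adding a route for the DMZ subnet (as Don did) clears the flagged entry, which is the quickest way to confirm a proposed route before applying it.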