11-19-2010 02:00 PM - edited 03-11-2019 12:12 PM
I have an asa 5505 base model that I'm having problems with a static route. The inside network is 192.168.168.0/24 the inside interface is 192.168.168.1. There is a second gateway in the network that exists at 192.168.168.101. I need any traffic destined for the subnet 10.0.0.0/8 to go to the 101 gateway. All machines use the asa(192.168.168.1) as their gateway. I have 2 routes in the asa:
route outside 0.0.0.0 0.0.0.0 24.144.192.1 1
route inside 10.0.0.0 255.0.0.0 192.168.168.101 1
All machines are able to get on the internet, but none can reach the 10 network. When I try to ping the 10 network I get the following error:
Deny inbound icmp src inside:192.X.X.X dst inside:10.X.X.X (type 8, code 0)
I can however ping it from the asa itself. I tried adding the same-security-traffic permit intra-interface command to the config and still cannot ping from workstations but get a different error
portmap translation creation failed for icmp src inside:192.X.X.X dst inside:10.X.X.X (type 8, code 0)
I can't understand what I'm missing and am beginning to wonder if this is a base os restriction. I've attached my config
Thanks for any help.
11-19-2010 02:43 PM
Brian,
The 192.168.168.x will reach 10.0.0.x by reaching the ASA and reroute back via the inside interface correct?
Try adding this command:
static (inside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
And see if it works.
Probably this one:
static (inside,inside) 192.168.168.0 192.168.168.0 netmask 255.255.255.0
Let us know.
Federico.
11-20-2010 11:52 PM
Hi Brian,
Since you are running 8.2.1 there should have been an ICMP redirect by ASA and a route should be automatically injected on the client workstation for subnet 10.0.0.0 mask 255.0.0.0 GW 192.168.168.101. Sometimes a PC can ignore ICMP redirect packets because of firewall on PC or HIPS, in that case a packet will come to firewall and firewall will forward the packet to 192.168.168.101 and then reply will directly reach PC. This all should be fine till ICMP or UDP is used, however for TCP based traffic we need to have a TCP state bypass.
In your case, PC has default gateway set to firewall so first segment with SYN flag will reach firewall and firewall will forward it for 192.168.168.101. However, a segment with SYN and ACK flags set will directly reach PC from 192.168.168.101 as it will have MAC address of host resolved via ARP; so next segment from PC with ACK flag set coming to ASA will be dropped as there was no SYN-ACK seen by ASA. More details of feature can be found at
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf
Are you using ICMP itself to test the behavior or some TCP traffic? Let us know if it still does not work as per suggestion from Federico and enabling TCP state bypass.
Regards,
-Deepak
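Deepak's asymmetric-handshake explanation above, modelled as an added Python example (not Cisco code and not from anyone in the thread): a stateful firewall that sees the SYN and the final ACK but never the SYN-ACK drops the ACK, unless flows to 10.0.0.0/8 are exempted from state checking. The host and server addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addresses matching the thread's topology: the PC's default gateway is
# the ASA, 192.168.168.101 is the second gateway, 10.1.2.3 is a host behind it.
PC, SERVER = "192.168.168.50", "10.1.2.3"

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: str            # "SYN", "SYN-ACK" or "ACK"
    via_firewall: bool    # False when the segment travels PC <-> 192.168.168.101 directly

@dataclass
class StatefulFirewall:
    bypass_nets: tuple = ()                        # networks exempt from TCP state checks
    conns: dict = field(default_factory=dict)      # flow key -> handshake state

    def _bypassed(self, seg):
        nets = [ipaddress.ip_network(n) for n in self.bypass_nets]
        return any(ipaddress.ip_address(ip) in n for ip in (seg.src, seg.dst) for n in nets)

    def inspect(self, seg):
        if self._bypassed(seg):
            return "forward (state bypass)"
        key = frozenset((seg.src, seg.dst))
        state = self.conns.get(key)
        if seg.flags == "SYN" and state is None:
            self.conns[key] = "SYN_SEEN"
            return "forward"
        if seg.flags == "SYN-ACK" and state == "SYN_SEEN":
            self.conns[key] = "SYNACK_SEEN"
            return "forward"
        if seg.flags == "ACK" and state == "SYNACK_SEEN":
            self.conns[key] = "ESTABLISHED"
            return "forward"
        # The firewall never saw the SYN-ACK, so the ACK has no connection to belong to
        return f"drop: {seg.flags} with no matching connection state"

def asymmetric_handshake(bypass_nets=()):
    """Run the three handshake segments through the firewall; return one decision each."""
    fw = StatefulFirewall(bypass_nets)
    segments = [
        Segment(PC, SERVER, "SYN", via_firewall=True),        # PC's default route points at the ASA
        Segment(SERVER, PC, "SYN-ACK", via_firewall=False),   # reply comes straight from 192.168.168.101
        Segment(PC, SERVER, "ACK", via_firewall=True),
    ]
    return [fw.inspect(s) if s.via_firewall else "direct (firewall never sees it)" for s in segments]
```

Calling `asymmetric_handshake()` shows the ACK dropped; `asymmetric_handshake(("10.0.0.0/8",))` shows it forwarded once the 10.x flows are bypassed.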
11-22-2010 06:20 AM
Adding both of the static NATs took care of it. Thanks
11-29-2010 01:49 PM
Federico
Can you show the static route commands using the new NAT method in 8.3.2?
Thanks
Jess