ASA 5505 initial build - Failed to locate egress interface (Please help :-) )

robert404
Level 1

Hi, I have just purchased an ASA 5505 and have completed the initial setup via the wizard.  I am currently unable to access services on the outside of the ASA. 

The error: 'Failed to locate egress interface for UDP from inside'....  appears whenever my DNS server attempts a lookup. 

I have configured this several times from scratch using the wizard and I am unable to figure out the issue with the NAT / Routing config. 

If I run the packet tracer I get the error: "(no-route) no route to host", however I do have a default route configured so I suspect it may be my NAT configuration. 

Overview, 192.168.10.0/24 inside the ASA, 192.168.1.0/24 outside the ASA, 192.168.1.1 is the gateway to the internet.  I ideally want the ASA to use PAT to mask the 192.168.10.0/24 network behind the ASA's 192.168.1.0/24 network address but still allow clients to gain internet access. 

Full config follows, screen shots attached, any help would be very gratefully received. 


Result of the command: "sh run"

: Saved
:
ASA Version 9.0(1)
!
hostname firewall
enable password (REMOVED) encrypted
passwd (REMOVED) encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan5
 no nameif
 security-level 50
 ip address dhcp
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Server1
 host 192.168.10.10
object network GoogleDNS1
 host 8.8.8.8
 description Google DNS Server
object network GoogleDNS2
 host 8.8.4.4
 description Google DNS Server
object network 192.168.10.x
 subnet 192.168.10.0 255.255.255.0
object network InternetRouter
 host 192.168.1.1
object-group network DM_INLINE_NETWORK_1
 network-object object GoogleDNS1
 network-object object GoogleDNS2
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list inside_access_in remark External DNS Lookups
access-list inside_access_in extended permit udp object Server1 object-group DM_INLINE_NETWORK_1 eq domain
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 255.255.255.255 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:(REMOVED)
: end


9 Replies

Marvin Rhoads
Hall of Fame

Your default route statement is incorrectly formed. You have:

route outside 0.0.0.0 255.255.255.255 192.168.1.1 1

and it should be:

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
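
To see why the mask matters, here is a small added script (mine, not from the original post or from Cisco) that parses ASA static route lines and does a longest-prefix lookup the way the routing table would: with the posted 255.255.255.255 mask the "default" route covers only the single host 0.0.0.0, so 8.8.8.8 gets (no-route); with the 0.0.0.0 mask it covers everything. Function names and the config scanner are my own.

```python
import ipaddress
import re

# Constructed sample lines: the misconfigured route from the question and the fix.
BAD_ROUTE = "route outside 0.0.0.0 255.255.255.255 192.168.1.1 1"
GOOD_ROUTE = "route outside 0.0.0.0 0.0.0.0 192.168.1.1 1"

# ASA syntax: route <ifname> <network> <netmask> <gateway> [metric]
ROUTE_RE = re.compile(
    r"^route\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)(?:\s+(\d+))?\s*$"
)


def parse_route(line):
    """Turn one static route line into a dict with an ip_network prefix."""
    m = ROUTE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static route line: {line!r}")
    ifname, net, mask, gw, metric = m.groups()
    # dotted netmask form: 0.0.0.0/255.255.255.255 becomes 0.0.0.0/32
    prefix = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return {"iface": ifname, "prefix": prefix,
            "gateway": str(ipaddress.ip_address(gw)), "metric": int(metric or 1)}


def lookup(routes, dst):
    """Longest-prefix match over parsed routes; None is the ASA's (no-route) drop."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r["prefix"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["prefix"].prefixlen, -r["metric"]))


def is_malformed_default(route):
    """A route to network 0.0.0.0 with any mask other than 0.0.0.0 is a host route, not a default."""
    return (route["prefix"].network_address == ipaddress.ip_address("0.0.0.0")
            and route["prefix"].prefixlen != 0)


def check_config(text):
    """Scan a 'show run' dump and return warnings for malformed default routes."""
    warnings = []
    for line in text.splitlines():
        if line.startswith("route "):
            r = parse_route(line)
            if is_malformed_default(r):
                warnings.append(f"{line.strip()}: mask should be 0.0.0.0 for a default route")
    return warnings
```

Run check_config over the pasted "sh run" output to flag the bad line before it ever reaches packet-tracer.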

Hi Marvin,

Thank you so much for your reply, I have changed the route as per your recommendation and applied the configuration, however I still get the same results with the packet trace.  (no-route) No route to host.

Any thoughts?

Thanks.

You did delete the incorrect route, yes? If you didn't it's still in there.

Please provide the output of:

show run route

packet-tracer input inside udp 192.168.10.10 53 8.8.8.8 53

Yes, I did delete the incorrect route, and also applied the configuration.  Here is the output:

Result of the command: "show run route"
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
 
Result of the command: "packet-tracer input inside udp 192.168.10.10 53 8.8.8.8 53"
Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

Hmm, the routing looks good now.

Can you verify that the outside interface (Ethernet0/0) is UP/UP:

"show interface Eth0/0"

Ah.  That switch port had gone into error disable before my last test; I have changed the cable and the interfaces are now clean of errors. (Apologies)

I have now retested and it's working! I have double checked and it looks like my issue was all down to that default gateway setting being incorrect. 

As you said, it should have read:

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

Thank you for all your help with this. I am really very grateful. 

Disregard my comment just now then :)

You're welcome. Funny how the simplest things can sometimes trip us up.

Thanks for the rating.

Just to be sure, can you post output from show int ip brie and show route? And try to remove your ACL for testing purposes, or at least don't apply it anywhere yet. 

Once done, try doing another packet-tracer to 8.8.8.8 using an ICMP packet instead of UDP and paste the whole output here. Before doing this, add the icmp any any outside command on the ASA.

I know this shouldn't have anything to do with your issue, because if the ACL were the issue then you would see the output being denied by the ACL in the packet-tracer output. Let us know the results.
