ASA 5505 static route is blocked?

I set up a simple static route on a 5505 ASA. The internal network is 172.16.1.0/24 and I needed to route to another network, 172.27.199.0, using 172.16.1.3 as the gateway. Simple enough?

router# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 109.178.148.169 to network 0.0.0.0

S 192.168.10.0 255.255.255.0 [1/0] via 172.16.1.3, inside
C 172.16.1.0 255.255.255.0 is directly connected, inside
S 172.27.199.0 255.255.255.0 [1/0] via 172.16.1.3, inside
S 10.1.1.0 255.255.255.0 [1/0] via 172.16.1.3, inside
C 108.178.148.168 255.255.255.248 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 108.178.148.169, outside
router#

The connection always shows reset and the logs show DENY INBOUND UDP (HTTP or whatever we are trying to do). The route is on the trusted inside network, so what is denying the traffic? From a laptop on the 172.16.1.0 network with the static routes added to netstat, it works just fine?

3 Replies

Ganesh Hariharan
VIP Alumni

Hi,

You should have a firewall ACL rule configured on the ASA to allow communication between the destination and the source which is trying to connect.

If the source is coming from outside, apply an ACL in the inbound direction of the outside interface, specifying the source subnet or IP, the destination subnet and the allowed protocols.

Hope it Helps..

-GI

Rate Helpful Posts

I understand what you are typing but not why? Both are internal trusted networks with the same security level, so why the access list? Traffic should by default flow between networks with the same security level, yes? Keep in mind the gateway is on the trusted inside network? Thanks for the input though!

Hello,

OK, so could you please tell me from where the source is originating and towards which destination?

Note: the same-security-traffic permit command is to permit traffic with the same security level.

Hope it Helps

-GI

Rate Helpful Posts
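A way to see why the same-security-traffic permit command matters here, as an added example that is not part of the thread: the static routes above point at a gateway (172.16.1.3) that sits on the inside interface, so a host on 172.16.1.0/24 reaching 172.27.199.0/24 enters and leaves the ASA through the same interface. The ASA drops such hairpin flows unless same-security-traffic permit intra-interface is configured, independently of any ACL. The script below re-parses the show route output posted in the question, does a longest-prefix lookup on the destination of each denied flow, and flags the ones whose egress interface equals the ingress interface. The log lines are constructed samples modelled on ASA message 106006 ("Deny inbound UDP from ... to ... on interface ..."); the exact format of your own syslog output is an assumption to check against the ASA syslog reference, and the regexes are mine, not a Cisco tool.

```python
"""Triage ASA deny log lines against the posted static route table.

Classifies each denied flow as a hairpin (enters and exits the same
interface, needing 'same-security-traffic permit intra-interface') or as
inter-interface traffic (ACL / security-level question).
"""
import ipaddress
import re

# Routing table copied from the 'show route' output in the question.
SHOW_ROUTE = """
S 192.168.10.0 255.255.255.0 [1/0] via 172.16.1.3, inside
C 172.16.1.0 255.255.255.0 is directly connected, inside
S 172.27.199.0 255.255.255.0 [1/0] via 172.16.1.3, inside
S 10.1.1.0 255.255.255.0 [1/0] via 172.16.1.3, inside
C 108.178.148.168 255.255.255.248 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 108.178.148.169, outside
"""

# Constructed sample log lines (not from the thread), modelled on ASA 106006.
SAMPLE_LOGS = [
    "%ASA-2-106006: Deny inbound UDP from 172.16.1.50/51234 to 172.27.199.10/53 on interface inside",
    "%ASA-2-106006: Deny inbound UDP from 203.0.113.7/4000 to 172.16.1.50/161 on interface outside",
]

# 'show route' line: code, network, mask, ..., ", <interface>" at the end.
ROUTE_RE = re.compile(
    r"^(?P<code>S\*|S|C)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r".*?,\s*(?P<iface>\w+)\s*$"
)
# Deny message: protocol, src/port, dst/port and the ingress interface.
DENY_RE = re.compile(
    r"Deny inbound (?P<proto>\w+) from (?P<src>\d+\.\d+\.\d+\.\d+)/\d+ "
    r"to (?P<dst>\d+\.\d+\.\d+\.\d+)/\d+ on interface (?P<iface>\w+)"
)


def parse_routes(text):
    """Return a list of (network, interface) tuples from 'show route' text."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append((net, m["iface"]))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: the interface the ASA would forward dst out of."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def classify_deny(routes, line):
    """Return a dict describing the denied flow, or None if the line is not a deny."""
    m = DENY_RE.search(line)
    if not m:
        return None
    ingress = m["iface"]
    egress = egress_interface(routes, m["dst"])
    if egress == ingress:
        verdict = "hairpin: needs same-security-traffic permit intra-interface"
    else:
        verdict = "inter-interface: check ACL and security levels"
    return {"proto": m["proto"], "src": m["src"], "dst": m["dst"],
            "ingress": ingress, "egress": egress, "verdict": verdict}


def triage(route_text=SHOW_ROUTE, logs=SAMPLE_LOGS):
    """Classify every deny line in logs against the parsed route table."""
    routes = parse_routes(route_text)
    return [r for r in (classify_deny(routes, line) for line in logs) if r]


if __name__ == "__main__":
    for result in triage():
        print(result)
```

Running it shows the first flow (172.16.1.50 to 172.27.199.10, arriving on inside and routed back out inside via 172.16.1.3) as a hairpin, which is the situation in the question, while the second (arriving on outside) is an ordinary inter-interface flow where the ACL advice in the first reply applies.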
