12-07-2015 03:27 PM - edited 03-12-2019 12:00 AM
Hi
I am asking for the community wisdom on the following customer reported problem.
Given the following simplified topology (I do not have a detailed running-config for this either...)
Outside -- default route
Inside -- some 10/8 networks, which might have overlapping subnets with the networks behind the DMZ if!!
DMZ -- many networks behind this if, in 10.x.x.x, but NOT routed on the ASA!
The customer wants the 10.x.x.x/8 _not_ to appear in the ASA routing table towards the DMZ, and therefore configures PBR on specific inside sources to be sent in this direction. In the route-map they use "set ip next-hop".
Inside -> (PBR + sNAT) -> DMZ: works fine
DMZ -> static NAT -> Inside: the returning reply fails: "Routing failed to locate next hop for ..."
The first case, sNAT, is like accessing anything outside:
nat (any,DMZ-networks) after-auto source dynamic any pat-pool pat-DMZ-range extended
Works fine.
In the second (DMZ->Inside) case the packets reach the inside host/real server, but the replies get "routing failed". This case is rather like offering an inside service to the public internet, hoping that the xlate entry or the PBR redirects the reply packet towards the DMZ where it came from, instead of the default Outside.
We tried to enforce the return path with an identity sNAT:
nat (Inside,DMZ) source static REAL-INSIDE-ADDR GLOBAL-DMZ-ADDR destination static DMZ-10_x_x_x DMZ-10_x_x_x service SVC-GLOBAL SVC-LOCAL
On this last NAT entry we see the hit count increasing when testing (initiating traffic) from the DMZ, but we still get the "Routing failed for" syslog.
An additional, probably relevant, detail:
asa-1(config)# sh nat divert-table interface Inside
Divert Table
id=0x7ffc80e22240, domain=twice-nat section=1 ignore=no
type=static, hits=0, flags=0x9, protocol=6
src ip/id=10.a.b.c, mask=255.255.255.255, port=1111-1111
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0-0
input_ifc=Inside, output_ifc=DMZ
id=0x7ffcbdf1a300, domain=auto-nat section=2 ignore=yes
(port 1111 is on the local, real server; 10.0.0.0/8 is on interface DMZ; PBR should forward that)
This last statement, "ignore=yes", is confusing.
Anyway, if there is a route lookup, PBR should direct the packet towards the DMZ; if not, the existing xlate entry should force the returning packet to exit on the DMZ interface.
Both should forward the reply packets towards the DMZ if.
Still getting the "routing failed" message.
Any advice, experts?
thanks,
jonagy
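For readers who want to see the arrangement described in the post as configuration, the following is an added illustration, not configuration taken from the original post and not a fix for the reported problem. Interface names, the next-hop 10.0.0.1, the PAT range, the mapped address 10.200.0.100 and the port numbers are assumptions; the object names are the ones used in the post. The DMZ interface is assumed to be called "DMZ" throughout (the post's dynamic PAT rule names it "DMZ-networks"). One caveat on the twice-NAT rule: in the "service" clause the first object is the real service and the second the mapped one, so the ports are assumed here accordingly, with 1111 on the real server as the divert-table entry indicates.

```cisco
! Added example: PBR plus the two NAT rules described in the post, with placeholder names.
! Interface names, next-hop, PAT range, mapped address and ports are assumptions.
!
! Inside sources that may talk to the 10/8 networks behind the DMZ (PBR match)
access-list PBR-TO-DMZ extended permit ip host 10.a.b.c 10.0.0.0 255.0.0.0
!
! Route-map: send matching traffic to the DMZ router instead of following the routing table
route-map PBR-INSIDE permit 10
 match ip address PBR-TO-DMZ
 set ip next-hop 10.0.0.1
!
! PBR is applied on the ingress interface (supported from ASA 9.4(1))
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 policy-route route-map PBR-INSIDE
!
! Case 1, Inside -> DMZ: dynamic PAT into a DMZ-side pool, evaluated after the auto NAT rules
object network pat-DMZ-range
 range 10.200.0.1 10.200.0.10
nat (any,DMZ) after-auto source dynamic any pat-pool pat-DMZ-range extended
!
! Case 2, DMZ -> Inside: static twice NAT; a DMZ host reaching GLOBAL-DMZ-ADDR on the mapped port
! is translated to REAL-INSIDE-ADDR on the real server port, destination kept as identity
object network REAL-INSIDE-ADDR
 host 10.a.b.c
object network GLOBAL-DMZ-ADDR
 host 10.200.0.100
object network DMZ-10_x_x_x
 subnet 10.0.0.0 255.0.0.0
object service SVC-GLOBAL
 service tcp destination eq 1111
object service SVC-LOCAL
 service tcp destination eq 8080
nat (Inside,DMZ) source static REAL-INSIDE-ADDR GLOBAL-DMZ-ADDR destination static DMZ-10_x_x_x DMZ-10_x_x_x service SVC-GLOBAL SVC-LOCAL
```

The twice-NAT rule fixes the egress interface (DMZ) for matching connections, which is what the "output_ifc=DMZ" entry in the divert table reflects; whether the next hop on that interface can then be resolved without a route for the 10.x.x.x destinations is exactly the question the post raises, and this example does not answer it.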
12-09-2015 02:02 PM
The reason might be this: