4689 Views, 20 Helpful, 7 Replies

ASA 9.9(1) NAT to single interface working, but NAT to BVI gives Routing Failed to Locate Next Hop Error

ScottyMac
Level 1

Hi, I have a 5506-X that was running 9.6 with a simple setup that had a small external switch to bridge the inside, firepower, and our network together.
I upgraded to 9.9(1) and wanted to make use of the new BVI feature and eliminate the external switch.
I set up a BVI with our 192.168.1.0/24 network and then set up interfaces 2, 7, and 8 as part of the bridge group and hooked it all up.
Everything is working and communicating fine except for one thing: the NAT rule to RDP into our inside-server no longer works.


When I test the internal port (3389) from inside it shows listening, but when I test the external port from outside (33320) it shows filtered.
When I test from outside, I get a log "Routing failed to locate next hop for TCP from outside:x.x.x.x/12345 to int.1:y.y.y.y/33320", and it gives a packet dropped "No valid adjacency".
What's weird is that egress interface "int.1" is correct but the y.y.y.y/33320 is my outside IP and the external port when it should be the IP and port of my inside-server.
It's as if it's trying to send it back out the default route because it can't find the internal route.
Yet my ARP table shows the inside-server with the correct IP and MAC sitting there.

What's interesting is that when I use the packet tracer, the Un-NAT matches the correct rule and shows "NAT divert to egress interface int.1 Untranslate y.y.y.y/33320 to 192.168.1.20/3389", and that's exactly correct.

Frustrated,
Scott

:
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.9(1)
!
hostname ciscoasa
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
bridge-group 1
nameif int.1-2
security-level 100
!
interface GigabitEthernet1/3
bridge-group 99
nameif wifi.99-3
security-level 100
!
interface GigabitEthernet1/4
bridge-group 99
nameif wifi.99-4
security-level 100
!
interface GigabitEthernet1/5
bridge-group 99
nameif wifi.99-5
security-level 100
!
interface GigabitEthernet1/6
shutdown
nameif dmz.6
security-level 50
ip address 192.168.6.1 255.255.255.0
!
interface GigabitEthernet1/7
bridge-group 1
nameif int.1-7
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif int.1-8
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif int.1
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface BVI99
nameif wifi.99
security-level 100
ip address 192.168.99.1 255.255.255.0
!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network obj_any
subnet 0.0.0.0 0.0.0.0
object network public_ip
host y.y.y.y
object network inside-server
host 192.168.1.20
object service RDP-33320
service tcp destination eq 33320
object service RDP-3389
service tcp destination eq 3389

access-list outside_access_in_1 extended permit object RDP-3389 any object sc0tt-pc log emergencies

nat (outside,any) source static any any destination static interface inside-server service RDP-33320 RDP-3389 no-proxy-arp
!
object network obj_any
nat (any,outside) dynamic interface
access-group outside_access_in_1 in interface outside
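As an added triage aid (not part of Scott's post and not Cisco tooling), the Python below parses the bridge-group 1 portion of the config above together with the quoted syslog line and reports whether the egress nameif in the drop message is a BVI, which member interfaces sit behind it, and whether the NAT rule's interface pair names one of those members or the catch-all `any`. One thing to check against the NAT guidelines for the running release is whether NAT for a bridge group has to reference the member interfaces rather than the BVI nameif; the script only surfaces which names the rule and the drop log actually resolve to.

```python
import re

# Constructed excerpt of the config posted in the thread (bridge group 1 only).
CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
interface GigabitEthernet1/2
 bridge-group 1
 nameif int.1-2
interface GigabitEthernet1/7
 bridge-group 1
 nameif int.1-7
interface GigabitEthernet1/8
 bridge-group 1
 nameif int.1-8
interface BVI1
 nameif int.1
nat (outside,any) source static any any destination static interface inside-server service RDP-33320 RDP-3389 no-proxy-arp
"""

# Syslog line quoted in the post, with the poster's masked addresses.
SYSLOG = ("Routing failed to locate next hop for TCP from "
          "outside:x.x.x.x/12345 to int.1:y.y.y.y/33320")

def parse_interfaces(config):
    """Return {nameif: {'is_bvi': bool, 'bridge_group': int or None}}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            bvi = m.group(1).startswith("BVI")  # BVI<n> belongs to bridge group n
            cur = {"is_bvi": bvi, "bridge_group": int(m.group(1)[3:]) if bvi else None}
        elif m := re.match(r"\s*bridge-group (\d+)", line):
            cur["bridge_group"] = int(m.group(1))
        elif m := re.match(r"\s*nameif (\S+)", line):
            ifaces[m.group(1)] = cur
    return ifaces

def triage(config, syslog):
    """Cross-reference the drop log's egress nameif with the NAT interface pair."""
    ifaces = parse_interfaces(config)
    egress = re.search(r" to ([^:\s]+):", syslog).group(1)          # "int.1"
    src_if, dst_if = re.search(r"^nat \(([^,]+),([^)]+)\)", config, re.M).groups()
    info = ifaces.get(egress, {"is_bvi": False, "bridge_group": None})
    members = sorted(n for n, i in ifaces.items()                   # physical members
                     if i["bridge_group"] == info["bridge_group"] and not i["is_bvi"])
    return {"egress": egress, "egress_is_bvi": info["is_bvi"],
            "bridge_members": members, "nat_pair": (src_if, dst_if),
            "nat_dst_names_member": dst_if in members}

print(triage(CONFIG, SYSLOG))
```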