Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4208
Views
20
Helpful
7
Replies

ASA 9.9(1) NAT to single interface working, but NAT to BVI gives Routing Failed to Locate Next Hop Error

Go to solution
ScottyMac
Level 1
Level 1

‎02-22-2018 10:51 AM - edited ‎02-21-2020 07:24 AM

 

Hi, I have a 5506-X that was running 9.6 with a simple setup that had a small external switch to bridge the inside, firepower, and our network together.
I upgraded to 9.9(1) and wanted to make use of the new BVI feature and eliminate the external switch.
I setup a BVI with our 192.168.1.0/24 network and then setup interfaces 2, 7, and 8 as part of the bridge group and hooked it all up.
Everything is working and communicating fine except for one thing: the NAT rule to RDP into our inside-server no longer works.


When I test the internal port (3389) from inside it shows listening but when i test the external port from outside (33320) it shows filtered.
When i test from outside, I get a log "Routing failed to locate next hop for TCP from outside:x.x.x.x/12345 to int.1:y.y.y.y/33320", it gives a packet dropped "No valid adjacency".
What's weird is that egress interface "int.1" is correct but the y.y.y.y/33320 is my outside IP and the external port when it should be the IP and port of my inside-server.
It's as if it's trying to send it back out the default route because it can't find the internal route.
Yet my ARP table shows the inside-server with the correct IP and MAC sitting there.

What's interesting is that when i use the packet trace, the Un-Nat matches the correct rule, and shows "NAT divert to egress interface int.1 Untranslate y.y.y.y/33320 to 192.168.1.20/3389" and that's exactly correct.

 

Frustrated,
Scott

 

:
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.9(1)
!
hostname ciscoasa
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
bridge-group 1
nameif int.1-2
security-level 100
!
interface GigabitEthernet1/3
bridge-group 99
nameif wifi.99-3
security-level 100
!
interface GigabitEthernet1/4
bridge-group 99
nameif wifi.99-4
security-level 100
!
interface GigabitEthernet1/5
bridge-group 99
nameif wifi.99-5
security-level 100
!
interface GigabitEthernet1/6
shutdown
nameif dmz.6
security-level 50
ip address 192.168.6.1 255.255.255.0
!
interface GigabitEthernet1/7
bridge-group 1
nameif int.1-7
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif int.1-8
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif int.1
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface BVI99
nameif wifi.99
security-level 100
ip address 192.168.99.1 255.255.255.0
!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network obj_any
subnet 0.0.0.0 0.0.0.0
object network public_ip
host y.y.y.y
object network inside-server
host 192.168.1.20
object service RDP-33320
service tcp destination eq 33320
object service RDP-3389
service tcp destination eq 3389

access-list outside_access_in_1 extended permit object RDP-3389 any object sc0tt-pc log emergencies

nat (outside,any) source static any any destination static interface inside-server service RDP-33320 RDP-3389 no-proxy-arp
!
object network obj_any
nat (any,outside) dynamic interface
access-group outside_access_in_1 in interface outside

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Flavio Miranda
VIP
VIP

‎02-22-2018 06:32 PM

HI

 

 Although everything looks strait, I ´d change this statement "nat (outside,any)" and I´d actually put the destination interface here instead any.

 

 

 

 

 

-If I helped you somehow, please, rate it as useful.-

View solution in original post

7 Replies 7

Go to solution
Flavio Miranda
VIP
VIP

‎02-22-2018 06:32 PM

HI

 

 Although everything looks strait, I ´d change this statement "nat (outside,any)" and I´d actually put the destination interface here instead any.

 

 

 

 

 

-If I helped you somehow, please, rate it as useful.-

Go to solution
ScottyMac
Level 1
Level 1
In response to Flavio Miranda

‎02-24-2018 10:25 AM

thx! "nat (outside,any)" changed to a "nat (outside, inside_1)"
this was the key to the solution. turns out that even though you can have a few ports "bridged" you still have to repeat the nat rules specifically for each physical interface - both the inbound nat and outbound pat rules. imho one should be able to setup nat rules against just the bridge-group logical interface, as it is with any other logical interface. cisco should then internally span those rules to each physical interface that is part of the bridge group on their own behind the scenes.

Go to solution
stephensuley
Level 1
Level 1
In response to ScottyMac

‎03-22-2018 08:34 AM

I believe I am being impacted by this gap in functionality as well. 

 

Please Cisco fix this issue with the bvi and NAT statements. 

0 Helpful

Go to solution
M Mohammed
Level 1
Level 1

‎02-23-2018 02:15 AM - edited ‎02-27-2018 02:06 AM

 
0 Helpful

Go to solution
Florin Barhala
Level 6
Level 6

‎03-23-2018 01:42 AM

I have a question/curiosity: what's the logic of using nameif for the physical interfaces part of one bridge group? 

My understanding is that all those interfaces part of bridge group act as L2 interfaces while nameif should be ON for any L3 interfaces where intervlan_routing and firewall_access is being used.

 

 

0 Helpful

Go to solution
ScottyMac
Level 1
Level 1
In response to Florin Barhala

‎03-24-2018 04:13 PM

They do, all interfaces that are part of a bridge group receive copies of all traffic on each of the interfaces including broadcasts.  BUT, when setting up NAT rules, they must be duplicated for each physical interface.  IMHO the physical interfaces that are part of a bridge group should not have nameifs and they should never be addressed directly in any rules of any kind - rather, only the bridge-group name should be used.  Consider that if you used only one physical interface, but then added a small switch to it like we've always had to - then you would not have to repeat the NAT rules.   This is a bug or over site imho. 

Go to solution
stephensuley
Level 1
Level 1
In response to ScottyMac

‎04-03-2018 06:39 AM

Hi Scott,

 

With respect the NAT statements I'm seeing the same behavior. However in addition to having to configure a series of NAT statements for each port, I'm also running into the behavior that wants the correct physical nameif and correct inside HOST IP combination ( I'm using DNATs) to be the first in the series of statements or it doesn't work. 

 

Just wondering if you are able to confirm that additional behavior as well?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card