Solved: Re: cisco asa route-lookup for 8.2

drlbaluyut · ‎01-11-2019

Hello

Sorry for my noob question, i have a config below from 8.2

access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.172.8.224 255.255.255.224

nat (inside) 0 access-list NO-NAT

FW# sh route | i 10.172.8.224
D 10.172.8.224 255.255.255.248 [90/3072] via 10.172.8.33, 798:37:40, inside
S 10.172.8.224 255.255.255.224 [1/0] via 203.9.248.21, outside

FW# packet-tracer input inside tcp 10.3.3.3 443 10.172.8.224 $

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.172.8.224 255.255.255.248 inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Based from the packet tracer, why does the ASA preferred the EIGRP route (exit interface is inside) instead of the static route (exit interface is outside)?

Rob Ingram · ‎01-11-2019

Hi,
The EIGRP route is more specific than the static route, a /29 versus a /27

If they both had the same netmark I'd imagine the static route would be preferred.
HTH

View solution in original post

Rob Ingram · ‎01-11-2019

Hi,
The EIGRP route is more specific than the static route, a /29 versus a /27

If they both had the same netmark I'd imagine the static route would be preferred.
HTH

drlbaluyut · ‎01-11-2019

Hi

Oh ok, i did not notice the more specific subnet mask. Thank you!