cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1062
Views
0
Helpful
3
Replies
lsoinatel00416
Beginner

Default gateway not working ASA 5505 8.4.2 - Packet Tracer 7.2.2

Hy,

I´ve configured a "default route" in my ASA 5505 (8.4.2) but it is not working. When I try to send a packet toward a internet (public address), for instance 172.217.30.14, the packet is dropped with the message below: 

Inboud PDU:

1. The device looks up the destination IP address in the CEF table.

2. The CEF table does not have an entry for the destination IP address.

3. The device looks up the destination IP address in the routing table.

Outbound PDU:

1. The routing table finds a routing entry to the destination IP address.

2. The destination network can be reached via 172.217.30.14.

1. The next-hop IP address is not in the ARP table. The ARP process tries to send an ARP request for that IP address and drops this packet.

Why 172.217.30.14? My default gateway is 10.11.11.2, instead (my next hop). ASA does not send the packet to the default gateway, sends a ARP request (broadcast FFFFFF....) and the Gateway drops the packet.

The entire configuration:

ASA Version 8.4(2)

!

hostname ciscoasa

names

!

interface Ethernet0/0

switchport access vlan 249

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 49

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

no nameif

no security-level

no ip address

!

interface Vlan2

no nameif

no security-level

ip address dhcp

!

interface Vlan49

nameif OUTSIDE

security-level 0

ip address 10.11.11.1 255.255.255.252

!

interface Vlan249

no forward interface Vlan1

nameif INSIDE_CORP

security-level 70

ip address 10.1.249.1 255.255.255.0

!

object network in_corp

subnet 10.1.249.0 255.255.255.0

!

route OUTSIDE 0.0.0.0 0.0.0.0 10.11.11.2 1

!

access-list outside_in extended permit icmp any any echo-reply

access-list outside_in extended permit icmp any any unreachable

access-list outside_in extended deny ip any any

access-list 101 extended permit udp 10.1.249.0 255.255.255.0 host 10.1.20.12 eq domain

 

access-group outside_in in interface OUTSIDE

object network in_corp

nat (INSIDE_CORP,OUTSIDE) dynamic interface

 

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect dns

inspect http

inspect icmp

!

service-policy global_policy global

!

telnet timeout 5

ssh timeout 5

!

dhcpd option 3 ip 10.1.249.1

 

dhcpd address 10.1.249.2-10.1.249.32 INSIDE_CORP

dhcpd dns 10.1.20.12 interface INSIDE_CORP

dhcpd enable INSIDE_CORP

!

Best regards,

Leonardo

3 REPLIES 3
Martin L
VIP Advocate


please attach your PT file here; must be in zip format I think

Hi, attached the PT file.

 

Best;

Hi, attached the entire net (.pkt)

Take a look "ASA ASA-SP" - You can try ping "www.google.com" from notebook "Corporativo TI(DHCP)". When the packet get in the ASA-SP, it sends a broadcast ARP (I don´t know why) and dropped it.

 

Best,

Leonardo