Failed to locate egress interface for TCP from DMZ

itlklubos6
Level 1

Hi,

I have ASA 5505, in routed mode, basic license.

I run a web server in the DMZ. I can reach the Internet from the DMZ. Also, the traffic from outside can reach the web server. However, if the web site is requested from within the DMZ, the request fails, and the firewall log contains the following message:

Failed to locate egress interface for TCP from DMZ50: 30.30.30.10/49213 to 170.70.30.114/80

I don't have DNS, so the request must go to the Internet, even though the web site is hosted on the server in the DMZ.

Here is a sample of my config file:

---------------------------------------------
interface Vlan1
 nameif inside
 security-level 100
 ip address 162.160.1.3 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 170.70.30.114 255.255.255.252
!
interface Vlan5
 description Interface for myWeb, DMZ level 50
 no forward interface Vlan1
 nameif MyDMZ
 security-level 50
 ip address 30.30.30.1 255.255.255.0
!
dns server-group DefaultDNS
 domain-name mydomain
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network myWeb
 host 30.30.30.10
object-group network DMZ-DEFAULT-PAT-SOURCE
 network-object 30.30.30.0 255.255.255.0
access-list OUTSIDE-IN extended permit tcp any object myWeb eq www
arp timeout sometimeout
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
object network myWeb
 nat (MyDMZ,outside) static interface no-proxy-arp service tcp www www
!
nat (inside,outside) after-auto source dynamic any interface
nat (MyDMZ,outside) after-auto source dynamic DMZ-DEFAULT-PAT-SOURCE interface
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 170.70.30.113 1
user-identity default-domain LOCAL
http server enable
http 162.160.1.0 255.255.255.0 inside
dhcpd address 162.160.1.7-162.160.1.134 inside
dhcpd enable inside
!

What can be the reason for requests originating in the DMZ to fail, and how could it be fixed?

Thank you for your help.

2 Replies

Akshay Dubey
Cisco Employee

Hi,

Try to use DNS doctoring:

object network myWeb
 nat (MyDMZ,outside) static interface dns no-proxy-arp

If both the client and the server are in the same subnet then it would work fine. Otherwise, if the traffic has to come to the ASA and then go back out the MyDMZ interface, then apply:

same-security-traffic permit intra-interface

Hope this helps.

-Akshay

Hi all,

I have the same problem, but I get the following error only when I want to reach the FW interface IP on an ASA 5506, IOS version 9.5.3.

Basic configuration: no NAT, no DHCP in my configuration, and I use static routes.

When I ping the FW interconnection interface (10.29.10.6) it works.

When I ping from the FW I can reach all servers.

When I try to reach the FW interface IPs I can see packets arriving at the FW, but it doesn't return, and I get the following error:

Failed to locate egress interface for ICMP from intranet:10.10.30.131/1 to 10.29.10.22/0

Please find below my configuration

interface GigabitEthernet1/1
 description TO_Core_Layer_Gi0/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1.300
 description Intranet
 vlan 10
 nameif intranet
 security-level 0
 ip address 10.29.10.6 255.255.255.248 
!
interface GigabitEthernet1/1.301
 description DMZ
 vlan 11
 nameif DMZ
 security-level 0
 ip address 10.29.10.22 255.255.255.248 
!

interface Management1/1
 management-only
 nameif mgmt
 security-level 100
 ip address 10.17.26.221 255.255.255.240 
route intranet 0.0.0.0 0.0.0.0 10.29.10.1 1
route mgmt 10.2.69.28 255.255.255.255 10.17.26.220 1
route mgmt 10.2.69.29 255.255.255.255 10.17.26.220 1

The core layer configuration

interface GigabitEthernet1/22
 description TO FW PORT gi1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,11
 switchport mode trunk
end

ip route 10.29.10.16 255.255.255.248 10.29.10.6

interface vlan 10
 ip address 10.29.10.3 255.255.255.248
 no ip unreachables
 no ip mroute-cache
 standby 1 ip 10.29.10.1
 standby 1 timers 1 3
 standby 1 preempt


I have the same configuration on the other equipment except the interface vlan IP, which is 10.29.10.2.

Best regards
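Added troubleshooting example, not code from either poster or from Cisco: a small Python helper that parses the two "Failed to locate egress interface" lines quoted in the posts above and sorts each into the hairpin case Akshay's reply addresses (client and server both behind the ingress interface, destination is the mapped outside address, so the reply would have to go back out the way it came in) or a to-the-box case (destination is the ASA's own address on an interface other than the one the packet arrived on, which the ASA does not answer from a different interface, management-access aside). The interface tables and the static PAT dictionary are assumptions read off the two posted configs, and the log lines are the ones the posters quoted.

```python
import ipaddress
import re

# Interface tables constructed from the two posted configs (address/prefix).
ASA5505_IFACES = {"inside": "162.160.1.3/24", "outside": "170.70.30.114/30",
                  "MyDMZ": "30.30.30.1/24"}
ASA5506_IFACES = {"intranet": "10.29.10.6/29", "DMZ": "10.29.10.22/29",
                  "mgmt": "10.17.26.221/28"}
# Static PAT from post 1: (mapped address, proto, port) -> (real interface, real host).
ASA5505_STATIC = {("170.70.30.114", "TCP", 80): ("MyDMZ", "30.30.30.10")}

LOG_RE = re.compile(r"Failed to locate egress interface for (?P<proto>\w+) from "
                    r"(?P<ingress>[\w-]+):\s*(?P<src>[\d.]+)/(?P<sport>\d+) to "
                    r"(?P<dst>[\d.]+)/(?P<dport>\d+)")

def parse_egress_failure(line):
    """Return proto/ingress/src/sport/dst/dport from one syslog line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def classify(ev, ifaces, static=None):
    """Return (reason, detail): 'hairpin' when dst is a mapped address whose real
    host shares the source's subnet (reply must exit via the ingress interface);
    'to-the-box' when dst is the ASA's own address on a non-ingress interface;
    'other' when neither pattern matches (then check the route to dst)."""
    src, dst = ipaddress.ip_address(ev["src"]), ipaddress.ip_address(ev["dst"])
    key = (ev["dst"], ev["proto"].upper(), ev["dport"])
    if static and key in static:
        real_if, real_host = static[key]
        if src in ipaddress.ip_interface(ifaces[real_if]).network:
            return "hairpin", "dst maps to %s behind %s" % (real_host, real_if)
    for name, cidr in ifaces.items():
        if dst == ipaddress.ip_interface(cidr).ip and name != ev["ingress"]:
            return "to-the-box", "dst is the ASA's own %s interface address" % name
    return "other", "no static mapping or own interface address matched"

if __name__ == "__main__":
    for line, ifaces, static in [  # the two lines quoted in the posts above
        ("Failed to locate egress interface for TCP from DMZ50: 30.30.30.10/49213 "
         "to 170.70.30.114/80", ASA5505_IFACES, ASA5505_STATIC),
        ("Failed to locate egress interface for ICMP from intranet:10.10.30.131/1 "
         "to 10.29.10.22/0", ASA5506_IFACES, None)]:
        print(classify(parse_egress_failure(line), ifaces, static))
```

The first line classifies as hairpin (the case the reply's intra-interface permit and DNS doctoring target), the second as to-the-box.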

