failed to locate egress interface ( just learning)

tdra4u1974
Level 1

I keep getting "failed to locate egress" with lag spikes. I printed out a

RUDYASA# sh asp table routing
in   255.255.255.255 255.255.255.255 identity
in   127.1.0.1       255.255.255.255 identity
in   10.10.10.1      255.255.255.255 identity
in   1.2.3.0         255.255.255.255 identity
in   10.10.10.0      255.255.255.0   inside
in   1.2.3.0         255.255.252.0   outside
in   127.1.0.0       255.255.0.0     _internal_loopback
in   0.0.0.0         0.0.0.0         outside
out  255.255.255.255 255.255.255.255 outside
out  1.2.3.0         255.255.252.0   outside
out  224.0.0.0       240.0.0.0       outside
out  0.0.0.0         0.0.0.0         via 1.2.3.0, outside
out  255.255.255.255 255.255.255.255 inside
out  10.10.10.0      255.255.255.0   inside
out  224.0.0.0       240.0.0.0       inside
out  255.255.255.255 255.255.255.255 _internal_loopback
out  127.1.0.0       255.255.0.0     _internal_loopback
out  224.0.0.0       240.0.0.0       _internal_loopback
out  0.0.0.0         0.0.0.0         via 0.0.0.0, identity
out  ::              ::              via 0.0.0.0, identity

Any ideas?

Thanks for the help. Simple for others.

8 Replies

Jouni Forss
VIP Alumni

Hi,

Well, it seems to state that there is a default route through "outside" and that the network 10.10.10.0/24 is located on the "inside".

What is telling you the "failed to locate egress interface"? Some syslog message, or perhaps the "packet-tracer" command?

- Jouni
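To make Jouni's reading of the table concrete, here is an added Python example (not from the thread or from Cisco) that parses the `out` rows of the quoted `sh asp table routing` output and performs the longest-prefix lookup that decides the egress interface for a destination. The table text is copied from the first post, with the poster's masked 1.2.3.0 prefix; reporting every interface tied at the longest prefix, rather than picking one, is my simplification.

```python
import ipaddress
import re

# Sample input: the "out" rows of the "sh asp table routing" output quoted
# in the first post (the poster masked the public prefix as 1.2.3.0).
ASP_TABLE = """\
out  255.255.255.255 255.255.255.255 outside
out  1.2.3.0         255.255.252.0   outside
out  224.0.0.0       240.0.0.0       outside
out  0.0.0.0         0.0.0.0         via 1.2.3.0, outside
out  255.255.255.255 255.255.255.255 inside
out  10.10.10.0      255.255.255.0   inside
out  224.0.0.0       240.0.0.0       inside
out  255.255.255.255 255.255.255.255 _internal_loopback
out  127.1.0.0       255.255.0.0     _internal_loopback
out  224.0.0.0       240.0.0.0       _internal_loopback
out  0.0.0.0         0.0.0.0         via 0.0.0.0, identity
out  ::              ::              via 0.0.0.0, identity
"""

# direction, address, mask, optional "via <next-hop>,", interface name
ROW = re.compile(r"^(in|out)\s+(\S+)\s+(\S+)\s+(?:via\s+(\S+),\s+)?(\S+)$")

def parse_asp_table(text):
    """Return (direction, network, next_hop_or_None, interface) tuples.
    The IPv6 '::' default row is skipped; this example is IPv4 only."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or ":" in m.group(2):
            continue
        direction, addr, mask, via, ifc = m.groups()
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rows.append((direction, net, via, ifc))
    return rows

def egress_for(dst, rows):
    """Longest-prefix match of dst against the 'out' rows. Returns
    {interface: next_hop} for every row tied at the longest prefix; more than
    one key means the table alone does not name one egress interface."""
    ip = ipaddress.ip_address(dst)
    best, hits = -1, {}
    for direction, net, via, ifc in rows:
        if direction != "out" or ip not in net:
            continue
        if net.prefixlen > best:
            best, hits = net.prefixlen, {ifc: via}
        elif net.prefixlen == best:
            hits[ifc] = via
    return hits
```

Running `egress_for("10.10.10.5", ...)` gives only "inside" and `egress_for("8.8.8.8", ...)` falls through to the two 0.0.0.0/0 rows, which is the default-route-via-outside reading above.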

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.10.0     255.255.255.0   inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any log debugging
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
   dynamic translation to pool 1 (1.2.3.0 [Interface PAT])

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
   dynamic translation to pool 1 (No matching global)
   translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 304505, packet dispatched to next module

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 98.164.248.1 using egress ifc outside
adjacency Active
next-hop mac address 0014.f1e6.fa32 hits 30

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Thank you for your help, Jouni.

Hi,

Can you share the "packet-tracer" command you used for that output?

The end result seems strange. It states that the "inside" interface is both the source and the destination. Yet in the above phases it states that it does the route lookup for both the source and the destination network, and they define that the source is "inside" and the destination is "outside".

If the actual "packet-tracer" command doesn't tell me anything, we would probably have to see the configuration on the firewall.

- Jouni

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.06.05 01:38:04 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved
:
ASA Version 8.0(2)
!
hostname RUDYASA
domain-name HOME

names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name HOME
object-group service Lorena_OUT tcp-udp
description Lorena_OUT
port-object eq 443
port-object eq 5000
port-object eq 5001
port-object eq 5050
port-object eq 5100
port-object eq www
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service Home_out tcp-udp
description home_out
port-object eq 443
port-object eq domain
port-object eq www
object-group network IP_OUT
description IP_OUT
network-object host 10.10.10.111
access-list inside_access_in extended permit ip object-group IP_OUT any
access-list inside_access_in remark HOME defualt
access-list inside_access_in extended permit object-group TCPUDP any any object-group Home_out inactive
access-list inside_access_in extended permit ip any any log debugging
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn RUDYASA
subject-name CN=RUDYASA
no client-types
crl configure

  quit
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal

console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.10.10.3-10.10.10.20 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global

prompt hostname context

: end

RUDYASA#   

Hi,

Can you also share with us the "packet-tracer" command you used to get the previous output?

Now that I look at the first post's output, these seem very strange to me:

in   1.2.3.0         255.255.255.255 identity
in   1.2.3.0         255.255.252.0   outside
out  0.0.0.0         0.0.0.0         via 1.2.3.0, outside

Does that 1.2.3.0 say anything to you? I don't see it referenced in any configuration. Also the "identity" section of the above output is strange. To me it seems to state that it's directly on some ASA interface.

Seems you are using DHCP on the ASA's "outside" interface, so you are getting both the IP address and the default route from the ISP. Have you booted the device?

Do you have access to download newer software for the ASA, like 8.2(5), if this is some kind of bug? I didn't find anything resembling this yet.

I would have to say your configuration is very basic and should cause no problem.

The only special things related to routing in your configuration are the "outside" interface DHCP related configurations and these:

ip verify reverse-path interface inside
ip verify reverse-path interface outside

You can remove the above configurations for test purposes if you want to try.

- Jouni

Sorry, 1.2.3.0 is my public IP address, hidden... forgot to say that... it's been a long day... No, I do not have access to download new software. Been looking for work for 8 months...

Just a note that I edited my previous post with new information after it was posted.

- Jouni
