12-15-2017 11:12 AM - edited 02-21-2020 06:57 AM
Hi,
I have the below topology
asa fw running in active standby mode
R1 and R2 are routers which are connected to ISPs.
On R1 and R2 HSRP is running.
R1
interface gi0/1
ip address 4.4.4.2 255.255.255.252 -connected to isp router 1
interface GigabitEthernet0/2
ip address 1.1.1.2 255.255.255.0 (connected to sw1 from switch to asa1 outside interface )
ip route 2.2.2.0 255.255.255.0 GigabitEthernet0/2
!
router bgp 60000
network 1.1.1.0 mask 255.255.255.0
network 2.2.2.0 mask 255.255.255.0
neighbor 4.4.4.4 remote-as 52578
neighbor 4.4.4.4 ttl-security hops 1
neighbor 4.4.4.4 timers 5 20 20
R2
interface gi0/1
ip address 4.4.4.5 255.255.255.252 -connected to isp router 2
interface GigabitEthernet0/2
ip address 1.1.1.3 255.255.255.0 (connected to sw2 from switch to asa2 outside interface )
ip route 2.2.2.0 255.255.255.0 GigabitEthernet0/2
!
router bgp 60000
network 1.1.1.0 mask 255.255.255.0
network 2.2.2.0 mask 255.255.255.0
neighbor 4.4.4.4 remote-as 52578
neighbor 4.4.4.4 ttl-security hops 1
neighbor 4.4.4.4 timers 5 20 20
Asa outside interface ip
1.1.1.3 255.255.255.0
I did a static NAT 2.2.2.100 to 192.168.2.10 (verified route from ASA inside interface).
It did not work.
From R1 I did a traceroute to 2.2.2.100, which shows a loop:
Tracing the route to 2.2.2.100
VRF info: (vrf in name/id, vrf out name/id)
1 (1.1.1.3) 0 msec 0 msec 0 msec (R2 gi0/1 which is connected to ASA 2 through sw2)
2 4.4.4.6[AS XXXX] 4 msec 0 msec 4 msec (connection to ISP from R2 )
3 4.4.4.1 [AS XXXX] 0 msec 0 msec 0 msec (connection to ISP from R1 )
4 4.4.4.2 [AS XXXX] 0 msec 0 msec 4 msec (R1 gi0/1 which is connected to ASA 1 through sw1)
5 (1.1.1.3) 0 msec 0 msec 0 msec
6 4.4.4.6[AS XXXX] 4 msec 4 msec 0 msec
7 4.4.4.1 [AS XXXX] 4 msec 4 msec 0 msec
8 4.4.4.2 [AS XXXX] 4 msec 0 msec 4 msec
On router R1, ARP shows that 2.2.2.100's MAC address is reachable through R2's gi0/1. (2.2.2.100's MAC address in the ARP table is interface gi0/1's MAC address.)
I tried to clear the ARP table but it was no use.
Thanks
12-23-2017 04:05 PM
Hi
I copied and pasted your exact config and I'm not able to do a traceroute to 2.2.2.100 because your outside ACL is allowing only HTTP and HTTPS:
R1#traceroute 2.2.2.100
Type escape sequence to abort.
Tracing the route to 2.2.2.100
1 * * *
2 * * *
3 * * *
4 *
ASA logs:
3|Dec 23 2017 23:52:01|106014: Deny inbound icmp src Outside:1.1.1.2 dst inside:192.168.2.10 (type 8, code 0)
3|Dec 23 2017 23:52:02|106014: Deny inbound icmp src Outside:1.1.1.2 dst inside:192.168.2.10 (type 8, code 0)
However, if for testing I modify the ACL to permit ip any any, everything works:
R1#traceroute 2.2.2.100
Type escape sequence to abort.
Tracing the route to 2.2.2.100
1 2.2.2.100 8 msec 4 msec *
The following route on ASA isn't needed: route Outside 2.2.2.0 255.255.255.0 1.1.1.1 1
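Two checks from this thread, as an added example that is not code from either poster: a parser for the IOS traceroute output that detects the repeating hop cycle seen in the original post, and a parser for the ASA 106014 deny messages quoted in the reply. The sample traceroute and log lines are constructed from the text above; the regexes and function names are my own.

```python
import re

# Constructed sample: the IOS traceroute from the original post with the
# poster's per-hop annotations removed.
TRACEROUTE = """Tracing the route to 2.2.2.100
VRF info: (vrf in name/id, vrf out name/id)
  1 (1.1.1.3) 0 msec 0 msec 0 msec
  2 4.4.4.6 [AS XXXX] 4 msec 0 msec 4 msec
  3 4.4.4.1 [AS XXXX] 0 msec 0 msec 0 msec
  4 4.4.4.2 [AS XXXX] 0 msec 0 msec 4 msec
  5 (1.1.1.3) 0 msec 0 msec 0 msec
  6 4.4.4.6 [AS XXXX] 4 msec 4 msec 0 msec
  7 4.4.4.1 [AS XXXX] 4 msec 4 msec 0 msec
  8 4.4.4.2 [AS XXXX] 4 msec 0 msec 4 msec
"""
# Constructed sample: the two ASA 106014 deny messages quoted in the reply.
ASA_LOG = """3|Dec 23 2017 23:52:01|106014: Deny inbound icmp src Outside:1.1.1.2 dst inside:192.168.2.10 (type 8, code 0)
3|Dec 23 2017 23:52:02|106014: Deny inbound icmp src Outside:1.1.1.2 dst inside:192.168.2.10 (type 8, code 0)
"""

HOP_RE = re.compile(r"^\s*\d+\s+\(?(\d+\.\d+\.\d+\.\d+)\)?")
DENY_RE = re.compile(r"\|106014: Deny inbound (\w+) src (\w+):([\d.]+) dst (\w+):([\d.]+)"
                     r" \(type (\d+), code (\d+)\)")

def parse_hops(text):
    """Responding IP of each numbered hop, in order; '* * *' hops are skipped."""
    return [m.group(1) for m in (HOP_RE.match(ln) for ln in text.splitlines()) if m]

def find_loop(hops):
    """Shortest repeating hop cycle, or None if the path does not loop.
    A cycle of length k exists when hop i == hop i+k for every overlapping i."""
    n = len(hops)
    for k in range(1, n // 2 + 1):
        if all(hops[i] == hops[i + k] for i in range(n - k)):
            return hops[:k]
    return None

def parse_asa_denies(text):
    """Structured fields of each %ASA-3-106014 inbound deny message."""
    out = []
    for m in (DENY_RE.search(ln) for ln in text.splitlines()):
        if m:
            out.append({"proto": m.group(1), "src_if": m.group(2), "src": m.group(3),
                        "dst_if": m.group(4), "dst": m.group(5),
                        "icmp_type": int(m.group(6)), "icmp_code": int(m.group(7))})
    return out

if __name__ == "__main__":
    print("loop:", find_loop(parse_hops(TRACEROUTE)))  # the 4-hop R2 / ISP / R1 cycle
    print("denies:", parse_asa_denies(ASA_LOG))
```

A non-None result from find_loop is the forwarding loop the first poster saw; entries from parse_asa_denies with proto "icmp" on the outside interface are the ACL denies the reply points to, which is why the probes never reached 192.168.2.10.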