nat and route issue

elite2010
Level 3

Hi,

I have the below topology:

[attachment: asa.png]

The ASA firewalls are running in active/standby mode.

R1 and R2 are routers which are connected to the ISPs.
HSRP is running on R1 and R2.

R1

interface GigabitEthernet0/1
 ip address 4.4.4.2 255.255.255.252
 ! connected to ISP router 1
!
interface GigabitEthernet0/2
 ip address 1.1.1.2 255.255.255.0
 ! connected to sw1; from the switch to the ASA1 outside interface
!
ip route 2.2.2.0 255.255.255.0 GigabitEthernet0/2
!
router bgp 60000
 network 1.1.1.0 mask 255.255.255.0
 network 2.2.2.0 mask 255.255.255.0
 neighbor 4.4.4.4 remote-as 52578
 neighbor 4.4.4.4 ttl-security hops 1
 neighbor 4.4.4.4 timers 5 20 20

R2

interface GigabitEthernet0/1
 ip address 4.4.4.5 255.255.255.252
 ! connected to ISP router 2
!
interface GigabitEthernet0/2
 ip address 1.1.1.3 255.255.255.0
 ! connected to sw2; from the switch to the ASA2 outside interface
!
ip route 2.2.2.0 255.255.255.0 GigabitEthernet0/2
!
router bgp 60000
 network 1.1.1.0 mask 255.255.255.0
 network 2.2.2.0 mask 255.255.255.0
 neighbor 4.4.4.4 remote-as 52578
 neighbor 4.4.4.4 ttl-security hops 1
 neighbor 4.4.4.4 timers 5 20 20

ASA outside interface IP:

1.1.1.3 255.255.255.0

I did a static NAT of 2.2.2.100 to 192.168.2.10 (verified the route from the ASA inside interface).

It did not work.

From R1 I did a traceroute to 2.2.2.100, which shows a loop:

Tracing the route to 2.2.2.100
VRF info: (vrf in name/id, vrf out name/id)
  1 (1.1.1.3) 0 msec 0 msec 0 msec      (R2 gi0/1, which is connected to ASA2 through sw2)
  2 4.4.4.6 [AS XXXX] 4 msec 0 msec 4 msec  (connection to the ISP from R2)
  3 4.4.4.1 [AS XXXX] 0 msec 0 msec 0 msec  (connection to the ISP from R1)
  4 4.4.4.2 [AS XXXX] 0 msec 0 msec 4 msec  (R1 gi0/1, which is connected to ASA1 through sw1)
  5 (1.1.1.3) 0 msec 0 msec 0 msec
  6 4.4.4.6 [AS XXXX] 4 msec 4 msec 0 msec
  7 4.4.4.1 [AS XXXX] 4 msec 4 msec 0 msec
  8 4.4.4.2 [AS XXXX] 4 msec 0 msec 4 msec

On router R1, ARP shows that 2.2.2.100's MAC address is reachable through R2's gi0/1 (the MAC address for 2.2.2.100 in the ARP table is interface gi0/1's MAC address).

I tried to clear the ARP table, but to no avail.

Thanks

15 Replies

Hi

I copy-pasted your exact config and I'm not able to do a traceroute to 2.2.2.100 because your outside ACL is allowing only http and https:

R1#traceroute 2.2.2.100

Type escape sequence to abort.
Tracing the route to 2.2.2.100

1 * * *
2 * * *
3 * * *
4 *
ASA logs:

3|Dec 23 2017 23:52:01|106014: Deny inbound icmp src Outside:1.1.1.2 dst inside:192.168.2.10 (type 8, code 0)
3|Dec 23 2017 23:52:02|106014: Deny inbound icmp src Outside:1.1.1.2 dst inside:192.168.2.10 (type 8, code 0)

However, if for testing I modify the ACL to permit ip any any, everything works:


R1#traceroute 2.2.2.100

Type escape sequence to abort.
Tracing the route to 2.2.2.100

1 2.2.2.100 8 msec 4 msec *
The following route on ASA isn't needed: route Outside 2.2.2.0 255.255.255.0 1.1.1.1 1
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
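As an added example (not the original poster's configuration, which is not shown in the thread, and not the reply author's), here is one way to scope the outside ACL so that ping and traceroute to the translated address work without falling back to the `permit ip any any` used for the test above. The only things taken from the page are the addresses 2.2.2.100 and 192.168.2.10, the ASA interface names `Outside` and `inside` (as they appear in the 106014 log lines), and the fact that the deny was on ICMP type 8 (echo-request). The object name `srv_web`, the ACL name `Outside_in`, and the ASA version assumption are mine.

```cisco
! Added example, not the OP's config. Assumes ASA 8.3 or later: the 106014
! log shows the real (inside) address as the ACL destination, which is the
! post-8.3 behaviour, so the ACL below matches on the real address too.
! Object and ACL names are made up for illustration.
object network srv_web
 host 192.168.2.10
 nat (inside,Outside) static 2.2.2.100
!
! Outside ACL: keep the two web permits and add only what ping/traceroute
! need. Note the destination is the object (real address), not 2.2.2.100.
access-list Outside_in extended permit tcp any object srv_web eq www
access-list Outside_in extended permit tcp any object srv_web eq https
! Echo-request, i.e. ICMP type 8, the type the 106014 denies above were dropping.
! Needed for ping and for ICMP-based traceroute.
access-list Outside_in extended permit icmp any object srv_web echo
! UDP probes for the default IOS and Linux traceroute (dst ports 33434-33534).
access-list Outside_in extended permit udp any object srv_web range 33434 33534
access-group Outside_in in interface Outside
!
! Track ICMP as a connection so echo-replies and the ICMP errors that
! traceroute relies on return through the ASA without a reverse permit.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! What the reply used to prove the point, and what should NOT stay in place:
!   access-list Outside_in extended permit ip any any
!
! Verification (assumed names), run from the ASA:
!   packet-tracer input Outside icmp 1.1.1.2 8 0 2.2.2.100
!   show logging | include 106014
```

No `route Outside 2.2.2.0 255.255.255.0 ...` is needed on the ASA for this to work: because R1 and R2 carry an interface-only static route (`ip route 2.2.2.0 255.255.255.0 GigabitEthernet0/2`), they ARP for 2.2.2.100 directly on the 1.1.1.0/24 segment, and the ASA answers those ARPs itself for a static-NAT mapped address (proxy ARP is on by default for static NAT). The `packet-tracer` line shows whether an echo-request from R1 is translated and permitted before you touch the routers again.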