Static route problems

mehrzad.torki
Level 1

Hey All,

I have an ASA5510 w/ Security+ that's giving me issues with some static routes. The inside network is 192.168.1.0/24, and the inside interface is 192.168.1.3. There is a second router in the network at 192.168.1.180. I need any traffic destined for the subnet 192.168.20.0/24 to go to the .180 gateway. All machines use the ASA (192.168.1.3) as their gateway. I have a few routes in the ASA:

route inside 10.1.1.0 255.255.255.0 192.168.1.15 1
route inside 10.1.10.0 255.255.255.0 192.168.1.15 1
route inside 192.168.3.0 255.255.255.0 192.168.1.3 1
route inside 192.168.20.0 255.255.255.0 192.168.1.180 1

All machines are able to get on the internet, but none can reach the 20.x network. When I try to ping the 20.x network I get the following error in the logs of the ASA:
Deny inbound icmp src inside:192.X.X.X dst inside:10.X.X.X (type 8, code 0)

I know my routes are programmed into the 192.168.1.180 router correctly, because if I set a machine's gateway to be 1.180, I can ping and get to the 20.x network fine. But the ASA is preventing the routes from completing. Any ideas?

4 Replies

First off, are you able to reach your hosts on the 20.x network using different protocols, such as RDP, WWW, FTP, etc.?

Could you run a packet-tracer, this will give us an idea of what setting on the ASA is dropping the traffic.

packet-tracer input inside tcp <source address> 12345 <destination address> 80 detail

Marius & Rudy,
First off, thanks for your help!
No, I'm not able to reach my hosts using any protocols. I have a Fluke Etherscope which is running a webserver at 192.168.20.250, and I can't reach it. It seems like my traffic is making it there, but unable to return, due to the ASA dropping the packets, although I may be wrong about that.
Rudy, yes that's correct. If I use my router as the gateway, everything seems to work fine. When I use the ASA as my default gateway, I can't reach (or get return packets from) the 20.x network.
Also, I guess that's correct about the ICMP-inspection policy; I never seem to be able to ping hosts on the internet.
 
Thanks Again,
Mehrzad
Result of the command: "packet-tracer input inside tcp 192.168.1.181 12345 192.168.20.253 80 detail"
 
Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab8c5d98, priority=1, domain=permit, deny=false
hits=2829692679, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
 
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 
  match ip inside 192.168.20.0 255.255.255.0 inside any
    static translation to 192.168.20.0
    translate_hits = 5, untranslate_hits = 1587
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.20.0/0 to 192.168.20.0/0 using netmask 255.255.255.0
 
Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab8c6e60, priority=3, domain=permit, deny=false
hits=2513198, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab8c84d0, priority=0, domain=inspect-ip-options, deny=true
hits=154410326, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Phase: 5
Type: NAT
Subtype: 
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 2383570, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaba45948, priority=1, domain=nat, deny=false
hits=2749385, user_data=0xaba45888, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

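As an added example (not part of the thread and not a Cisco tool), here is a small Python parser for packet-tracer output of the kind posted above. It pulls out each phase's type, result and matched config, then reports the first phase that dropped the flow alongside the final Drop-reason, which is the question Marius's packet-tracer request is meant to answer. The sample input is the posted output trimmed to the fields the parser reads; the function names are the example's own.

```python
"""Parse Cisco ASA 'packet-tracer ... detail' output and report the phase that dropped the flow.

Added example: not from the thread. SAMPLE is the output posted above, trimmed to the
fields this parser uses (phase header, Type/Subtype/Result, Config, final Result block).
"""
import re

SAMPLE = """\
Result of the command: "packet-tracer input inside tcp 192.168.1.181 12345 192.168.20.253 80 detail"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab8c5d98, priority=1, domain=permit, deny=false

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
  match ip inside 192.168.20.0 255.255.255.0 inside any
    static translation to 192.168.20.0
Additional Information:
NAT divert to egress interface inside

Phase: 5
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
Additional Information:
 Forward Flow based lookup yields rule:

Result:
input-interface: inside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# One chunk per "Phase: N" header; the trailing "Result:" summary (colon followed by a
# newline, unlike the per-phase "Result: ALLOW") terminates the last chunk.
_PHASE_RE = re.compile(r"Phase: (\d+)\n(.*?)(?=\nPhase: \d+\n|\nResult:\n|\Z)", re.S)
_CONFIG_RE = re.compile(r"^Config:\n(.*?)(?=^Additional Information:|\Z)", re.S | re.M)


def parse_phases(text):
    """Return a list of dicts: phase number, type, subtype, result and the Config lines."""
    phases = []
    for m in _PHASE_RE.finditer(text):
        body = m.group(2)
        fields = {}
        for key in ("Type", "Subtype", "Result"):
            # [ \t]* rather than \s* so an empty "Subtype:" does not swallow the next line
            km = re.search(rf"^{key}:[ \t]*(.*)$", body, re.M)
            fields[key.lower()] = km.group(1).strip() if km else ""
        cm = _CONFIG_RE.search(body)
        config = [l.strip() for l in cm.group(1).splitlines() if l.strip()] if cm else []
        phases.append({"phase": int(m.group(1)), "config": config, **fields})
    return phases


def parse_summary(text):
    """Return the final Result block (input/output interface, Action, Drop-reason) as a dict."""
    summary = {}
    m = re.search(r"^Result:\n(.*)\Z", text, re.S | re.M)
    if m:
        for line in m.group(1).splitlines():
            if ":" in line:
                k, v = line.split(":", 1)
                summary[k.strip()] = v.strip()
    return summary


def find_drop(text):
    """Return (first phase with Result DROP or None, summary dict)."""
    phases = parse_phases(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    return drop, parse_summary(text)


def explain(text):
    """Human-readable verdict: which phase and rule dropped the flow, and why."""
    drop, summary = find_drop(text)
    if drop is None:
        return "allowed: " + summary.get("Action", "?")
    lines = [
        f"dropped in phase {drop['phase']} ({drop['type']})",
        f"rule: {drop['config'][0] if drop['config'] else '<none>'}",
        f"reason: {summary.get('Drop-reason', '?')}",
    ]
    same_if = summary.get("input-interface") == summary.get("output-interface")
    if same_if and any("No matching global" in c for c in drop["config"]):
        # The trace itself says the dynamic NAT rule matched but has no global on the
        # egress interface; for a flow that enters and leaves the same interface that
        # is the condition to look at.
        lines.append(
            f"note: flow enters and exits {summary['input-interface']} and the matched "
            "dynamic NAT rule reports '(No matching global)' for that interface"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(SAMPLE))
```

Run against the posted output it reports phase 5 (NAT), the `nat (inside) 1 0.0.0.0 0.0.0.0` rule and the `(acl-drop)` reason, and notes that the flow is a same-interface (inside to inside) flow whose matched dynamic NAT rule has no matching global, which is exactly what the trace's Phase 5 and Result blocks state.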

Rudy Sanjoko
Level 4

According to you, all machines in your inside network are not able to ping the 20.x network when the ASA is the default gateway, and it works fine if you use the router as the default gateway. Just like Marius said, are you able to reach 20.x using a different protocol? If yes, and only ICMP is not working, then it is highly likely that your ICMP policy is the cause.

I see that you have a policy map configured for inspecting icmp, but it is applied on the outside interface. 
