Static routes are not working

Eduardo Guerra
Level 1

I have an ASA5510 that is connected to the Internet by an interface named Outside, is also connected to the LAN by the interface Inside, and is also connected to a router by the interface Outside1. This router has 3 connected interfaces within the subnet 172.1.x.0 that connect to branch offices. I cannot pass any kind of traffic between the LAN and subnet 172.1.x.0 (the traffic is supposed not to have NAT). Here's the configuration:

: Saved
:
ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name farmaciachavez.com.bo
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address X.X.X.162 255.255.255.248
!
interface Ethernet0/1
 nameif Outside1
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 10
 ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list dmz_in extended permit ip any any
access-list dmz_in extended permit icmp any any
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list 100 extended permit tcp any host X.X.X.163 eq smtp
access-list 100 extended permit udp any host X.X.X.163 eq domain
access-list 100 extended permit tcp any host X.X.X.163 eq https
access-list 100 extended permit tcp any host X.X.X.163 eq www
access-list 100 extended permit tcp any host X.X.X.163 eq 3000
access-list 100 extended permit tcp any host X.X.X.163 eq 1000
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Outside1 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.0.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Inside
icmp permit 192.168.0.0 255.255.255.0 Inside
icmp permit 172.16.32.0 255.255.255.0 Inside
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Outside1) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) X.X.X.163 172.16.31.0 netmask 255.255.255.255
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group 100 in interface Outside
access-group dmz_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 X.X.X.161 20
route Inside 172.1.1.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a8a0d1c3ab10209f6b7071cc6f6b415f
: end

Can somebody help? Want a diagram?

Eduardo

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Am I correct to assume that traffic from "inside" to "outside1" needs to go without NAT?

If so, then the reason for the connectivity problem might be the Dynamic PAT configuration. This is a very common problem with the older 8.2 (and below) software levels.

Essentially what happens is that your traffic from "inside" will match that interface's "nat" command and will try to find a matching "global" for the destination interface, which is determined by the routing table.

In your setup this would seem to make sense, as you have no "global" towards that interface. You also don't have any Static Identity NAT configuration to avoid matching the "nat" command.

You could therefore try a Static Identity NAT or NAT0 configuration for the traffic from "inside" to "outside1".

For example:

static (Outside1,Inside) 172.1.x.0 172.1.x.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.y.0 172.1.y.0 netmask 255.255.255.0
static (Outside1,Inside) 172.1.z.0 172.1.z.0 netmask 255.255.255.0

Or perhaps (if you configure this, don't configure the above Static Identity NAT):

access-list INSIDE-NAT0 remark NAT0 for traffic
access-list INSIDE-NAT0 extended permit ip 192.168.0.0 255.255.255.0 172.1.x.0 255.255.255.0
access-list INSIDE-NAT0 extended permit ip 192.168.0.0 255.255.255.0 172.1.y.0 255.255.255.0
access-list INSIDE-NAT0 extended permit ip 192.168.0.0 255.255.255.0 172.1.z.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0

Also, notice that you don't have any "route" commands pointing towards these networks to the "Outside1" interface. You will need to add the needed "route" commands.

- Jouni


6 Replies


Dear Jouni, with the solution you give in the lines below, can the LAN connected to Inside also connect to the Internet by Outside? I mean, I will not lose connectivity to the Internet?

Eduardo

Hi,

Neither of the above configurations (only one of the options is needed, Identity NAT or NAT0) should affect any traffic heading to your "outside" interface.

If the 3 networks 172.1.x.0/24 are located behind "outside1", then it affects only them.

You would also need the routes for the 172.1.x.0/24 networks towards "outside1".

The default route you have in place for "outside" should still forward Internet traffic like usual.

- Jouni

Dear Jouni, I tried doing the access-list; here's the conf, but it is still dropping. I tried doing a packet tracer (at the end of this Q is the result).

: Saved
:
ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name farmaciachavez.com.bo
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address X.X.X.162 255.255.255.248
!
interface Ethernet0/1
 nameif Outside1
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 10
 ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list dmz_in extended permit ip any any
access-list dmz_in extended permit icmp any any
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list 100 extended permit tcp any host X.X.X.163 eq smtp
access-list 100 extended permit udp any host X.X.X.163 eq domain
access-list 100 extended permit tcp any host X.X.X.163 eq https
access-list 100 extended permit tcp any host X.X.X.163 eq www
access-list 100 extended permit tcp any host X.X.X.163 eq 3000
access-list 100 extended permit tcp any host X.X.X.163 eq 1000
access-list INSIDE-NAT0 remark NAT0 for traffic
access-list INSIDE-NAT0 extended permit ip 192.168.0.0 255.255.255.0 172.1.1.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Outside1 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.0.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Outside1
icmp permit 192.168.2.0 255.255.255.0 Inside
icmp permit 192.168.0.0 255.255.255.0 Inside
icmp permit 172.16.32.0 255.255.255.0 Inside
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Outside1) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 0 access-list INSIDE-NAT0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) X.X.X.163 172.16.31.0 netmask 255.255.255.255
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group 100 in interface Outside
access-group dmz_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 X.X.X.161 20
route Outside1 172.1.1.0 255.255.255.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c37b6a1bd46b2df0fa432e98c8dc6998
: end

Packet Tracer:

packet-tracer input Outside1 tcp 172.1.1.5 9823 192.168.0.2 80 detail

Result:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7f4878, priority=1, domain=permit, deny=false
        hits=259385, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
  match ip Inside 192.168.0.0 255.255.255.0 Outside1 any
    static translation to 192.168.0.0
    translate_hits = 78, untranslate_hits = 31840
Additional Information:
NAT divert to egress interface Inside
Untranslate 192.168.0.0/0 to 192.168.0.0/0 using netmask 255.255.255.0

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7f50e0, priority=2, domain=permit, deny=false
        hits=31856, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7f7088, priority=0, domain=permit-ip-option, deny=true
        hits=230918, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab942728, priority=6, domain=nat-exempt-reverse, deny=false
        hits=1, user_data=0xa76aa6c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=172.1.1.0, mask=255.255.255.0, port=0
        dst ip=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (Outside1) 101 0.0.0.0 0.0.0.0
  match ip Outside1 any Inside any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 2, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab4b62c0, priority=1, domain=nat, deny=false
        hits=1, user_data=0xab9403c8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: Outside1
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Am I doing something else wrong?
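When a packet-tracer run ends in "Action: drop", the phase whose Result is DROP and the Config lines under it name the rule responsible, as the NAT phase does in the trace above. The following Python parser is an example added for this page; it is not Cisco tooling and not something either poster ran. It splits a trace into its phases, returns the dropping phase together with the final Drop-reason, and, for an 8.2 "nat" phase that reports "(No matching global)", names the global the flow was looking for. SAMPLE_TRACE is constructed from phases 3 and 7 and the summary of the trace in this thread, shortened; the NAT_RULE and MATCH_RULE patterns are assumptions about the shape of those two Config lines.

```python
import re

# Constructed sample: phases 3 and 7 plus the summary of the trace in this
# thread, shortened.  Not captured from a live device.
SAMPLE_TRACE = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
  match ip Inside 192.168.0.0 255.255.255.0 Outside1 any
    static translation to 192.168.0.0
Additional Information:
NAT divert to egress interface Inside

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (Outside1) 101 0.0.0.0 0.0.0.0
  match ip Outside1 any Inside any
    dynamic translation to pool 101 (No matching global)
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab4b62c0, priority=1, domain=nat, deny=false

Result:
input-interface: Outside1
input-status: up
output-interface: Inside
output-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Assumed shapes of the first two Config lines of a dynamic NAT phase:
#   nat (<in_if>) <id> <net> <mask>
#   match ip <in_if> <src|any> <out_if> <dst|any>
NAT_RULE = re.compile(r"^nat \((\S+)\) (\d+) ")
MATCH_RULE = re.compile(r"^match ip (\S+) (?:any|\S+ \S+) (\S+) (?:any|\S+ \S+)$")


def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts plus the summary."""
    phases, summary = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":             # bare header opens the final summary
            current, section = None, "summary"
            continue
        if section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if current is None:
            continue
        if line == "Config:":
            section = "config"
            continue
        if line == "Additional Information:":
            section = "info"
            continue
        if section in ("config", "info"):
            current[section].append(line.strip())
            continue
        key, _, value = line.partition(":")  # Type / Subtype / Result lines
        current[key.strip().lower()] = value.strip()
    return phases, summary


def find_drop(phases, summary):
    """Return the first phase that dropped the packet, with the Drop-reason."""
    for phase in phases:
        if phase.get("result") == "DROP":
            return {"phase": phase["phase"], "type": phase.get("type", ""),
                    "config": phase["config"], "reason": summary.get("Drop-reason", "")}
    return None


def explain_nat_drop(drop):
    """For an 8.2 'nat' phase drop, name the missing global (None otherwise)."""
    if drop is None or drop["type"] != "NAT" or len(drop["config"]) < 2:
        return None
    if "No matching global" not in " ".join(drop["config"]):
        return None
    nat, match = NAT_RULE.match(drop["config"][0]), MATCH_RULE.match(drop["config"][1])
    if not (nat and match):
        return None
    in_if, nat_id, out_if = nat.group(1), nat.group(2), match.group(2)
    return (f"'nat ({in_if}) {nat_id}' matched the flow but no 'global ({out_if}) {nat_id}' "
            f"exists: add a static identity NAT for the source network between {in_if} and "
            f"{out_if}, or a global on {out_if} if translating the traffic is acceptable")


if __name__ == "__main__":
    drop = find_drop(*parse_packet_tracer(SAMPLE_TRACE))
    print(drop)
    print(explain_nat_drop(drop))
```

Feed it the full output of `packet-tracer ... detail` and it will report the same phase the eye finds above; a phase without a DROP result returns None, so it can be run over a batch of traces taken after each configuration change.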

Hi,

Seems I might have looked at the situation a bit wrong.

I think you actually need the Static Identity NAT configuration that I mentioned in the earlier post, and you should remove the NAT0 configuration.

Can you test with the "static" command that I suggested? With that there should be no NAT drop, to my understanding. Your tested traffic is now matching a NAT for its destination address, but it seems that it also looks for a source address translation, though it seems the NAT0 doesn't apply in this situation.

- Jouni
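The order Jouni describes in the accepted answer and in this reply (a new flow is first checked against NAT exemption, then against a static whose real network contains the source, and otherwise against the ingress interface's "nat" command, which must find a "global" on the egress interface) can be made concrete with a small Python model of ASA 8.2 rule selection. This is an example added for this page, not Cisco code and not anything the posters ran; it models source-address translation only and leaves destination un-NAT, ACLs and routing out. With the NAT lines of the second posted config it reproduces the "No matching global" drop from the packet-tracer above for the Outside1-to-Inside flow, shows the static identity NAT from the accepted answer resolving it, and shows Internet-bound LAN traffic still using the Outside global (Jouni's point in the earlier reply). The Asa82Nat class, the thread_config helper and the destination 198.51.100.10 are constructed for the example.

```python
"""Model of ASA 8.2 NAT rule selection for one new flow (added example).

For a packet entering `in_if` and routed out `out_if` the model tries, in order:
  1. nat 0 access-list (NAT exemption) configured on the ingress interface
  2. a static (real_if,mapped_if) whose real network contains the source
  3. the ingress interface's nat <id>, which then needs global (out_if) <id>;
     with no such global the flow is dropped ("No matching global")
  4. nothing matched: forwarded untranslated (nat-control is off by default)
As the packet-tracer in the thread shows, the NAT0 entered on Inside did not
help a flow initiated from Outside1, so exemptions are consulted for the
ingress interface only.  This is a simplification of the real device.
"""
from ipaddress import IPv4Address, IPv4Network


class Asa82Nat:
    def __init__(self):
        self.exempt = []    # (in_if, src_net, dst_net)          nat (in_if) 0 access-list
        self.statics = []   # (real_if, mapped_if, real_net, mapped_net)
        self.dynamic = []   # (in_if, nat_id, src_net)           nat (in_if) <id> ...
        self.globals = {}   # (out_if, nat_id) -> pool label     global (out_if) <id>

    # Configuration entries, following the 8.2 CLI argument order.
    def nat0(self, in_if, src_net, dst_net):
        self.exempt.append((in_if, IPv4Network(src_net), IPv4Network(dst_net)))

    def static(self, real_if, mapped_if, mapped_net, real_net):
        # static (real,mapped) <mapped-net> <real-net> netmask <mask>
        self.statics.append((real_if, mapped_if, IPv4Network(real_net), IPv4Network(mapped_net)))

    def nat(self, in_if, nat_id, src_net):
        self.dynamic.append((in_if, nat_id, IPv4Network(src_net)))

    def global_(self, out_if, nat_id, pool):
        self.globals[(out_if, nat_id)] = pool

    def lookup(self, in_if, out_if, src, dst):
        """Return (verdict, translated source or pool label) for one new flow."""
        src, dst = IPv4Address(src), IPv4Address(dst)
        for iface, s_net, d_net in self.exempt:
            if iface == in_if and src in s_net and dst in d_net:
                return ("nat-exempt", str(src))
        for r_if, m_if, real, mapped in self.statics:
            if r_if == in_if and m_if == out_if and src in real:
                offset = int(src) - int(real.network_address)
                return ("static", str(IPv4Address(int(mapped.network_address) + offset)))
        for iface, nat_id, s_net in self.dynamic:
            if iface == in_if and src in s_net:
                pool = self.globals.get((out_if, nat_id))
                if pool is None:
                    return ("drop", "No matching global")
                return ("dynamic", pool)
        return ("untranslated", str(src))


def thread_config(identity_static_for_branch=False):
    """NAT lines of the second config in the thread, optionally plus the
    static identity NAT from the accepted answer for 172.1.1.0/24."""
    asa = Asa82Nat()
    asa.global_("Outside", 101, "interface X.X.X.162")
    asa.nat("Outside1", 101, "0.0.0.0/0")
    asa.nat("DMZ", 101, "0.0.0.0/0")
    asa.nat0("Inside", "192.168.0.0/24", "172.1.1.0/24")
    asa.nat("Inside", 101, "0.0.0.0/0")
    asa.static("Outside1", "Inside", "192.168.2.0/24", "192.168.2.0/24")
    asa.static("Inside", "Outside1", "192.168.0.0/24", "192.168.0.0/24")
    if identity_static_for_branch:
        asa.static("Outside1", "Inside", "172.1.1.0/24", "172.1.1.0/24")
    return asa


if __name__ == "__main__":
    # Same flow as the packet-tracer in the thread: branch host to LAN host.
    print(thread_config().lookup("Outside1", "Inside", "172.1.1.5", "192.168.0.2"))
    print(thread_config(True).lookup("Outside1", "Inside", "172.1.1.5", "192.168.0.2"))
    # Internet-bound LAN traffic still uses the Outside global
    # (198.51.100.10 is a constructed destination).
    print(thread_config().lookup("Inside", "Outside", "192.168.0.2", "198.51.100.10"))
```

The model makes the asymmetry visible: the NAT0 on Inside covers flows that start on Inside, but the flow in the trace starts on Outside1, where the only matching rule is `nat (Outside1) 101` and there is no `global (Inside) 101`; the static identity NAT with Outside1 as the real interface is checked before that rule and so removes the drop.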

Yes Jouni, you are right; after I posted the last Q, I tried identity NAT and it was the correct answer. Thanks a lot. I have another small q related to identity NAT.

Let's suppose 172.1.x.0 are about 50 networks (X = from 1 to 50). Do I have to configure Static Identity NAT for each one? Or is there any way to group those networks in one pool?

Thanks a lot

Eduardo
