
Gateway of last resort is not set

I have a tricky problem, hopefully someone can shed some light on it.

We routed our internal network traffic from one of our main layer 3 switches to a new firewall, instead of the one it had been using for a long time. All I did on the L3 switch was remove the old static route to the old firewall and add the new static route pointing to the new firewall as the default route. For example: (IP addresses are examples)

no ip route 0.0.0.0 0.0.0.0 10.10.10.1

ip route 0.0.0.0 0.0.0.0 10.10.10.2

Everything is working fine and everyone can get to the internet, no problems at all.

Here's the tricky part:

Later on, on the old firewall (ASA), I shut down the outside interface; there is nothing going through this firewall anymore since everything is being routed to the new firewall. As soon as I shut the interface down, I was getting reports of users in different locations not being able to reach the internet. I noticed that on one of our layer 3 switches, when I did a "sh ip route", I saw the following:

"Gateway of last resort is not set"

"Then a list of all our internal networks is listed below here, using O and O E2..."

So internal routing was fine, but anything outside of that (internet) had no gateway.

As soon as I did a "no shut" on the ASA's outside interface and looked on one of the layer 3 switches the default gateway came back:

Gateway of last resort is 10.5.5.5 to network 0.0.0.0

O*E2 0.0.0.0/0 [110/1] via 10.5.5.5, 00:00:21, Vlan5

"Then a list of all our internal networks is listed below here, using O and O E2..."

On the ASA's outside interface is:

interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.0
ospf cost 10
ospf network point-to-point non-broadcast

Also, on the ASA:

#sh run router

router ospf 1
router-id 10.10.50.1
network 10.0.0.0 255.0.0.0 area 0
area 0
log-adj-changes
default-information originate
!
router rip
network 10.0.0.0
passive-interface dmz
passive-interface outside

How is turning off the ASA's outside interface removing the default gateway from the layer 3 switches?

Thanks.

Accepted Solution

Hello tolinrome,

the old ASA OSPF configuration has the following command:

router ospf 1

>>default-information originate

In your previous setup the old ASA was in charge of generating an OSPF default route that was injected into the OSPF domain and installed on all downstream (more internal) switches.

When you shut the outside interface on the old ASA, the local default route is removed and the old ASA will remove the LSA type 5 for 0.0.0.0/0.

So you have two options:

either you make the new firewall take part in OSPF and generate the default route like the old ASA did up to now,

or you apply the default-information originate command in router ospf mode on the L3 switch directly connected to the new firewall.

Hope to help

Giuseppe
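An added check of my own (not from the thread) that a monitoring script polling the L3 switches could run over their "show ip route" output: it reports whether a gateway of last resort is present and whether it is a protocol-learned default such as the O*E2 route quoted above, which disappears as soon as the originating router withdraws it, or a locally configured static. The sample outputs are constructed to mirror the lines quoted in the question.

```python
import re

# Constructed sample "show ip route" output (not captures from the thread),
# modelled on the lines quoted above: the OSPF-learned default present, the
# same switch after the originating ASA withdrew its type 5 LSA for 0.0.0.0/0,
# and, for contrast, a locally configured static default.
DEFAULT_PRESENT = """\
Gateway of last resort is 10.5.5.5 to network 0.0.0.0

O*E2 0.0.0.0/0 [110/1] via 10.5.5.5, 00:00:21, Vlan5
O    10.10.20.0/24 [110/2] via 10.5.5.6, 01:12:03, Vlan5
"""
DEFAULT_MISSING = """\
Gateway of last resort is not set

O    10.10.20.0/24 [110/2] via 10.5.5.6, 01:12:03, Vlan5
"""
STATIC_DEFAULT = """\
Gateway of last resort is 10.10.10.2 to network 0.0.0.0

S*   0.0.0.0/0 [1/0] via 10.10.10.2
"""

# Route code of a candidate default: "O*E2", "S*", "B*", "D*EX", "O*IA", ...
DEFAULT_RE = re.compile(
    r"^(?P<code>[A-Z]\*(?:E1|E2|IA|N1|N2|EX)?)\s+0\.0\.0\.0/0\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\d+(?:\.\d+){3})"
)


def check_default_route(show_ip_route: str) -> dict:
    """Classify the gateway of last resort in 'show ip route' output.

    A default learned from a routing protocol (O*E2 in the thread) exists only
    while some router keeps originating it; an S* default is local to the switch.
    """
    result = {"set": False, "code": None, "nexthop": None,
              "ad": None, "metric": None, "locally_configured": False}
    for line in show_ip_route.splitlines():
        line = line.strip()
        if line.startswith("Gateway of last resort is not set"):
            return result  # no candidate default at all; stop here
        m = DEFAULT_RE.match(line)
        if m:
            result.update(set=True, code=m["code"], nexthop=m["nexthop"],
                          ad=int(m["ad"]), metric=int(m["metric"]),
                          locally_configured=m["code"].startswith("S"))
    return result
```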

6 Replies

omz (Collaborator)

Hi 

Did you issue "sh ip route" after changing the static route?

Did it show the new gateway of last resort?