Help needed for default route for new vlan

91da49851
Level 1

Hello all

I have a Cisco Firepower 1010 running ASA. I would like one of the physical ports, Ethernet1/6, to be separated from the other ports on my inside, but it should have access to the internet. I will connect my Hikvision video monitoring and Huawei solar panel inverters to this port. I have created a vlan for this named HikvisionHuawei and set up DHCP and DNS for it. When I connect my laptop to port 6 I get assigned an IP address as expected, but I cannot reach or ping any address. I get the error message

no route to host

I have tried defining a default route using the route command, but I keep getting error messages when I try to use it:

route HikvisionHuawei 0 0 192.168.1.1
ERROR: Invalid next hop address 192.168.1.1, it matches our IP address

route HikvisionHuawei 0 0 212.130.193.38
ERROR: Invalid next hop address 212.130.193.38, it matches our IP address

I have attached a file with my configuration and various other show commands.

Please let me know what I'm missing in my setup.


Hello,

it should stop after Phase 8; instead it goes to Phase 9 and finds the static default route. Can you try a clear route all, and if that does not help, wr mem the config and reboot the ASA?

Hi again

I tried the clear route all but got the same result: not able to connect.

I ran the write mem and restarted the appliance completely and then I tried connecting again. Still the same.

I'm sorry for having such a hard issue here.

packet-tracer input inside icmp 192.168.20.20 8 0 192.168.1.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.1 using egress ifc identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4559, packet dispatched to next module

Phase: 9
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 0.0.0.0 using egress ifc identity

Phase: 10
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 0000.0000.0000 hits 170 reference 2

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: allow
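
An added example, not code from this thread: a small Python helper that parses packet-tracer output of the shape posted above and reports each ROUTE-LOOKUP phase. An egress interface of "identity" means the destination is an address the ASA itself owns (the route errors earlier in the thread say exactly that about 192.168.1.1), so this trace pings the firewall rather than testing transit to the outside; the helper also counts route lookups that run after FLOW-CREATION, the extra lookup the reply above points at. The sample input is constructed and abridged from the output posted above.

```python
import re

# Constructed sample, abridged from the packet-tracer output posted in this thread
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.1 using egress ifc identity

Phase: 8
Type: FLOW-CREATION
Result: ALLOW
Additional Information:
New flow created with id 4559, packet dispatched to next module

Phase: 9
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Additional Information:
found next-hop 0.0.0.0 using egress ifc identity
"""

# One 'Phase:' block: its number, its type, and everything up to the next 'Phase:'
PHASE = re.compile(r"Phase:\s*(\d+)\s*\nType:\s*(\S+)(.*?)(?=\nPhase:|\Z)", re.S)
NEXT_HOP = re.compile(r"found next-hop (\S+) using egress ifc (\S+)")

def parse_phases(text):
    """Return (phase_no, type, body) for every phase in packet-tracer output."""
    return [(int(n), typ, body) for n, typ, body in PHASE.findall(text)]

def diagnose(text):
    """List each route lookup; flag a final egress of 'identity' (the ASA itself)."""
    lookups, seen_flow, after_flow = [], False, 0
    for n, typ, body in parse_phases(text):
        seen_flow = seen_flow or typ == "FLOW-CREATION"
        m = NEXT_HOP.search(body)
        if typ == "ROUTE-LOOKUP" and m:
            lookups.append((n, m.group(1), m.group(2)))
            after_flow += int(seen_flow)  # lookups that ran after FLOW-CREATION
    return {"lookups": lookups,
            "route_lookups_after_flow_creation": after_flow,
            "terminates_on_asa": bool(lookups) and lookups[-1][2] == "identity"}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A trace whose last lookup egresses a real interface (for example "outside") is the one that tells you whether the new VLAN can actually leave the box; pick a destination beyond the ASA when running it.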

Friend, I am running a lab; I will finish it tomorrow and update you.

Thank you very much.
I'm looking forward to hearing from you after testing in lab.

Hello,

I think as of now you have tried all 'options'.

What if you remove this NAT statement (which is redundant anyway)?

nat (HikvisionHuawei,outside) after-auto source dynamic any interface


Good suggestion. I ran

no nat (HikvisionHuawei,outside) after-auto source dynamic any interface

But still, not able to connect.

BTW Today, I installed the Cisco Packet Tracer app, and hoped that I could set up my network there. Unfortunately, it does not have any Firepower components in the toolbox.

I have solved it by adding an object. These are the commands I needed to add:

object network IOT
subnet 192.168.20.0 255.255.255.0
description IOT-NETWORK
nat (HikvisionHuawei,outside) dynamic interface
exit
interface vlan20
security-level 20
write mem

And it worked!!!!
I get the right IP address 192.168.20.100 when I connect, and I can ping and connect to the internet, but not to any other network objects on my 'inside'.

Thanks Georg and MHN for your inspiration and time. I really appreciate your effort.

You are so so welcome