Help needed for default route for new vlan

91da49851
Level 1

Hello all

I have a Cisco Firepower 1010 running ASA. I would like one of the physical ports, Ethernet1/6, to be separated from the other ports on my inside, but it should have access to the internet. I will connect my Hikvision video monitoring and Huawei solar panel inverters to this port. I have created a VLAN for this named HikvisionHuawei and set up DHCP and DNS for it. When I connect my laptop to port 6 I get assigned an IP address as expected, but I cannot reach or ping any address. I get the error message

no route to host

I have tried defining a default route using the

route command

but I keep getting error messages when I try to use the

route command
route HikvisionHuawei 0 0 192.168.1.1
ERROR: Invalid next hop address 192.168.1.1, it matches our IP address

route HikvisionHuawei 0 0 212.130.193.38
ERROR: Invalid next hop address 212.130.193.38, it matches our IP address

I have attached a file with my configuration and various other

show commands

Please let me know what I'm missing in my setup.

Accepted Solution

I have solved it by adding an object. These are the commands I needed to add:

object network IOT
subnet 192.168.20.0 255.255.255.0
description IOT-NETWORK
nat (HikvisionHuawei,outside) dynamic interface
exit
interface vlan20
security-level 20
write mem

And it worked!!!!
I get the right IP address 192.168.20.100 when I connect and I can ping and connect to the internet, and not connect to any other network objects on my 'inside'.

Thanks Georg and MHN for your inspiration and time. I really appreciate your effort.
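For reference, here is the whole segment as one configuration, written as an added example rather than copied from the poster's running config: the switch-port to VLAN binding, the VLAN interface, the object NAT that the accepted solution added, DHCP handing out only the public resolvers, and an explicit inbound ACL that denies the IoT subnet access to inside independently of security levels. The DHCP pool range and the ACL name IOT_IN are assumptions.

```cisco
! Added example (not the poster's config): IoT segment on a Firepower 1010 running ASA.
! Physical port Ethernet1/6 is placed in VLAN 20.
interface Ethernet1/6
 switchport access vlan 20
 no shutdown
!
interface Vlan20
 nameif HikvisionHuawei
 security-level 20
 ip address 192.168.20.1 255.255.255.0
 no shutdown
!
! Object NAT: translate the VLAN's private addresses to the outside interface address.
! This is the piece the accepted solution added; a connected route alone does not
! get the segment to the internet.
object network IOT
 subnet 192.168.20.0 255.255.255.0
 description IOT-NETWORK
 nat (HikvisionHuawei,outside) dynamic interface
!
! DHCP for the segment: public resolvers only, so the devices never learn the
! private DNS server on inside (pool range is an assumption).
dhcpd address 192.168.20.100-192.168.20.200 HikvisionHuawei
dhcpd dns 1.1.1.1 1.0.0.1 interface HikvisionHuawei
dhcpd enable HikvisionHuawei
!
! Explicit inbound policy (ACL name is an assumption). Once an access-group is applied,
! the security-level defaults no longer decide inbound traffic on this interface, so the
! deny to inside still holds if the security level is later raised to 100.
access-list IOT_IN extended deny ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list IOT_IN extended permit ip 192.168.20.0 255.255.255.0 any
access-group IOT_IN in interface HikvisionHuawei
```

Pings to 192.168.20.1 itself are to-the-box traffic and are governed by the icmp permit statements, not by this ACL.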


22 Replies

Hello,

since you have

ip address dhcp setroute

configured on the outside interface, you don't really have to set another route. If you do a

show route

you should see the default route, which is automatically generated.

I think the problem is related to your global policy map.

Try and add icmp:
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp

--> inspect icmp

Thank you for the suggestion. I have enabled icmp inspection now by executing these commands

# policy-map global_policy
# class inspection_default
# inspect icmp

Unfortunately, I still can't connect to anything when I attach my laptop to port 6 on the router.
I get assigned an

ip 192.168.20.20

and I can

ping 192.168.20.1

but that is all. Nothing else.
I can't do any nslookup, so maybe my DNS setting doesn't work either.

When I do a ping like

ping 192.168.1.1 I get ping: sendto: No route to host

Hello,

odd. What is the output of:

show route

from the ASA? Also, what OS is the laptop running? If it is a Windows machine, make sure the firewall/Defender is not blocking ICMP.

Oh thanks for getting back this fast.

show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 212.130.193.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 212.130.193.1, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside
C 192.168.20.0 255.255.255.0 is directly connected, HikvisionHuawei
L 192.168.20.1 255.255.255.255 is directly connected, HikvisionHuawei
C 212.130.193.0 255.255.255.0 is directly connected, outside
L 212.130.193.38 255.255.255.255 is directly connected, outside

I'm using a Mac as laptop. When I'm connected to some of the other ports on the inside, I can ping everything as usual.

Try and set the security level of the HikvisionHuawei to 100...

Thanks again.

I have changed it to 100 running these commands

interface vlan20 
security-level 100
no shut
exit

Unfortunately, I still get the same result. Unable to ping or connect to the internet using that port 6.

mlund
Level 7

Hi

I'm not an ASA/firewall expert, so I haven't dug into that section. But I noticed that the interface et1/6 is down, and that's the reason the 192.168.20.0 network doesn't appear in the routing table. You don't have to configure any routing for this interface; it will be automatically inserted into the routing table as soon as the interface comes up.

/Mikael

Thank you for your quick reply.

When I did the

show run

command I did not have anything connected to port 6 (as it is not working). When I connect my laptop to it, it says up.

Friend, one by one:
the ASA can bypass the DNS request from one interface to another, and this needs
1- apply an ACL to the interface permitting the DNS request to pass
2- config NAT (optional) if needed
OR
the ASA works as a DNS proxy;
this means that you send the DHCP client the IP address of the DNS server, which is the interface IP, and then the ASA, when it receives the DNS request, modifies it and sends it to the DNS server. This needs
1- config the DNS IP as the interface in dhcpd
2- config lookup on the interface that points to the DNS server

So which case do you use?

Thank you for your reply.

I'm not sure I fully understand the two scenarios, but let me try to describe how I intend DNS to work in my network:

The devices connected to the trusted network (named inside) should use my private DNS server having ip 192.168.1.89 (it is a Raspberry Pi running pi-hole) and secondary DNS will be 1.1.1.1.

The devices connected to the "HikvisionHuawei" vlan associated with port 6 on the router should use the public available DNS servers 1.1.1.1/1.0.0.1 as DNS as I don't want them to be able to connect to my private DNS server. 

I got your request. I will check your config and send you the correct steps,
but I want to ask:
does the router have a route to the public DNS server 1.1.1.1?

From the internal/trusted network, I can connect to any website and ping 1.1.1.1. Everything works.

From the vlan HikvisionHuawei on physical port 6, I can't connect to anything or even ping anything (except 192.168.20.1).

When I try I get

sendto: No route to host


Hello,

do a packet tracer and post the output:

packet-tracer input inside icmp 192.168.20.100 8 0 192.168.1.1

This is assuming that your laptop has been assigned the first available DHCP address, 192.168.20.100, if it is different, change it accordingly.

Also, add the below:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
icmp permit any inside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any HikvisionHuawei
icmp permit any echo HikvisionHuawei
icmp permit any echo-reply HikvisionHuawei


Thank you Georg.

I ran the config changes one by one. I get assigned ip 192.168.20.20 when connecting the cable directly to the port 6. (And I did expect to be assigned 192.168.20.100 as you wrote).

I then ran the packet tracer

packet-tracer input inside icmp 192.168.20.20 8 0 192.168.1.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.1 using egress ifc identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2250062, packet dispatched to next module

Phase: 9
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 0.0.0.0 using egress ifc identity

Phase: 10
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 0000.0000.0000 hits 75620 reference 2

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: allow
