Showing results for 
Search instead for 
Did you mean: 

ASA5505 - static route is not working


Hello everyone,

I've got two internal networks which belong to the inside vlan (or I guess it is) : and

The IP address of my ASA is and the router used to make the two networks talk has got two interfaces and

Thanks to the route command, the ASA should redirect the packets for to and it will manage to give them to the other network.

Here is my config :

: Saved


ASA Version 8.2(5)


hostname Cisco-ASA-5505

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted



interface Ethernet0/0

switchport access vlan 2


interface Ethernet0/1


interface Ethernet0/2


interface Ethernet0/3


interface Ethernet0/4


interface Ethernet0/5


interface Ethernet0/6


interface Ethernet0/7


interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

ip address


ftp mode passive

clock timezone GMT 1

access-list NONAT extended permit ip

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPNpool

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1

route outside 1

route inside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DYN-MAP 10 set transform-set RA-TS

crypto map VPN-MAP 30 ipsec-isakmp dynamic DYN-MAP

crypto map VPN-MAP interface outside

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 3600

telnet timeout 5

ssh inside

ssh inside

ssh timeout 5

console timeout 0

dhcpd address inside

dhcpd dns interface inside

dhcpd update dns both override interface inside

dhcpd enable inside


threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tftp-server inside /srv/tftp/cisco-rtr-01-config


username admin password 4RdDnLO1w29lihWc encrypted

username cld password zGOnThs6HPdAZhqs encrypted

tunnel-group synvpn type remote-access

tunnel-group synvpn general-attributes

address-pool VPNpool

tunnel-group synvpn ipsec-attributes

pre-shared-key *****



prompt hostname context

no call-home reporting anonymous


: end

I can ping the router through the IP address but not with the other one : Do you know why I can't talk to this network even if I defined a route ?

Thanks !


15 Replies 15

cadet alain

Hi John,

Can you provide the config of the router please.



Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

It is a Debian machine with routing functinality activated and 2 interfaces, so it simply route

If I execute the command "tracert" from my laptop (IP :, I get a time out

If I try to ping it, I get also a time out.

I don't understand why the command "route inside 10.0.042 1" is not working, it's quite simple.

My laptop will talk to the ASA, packets will be forwarded to the router ( and its second interface will get them (

I need help please.


you're talking about  subnet but then talk about, is this a typo ?

Also for your laptop in subnet I suppose the default-gateway is the ASA which then sends out to the Linux router ?

So you enter the inside interface and go back the same interface to get to the linux box ?

Can you do this :

same-security-traffic  permit intra-interface  in global config



Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Hi Alain,

My mistake, the IP address of the Linux router is

You are right, my laptop gets all the DHCP information from ASA so my default gateway is the ASA.

Yes I enter the inside interface and go bakc to it.

I tried to execute the command "same-security-traffic permit intra-interface" but unfortunately, it didn't change anything.

When I try to reach a web service with the IP address, Firefox tells methat the "connection has been reset".

When I do a ping to, I can see ping requests in Wireshark but no reply, and no error message.

if your network is like below

then you are having asymmetric routing and connection won't work when there is a firewall in the path. to verify it you could add a static route in your laptop with this command: route mask if asymmetric routing is the case then this command would bring your laptop's connection back to normal.

but as you said you can't get any reply while capturing in wireshark, then i think the problem is due to debian machine's ip forwarding. run below command and see if you can get 1 for result:

cat /proc/sys/net/ipv4/ip_forward

also try this from debian:

ping -I


Message was edited by: Thomas Fan

Thanks Thomas,

Yes my network is like your schema.

I've added the route on y machine and it is working. But I can't add static routes to every device on my network, I have to make it work through the ASA.

The ip_forward file contains 1 and all the ping commands are working.

Do you know what I could do please ? I don't understand why the firewall (the ASA ?) is making problem and why it is an asymmetric routing.

I would suggest to enable a unused port in firewall, assign it with ip address and plug debian machine's LAN cable into this port. this would make your firewall also acting as a router+firewall between network and network. If you have problem with this solution please let me know.

Thanks, I'll try your solution.

But I understand why packets would lose themselves, the default gw of the debian is the ASA, my laptop's default gw is the ASA, they can't go through an other router to come back. It's the only way.

Unfortunately I don't have the license which allow me to have a third vlan.

Is there any solution to solve the asymmetric routing problem please ?