06-10-2025 02:59 PM
show inter ip br
Interface                  IP-Address      OK? Method Status                Protocol
Virtual0                   127.1.0.1       YES unset  up                    up
GigabitEthernet1/1         192.168.0.100   YES DHCP   up                    up
GigabitEthernet1/2         10.10.10.1      YES unset  up                    up
GigabitEthernet1/3         10.10.10.1      YES unset  down                  down
GigabitEthernet1/4         10.10.10.1      YES unset  down                  down
GigabitEthernet1/5         10.10.10.1      YES unset  down                  down
GigabitEthernet1/6         10.10.10.1      YES unset  down                  down
GigabitEthernet1/7         10.10.10.1      YES unset  down                  down
GigabitEthernet1/8         unassigned      YES DHCP   down                  down
Internal-Control1/1        127.0.1.1       YES unset  up                    up
Internal-Data1/1           unassigned      YES unset  up                    down
Internal-Data1/2           unassigned      YES unset  up                    up
Internal-Data1/3           unassigned      YES unset  up                    up
Internal-Data1/4           169.254.1.1     YES unset  up                    up
Management1/1              unassigned      YES unset  down                  down
BVI1                       10.10.10.1      YES CONFIG up                    up

# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/20 ms

# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.0.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 192.168.0.1, outside
S        0.0.0.0 255.255.255.0 [1/0] via 192.168.0.1, inside
C        10.10.10.0 255.255.255.240 is directly connected, inside
L        10.10.10.1 255.255.255.255 is directly connected, inside
C        192.168.0.0 255.255.255.0 is directly connected, outside
L        192.168.0.100 255.255.255.255 is directly connected, outside
I don't understand why hosts in 10.10.10.0/28 are unable to reach the internet through the outside interface. What am I doing wrong?
06-10-2025 03:51 PM
Hello,
Does the outside network know how to get back to the FW for the 10.10.10.0/28 network? Can you provide a diagram and configuration for both your FW and router?
-David
06-10-2025 05:07 PM - edited 06-10-2025 05:09 PM
Hello @David Ruess ! I tried configuring a static route back, but I'm unable to do so:
ciscoasa(config)# route outside 10.10.10.0 255.255.255.240 10.10.10.1
ERROR: Cannot add route, connected route exists
ciscoasa(config)# route outside 0 255.255.255.240 10.10.10.1
ERROR: Invalid next hop address 10.10.10.1, it matches our IP address
Diagram is very simple: ISP router --> Cisco ASA --> Hosts
Outside interface is in 192.168.0.0/24 for the ISP router and the inside interface is in 10.10.10.0/28 for the hosts.
06-11-2025 07:27 AM
We do not have much information to work with. Based on the very little information that we have it might possibly be a routing issue. But my best guess at this point is that it might be that NAT is not working (perhaps not configured) for the inside addresses.
Can you provide some details of the ASA config?
06-16-2025 08:23 PM
Hello Rick & @David Ruess ! Here's my running config:
ciscoasa(config)# show running-config
: Saved
:
: Serial Number: JAD22090AL9
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname ciscoasa
enable password ********* pbkdf2
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.240
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network any_1
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
object network any_1
nat (inside_1,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.0.0 255.255.255.0 outside
http 192.168.0.0 255.255.255.0 inside_3
http 192.168.0.0 255.255.255.0 inside_7
http 192.168.0.0 255.255.255.0 inside_6
http 192.168.0.0 255.255.255.0 inside_1
http 192.168.0.0 255.255.255.0 inside_2
http 192.168.0.0 255.255.255.0 inside_5
http 192.168.0.0 255.255.255.0 inside_4
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.0.0 255.255.255.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username mariano password ******** pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1a585d89c4d04eec58cae77943c2d5d3
: end
06-16-2025 08:46 PM
For example, if I try to ping out from a VM behind 10.10.10.1 (ASA):
# ip route show
default via 10.10.10.1 dev eth0 proto dhcp
10.10.10.0/28 dev eth0 proto kernel scope link src 10.10.10.3
# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1007ms
06-17-2025 12:10 AM
Is there anything in the logs indicating a failure such as a DENY statement?
06-17-2025 06:24 PM
Yessir! That was it. I hadn't whitelisted ICMP in the outside interface. Thank you!!
PS: Do you know how to run debug level logging on the CLI? I only managed to get it working on ASDM.
Thanks again!
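The fix described in the post, written out as an added example (this is not the original poster's configuration). Option A is the ACL form the post alludes to, narrowed to the reply types a ping from inside actually needs; option B is the stateful alternative most firewall engineers would choose instead. The ACL name outside_access_in is an assumption.

```text
! Option A: inbound ACL on outside, as the post describes, but scoped.
! Since ASA 8.3 ACLs match on real (pre-NAT) addresses, so the destination
! is the inside /28, not the outside interface address.
! Prefer this over "permit icmp any any", which opens every ICMP type.
access-list outside_access_in extended permit icmp any 10.10.10.0 255.255.255.240 echo-reply
access-list outside_access_in extended permit icmp any 10.10.10.0 255.255.255.240 time-exceeded
access-list outside_access_in extended permit icmp any 10.10.10.0 255.255.255.240 unreachable
access-group outside_access_in in interface outside

! Option B: make ICMP stateful instead. With "inspect icmp" the ASA builds a
! connection for the outbound echo and admits only the matching echo-reply,
! so nothing has to be opened inbound on outside for ping to work.
! "inspect icmp error" additionally fixes up the embedded addresses in
! ICMP error messages (time-exceeded, unreachable) that cross NAT.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
```

Two caveats. Once an access-group is applied inbound on outside, its implicit deny at the end replaces the interface default, so anything else that must enter from outside has to be listed in the same ACL (established TCP/UDP return traffic is still matched by the connection table and is unaffected). And the separate `icmp permit ...` command governs only ICMP terminated on the ASA's own interface addresses, not traffic passing through it, so it does nothing for this problem.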
06-17-2025 08:54 PM
Unfortunately, I don't. I usually use the ASDM console for log parsing. Glad your issue is fixed.
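Debug-level logging is available from the CLI as well as from ASDM. The following is an added example (not from anyone in the thread) using the addresses from the posts: 10.10.10.3 is the VM, and inside_1 (GigabitEthernet1/2) is taken to be the bridge-group member port it is attached to, an assumption based on it being the only member port that is up.

```text
! Log to the in-memory buffer at debugging level (7). Unlike "logging console"
! this does not slow the unit down; it is the same data ASDM's log viewer reads.
logging enable
logging buffer-size 1048576
logging buffered debugging
! Alternatively stream messages into the SSH session you are logged in to:
logging monitor debugging
terminal monitor

! Reproduce the failing ping from the VM, then look for the dropped reply.
! 106014 is the syslog ID for an inbound ICMP packet denied with no ACL
! permitting it; 106023 is a packet denied by an explicit access-group.
clear logging buffer
show logging | include 10.10.10.3
show logging | include 106014|106023

! Simulate the same ping without touching the VM: an echo (type 8, code 0)
! entering on the member port the host sits on. The detailed output lists each
! phase (route lookup, NAT, access-list, inspection) and which one drops it.
packet-tracer input inside_1 icmp 10.10.10.3 8 0 8.8.8.8 detailed

! Once it works, confirm the PAT entry and the connection exist.
show xlate
show conn address 10.10.10.3
```

Drop the buffer back to `logging buffered informational` once you are done; at debugging level a busy unit logs every inspection and connection event and the buffer wraps within seconds.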
06-11-2025 09:00 AM
As @Richard Burts and I mentioned, a config of the FW and router would be helpful as well. You can upload text files if needed. Richard may be on to something with the 10.10.10.0/28 space not being NAT'd out the outside IP.
-David
06-11-2025 11:19 AM
Hi,
Common Cause: NAT is Missing
When internal hosts try to access the internet via a private IP, you must perform source NAT (PAT) on the router/firewall so that the source IP appears to be the public IP.
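Added example, not part of the reply above. The posted running config already has this PAT in place in the form of the factory obj_anyN rules (0.0.0.0/0 on each bridge-group member port), so missing NAT was not the cause in this thread; what follows shows the same translation scoped to the inside subnet, which is tighter and makes the NAT hit counters meaningful. The object name inside-net is an assumption.

```text
! PAT the inside /28 behind the outside interface address (192.168.0.100).
! In the bridge-group layout from the posted config, NAT is written against
! the member ports (inside_1, inside_2, ...), not against the BVI "inside".
! An object can carry only one nat statement, so each member port that has
! hosts on it needs its own object; inside_1 is the only port that is up here.
object network inside-net
 subnet 10.10.10.0 255.255.255.240
 nat (inside_1,outside) dynamic interface

! Because the /28 is hidden behind 192.168.0.100, the ISP router needs no
! route back to 10.10.10.0/28: replies are addressed to 192.168.0.100 and
! un-translated on the ASA. Verify the rule is matched (translate_hits) with:
show nat detail
```

If `show nat detail` shows zero translate_hits for the rule after a test from a host, the traffic is being dropped before NAT (route, ACL, or inspection), which is what `packet-tracer` is for; if the hits increase but nothing comes back, look at what arrives on outside instead.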