ASA-6-110003: Routing failed to locate next hop

edw (Level 1)

Hi,

I have an issue with our ASA firewall. I have a firewall which has inside, outside and DMZ interfaces. I have VPN clients that connect correctly and can access the internal network. However, the profiles I have set up to connect via VPN to the DMZ network fail with the following messages.

ASA-6-110003: Routing failed to locate next hop

&

ASA-6-302014: Teardown TCP connection......No valid adjacency

I have connections to the DMZ which aren't VPN but are via the outside and internal interfaces with no problem.

The route table has a route to that network, and I have a nat in place - I am rather stumped by this.

Thanks

Ed


12 Replies

Julio Carvajal (VIP Alumni)

Hello Ed,

What version are you running?

Can you share the NAT statement you have configured for that VPN?

Can you share the route you have for that DMZ subnet you are trying to access (unless directly connected)?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Thanks for replying.

The NAT command is :

nat (dmz-2,outside) source static any any destination static VPN-Pool VPN-Pool

Version 8.4(3).

In terms of the route, it is directly connected. The machines to be accessed are on a switch which is connected to the firewall.

Now I have two VLANs going to this switch, which have been set up as sub-interfaces as follows:

interface Ethernet0/3
 nameif dmz
 security-level 75
 ip address 10.1.212.1 255.255.255.0
!
interface Ethernet0/3.2
 vlan 2
 nameif dmz-2
 security-level 70
 ip address 10.1.213.1 255.255.255.0

As stated, all traffic to machines on these two interfaces which are VPN are fine and working.

Thanks for any help.

Ed

edw (Level 1)

Bump ;)


Hello Ed,

Okay, the NAT looks good, but can you do the following for me please:

object network DMZ_subnet
 subnet 10.1.213.0 255.255.255.0
object network VPN_Subnet
 subnet x.x.x.x 255.255.x.x
nat (dmz-2,outside) source static DMZ_subnet DMZ_subnet destination static VPN_Subnet VPN_Subnet

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Have tried this, however there is still no change. The access list for this VPN group is counting up when I try to make a connection, if that is any help?

Thanks


Ed

Hello Ed,

Have you cleared the xlate table already?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

edw (Level 1)

Hi

I believe I did this early this week. Does it need to be done after tweaking that rule each time?

Thanks

Ed


Hello Ed,

Please do it and let me know.

Also do: packet-tracer input dmz-2 icmp 10.1.213.10 8 0 x.x.x.x

Where x.x.x.x is one of the IP addresses in the VPN pool.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Have done, but will have to test tomorrow.

I also did the packet trace and the output is below.

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: dmz-2

input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks Again for your help.

Ed

Sure, let me know the result

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

It's now working. However, the fix was the order of the manual NAT statements.

First I added the keyword route-lookup to the NAT statement. This worked, however my understanding is that this keyword is not used in transparent mode. So then I thought I would move my "source static any any" NAT statement to the bottom of the list, thus moving the DMZ one up, also removing the keyword route-lookup. It kept working. So now we are running.

Thanks


Ed
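
Added illustration (not part of the thread, and not Cisco code) of why the order of manual NAT statements matters: the ASA evaluates section 1 (manual NAT) top-down and the first matching rule wins, so the broad "source static any any destination static VPN-Pool VPN-Pool" rule placed first matches every dmz-2-to-pool flow and the more specific DMZ_subnet rule below it never gets a hit, exactly the symptom of a rule that "looks good" but is shadowed. The model parses the object and nat lines in the syntax used in the thread, reports per-rule hit counts for constructed sample flows (the equivalent of the translate_hits column in "show nat"), and then repeats the count after moving the broad rule to the bottom as Ed did. The VPN pool prefix 172.16.50.0/24, the sample flows and the 192.0.2.44 source are assumptions for the demo.

```python
"""Model of ASA manual (section 1) NAT evaluation: top-down, first match wins.

Illustration constructed for this thread; not Cisco code. The 172.16.50.0/24
VPN pool and the sample flows are assumed.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class NatRule:
    src_if: str     # real (ingress) interface from "nat (src,dst)"
    dst_if: str     # mapped (egress) interface
    real_src: str   # network object name or "any"
    real_dst: str   # network object name or "any"
    text: str       # the original configuration line


NAT_RE = re.compile(
    r"nat \((\S+),(\S+)\) source static (\S+) \S+ destination static (\S+) \S+"
)


def parse_config(text):
    """Parse the subset of ASA syntax used in the thread: 'object network'
    blocks with one 'subnet' line, and manual 'nat' lines. Rules keep
    configuration order, which is the order the ASA evaluates section 1 in."""
    objects, rules, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"subnet (\S+) (\S+)$", line)
        if m and current:
            # ipaddress accepts a dotted netmask after the slash
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            continue
        m = NAT_RE.match(line)
        if m:
            rules.append(NatRule(*m.groups(), text=line))
    return objects, rules


def _covers(objects, name, ip):
    return name == "any" or ipaddress.ip_address(ip) in objects[name]


def first_match(objects, rules, ingress_if, src_ip, dst_ip):
    """Return (1-based rule number, rule) for the first section 1 rule the
    flow matches, or None. No fall-through to a later, more specific rule
    once an earlier one has matched."""
    for number, rule in enumerate(rules, start=1):
        if rule.src_if not in ("any", ingress_if):
            continue
        if _covers(objects, rule.real_src, src_ip) and _covers(objects, rule.real_dst, dst_ip):
            return number, rule
    return None


def label(rule):
    return f"{rule.real_src}->{rule.real_dst}"


def hit_counts(objects, rules, flows):
    """Per-rule hit counts over (ingress_if, src_ip, dst_ip) flows, like the
    translate_hits column of 'show nat'. A rule stuck at 0 across
    representative flows is shadowed by an earlier rule."""
    counts = {label(r): 0 for r in rules}
    for flow in flows:
        hit = first_match(objects, rules, *flow)
        if hit:
            counts[label(hit[1])] += 1
    return counts


def move_to_bottom(rules, number):
    """Reorder as Ed did: push rule 'number' (1-based) to the end of section 1."""
    return [r for i, r in enumerate(rules, start=1) if i != number] + [rules[number - 1]]


# Constructed configuration in the order the thread started with: broad rule first.
CONFIG_AS_POSTED = """
object network DMZ_subnet
 subnet 10.1.213.0 255.255.255.0
object network VPN-Pool
 subnet 172.16.50.0 255.255.255.0
nat (dmz-2,outside) source static any any destination static VPN-Pool VPN-Pool
nat (dmz-2,outside) source static DMZ_subnet DMZ_subnet destination static VPN-Pool VPN-Pool
"""

# Constructed sample flows: two dmz-2 hosts answering VPN clients, a host
# routed behind dmz-2 (assumed 192.0.2.44) answering a client, a non-VPN
# dmz-2 flow to the Internet, and a flow arriving on the other DMZ interface.
SAMPLE_FLOWS = [
    ("dmz-2", "10.1.213.10", "172.16.50.5"),
    ("dmz-2", "10.1.213.20", "172.16.50.9"),
    ("dmz-2", "192.0.2.44", "172.16.50.5"),
    ("dmz-2", "10.1.213.10", "203.0.113.7"),
    ("dmz", "10.1.212.10", "172.16.50.5"),
]


def demo():
    objects, rules = parse_config(CONFIG_AS_POSTED)
    before = hit_counts(objects, rules, SAMPLE_FLOWS)
    after = hit_counts(objects, move_to_bottom(rules, 1), SAMPLE_FLOWS)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("as posted :", before)   # specific rule never matches
    print("reordered :", after)    # specific rule takes the DMZ_subnet flows
```

On a real ASA the same check is "show nat" (a section 1 rule whose translate_hits stays at 0 while traffic is flowing is the shadowing signature) and "packet-tracer", whose NAT phase names the rule the flow actually matched.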

Hello Ed,

Great to hear that.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC