ASA 5505 Static Routes issues

ciunetworks
Level 1

I am having an issue with the asa 5505 and adding static routes.  Whenever I add my static routes, the internet stops working.  Can someone help with my config and what I am missing?  Here is what I need it to do and attached is the current config.

ASA 5505 outside interface = 24.24.24.130/24 with default route of 24.24.24.129

DHCP of 10.10.10.100-199 uses PAT to access the internet

24.24.24.130 is on a site to site VPN and answers to VPN clients.

I need to add:

24.24.24.131 to map to 10.10.10.24

24.24.24.132 to map to 10.10.10.9

And I need to allow

www on 24.24.24.131

59002 on 24.24.24.132

I need more in the access list, but I have that done already.

Here is the static route I am entering that kills all internet traffic,

static (inside,outside) 24.248.96.131 10.10.10.24 netmask 255.255.255.255 25 0

static (inside,outside) 24.248.96.132 10.10.10.9 netmask 255.255.255.255 25 0


Jennifer Halim
Cisco Employee

Sorry, but can you please confirm if there is a typo in your outside subnet?

You mentioned that ASA outside is 24.24.24.130/24, but the static NAT statements that you have configured are 24.248.96.131 and 24.248.96.132? I assume those are just typos.

And also when you say you are trying to add static routes, you mean static NAT, right? Not trying to correct you, but just trying to understand if we are on the same page.

Assuming that you are trying to map the following as advised:

24.24.24.131 to map to 10.10.10.24

24.24.24.132 to map to 10.10.10.9

Then the static NAT statement should be:

static (inside,outside) 24.24.24.131 10.10.10.24 netmask 255.255.255.255

static (inside,outside) 24.24.24.132 10.10.10.9 netmask 255.255.255.255

After the changes, please "clear xlate". When you say internet stops working, please check if internet is working from the following:

1) 10.10.10.24

2) 10.10.10.9

3) Any other ip address in the 10.10.10.0/24 subnet but the above 1) and 2)

4) Can the ASA ping 4.2.2.2?
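The corrected statements above, placed in context, as an added example that is not the original poster's configuration nor the replier's: a pre-8.3 ASA configuration (the `static (inside,outside)` syntax used in this thread) that combines the PAT for the DHCP range, the two one-to-one static NATs, and an inbound access list that opens only www on .131 and tcp/59002 on .132. The interface addresses, servers and ports come from the thread; the ACL name `outside_access_in` and the NAT id `1` are my assumptions.

```cisco
! Added example, not the poster's config. Pre-8.3 ASA syntax, addresses from the thread.
! ACL name outside_access_in and NAT id 1 are assumptions.

! Dynamic PAT behind the outside interface address for the inside network
! (covers the DHCP range 10.10.10.100-199)
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0

! One-to-one static NAT for the two servers. In pre-8.3 code a static
! translation takes precedence over the nat/global pair above, so
! 10.10.10.24 and 10.10.10.9 leave as .131 and .132, not as the PAT address.
static (inside,outside) 24.24.24.131 10.10.10.24 netmask 255.255.255.255
static (inside,outside) 24.24.24.132 10.10.10.9 netmask 255.255.255.255

! Inbound ACL on outside. Pre-8.3 ACLs match the mapped (public) address,
! and only the two services the thread asks for are exposed.
access-list outside_access_in extended permit tcp any host 24.24.24.131 eq www
access-list outside_access_in extended permit tcp any host 24.24.24.132 eq 59002
access-group outside_access_in in interface outside

! Default route to the ISP gateway named in the thread
route outside 0.0.0.0 0.0.0.0 24.24.24.129 1

! After changing translations, drop existing xlates so new ones are built
clear xlate
show xlate
```

The `show xlate` output should list a Global/Local pair for each static entry plus PAT entries for the other inside hosts; if .131 or .132 shows up as a PAT entry instead, the static statement did not take effect.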

Jennifer.. Thanks for your reply.

yes the other IPA is just a typo

I have added the static route back in and cleared the xlate, here is what is happening.

1) 10.10.10.24 - Internet is not working

2) 10.10.10.9 - internet is not working

3) 10.10.10.0/24 - all are working fine... I missed it the other day, but 10.10.10.24 is my internal DNS server. If he cannot get out, no one gets DNS resolution

4) Can the ASA ping 4.2.2.2? - ASA can ping 4.2.2.2 and the rest of the world just fine.

Do I need something in my access list to allow tcp traffic for 10.10.10.24?  I do have www listed in my outside access list.  but it seems that outgoing traffic is being blocked?

If I do a show xlate, it shows the Global statis routes and the PAT routes correctly.

Great, thanks for the update.

If 3) and 4) work just fine, that means the public ip addresses for 10.10.10.24 and 10.10.10.9 are the ones which are not working (ie: 24.24.24.131 and 24.24.24.132 respectively).

Issues are most probably the arp cache for 24.24.24.131 and 24.24.24.132, most times on the router upstream to the ASA.

Please kindly confirm that 24.24.24.131 and 24.24.24.132 are unique IP addresses that are not used by other devices. You might want to clear the arp cache on the upstream router, or normally reloading the router will clear the arp cache.

Jennifer,  131 and 132 are unique and work perfectly.  I am trying to replace my PIX 515e.  He has the same config on him and it works perfectly.  When the PIX 515e is plugged in, 10.10.10.24 can browse the internet and has the exact same static route.

I am on a Fiber connection. My ISP has the router and just delivers an Ethernet connection, I could try and call them to clear the arp cache. Maybe it binds to the MAC of the PIX 515e?

Could it be something else I am missing?  I have had the ASA plugged in now for an hour.

Absolutely correct. The MAC Address for .131 and .132 might still bind to your PIX515E, hence clearing the arp cache normally clears the binding.

I am calling the ISP now... but if I do a "sh route" shouldn't I see that static route listed?

"show route" will not show you anything as they are in the same subnet as your ASA outside interface.

You would need to check the "show arp" output of your upstream router.
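The checks described in the two replies above, as an added example that is not part of the thread: the static NAT addresses live in the outside subnet, so the ASA answers ARP for them itself (proxy ARP) and they never appear in its own `show route` or `show arp`; what can be verified is the translation on the ASA, a simulated flow with `packet-tracer`, and the MAC that the upstream router has bound to .131/.132. Addresses are from the thread; the 203.0.113.5 test source is a documentation address I chose, and the upstream router commands assume Cisco IOS.

```cisco
! Added example, not from the thread. ASA side first, upstream router second.
! 203.0.113.5 is a chosen test source; IOS syntax on the upstream router is assumed.

! --- On the ASA ---
! The static entries should appear as Global 24.24.24.131 Local 10.10.10.24 etc.
show xlate

! The ASA's own MAC on outside: this is what the upstream router must have
! cached for .131 and .132 after the PIX is unplugged
show interface outside | include MAC

! .131/.132 will NOT be listed here; the ASA proxy-ARPs for them on outside,
! so only real neighbours (the .129 gateway, inside hosts) show up
show arp

! Simulate an inbound web connection to the mapped address.
! Every phase (ROUTE-LOOKUP, ACCESS-LIST, NAT) should end in ALLOW.
packet-tracer input outside tcp 203.0.113.5 12345 24.24.24.131 80

! Simulate the DNS server going out to the 4.2.2.2 test address used in the thread.
! The NAT phase should pick the static translation, not the interface PAT.
packet-tracer input inside udp 10.10.10.24 53000 4.2.2.2 53

! --- On the upstream (ISP) router ---
! The hardware address shown for .131 and .132 must match the ASA outside MAC
! from the show interface output above; a stale PIX MAC here explains the symptom.
show arp | include 24.24.24.13
! Flush the stale bindings so the next packet to .131/.132 re-ARPs and the ASA answers
clear arp-cache
```

If `packet-tracer` already shows ALLOW for the inbound flow but the host is still unreachable from the internet, the problem is outside the ASA, which is exactly the stale ARP binding on the neighbour that the replies point at.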

I had the arp cache cleared and still no go??? I'm stumped. Any other ideas?

Which device did you clear the arp cache on?

Can you share the output of "show arp" from the ASA and I assume that you have no access to your ISP router?

sh arp
        inside 10.10.10.25 0018.71e4.ff1d 0
        inside 10.10.10.22 0017.0853.37f0 1
        inside 10.10.10.24 001e.0b1f.66c8 41
        inside 10.10.10.110 0022.64be.12b6 48
        inside 10.10.10.100 0024.8121.6f90 56
        inside 10.10.10.20 0026.557e.bf14 70
        inside 10.10.10.111 0024.8121.3a10 82
        inside 10.10.10.105 0021.5abd.dfd3 421
        inside 10.10.10.88 0023.7d4c.b2b1 422
        inside 10.10.10.114 0024.8121.3999 425
        inside 10.10.10.31 0024.8121.6f90 434
        inside 10.10.10.112 0019.bb46.7491 436
        inside 10.10.10.26 000f.fe35.b9a4 455
        inside 10.10.10.81 0015.60a6.a0a8 455
        inside 10.10.10.92 0016.17e1.f11f 455
        inside 10.10.10.80 0015.60a3.4e90 457
        inside 10.10.10.70 001e.0b82.4a73 458
        inside 10.10.10.113 0023.7d4a.79a1 458
        outside 24.24.24.129 001f.9ed1.fdc0 457

I do not have access to the router, but can verify that 131 works perfectly on the PIX and that the arp cache was cleared.

It works fine with the PIX, hence the upstream router will still have the MAC address of the PIX bound to .131 and .132. Until you clear the arp on the upstream router itself, it will not work on the ASA.

Quick fix is to reload the ISP router as it would clear the arp table.

Yeah... tried that... Went thru the whole clearing the arp cache on the router twice with my ISP...

But.. I did get it working. Very strange though. I even tried new External IPAs that had never been used and nothing. So I decided to go into the ASDM, which I usually hate.... I saw my static NAT rule. I clicked on it, clicked on edit. All looked good, so I hit apply and save. It worked!!! That server could now see the internet and all my outside rules work. The IPA for 132 still did not, so I did the same and voila... I don't get it! The config looks the exact same. I will post it in a bit.

Thanks for all your help...

Great to hear and thanks for the update. Let us know how it goes with .132.

Well... the static route seems to be working, but I am having a problem. I can only receive email on my server, I cannot send.

Any reason on the asa that would block my outbound smtp?  Everything else is working perfectly.