ASA5505 -- inside interface routing

Unanswered Question

I have two networks behind my ASA 5505 inside interface -- is directly connected, but is connected via a router. I added a route to in the ASA, and I can browse web sites and initiate PPTP sessions to an internet-connected PPTP server.

But if I try to get from to, my outbound packets get to (I did a packet capture), but my replies from to never get there and the ASA logs "regular translation creation failed for icmp src inside:192.168.1.x dst inside:".

I've tried a NAT exemption, but all that does is change the error to "no translation group found".

Is there any way to allow the ASA to route packets off its internal interface without translation?

jeff_groesbeck Tue, 07/29/2008 - 17:02

Hello. This sounds like a common problem that I see. It sounds like the router you are mentioning has an interface on the network, correct? Also, you have a route in the ASA to the network through the IP address of the router that is on the network. It sounds like the traffic from the 200.x net is getting to the router, the router has a directly connected interface to 1.x and sends the traffic out on the wire. The 1.x host then tries to respond, but doesn't have its own route to the 200.x net, so it sends it to its default gateway (the ASA on the 1.x net).

The problem is, the ASA will not support ICMP redirect. ICMP redirect is what allows a host to 're-learn' the route to a subnet through another path. If the ASA were a router in this instance, it would send a 'redirect' to the 1.x host telling it that the 200.x host was actually reachable through the router and not the ASA. All subsequent traffic would go through the router. Since the ASA does not support this (security reasons), the host can't actually reach the 200.x subnet.

The best way to fix this is to put a default route on the router that points to the ASA (Internet hosts, etc...) and point your 1.x hosts to the router as their default gateway. All Internet traffic will be ICMP redirected to the ASA and all 200.x traffic will go to the appropriate interface of the router. Anyway, if you have any other questions, please ask.

Thank you,


I thought about that, as well as the idea of just adding a static route to the network on the 3-4 hosts affected (very small network).

The former solution, making the inside router the default router, unfortunately won't work. I lied to simplify the situation -- the network is actually assigned to PPTP clients from another firewall, and the route to .200 is actually via this other firewall. Since this firewall is *also* connected to the internet, making it the default router effectively eliminates the ASA (also a solution itself, but not one I want).

I think there may be some other NAT issue. Attached is the packet-trace output.

jeff_groesbeck Wed, 07/30/2008 - 09:22

I looked into this some more. It looks like I was wrong and the ASA/PIX will allow this traffic after 7.2x something. Anyway, sorry about that. Just been stuck in how it 'used' to work. How did you do your NAT exemption?



olivier.jessel Thu, 07/31/2008 - 05:12

Have you tried to set the NAT ACL like this:

global (inside) 1 interface

nat (inside) 1 access-list nat_for_internal_net

access-list nat_for_internal_net extended permit ip

route inside 192.168.1.x 1

where x is the IP of the router on this subnet

Be careful to use an unused number for the global NAT... I wrote 1 but it's only an example.
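The configuration below is an added worked example, not code posted by anyone in this thread. It shows the pre-8.3 ASA (7.2 through 8.2) way to route a packet back out the inside interface without translating it: the catch-all NAT that typically produces "regular translation creation failed", followed by the intra-interface permit, the static route and a NAT exemption. The addresses are assumptions (192.168.1.0/24 for the directly connected LAN, 192.168.200.0/24 for the PPTP client pool, 192.168.1.254 for the other firewall's LAN address); the thread only gives "1.x" and "200.x". On 8.3 and later the nat/global/static commands were replaced by object NAT, so this syntax does not apply there.

```cisco
! Assumed topology (not stated verbatim in the thread):
!   ASA inside interface        192.168.1.1/24
!   LAN behind the ASA          192.168.1.0/24
!   other firewall on the LAN   192.168.1.254   (the "x" in the thread)
!   PPTP client pool behind it  192.168.200.0/24
! ASA 7.2 - 8.2 syntax.

! --- What typically produces "regular translation creation failed" ---
! A catch-all dynamic NAT on inside with a global only on outside:
! inside-to-inside traffic matches nat id 1, there is no global for the
! inside interface, so no xlate can be built and the packet is dropped.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- Fix: hairpin on inside and exempt the flow from translation ---

! 1. Allow a packet to enter and leave the same interface. Without this
!    the hairpinned packet is dropped before NAT is even considered.
same-security-traffic permit intra-interface

! 2. Static route to the PPTP pool via the other firewall's LAN address.
route inside 192.168.200.0 255.255.255.0 192.168.1.254 1

! 3. NAT exemption for LAN <-> PPTP pool. nat 0 with an access-list is
!    evaluated before the dynamic nat statements and is bidirectional,
!    so nat id 1 no longer claims this flow in either direction.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 4. Verify from the ASA before touching hosts (commands exist on 7.2+):
!    packet-tracer input inside icmp 192.168.1.10 8 0 192.168.200.10
!      -> the trace should end with "Action: allow" and the route lookup
!         phase should show the egress interface as inside.
!    show xlate
!      -> no entry for 192.168.1.10 should appear for this flow.
!    show logging | include 192.168.200.
!      -> no further "translation creation failed" or
!         "no translation group found" lines for the flow.
```

Two caveats a practitioner should keep in mind. First, once intra-interface traffic is permitted, the access-group applied to inside (if any) is enforced on the hairpinned packets too, so it must permit 192.168.1.0/24 to 192.168.200.0/24. Second, the return path in this topology is asymmetric: the other firewall delivers replies straight onto the LAN, so the ASA sees only the outbound half of each connection. ICMP echo works, but for TCP the ASA will not see the SYN/ACK and will drop the client's following ACK as out of state (8.2+ can relax this with `tcp-state-bypass` in a policy map). The cleaner fix, which the original poster already considered, is a static route for 192.168.200.0/24 via 192.168.1.254 on the handful of LAN hosts, which keeps the ASA out of the path entirely.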

