Solved: asa 5510 - Routing failed (inside to dmz)

scalacisco · ‎07-31-2008

Hi All,

I'am facing somehing not very hard but i cannot figure out how to solve it !

The actual configuration let me access :

- From Inside to internet

- From Outside to DMZ (one web server)

But i cannot access my web server from the inside interface, i get the following error :

"Routing failed to locate next hop for TCP from inside:192.168.1.2/1224 to dmz:x.y.50.144/8080".

I get my main route from the DHCP server (ip address dhcp setroute). I don't know which static route but i guess, i have to add one in order solve it.

BTW, how do i check for my actual route with ASDM ?

Thanks for your kind help,

-sh run---------

: Saved

:

ASA Version 8.0(2)

!

hostname ciscoasa

domain-name asaname

names

!

interface Ethernet0/0

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet0/1

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/2

nameif dmz

security-level 50

ip address 10.30.30.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.7.88 255.255.255.0

management-only

!

passwd xxx

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name hosting.scala.eu

access-list outside_access_in extended permit tcp any interface outside

pager lines 24

logging enable

logging asdm informational

mtu management 1500

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 200 interface

nat (inside) 200 0.0.0.0 0.0.0.0

static (dmz,outside) tcp interface 8080 10.30.30.30 8080 netmask 255.255.255.255

static (dmz,inside) 10.30.30.30 x.y.50.144 netmask 255.255.255.255

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.255 inside

http 192.168.7.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.7.89-192.168.7.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

: end

asdm image disk0:/asdm-602.bin

no asdm history enable

-------------

acomiskey · ‎07-31-2008

Is x.y.50.144 the public address of the webserver? If so, I would do something like this.

static (dmz,inside) x.y.50.144 10.30.30.30 netmask 255.255.255.255

Also, take the route out that you added.

View solution in original post

acomiskey · ‎07-31-2008

You need to add a route on the ASA to x.y.50.144.

route dmz x.y.50.144 255.255.255.255

scalacisco · ‎07-31-2008

So i added "route dmz x.y.50.144 255.255.255.255 10.30.30.1 1"

Works better, i mean, now, the message is more informal but i still cannot access web server, the only infomation i have is "Built outbound TCP connection 1978 for dmz:x.y.50.144/8080 (10.30.30.30/8080) to inside:192.168.1.2/1225 (192.168.1.2/1225)" then "Teardown TCP connection 1978 for dmz:x.y.50.144/8080 to inside:192.168.1.2/1225 duration 0:00:30 bytes 0 SYN Timeout".

The result of a show route give me that:

Gateway of last resort is v.w.50.254 to network 0.0.0.0

C x.y.50.0 255.255.255.0 is directly connected, outside

C 10.30.30.0 255.255.255.0 is directly connected, dmz

C 192.168.7.0 255.255.255.0 is directly connected, management

C 192.168.1.0 255.255.255.0 is directly connected, inside

d* 0.0.0.0 0.0.0.0 [1/0] via v.w.50.254, outside.

acomiskey · ‎07-31-2008

Is x.y.50.144 the public address of the webserver? If so, I would do something like this.

static (dmz,inside) x.y.50.144 10.30.30.30 netmask 255.255.255.255

Also, take the route out that you added.

scalacisco · ‎07-31-2008

Well ..... PEEEERFECT ! Yes, it is the web server public address. So i took out the route you gave me and added "static (dmz,inside) x.y.50.144 10.30.30.30 netmask 255.255.255.255 "

Thank you !

I have "static (dmz,inside) 10.30.30.30 x.y.50.144 netmask 255.255.255.255" in my conf, do i have to remove it ?

acomiskey · ‎07-31-2008

Glad it worked. I would remove the other static.

Please rate posts you found helpful.