Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5505 initial build - Failed to locate egress interface (Please help :-) )

Hi, I have just purchased a ASA 5505 and have completed the initial setup via the wizard.  I am currently unable to access services on the outside of the ASA. 

The error: 'Failed to locate egress interface for UDP from inside'....  appears when ever my DNS server attempts a lookup. 

I have configured this several times from scratch using the wizard and I am unable to figure out the issue with the NAT / Routing config. 

If I run the packet tracer I get the error: "(no-route) no route to host", however I do have a default route configured so I suspect it maybe my NAT configuration. 

Overview, 192.168.10.0/24 inside the ASA, 192.168.1.0/24 outside the ASA, 192.168.1.1 is the gateway to the internet.  I ideally want the ASA to use PAT to mask the 192.168.10.0/24 network behind the ASAs 192.168.1.0/24 network address but still allow clients to gain internet access. 

Full config follows, screen shots attached, any help would be very gratefully received. 

 

Result of the command: "sh run"

: Saved
:
ASA Version 9.0(1)
!
hostname firewall
enable password (REMOVED) encrypted
passwd (REMOVED) encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan5
 no nameif
 security-level 50
 ip address dhcp
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Server1
 host 192.168.10.10
object network GoogleDNS1
 host 8.8.8.8
 description Google DNS Server
object network GoogleDNS2
 host 8.8.4.4
 description Google DNS Server
object network 192.168.10.x
 subnet 192.168.10.0 255.255.255.0
object network InternetRouter
 host 192.168.1.1
object-group network DM_INLINE_NETWORK_1
 network-object object GoogleDNS1
 network-object object GoogleDNS2
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list inside_access_in remark External DNS Lookups
access-list inside_access_in extended permit udp object Server1 object-group DM_INLINE_NETWORK_1 eq domain
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 255.255.255.255 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:(REMOVED)
: end

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Your default route statement

Your default route statement is incorrectly formed. You have:

route outside 0.0.0.0 255.255.255.255 192.168.1.1 1

and it should be:

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

9 REPLIES
Hall of Fame Super Silver

Your default route statement

Your default route statement is incorrectly formed. You have:

route outside 0.0.0.0 255.255.255.255 192.168.1.1 1

and it should be:

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

New Member

Hi Marvin,Thank you so much

Hi Marvin,

Thank you so much for your reply, I have changed the route as per your recommendation and applied the configuration, however I still get the same results with the packet trace.  (no-route) No route to host.

Any thoughts?

Thanks.

Hall of Fame Super Silver

You did delete the incorrect

You did delete the incorrect route, yes? If you didn't it's still in there.

Please provide the output of:

show run route

packet-tracer input inside udp 192.168.10.10 53 8.8.8.8 53

New Member

Yes, I did delete the

Yes, I did delete the incorrect route, and also applied the configuration.  Here is the output:

Result of the command: "show run route"
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
 
Result of the command: "packet-tracer input inside udp 192.168.10.10 53 8.8.8.8 53"
Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
Hall of Fame Super Silver

Hmm, the routing looks good

Hmm, the routing looks good now.

Can you verify that the outside interface (Ethernet0/0) is UP/UP:

"show interface Eth0/0"

New Member

Ah.  That switch port had

Ah.  That switch port had gone into error disable before my last test, I have changed the cable and the interfaces are now clean of errors. (Apologies)

I have now retested and its working! I have double checked and it looks like my issue was all down to that default gateway setting being incorrect. 

As you said, it should have read:

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

Thank you for all your help with this. I am really very grateful. 

Disregards my comment just

Disregards my comment just now then :)

Hall of Fame Super Silver

You're welcome. Funny how the

You're welcome. Funny how the simplest things can sometimes trip us up.

Thanks for the rating.

Just to want to be sure, can

Just to want to be sure, can you post output from show int ip brie and show route? And try to remove your ACL for testing purpose or at least don't applied it anywhere yet. 

Once done, try do another packet-tracer to 8.8.8.8 using icmp packet instead of UDP paste the whole the output here. Before doing this, add icmp any any outside command on the ASA.

I know this should have anything to do with your issue, because if ACL is the issue then you will see output being denied by ACL on the packet tracer output. Let us know the results.

 

 

4163
Views
0
Helpful
9
Replies
CreatePlease login to create content