Cisco Support Community

New Member

ASA 5505 initial build - Failed to locate egress interface (Please help :-) )

Hi, I have just purchased an ASA 5505 and have completed the initial setup via the wizard. I am currently unable to access services on the outside of the ASA.

The error: 'Failed to locate egress interface for UDP from inside'.... appears whenever my DNS server attempts a lookup.

I have configured this several times from scratch using the wizard and I am unable to figure out the issue with the NAT / Routing config.

If I run the packet tracer I get the error: "(no-route) no route to host", however I do have a default route configured so I suspect it may be my NAT configuration.

Overview, inside the ASA, outside the ASA, is the gateway to the internet. I ideally want the ASA to use PAT to mask the network behind the ASA's network address but still allow clients to gain internet access.

Full config follows, screen shots attached, any help would be very gratefully received. 


Result of the command: "sh run"

: Saved
ASA Version 9.0(1)
hostname firewall
enable password (REMOVED) encrypted
passwd (REMOVED) encrypted
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Vlan5
 no nameif
 security-level 50
 ip address dhcp
ftp mode passive
object network obj_any
object network Server1
object network GoogleDNS1
 description Google DNS Server
object network GoogleDNS2
 description Google DNS Server
object network 192.168.10.x
object network InternetRouter
object-group network DM_INLINE_NETWORK_1
 network-object object GoogleDNS1
 network-object object GoogleDNS2
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list inside_access_in remark External DNS Lookups
access-list inside_access_in extended permit udp object Server1 object-group DM_INLINE_NETWORK_1 eq domain
access-list inside_access_in extended permit tcp any object-group DM_INLINE_TCP_1
access-list inside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0

dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context
no call-home reporting anonymous
: end

Accepted Solutions
Hall of Fame Super Silver

Your default route statement is incorrectly formed. You have:

route outside 1

and it should be:

route outside 1
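
As an added example (not part of the original thread and not Cisco's code): a small Python check of the static route statements in a saved ASA configuration, which on the ASA take the form `route <interface> <destination> <mask> <gateway> [distance]`. The sample configuration and its addresses are constructed, and `parse_interfaces` and `check_routes` are hypothetical helper names.

```python
import ipaddress
# Constructed sample (documentation addresses), not the poster's configuration.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 192.0.2.2 255.255.255.0
route outside 0.0.0.0 255.255.255.0 192.0.2.1 1
"""

def parse_interfaces(config):
    """Map each nameif to the connected network from its 'ip address' line."""
    nets, name = {}, None
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):
            name = None  # a new top-level command ends the interface block
        elif words[:1] == ["nameif"] and len(words) == 2:
            name = words[1]
        elif words[:2] == ["ip", "address"] and len(words) >= 4 and name:
            nets[name] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
    return nets

def check_routes(config):
    """Return a list of problems with the static 'route' statements."""
    nets, problems, has_default = parse_interfaces(config), [], False
    for line in config.splitlines():
        words = line.split()
        if line.startswith(" ") or words[:1] != ["route"]:
            continue
        if len(words) not in (5, 6):  # route <if> <dest> <mask> <gateway> [distance]
            problems.append(f"malformed: {line!r}")
            continue
        ifname, dest, mask, gateway = words[1:5]
        try:
            network = ipaddress.ip_network(f"{dest}/{mask}")
            gw = ipaddress.ip_address(gateway)
        except ValueError as err:
            problems.append(f"bad address in {line!r}: {err}")
            continue
        if ifname not in nets:
            problems.append(f"interface {ifname!r} has no nameif/static address")
        elif gw not in nets[ifname]:
            problems.append(f"gateway {gw} not on {ifname} subnet {nets[ifname]}")
        has_default = has_default or network.prefixlen == 0
    return problems if has_default else problems + ["no default route (0.0.0.0 0.0.0.0)"]
```

The constructed sample carries a route whose mask is not `0.0.0.0`, so it parses cleanly but is reported as leaving the configuration without a default route.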

New Member

Hi Marvin,

Thank you so much for your reply, I have changed the route as per your recommendation and applied the configuration, however I still get the same results with the packet trace.  (no-route) No route to host.

Any thoughts?


Hall of Fame Super Silver

You did delete the incorrect route, yes? If you didn't it's still in there.

Please provide the output of:

show run route

packet-tracer input inside udp 53 53

New Member

Yes, I did delete the incorrect route, and also applied the configuration.  Here is the output:

Result of the command: "show run route"
route outside 1
Result of the command: "packet-tracer input inside udp 53 53"
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

Hall of Fame Super Silver

Hmm, the routing looks good now.

Can you verify that the outside interface (Ethernet0/0) is UP/UP:

"show interface Eth0/0"

New Member

Ah.  That switch port had gone into error disable before my last test, I have changed the cable and the interfaces are now clean of errors. (Apologies)

I have now retested and it's working! I have double-checked and it looks like my issue was all down to that default gateway setting being incorrect.

As you said, it should have read:

route outside 1

Thank you for all your help with this. I am really very grateful. 

Disregard my comment just now then :)

Hall of Fame Super Silver

You're welcome. Funny how the simplest things can sometimes trip us up.

Thanks for the rating.

Just want to be sure, can you post output from show int ip brie and show route? And try to remove your ACL for testing purposes, or at least don't apply it anywhere yet.

Once done, try doing another packet-tracer using an ICMP packet instead of UDP and paste the whole output here. Before doing this, add the icmp any any outside command on the ASA.

I know this should have anything to do with your issue, because if ACL is the issue then you will see output being denied by ACL on the packet tracer output. Let us know the results.