Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4181
Views
0
Helpful
21
Replies

ASA 5510 and static route

mnetworks
Level 1
Level 1

‎05-21-2007 04:41 AM - edited ‎03-11-2019 03:17 AM

Hi all.

This is my first setup of a Cisco ASA box.

I'm having a lot of problems with use of static route

If I make a PING from the ASA box, I get a replay.

But if the ping comes from a computer, I keep getting: Deny inbound icmp src inside:XXX des inside:YYY (Type 8, code 0)

I have tried to make a NAT rule for this, but I cannot make a role src inside, drs inside

Can any one help me whit this?

Thanks?

Best regards.

Stig B.

Labels:
0 Helpful
21 Replies 21

acomiskey
Level 10
Level 10
In response to srue

‎05-22-2007 05:53 AM

srue, he is trying to hairpin inside, not pat to the outside.

mnetworks,

Mind if we try something else?

no global (LAN) 200 interface

access-list LAN_nat0_outbound extended permit ip any 192.168.168.0 255.255.255.0

Then try to ping something on 192.168.168.0.

0 Helpful

mnetworks
Level 1
Level 1
In response to acomiskey

‎05-22-2007 06:38 AM

Sorry, no connection.

The log says:

6|May 22 2007 16:40:41|302021: Teardown ICMP connection for faddr 192.168.163.11/512 gaddr 192.168.168.12/0 laddr 192.168.168.12/0

On a computer, on the 192.168.168.x network I can ping 192.168.163.1

Thanks...

0 Helpful

acomiskey
Level 10
Level 10
In response to mnetworks

‎05-22-2007 06:45 AM

Yes, you can ping from 192.168.168 to 192.168.163 because it is not being routed through the ASA. Maybe the problem is the return traffic from 192.168.168.12 must be routed back to inside of ASA. As it stands now, the return traffic from the ping would not, it would be routed directly from 192.168.163.30 to 192.168.163.11. Maybe try to add a static route on 163.30 like this.

ip route 192.168.163.11 255.255.255.255 192.168.163.1

This would force the return traffic to inside of ASA.

0 Helpful

acomiskey
Level 10
Level 10
In response to acomiskey

‎05-22-2007 07:08 AM

Another way to force traffic to the ASA would be to nat the traffic 192.168.163.x to 192.168.168.x like this.

access-list nat_to_168 extended permit ip 192.168.163.0 255.255.255.0 192.168.168.0 255.255.255.0

global (inside) 20 interface

nat (inside) 20 access-list nat_to_168

0 Helpful

acomiskey
Level 10
Level 10
In response to acomiskey

‎05-23-2007 09:59 AM

Have you had any luck with this?

0 Helpful

srue
Level 7
Level 7
In response to acomiskey

‎05-23-2007 10:05 AM

what kind of device is 192.168.163.30? is this a router? multi layer switch?

0 Helpful

acomiskey
Level 10
Level 10
In response to srue

‎05-23-2007 10:06 AM

Router

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card