10-28-2013 03:37 AM - edited 03-11-2019 07:56 PM
Hi,
I have configured the CX to filter URLs, however I am having issues with the updates. It seems that the CX module can't access the internet.
How do I configure the CX/management interface of the ASA to reach the internet so that it can perform updates?
Cheers,
Ash
10-29-2013 10:13 AM
OK, so in that case the replies should show up as outbound traffic on the ASA inside interface to the CX Management IP address. Does a capture show them?
10-29-2013 10:17 AM
No, the replies aren't showing.
I can ping from the core switch sourced from any VLAN except the CX VLAN.
10-29-2013 10:34 AM
Does the ASA know to route the replies back via the core switch? If it also has its management address on the same subnet, that could be the issue since it thinks that network is connected.
Try adding a /32 route on the ASA inside interface for both the CX VLAN SVI and the CX Management address.
10-29-2013 02:32 PM
I previously had a /32 route for the CX interface, however I did add the route for the CX VLAN SVI. Still not able to get out. I ran a packet tracer and got the following output -
packet-tracer input insid icmp 10.0.125.2 0 8 4.2.2.2 det
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9f3b3350, priority=13, domain=capture, deny=false
hits=236269, user_data=0x7fff9dfbec70, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9f2fe570, priority=1, domain=permit, deny=false
hits=27398061, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network CX-MANAGEMENT
nat (inside,outside) dynamic interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff984e5750, priority=6, domain=nat, deny=false
hits=207, user_data=0x7fffa1ea9380, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.0.125.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9e8fb6e0, priority=0, domain=nat-per-session, deny=true
hits=418401, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9f307540, priority=0, domain=inspect-ip-options, deny=true
hits=1321622, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-cluster-unassigned-pool) NAT unassigned pool in cluster
10-30-2013 06:29 AM
Well from that last trace, it's reporting an issue with your NAT setup. Can you share the network object and associated NAT configuration?
10-30-2013 09:08 AM
object network CX-MANAGEMENT
subnet 10.0.125.0 255.255.255.0
object network CX-MANAGEMENT
nat (inside,outside) dynamic interface
10-30-2013 02:34 PM
Your NAT rule looks very straightforward. Unless there's another NAT rule above it in the firewall's configuration, I'm not convinced the packet-tracer output is legitimately showing what the ASA is doing. After all, your earlier post showed both translate and untranslate hits.
From the ASA inside interface can you ping the CX VLAN SVI and CX IP address (and vice versa)?
11-04-2013 01:47 AM
Hi,
I can't ping the CX SVI or CX IP address from the inside interface.
11-04-2013 02:05 AM
Could you post a full sanitized configuration of your ASA please. I am wondering if there is another NAT statement that is messing things up.
11-04-2013 02:35 AM
Hi,
Config attached to original post
11-04-2013 05:20 AM
Your routing statements:
route inside 10.0.125.2 255.255.255.255 10.0.125.4 1
route inside 10.0.125.4 255.255.255.255 10.0.125.4 1
...will not work. They need to define the gateway on the Inside subnet (10.0.35.x). Try changing that and see if you can reach the SVI and then the CX interface. If you can, the CX should be able to get out to the Internet and receive the return traffic.
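As an added illustration of the mistake called out above (this is not from the thread or from Cisco), a small Python check that flags ASA static routes whose next hop is not on the connected subnet of the interface they name; the interface addresses in the sample config are assumptions, since the thread only says the inside subnet is 10.0.35.x.

```python
import ipaddress
import re

# Constructed config fragment modelled on the thread. The interface addresses
# are assumptions: the thread only says the inside subnet is 10.0.35.x.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 ip address 10.0.35.1 255.255.255.0
route inside 10.0.125.2 255.255.255.255 10.0.125.4 1
route inside 10.0.125.4 255.255.255.255 10.0.125.4 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

def connected_networks(config):
    """Map each nameif to the subnet configured on that interface."""
    nets, stanza = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            stanza = {}           # start of an interface stanza
        elif stanza is not None and line.startswith(" "):
            m = re.match(r" +nameif (\S+)", line)
            if m:
                stanza["name"] = m.group(1)
            m = re.match(r" +ip address (\S+) (\S+)", line)
            if m:
                stanza["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            if "name" in stanza and "net" in stanza:
                nets[stanza["name"]] = stanza["net"]
        else:
            stanza = None         # left the interface stanza
    return nets

def find_unreachable_next_hops(config):
    """Return (ifc, destination, gateway) for every static route whose
    gateway is not on the connected subnet of the interface it names."""
    nets = connected_networks(config)
    bad = []
    for line in config.splitlines():
        m = re.match(r"route (\S+) (\S+) (\S+) (\S+)", line)
        if not m:
            continue
        ifc, dst, mask, gw = m.groups()
        net = nets.get(ifc)
        if net is not None and ipaddress.ip_address(gw) not in net:
            bad.append((ifc, str(ipaddress.ip_network(f"{dst}/{mask}")), gw))
    return bad

if __name__ == "__main__":
    for ifc, dst, gw in find_unreachable_next_hops(SAMPLE_CONFIG):
        print(f"route {ifc} {dst}: next hop {gw} is not on the {ifc} subnet")
```

Run against the sample, it reports exactly the two /32 routes from the thread, whose 10.0.125.4 next hop is not on the inside interface's 10.0.35.0/24 subnet and so can never be resolved.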
11-04-2013 05:27 AM
Thank you very much for your help on this
11-04-2013 05:34 AM
You're welcome. Sometimes it's the smallest things.
I was working a setup this weekend and banging on the keyboard most of the night and unable to solve one problem at the end of a string of tasks. I looked at it again after getting a good night's sleep and found the customer had misconfigured the subnet mask on one interface. Sometimes that "sort of" works - you can pass traffic and reach remote devices but EIGRP, even though it would form an adjacency, would not update routes. I changed the /16 mask to /24 and - voila - everything worked as expected.
11-04-2013 05:36 AM
Lol. Yeah, it's always the small things that come back and bite.
Once again, thanks for all the help you have given.