Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Static route problems

Hey All,

I have an ASA5510 w/ Security+ that's giving me issues with some static routes. The inside network is 192.168.1.0/24, the inside interface is 192.168.1.3. There is a second router in the network that exists at 192.168.1.180. I need any traffic destined for the subnet 192.168.20.0/24 to go to the 180 gateway. All machines use the asa(192.168.1.3) as their gateway. I have a few routes in the asa:

route inside 10.1.1.0 255.255.255.0 192.168.1.15 1
route inside 10.1.10.0 255.255.255.0 192.168.1.15 1
route inside 192.168.3.0 255.255.255.0 192.168.1.3 1
route inside 192.168.20.0 255.255.255.0 192.168.1.180 1

All machines are able to get on the internet, but none can reach the 20.x network. When I try to ping the 20.x network I get the following error in the logs of the ASA:
Deny inbound icmp src inside:192.X.X.X dst inside:10.X.X.X (type 8, code 0)

I know my routes are programmed into the 192.168.1.180 router correctly, becuase if i set a machine's gateway to be 1.180, i can ping and get to the 20.x network fine. But the ASA is preventing the routes from completing. Any ideas?

4 REPLIES
VIP Green

First off, are you able to

First off, are you able to reach your hosts on the 20.x network using different protocols, such as RDP, WWW, FTP....etc?

Could you run a packet-tracer, this will give us an idea of what setting on the ASA is dropping the traffic.

packet-tracer input inside tcp <source address> 12345 <destination address> 80 detail

 

--

Please remember to rate and select a correct answer

--

Please remember to rate and select a correct answer
New Member

Marius & Rudy,First off,

Marius & Rudy,
First off, thanks for your help!
No, I'm not able to reach my hosts using any protocols. I have a Fluke Etherscope which is running a webserver at 192.168.20.250, and i can't reach it. It seems like my traffic is making there, but unable to return, due to the ASA dropping the packets, although i may be wrong about that.
Rudy, yes that's correct. If use my router as the gateway, everything seems to work fine. When i use that ASA as my default gateway, i can't reach (or get return packets) from the 20.x network.
 Also, I guess that's correct about the ICMP-inspection policy, I never seem to be able to ping hosts on the internet.
 
Thanks Again,
Mehrzad
 
 
 
Result of the command: "packet-tracer input inside tcp 192.168.1.181 12345 192.168.20.253 80 detail"
 
Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab8c5d98, priority=1, domain=permit, deny=false
hits=2829692679, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
 
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 
  match ip inside 192.168.20.0 255.255.255.0 inside any
    static translation to 192.168.20.0
    translate_hits = 5, untranslate_hits = 1587
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.20.0/0 to 192.168.20.0/0 using netmask 255.255.255.0
 
Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab8c6e60, priority=3, domain=permit, deny=false
hits=2513198, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab8c84d0, priority=0, domain=inspect-ip-options, deny=true
hits=154410326, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Phase: 5
Type: NAT
Subtype: 
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 2383570, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaba45948, priority=1, domain=nat, deny=false
hits=2749385, user_data=0xaba45888, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Hall of Fame Super Blue

The problem is that when

-

According to you, all

According to you, all machines in your inside network is not able to ping 20.x network when the ASA is the default gateway and works fine if you use the router as the default gateway. Just like Marius said, are you able to reach 20.x using different protocol? If yes and only ICMP that is not working, then it is high likely that your ICMP policy is the cause.

I see that you have a policy map configured for inspecting icmp, but it is applied on the outside interface. 

133
Views
0
Helpful
4
Replies
CreatePlease to create content