09-08-2011 08:42 PM - edited 03-08-2019 06:42 PM
Hello,
I have an ASA 5510 device.
int0 is connected to the ISP
int1 is connected to the LAN (192.168.3.253/255.255.252.0)
What is the problem:
I need to configure the ASA to route all traffic to LAN 192.168.4.0/255.255.255.0 through 192.168.3.46.
I configured a static route on the device:
route inside 192.168.4.0 255.255.255.0 192.168.3.46 1
The problem is that if I ping the 192.168.4.z network it is OK, but HTTP or SMTP does not work.
ASA log: Teardown TCP connection 95 for inside:192.168.2.100/50240 to inside:192.168.4.6/80 duration 0:00:24 bytes 0 TCP reset-o
(192.168.2.100 is my PC, 192.168.4.6 is the web server)
If I set the gateway on a computer to 192.168.3.46 and do HTTP or SMTP to 192.168.4.6, it works.
Pls help!
Running Config
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.3.253 255.255.252.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.10.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone HKST 8
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip 192.168.0.0 255.255.252.0 192.168.4.0 255.255.255.0 log
access-list inside_access_in extended permit ip 192.168.4.0 255.255.255.0 192.168.0.0 255.255.252.0 log
access-list cap_acl extended permit tcp host 192.168.2.154 host 192.168.4.6
access-list cap_acl extended permit tcp host 192.168.4.6 host 192.168.2.154
access-list cap_acl extended permit ip host 192.168.4.6 host 192.168.2.154
access-list cap_acl extended permit ip host 192.168.2.154 host 192.168.4.6
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (inside) 101 interface
static (inside,inside) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
route inside 192.168.4.0 255.255.255.0 192.168.3.46 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.252.0 inside
http 10.10.10.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.252.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
!
prompt hostname context
Cryptochecksum:4bbbe85a4cac4ea5a2db961b73a20e33
: end
Hello,
Would you mind adding the nat (inside) 101 0 0?
We are missing that. Now let's try a packet tracer to check the result of that:
packet-tracer input inside tcp 192.168.2.100 1025 192.168.4.6 80
packet-tracer input inside tcp 192.168.4.6 1025 192.168.2.100 25 (You have allowed IP on the access-list, so do not worry about this; it is just for testing purposes.)
Please let me know the result of this,
Best Regards,
Julio
Hi Jcarvaja,
Thanks for your help, but it still does not work.
Below is the full configuration. I tried adding nat (inside) 101 0 0 and it still does not work. Any comments?
hostname asa5510a
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 203.185.4.253 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.3.253 255.255.252.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.10.253 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone HKST 8
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list inside_access_in remark Allow all outgoing traffic for the server pool from 192.168.3.225-192.168.3.253
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 inside-serverpool1 255.255.255.224 any
access-list inside_access_in remark Allow all outgoing traffic for the server pool from 192.168.3.225-192.168.3.253
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_5 inside-serverpool2 255.255.255.224 any
access-list inside_access_in remark DHCP Clients Pool with unlimited outgoing network access
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 object-group inside-clientpool1 any
access-list inside_access_in remark For all LAN users
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.252.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in remark For all LAN users
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.0.0 255.255.252.0 any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.252.0 192.168.2.0 255.255.255.224 log
access-list inside_nat0_outbound extended permit ip inside-voice 255.255.255.0 192.168.2.0 255.255.255.224 log
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.252.0 192.168.4.0 255.255.255.0 log
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 192.168.0.0 255.255.252.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 203.185.4.254 1
route inside inside-voice 255.255.255.0 192.168.3.46 1
timeout xlate 3:00:00
aaa authentication ssh console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 management
http 192.168.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
Cryptochecksum:
Hi Jcarvaja,
Another problem is that I want to access 192.168.3.0 from 192.168.4.0, but it fails.
Can you help?
Hello Alex, so you have the router on the inside as the default gateway for the PC 192.168.2.100.
Would you mind changing it to 192.168.3.253?
Just to let you know, you need to have the following:
nat (inside) 101 0 0
global (inside) 101 interface
route inside 192.168.2.0 255.255.255.0 192.168.3.46
same-security-traffic permit intra-interface
Just to confirm, run the packet tracers:
packet-tracer input inside tcp 192.168.2.100 1025 192.168.4.6 80
packet-tracer input inside tcp 192.168.4.6 1025 192.168.2.100 25
And then give me the outputs you are getting.
Hi Jcarvaja,
LAN1 192.168.0.0/22
LAN2 192.168.4.0/24
LAN 1 - ASA 0/1 inside IP: 192.168.3.253/22
0/0 outside IP: xxx.xxx.xxx.xxx
LAN 2 - router: 0/1 IP: 192.168.3.46/22
0/0 IP: 192.168.4.254
Now devices on LAN 1 have complete access to LAN 1 and LAN 2; the PCs' default gateway is 192.168.3.253.
But LAN 2 can't access LAN 1 devices; the PCs' default gateway is 192.168.4.254.
packet-tracer result:
ciscoasa# packet-tracer input inside tcp 192.168.4.6 80 192.168.2.158 80
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.252.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,inside) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
match ip inside 192.168.4.0 255.255.255.0 inside any
static translation to 192.168.4.0
translate_hits = 3, untranslate_hits = 13
Additional Information:
Static translate 192.168.4.0/0 to 192.168.4.0/0 using netmask 255.255.255.0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,inside) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
match ip inside 192.168.4.0 255.255.255.0 inside any
static translation to 192.168.4.0
translate_hits = 3, untranslate_hits = 13
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 101 (192.168.3.253 [Interface PAT])
translate_hits = 13, untranslate_hits = 0
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa#
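Added example, not from the thread or from Cisco: a small Python parser for the packet-tracer output format shown above. It splits the trace into phases and returns the first phase whose Result is DROP together with the summary Drop-reason, so the rule that denied the flow (here the nat (inside) 101 rpf-check) can be read off programmatically from a saved trace. The sample trace is a constructed excerpt modelled on the output posted above.

```python
import re

# Constructed excerpt modelled on the trace in the thread above; not the full output.
SAMPLE_TRACE = """\
Phase: 5
Type: NAT
Result: ALLOW
Config:
static (inside,inside) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
  match ip inside any inside any
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """Return (phases, summary): per-phase dicts plus the trailing 'Result:' summary block."""
    phases, summary, cur, section = [], {}, None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:  # a new phase block starts
            cur = dict(phase=int(m.group(1)), type="", subtype="", result="", config=[], info=[])
            phases.append(cur)
            section = None
        elif line == "Result:":  # bare 'Result:' opens the trailing summary block
            cur = None
        elif cur is None:  # summary lines such as 'Action: drop', 'Drop-reason: ...'
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif line.split(":")[0] in ("Type", "Subtype", "Result"):
            cur[line.split(":")[0].lower()] = line.partition(":")[2].strip()
        elif section:  # free-form lines belong to the open Config / Additional Information section
            cur[section].append(line)
    return phases, summary

def first_drop(text):
    """First DROP phase and the summary Drop-reason, or (None, None) if the packet was allowed."""
    phases, summary = parse_phases(text)
    drops = [p for p in phases if p["result"] == "DROP"]
    return (drops[0], summary.get("Drop-reason", "")) if drops else (None, None)
```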