Cisco – ASA failed to locate egress interface and NAT issues?

Tags: cisco, cisco-asa

I can't ping from Inside->Outside, DMZ->Outside, Inside->DMZ.
Packet tracer in ASDM indicates an access rule, but I cannot see it (click on the rule), and I cannot create a reverse rule from Packet tracer. When I had a similar issue it was NAT issues.
Documentation and blogs say that the ASA uses xlate (NAT) rules to route traffic first, prior to the routing table, and thus "failed to locate egress interface" (cannot route traffic) if NAT fails.
Moreover, Inside->DMZ etc. are not supposed to require any NAT or access rules to work. Just in case, I tried allow-all traffic rules, but it did not help.

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0 
!
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address 10.0.20.1 255.255.255.0 
!
interface Ethernet0/2
 nameif Outside
 security-level 0
 ip address 10.0.50.1 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup DMZ
dns domain-lookup Outside
same-security-traffic permit intra-interface
object network DMZtoOUT 
 subnet 10.0.20.0 255.255.255.0
object network DMZtoOUThttp 
 host 10.0.20.2
object network INStoOUTdyn 
 subnet 10.0.10.0 255.255.255.0
object network DMZtoOUTftp 
 host 10.0.20.2
object network INStoDMZ 
 subnet 192.168.1.0 255.255.255.0
object network InsideNetwork 
 subnet 10.0.10.0 255.255.255.0
object network TrustedUsers 
 subnet 10.0.50.0 255.255.255.128
object network UntrustedUsers 
 subnet 10.0.50.128 255.255.255.128
object network IntoOut 
 subnet 10.0.10.0 255.255.255.0
object network TEST 
 range 10.0.10.1 10.0.10.254
object network TEST2 
 range 10.0.20.1 10.0.20.254
object network FUCK 
 range 10.0.20.1 10.0.20.254
object network Insidenet 
 subnet 10.0.10.0 255.255.255.0
object network INStoOut 
 subnet 10.0.10.0 255.255.255.0
object network ANY 
 subnet 0.0.0.0 0.0.0.0
object network INtoOUT 
 subnet 10.0.10.0 255.255.255.0
object-group icmp-type ICMPALL
 icmp-object alternate-address
 icmp-object conversion-error
 icmp-object echo
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object information-request
 icmp-object mask-reply
 icmp-object mask-request
 icmp-object mobile-redirect
 icmp-object parameter-problem
 icmp-object redirect
 icmp-object router-advertisement
 icmp-object router-solicitation
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object timestamp-reply
 icmp-object timestamp-request
 icmp-object traceroute
 icmp-object unreachable
object-group service DMZservices
 service-object tcp destination eq ftp 
 service-object tcp destination eq ftp-data 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
object-group network MAPPEDINDMZ
 network-object object TEST
 network-object object TEST2
access-list inside_access_in extended permit icmp any any 
access-list Outside_access_in extended permit object-group DMZservices object TrustedUsers host 10.0.20.2 
access-list Outside_access_in extended permit tcp object UntrustedUsers host 10.0.20.2 eq www 
access-list InsideNet standard permit 10.0.10.0 255.255.255.0 
access-list DMZ_access_in extended permit icmp any any object-group ICMPALL 
access-list global_access extended permit icmp any any object-group ICMPALL 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu Outside 1500
mtu management 1500
ip local pool VPNpool 10.0.10.100-10.0.10.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.0.20.0 255.255.255.0 inside
icmp permit 10.0.10.0 255.255.255.0 inside
icmp permit host 10.0.20.1 inside
icmp permit 10.0.10.0 255.255.255.0 DMZ
icmp permit 10.0.20.0 255.255.255.0 DMZ
no asdm history enable
arp timeout 14400
nat (inside,Outside) source static InsideNetwork InsideNetwork destination static InsideNetwork InsideNetwork
!
object network DMZtoOUT
 nat (DMZ,Outside) dynamic interface
object network DMZtoOUThttp
 nat (DMZ,Outside) static interface service tcp www www 
object network DMZtoOUTftp
 nat (DMZ,Outside) static interface service tcp ftp ftp 
object network INtoOUT
 nat (inside,Outside) dynamic interface
access-group DMZ_access_in in interface DMZ
access-group Outside_access_in in interface Outside
access-group global_access global
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server NewRad protocol radius
aaa-server NewRad (DMZ) host 10.0.20.3
 timeout 5
 key *****
 authentication-port 1812
 accounting-port 1813
http server enable
http 10.0.10.0 255.255.255.0 inside
dhcpd address 10.0.10.2-10.0.10.99 inside
dhcpd enable inside
!
dhcpd address 10.0.50.2-10.0.50.254 Outside
dhcpd enable Outside
!
dhcpd address 192.168.1.2-192.168.1.254 management

Best Answer

On your identity NAT (nonat) add "route-lookup" at the end of the command to bypass the behavior of using the XLATE for the egress interface.
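The change the answer describes, with the ASA commands to apply it and to re-check each failing path, added here as an example and not part of the original answer; the source and destination hosts are constructed from the subnets in the posted config.

```text
! Identity NAT as posted: the egress interface is taken from the rule's mapped interface (Outside),
! not from the routing table
no nat (inside,Outside) source static InsideNetwork InsideNetwork destination static InsideNetwork InsideNetwork
!
! Same rule with route-lookup (the fix from the answer): the ASA now picks the egress interface
! from a route lookup instead of the interface named in the NAT command
nat (inside,Outside) source static InsideNetwork InsideNetwork destination static InsideNetwork InsideNetwork route-lookup
!
! Drop existing translations so the re-test does not reuse old xlates
clear xlate
!
! Re-run packet-tracer for each path that failed (ICMP echo: type 8, code 0); hosts are constructed examples
packet-tracer input inside icmp 10.0.10.50 8 0 10.0.50.20 detailed
packet-tracer input DMZ icmp 10.0.20.2 8 0 10.0.50.20 detailed
packet-tracer input inside icmp 10.0.10.50 8 0 10.0.20.2 detailed
!
! Confirm which NAT rule each flow matches and its hit counts
show nat detail
```

The `detailed` output of packet-tracer shows the NAT phase and the chosen egress interface, so a remaining "failed to locate egress interface" drop can be tied to the specific rule that still overrides the route.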