
Cisco ASA 5510, Two Inside Networks, Routing Error

Hey all,

Well I'm a bit perplexed by this probably easy issue (easy when you know how to fix it, I guess...)

I need to have another interface acting like a second inside subnet.  When I try to access inside hosts on the secondary inside subnet from the outside, I get a routing error:

%ASA-6-110003: Routing failed to locate next-hop for protocol from src
interface:src IP/src port to dest interface:dest IP/dest port

Actual log entry: 6      Aug 13 2012      14:48:30      110003      x.x.123.232      59147      10.2.x.x      22      Routing failed to locate next hop for TCP from outside: x.x.123.232/59147 to inside:10.2.x.x/22


I don't care about accessing the actual inside to inside subnets as I know that is probably just a NAT statement between the two subnets (I think).  I am hoping it's that simple with OUTSIDE to (secondary) INSIDE.

***********************************************

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 200.x.x.x 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.x 255.255.255.0
!
interface Ethernet0/2
 nameif aosoft
 security-level 100
 ip address 10.2.2.x 255.255.255.0

object network ITMS_VLAN
 subnet 10.1.1.0 255.255.255.0

object network AOSOFT_VLAN
 subnet 10.2.2.0 255.255.255.0

object network AOSOFT_DRAC_1
 host 10.2.2.11

access-list outside_access_in extended permit tcp any object ITMS_Exchange object-group smtp
access-list outside_access_in extended permit tcp any object AOSOFT_DRAC_1 object-group tftp

object network ITMS_Exchange
 nat (inside,outside) static 200.x.x.1

object network AOSOFT_DRAC_1
 nat (inside,outside) static 200.x.x.2

object network ANY
 nat (inside,outside) dynamic interface

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 200.x.x.x 1

***********************************************

Hopefully this makes sense....
Asked by joshuadway
1 Solution
 
Cyclops3590Commented:
Your secondary interface has a name of aosoft but doesn't have any NAT statements associated with it for inside or outside.  Once those are created and the appropriate ACLs are in place, that is all you need to be good.
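The reason for the 110003 message is visible in the posted config: the static rule for AOSOFT_DRAC_1 is written as nat (inside,outside), so when a packet for 200.x.x.2 is untranslated to 10.2.2.11 the NAT rule tells the ASA to send it out inside, while the connected route for 10.2.2.0/24 points at aosoft. The firewall gets two contradicting egress interfaces and logs "Routing failed to locate next hop ... to inside:10.2.x.x". The following is an added example of the corrected object NAT, not the thread's own config; it reuses the object names, subnets and 200.x.x.2 placeholder from the post and assumes an ASA using the 8.3+ object NAT syntax the post already shows.

```cisco
! Added example (not the asker's posted config). Addresses are the
! placeholders from the thread; 200.x.x.2 is the public IP already
! chosen for the DRAC in the original config.

! Both inside interfaces are security-level 100, so traffic between
! them is dropped by default until this is enabled.
same-security-traffic permit inter-interface

! Static NAT for the DRAC host. The real address lives on aosoft, so
! aosoft must be the real (first) interface in the rule, not inside.
! This replaces the nat (inside,outside) line under the same object.
object network AOSOFT_DRAC_1
 host 10.2.2.11
 nat (aosoft,outside) static 200.x.x.2

! Outbound PAT for the rest of the second subnet, mirroring what the
! ANY object already does for the inside interface.
object network AOSOFT_VLAN
 subnet 10.2.2.0 255.255.255.0
 nat (aosoft,outside) dynamic interface

! The existing outside_access_in entry for AOSOFT_DRAC_1 is unchanged:
! on 8.3+ the interface ACL matches the real (untranslated) address,
! so the line already in the config applies as written.
access-group outside_access_in in interface outside
```

To confirm the fix without waiting for a real connection, run packet-tracer from the outside interface toward the mapped address using the same ports as the log line, for example `packet-tracer input outside tcp x.x.123.232 59147 200.x.x.2 22`; the NAT phase should now show the aosoft interface as egress and the final result should be ALLOW rather than a route-lookup drop. `show nat detail` will also show the translate hit counters on the (aosoft,outside) rules incrementing once traffic flows.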
 
joshuadwayAuthor Commented:
GOOOD GRIEF!!!  I should just hang this up!!!  This is the second NOOB mistake I have made this month!!  

Thank you!!!  That fixed everything!!!
 
Cyclops3590Commented:
LOL.  Well maybe not hang it up, but definitely take a break.  Trust me, that happens to everyone at some point.  Just staring at it so long your brain just puts stuff in there so you see things that aren't really there.  :)
 
joshuadwayAuthor Commented:
Haha!!  Totally!!  

And that's exactly what was happening...  I had to walk an old guy through the initial changes over the PHONE...  in phonetics!!  I was certainly burnt out by the time I had control...

Thanks again!!  All is running nice and smooth...  I'm glad my config didn't have to get complicated.  I love clean!  :D