Solved

ASA firewall not routing 192.161.148.0 network through gateway

Posted on 2014-12-20
Last Modified: 2014-12-22
I am trying to reach an external site from our corporate network which has a host IP on a 192.161.148.0 network. The site is reachable from my home ISP but our firewall seems to be blocking the network. I have tried adding static routes but the packets are just expiring in transit.

I can see the packets are getting to the core switch but they seem to fail at the next hop, which is the firewall.

Any help would be much appreciated.
Cheers
0
Question by:bigfooter
12 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 40510982
Check if there's a typo on your firewall.  192.161.x.x is suspiciously close to 192.168.x.x.
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 350 total points
ID: 40511674
Is this IP hosting your website and you can't get to it? Just to make sure it's not a DNS issue!

Or simply go to

http://192.161.148.1/

and you should see this [capture]
If you execute 'show route outside 192.161.148.0' it should only respond with the gateway of last resort, is that the case?

Do this and see if you get a response

PetesASA# ping tcp outside 192.161.148.1 80
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 192.161.148.1 port 80
from 86.29.22.237, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 162/165/168 ms
PetesASA#
0
 

Author Comment

by:bigfooter
ID: 40511895
Hi,

Results are as follows:

ASALND-1# ping tcp outside 192.161.148.1 80
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 192.161.148.1 port 80
from 192.168.135.190, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASALND-1#

show route outside 192.161.148.0

Gateway of last resort is (Our Public Gateway IP) to network 0.0.0.0

The gateway IP is also defined in the static routes on the firewall:

route outside 0.0.0.0 0.0.0.0 83.***.***.** 1

Thanks
Carl
0
 

Author Comment

by:bigfooter
ID: 40511919
I just tried defining the route outside as per below and it works..?

It seems a little odd as I was under the assumption the first rule effectively pushes everything through the gateway??

route outside 0.0.0.0 0.0.0.0 83.***.***.** 1
route outside 192.161.148.134 255.255.255.0 83.***.***.** 1

We have a few other static rules in the list for our VLANs but they do not reference the 192.161.0.0 network.

route inside 192.168.134.0 255.255.255.0 192.168.135.1 1
route inside 192.168.137.0 255.255.255.0 192.168.135.1 1
route inside 192.168.139.0 255.255.255.0 192.168.135.1 1
route inside 192.168.141.0 255.255.255.0 192.168.135.1 1
route inside 192.168.144.0 255.255.255.0 192.168.135.1 1

Cheers
Carl
0
 
LVL 9

Assisted Solution

by:Donboo
Donboo earned 100 total points
ID: 40511926
You are quite right there, Carl; from the config you posted it should be sending all unknown traffic to 83.x.x.1

However, the fact that you can make a more specific route and it works says 1 of 2 things.

1. There is a reference to a larger net in the route table which includes 192.161.x.x
2. The software is bugged...

Perhaps you could post a more complete config, just dot-out specific information, so we can see where in the config it goes wrong (if it's the config)?
0
 
LVL 28

Expert Comment

by:asavener
ID: 40511951
Any routing protocols enabled?
0

 

Author Comment

by:bigfooter
ID: 40512044
Only Static from what I can see.

It may be something to do with OSPF or RIP but only guesswork from me here really.

The config will take considerable time to sanitise so just reading up.

Appreciate all your help.
0
 
LVL 9

Assisted Solution

by:Donboo
Donboo earned 100 total points
ID: 40512110
Try to remove the static route and then do a show route and see what's in the routing table and check if any route statements have a more specific route to the 192.161.x.x network.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40512519
show run | incl router
will tell you if you have any routing protocols enabled :)

Also, your response to my ping command is puzzling. You said you got this error:
No source specified. Pinging from identity interface.
Even though you specified 'outside'
Then you said
'route outside 0.0.0.0 0.0.0.0 83.***.***.** 1'
so the interface name is correct? - make sure your outside interface is called outside NOT Outside, and has no spaces in or after/before it.
0
 

Author Comment

by:bigfooter
ID: 40513001
show run | incl router did not show anything…

I can also confirm the outside interface is named without error.

It is odd actually. I just took the static route out to run the test again (ping tcp outside 192.161.148.1 80) and the ICMP was still successful?...

Unless putting the static route in updated / cleared something.

Here is the latest output with the same ‘no source specified’…

Cheers

############################################################

ASALND-1(config)# ping tcp outside 192.161.148.1 80
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 192.161.148.1 port 80
from 83.***.***.**, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 147/148/149 ms
ASALND-1(config)#

############################################################

ASALND-1# show route

Gateway of last resort is 83.244.140.65 to network 0.0.0.0

S    192.168.134.0 255.255.255.0 [1/0] via 192.168.135.1, inside
C    192.168.135.0 255.255.255.0 is directly connected, inside
S    192.168.144.0 255.255.255.0 [1/0] via 192.168.135.1, inside
C    83.***.***.** 255.255.255.192 is directly connected, outside
S    192.168.141.0 255.255.255.0 [1/0] via 192.168.135.1, inside
S    192.168.137.0 255.255.255.0 [1/0] via 192.168.135.1, inside
S    192.168.139.0 255.255.255.0 [1/0] via 192.168.135.1, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 83.***.***.**, outside
ASALND-1#

############################################################
0
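The check suggested in the thread (read the `show route` table and see whether anything more specific than the default route covers 192.161.148.1) can be scripted. This is an added example, not part of any poster's reply: the 203.0.113.x addresses are placeholders for the masked public addresses, and the `192.160.0.0 255.252.0.0` entry is a hypothetical mistyped route, not something from the poster's configuration.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample modelled on the thread's `show route` output; masked
# public addresses are replaced by RFC 5737 placeholders (203.0.113.x).
THREAD_TABLE = """\
Gateway of last resort is 203.0.113.65 to network 0.0.0.0

S    192.168.134.0 255.255.255.0 [1/0] via 192.168.135.1, inside
C    192.168.135.0 255.255.255.0 is directly connected, inside
C    203.0.113.64 255.255.255.192 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.65, outside
"""
# Hypothetical mistyped supernet that swallows 192.160.0.0-192.163.255.255.
SHADOWED_TABLE = THREAD_TABLE + (
    "S    192.160.0.0 255.252.0.0 [1/0] via 192.168.135.1, inside\n")

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<net>[\d.]+) (?P<mask>[\d.]+) "
    r"(?:\[\d+/\d+\] via (?P<gw>[\d.]+)|is directly connected), (?P<ifc>\S+)$")
# gateway is None for directly connected networks
Route = namedtuple("Route", "code network gateway interface")

def parse_routes(text):
    """Parse S/C lines of ASA-style `show route` output into Route tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:  # header and blank lines do not match and are skipped
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}")
            routes.append(Route(m["code"], net, m["gw"], m["ifc"]))
    return routes

def covering_routes(routes, dest):
    """Every route whose prefix contains dest, most specific first."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r.network]
    return sorted(hits, key=lambda r: r.network.prefixlen, reverse=True)

def best_route(routes, dest):
    """Longest-prefix match: the route a lookup for dest would select."""
    hits = covering_routes(routes, dest)
    return hits[0] if hits else None

if __name__ == "__main__":
    for name, table in (("thread", THREAD_TABLE), ("shadowed", SHADOWED_TABLE)):
        r = best_route(parse_routes(table), "192.161.148.1")
        print(f"{name}: {r.network} via {r.gateway} on {r.interface}")
```

With the table as posted, only the default route covers the destination; with the hypothetical supernet added, the lookup is pulled to the inside interface instead.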
 
LVL 28

Assisted Solution

by:asavener
asavener earned 50 total points
ID: 40513052
I would recommend rebooting in order to make sure the configuration will continue to work in the event of a power outage.
0
 

Author Closing Comment

by:bigfooter
ID: 40513081
Cheers.
0
