ASA firewall not routing 192.161.148.0 network through gateway

I am trying to reach an external site from our corporate network which has a host IP on a 192.161.148.0 network. The site is reachable from my home ISP but our firewall seems to be blocking the network. I have tried adding static routes but the packets are just expiring in transit.

I can see the packets are getting to the core switch but they seem to fail at the next hop, which is the firewall.

Any help would be much appreciated.
Cheers
bigfooter Asked:
asavener Commented:
Check if there's a typo on your firewall.  192.161.x.x is suspiciously close to 192.168.x.x.
0
Pete Long, Technical Consultant, Commented:
Is this IP hosting your website and you can't get to it? Just to make sure it's not a DNS issue!

Or simply go to

http://192.161.148.1/

and you should see this [screenshot: capture]
If you execute 'show route outside 192.161.148.0' it should only respond with the gateway of last resort, is that the case?

Do this and see if you get a response

PetesASA# ping tcp outside 192.161.148.1 80
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 192.161.148.1 port 80
from 86.29.22.237, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 162/165/168 ms
PetesASA#
0

bigfooter (Author) Commented:
Hi,

Results are as follows:

ASALND-1# ping tcp outside 192.161.148.1 80
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 192.161.148.1 port 80
from 192.168.135.190, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASALND-1#

show route outside 192.161.148.0

Gateway of last resort is (Our Public Gateway IP) to network 0.0.0.0

The gateway IP is also defined in the static routes on the firewall:

route outside 0.0.0.0 0.0.0.0 83.***.***.** 1

Thanks
Carl
0
bigfooter (Author) Commented:
I just tried defining the route outside as per below and it works..?

It seems a little odd as I was under the assumption the first rule effectively pushes everything through the gateway??

route outside 0.0.0.0 0.0.0.0 83.***.***.** 1
route outside 192.161.148.134 255.255.255.0 83.***.***.** 1

We have a few other static rules in the list for our VLANS but they do not reference the 192.161.0.0 network.

route inside 192.168.134.0 255.255.255.0 192.168.135.1 1
route inside 192.168.137.0 255.255.255.0 192.168.135.1 1
route inside 192.168.139.0 255.255.255.0 192.168.135.1 1
route inside 192.168.141.0 255.255.255.0 192.168.135.1 1
route inside 192.168.144.0 255.255.255.0 192.168.135.1 1

Cheers
Carl
0
Donboo Commented:
You are quite right there, Carl; from the config you posted it should be sending all unknown traffic to 83.x.x.1

However, the fact that you can make a more specific route and it works says 1 of 2 things.

1. There is a reference to a larger net in the route table which includes 192.161.x.x
2. The software is bugged...

Perhaps you could post a more complete config, just dot out specific information, so we can see where in the config it goes wrong (if it's the config)?
0
asavener Commented:
Any routing protocols enabled?
0
bigfooter (Author) Commented:
Only Static from what I can see.

It may be something to do with OSPF or RIP but only guess work from me here really.

The config will take considerable time to sanitise so just reading up.

Appreciate all your help.
0
Donboo Commented:
Try to remove the static route and then do a show route and see what's in the routing table, and check if any route statement has a more specific route to the 192.161.x.x network.
0
Pete Long, Technical Consultant, Commented:
show run | incl router
will tell you if you have any routing protocols enabled :)

Also, your response to my ping command is puzzling. You said you got this error:
No source specified. Pinging from identity interface.
Even though you specified 'outside'
Then you said
'route outside 0.0.0.0 0.0.0.0 83.***.***.** 1'
so the interface name is correct? - make sure your outside interface is called outside NOT Outside, and has no spaces in or after/before it.
0
bigfooter (Author) Commented:
show run | incl router did not show anything…

I can also confirm the outside interface is named without error.

It is odd actually. I just took the static route out to run the test again (ping tcp outside 192.161.148.1 80) and the ICMP was still successful?...

Unless putting the static route in updated / cleared something.

Here is the latest output with the same ‘no source specified’…

Cheers

############################################################

ASALND-1(config)# ping tcp outside 192.161.148.1 80
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 192.161.148.1 port 80
from 83.***.***.**, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 147/148/149 ms
ASALND-1(config)#

############################################################

ASALND-1# show route

Gateway of last resort is 83.244.140.65 to network 0.0.0.0

S    192.168.134.0 255.255.255.0 [1/0] via 192.168.135.1, inside
C    192.168.135.0 255.255.255.0 is directly connected, inside
S    192.168.144.0 255.255.255.0 [1/0] via 192.168.135.1, inside
C    83.***.***.** 255.255.255.192 is directly connected, outside
S    192.168.141.0 255.255.255.0 [1/0] via 192.168.135.1, inside
S    192.168.137.0 255.255.255.0 [1/0] via 192.168.135.1, inside
S    192.168.139.0 255.255.255.0 [1/0] via 192.168.135.1, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 83.***.***.**, outside
ASALND-1#

############################################################
0
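
Donboo's check above (look in show route for any entry more specific than the default that covers 192.161.x.x) can be scripted; this is an added example, not code from the thread. The route table is constructed in the ASA layout shown above, 203.0.113.x stands in for the masked public addresses, and the 192.160.0.0 255.254.0.0 entry is a hypothetical stray static.

```python
import ipaddress
import re

# Constructed sample in the ASA "show route" layout seen in this thread.
# 203.0.113.x stands in for the masked public addresses (assumption).
SHOW_ROUTE = """\
Gateway of last resort is 203.0.113.65 to network 0.0.0.0

S    192.168.134.0 255.255.255.0 [1/0] via 192.168.135.1, inside
C    192.168.135.0 255.255.255.0 is directly connected, inside
C    203.0.113.64 255.255.255.192 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.65, outside
"""

# Hypothetical stray entry: a too-broad static that also covers 192.161.x.x.
STRAY = "S    192.160.0.0 255.254.0.0 [1/0] via 192.168.135.1, inside\n"

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?:\[\d+/\d+\]\s+via\s+(?P<gw>[\d.]+)|is directly connected),\s+(?P<ifc>\S+)\s*$"
)

def parse_routes(text):
    """Turn 'show route' lines into dicts; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
        routes.append({"code": m["code"], "net": net, "gw": m["gw"], "ifc": m["ifc"]})
    return routes

def covering_routes(routes, dest):
    """All routes containing dest, most specific (longest prefix) first."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if ip in r["net"]]
    return sorted(hits, key=lambda r: r["net"].prefixlen, reverse=True)

def best_route(routes, dest):
    """The route a longest-prefix-match lookup selects, or None."""
    hits = covering_routes(routes, dest)
    return hits[0] if hits else None

if __name__ == "__main__":
    for label, table in (("clean", SHOW_ROUTE), ("with stray", SHOW_ROUTE + STRAY)):
        r = best_route(parse_routes(table), "192.161.148.1")
        print(f"{label}: {r['net']} via {r['gw']} on {r['ifc']}")
```

With the clean table only the default route covers 192.161.148.1; with the stray entry present the lookup selects it instead and the traffic leaves via the inside interface.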
asavener Commented:
I would recommend rebooting in order to make sure the configuration will continue to work in the event of a power outage.
0
bigfooter (Author) Commented:
Cheers.
0