Solved

ASA firewall not routing 192.161.148.0 network through gateway

Posted on 2014-12-20
Last Modified: 2014-12-22
I am trying to reach an external site from our corporate network which has a host IP on a 192.161.148.0 network. The site is reachable from my home ISP but our firewall seems to be blocking the network. I have tried adding static routes but the Packets are just expiring in transit.

I can see the packets are getting to the core switch but seems to fail at the next hop which is the firewall.

Any help would be much appreciated.
Cheers
Question by:bigfooter
12 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 40510982
Check if there's a typo on your firewall.  192.161.x.x is suspiciously close to 192.168.x.x.
LVL 57

Accepted Solution

by:Pete Long
Pete Long earned 350 total points
ID: 40511674
Is this IP hosting your website and you can't get to it? Just to make sure it's not a DNS issue!

Or simply go to

http://192.161.148.1/

and you should see this: [screenshot]
If you execute 'show route outside 192.161.148.0' it should only respond with the gateway of last resort, is that the case?

Do this and see if you get a response

PetesASA# ping tcp outside 192.161.148.1 80
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 192.161.148.1 port 80
from 86.29.22.237, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 162/165/168 ms
PetesASA#

Author Comment

by:bigfooter
ID: 40511895
Hi,

Results are as follows:

ASALND-1# ping tcp outside 192.161.148.1 80
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 192.161.148.1 port 80
from 192.168.135.190, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASALND-1#

show route outside 192.161.148.0

Gateway of last resort is (Our Public Gateway IP) to network 0.0.0.0

The gateway IP is also defined in the static routes on the firewall:

route outside 0.0.0.0 0.0.0.0 83.***.***.** 1

Thanks
Carl

Author Comment

by:bigfooter
ID: 40511919
I just tried defining the route outside as per below and it works..?

It seems a little odd as I was under the assumption the first rule effectively pushes everything through the gateway??

route outside 0.0.0.0 0.0.0.0 83.***.***.** 1
route outside 192.161.148.134 255.255.255.0 83.***.***.** 1

We have a few other static rules in the list for our VLANs, but they do not reference the 192.161.0.0 network.

route inside 192.168.134.0 255.255.255.0 192.168.135.1 1
route inside 192.168.137.0 255.255.255.0 192.168.135.1 1
route inside 192.168.139.0 255.255.255.0 192.168.135.1 1
route inside 192.168.141.0 255.255.255.0 192.168.135.1 1
route inside 192.168.144.0 255.255.255.0 192.168.135.1 1

Cheers
Carl
LVL 9

Assisted Solution

by:Donboo
Donboo earned 100 total points
ID: 40511926
You are quite right there, Carl: from the config you posted, it should be sending all unknown traffic to 83.x.x.1.

However, the fact that you can add a more specific route and it works says one of two things.

1. There is a reference to a larger net in the route table which includes 192.161.x.x
2. The software is bugged...

Perhaps you could post a more complete config, just dot out specific information, so we can see where in the config it goes wrong (if it's the config)?
LVL 28

Expert Comment

by:asavener
ID: 40511951
Any routing protocols enabled?

Author Comment

by:bigfooter
ID: 40512044
Only Static from what I can see.

It may be something to do with OSPF or RIP, but that is only guesswork from me here really.

The config will take considerable time to sanitise so just reading up.

Appreciate all your help.
LVL 9

Assisted Solution

by:Donboo
Donboo earned 100 total points
ID: 40512110
Try to remove the static route and then do a show route, see what's in the routing table, and check if any route statements have a more specific route to the 192.161.x.x network.
LVL 57

Expert Comment

by:Pete Long
ID: 40512519
show run | incl router
will tell you if you have any routing protocols enabled :)

Also, your response to my ping command is puzzling: you said you got this error;
No source specified. Pinging from identity interface.
even though you specified 'outside'.
Then you said
'route outside 0.0.0.0 0.0.0.0 83.***.***.** 1'
so the interface name is correct? Make sure your outside interface is called outside, NOT Outside, and has no spaces in it or before/after it.

Author Comment

by:bigfooter
ID: 40513001
show run | incl router did not show anything…

I can also confirm the outside interface is named without error.

It is odd actually. I just took the static route out to run the test again (ping tcp outside 192.161.148.1 80) and the ICMP was still successful?...

Unless putting the static route in updated / cleared something.

Here is the latest output with the same ‘no source specified’…

Cheers

############################################################

ASALND-1(config)# ping tcp outside 192.161.148.1 80
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 192.161.148.1 port 80
from 83.***.***.**, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 147/148/149 ms
ASALND-1(config)#

############################################################

ASALND-1# show route

Gateway of last resort is 83.244.140.65 to network 0.0.0.0

S    192.168.134.0 255.255.255.0 [1/0] via 192.168.135.1, inside
C    192.168.135.0 255.255.255.0 is directly connected, inside
S    192.168.144.0 255.255.255.0 [1/0] via 192.168.135.1, inside
C    83.***.***.** 255.255.255.192 is directly connected, outside
S    192.168.141.0 255.255.255.0 [1/0] via 192.168.135.1, inside
S    192.168.137.0 255.255.255.0 [1/0] via 192.168.135.1, inside
S    192.168.139.0 255.255.255.0 [1/0] via 192.168.135.1, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 83.***.***.**, outside
ASALND-1#

############################################################
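As an added example (not code from the thread or from Cisco), here is a small Python model of what the show route output above is telling you: it parses the table, performs the longest-prefix match the ASA uses to pick a route, and checks a route statement for a network address with host bits set, as in the 192.161.148.134 255.255.255.0 line posted earlier. The sample table is constructed from the thread's output with the public prefix swapped for the documentation range 198.51.100.64/26; how the ASA itself reacts to host bits in a route statement is not claimed here.

```python
import ipaddress

# Constructed sample modelled on the ASA 'show route' output in the thread;
# the masked public prefix is replaced with a documentation range.
SHOW_ROUTE = """\
Gateway of last resort is 198.51.100.65 to network 0.0.0.0

S    192.168.134.0 255.255.255.0 [1/0] via 192.168.135.1, inside
C    192.168.135.0 255.255.255.0 is directly connected, inside
C    198.51.100.64 255.255.255.192 is directly connected, outside
S    192.168.141.0 255.255.255.0 [1/0] via 192.168.135.1, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 198.51.100.65, outside
"""


def parse_show_route(text):
    """Return (network, next_hop, interface) tuples from ASA 'show route' lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("S", "S*", "C"):
            continue  # skip the header line and blank lines
        net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        iface = parts[-1]
        # Static routes carry 'via <gw>,'; connected routes have no next hop.
        nh = parts[parts.index("via") + 1].rstrip(",") if "via" in parts else "connected"
        routes.append((net, nh, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def route_statement_issue(statement):
    """Flag a 'route <if> <net> <mask> <gw> [metric]' line whose network has host bits set."""
    _, _, net, mask, *_ = statement.split()
    covered = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if ipaddress.ip_address(net) != covered.network_address:
        return f"{net} has host bits set under {mask}; the prefix it covers is {covered}"
    return None


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE)
    print(lookup(table, "192.161.148.1"))   # only the S* default route matches
    print(route_statement_issue("route outside 192.161.148.134 255.255.255.0 198.51.100.65 1"))
```

With the thread's table, 192.161.148.1 matches only the default route, so the extra /24 to the same gateway should not have changed anything; the host-bits check is a quick way to catch the mistyped network address in the route line.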
LVL 28

Assisted Solution

by:asavener
asavener earned 50 total points
ID: 40513052
I would recommend rebooting in order to make sure the configuration will continue work in the event of a power outage.

Author Closing Comment

by:bigfooter
ID: 40513081
Cheers.