Routing failed to locate next hop for ICMP from outside:10.60.30.111/1 to inside:10.89.30.41/0
ASA 5505 Split tunneling stopped working when upgraded from 8.3(1) to 8.4(3).
When a user was connecting to the old 8.3(1) appliance they could access all of our subnets: 10.60.0.0/16, 10.89.0.0/16, 10.33.0.0/16, 10.1.0.0/16
but now they cannot and in the logs I can just see
6 Oct 31 2012 08:17:59 110003 10.60.30.111 1 10.89.30.41 0 Routing failed to locate next hop for ICMP from outside:10.60.30.111/1 to inside:10.89.30.41/0
any hints? i have tried almost everything. the running configuration is:
: Saved
ASA Version 8.4(3)
hostname asa
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.60.70.1 255.255.0.0
interface Vlan2
nameif outside
security-level 0
ip address 80.90.98.217 255.255.255.248
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup outside
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.33.0.0_16
subnet 10.33.0.0 255.255.0.0
object network NETWORK_OBJ_10.60.0.0_16
subnet 10.60.0.0 255.255.0.0
object network NETWORK_OBJ_10.89.0.0_16
subnet 10.89.0.0 255.255.0.0
object network NETWORK_OBJ_10.1.0.0_16
subnet 10.1.0.0 255.255.0.0
object network tetPC
host 10.60.10.1
description test
object network NETWORK_OBJ_10.60.30.0_24
subnet 10.60.30.0 255.255.255.0
object network NETWORK_OBJ_10.60.30.64_26
subnet 10.60.30.64 255.255.255.192
object network SSH-server
host 10.60.20.6
object network SSH_public
object network ftp_public
host 80.90.98.218
object network rdp
host 10.60.10.4
object network ftp_server
host 10.60.20.2
object network ssh_public
host 80.90.98.218
object service FTP
service tcp destination eq 12
object network NETWORK_OBJ_10.60.20.3
host 10.60.20.3
object network NETWORK_OBJ_10.60.40.192_26
subnet 10.60.40.192 255.255.255.192
object network NETWORK_OBJ_10.60.10.10
host 10.60.10.10
object network NETWORK_OBJ_10.60.20.2
host 10.60.20.2
object network NETWORK_OBJ_10.60.20.21
host 10.60.20.21
object network NETWORK_OBJ_10.60.20.4
host 10.60.20.4
object network NETWORK_OBJ_10.60.20.5
host 10.60.20.5
object network NETWORK_OBJ_10.60.20.6
host 10.60.20.6
object network NETWORK_OBJ_10.60.20.7
host 10.60.20.7
object network NETWORK_OBJ_10.60.20.29
host 10.60.20.29
object service port_tomcat
service tcp source range 8080 8082
object network TBSF
subnet 172.16.252.0 255.255.255.0
object network MailServer
host 10.33.10.2
description Mail Server
object service HTTPS
service tcp source eq https
object network test
object network access_web_mail
host 10.60.50.251
object network downtown_Interface_host
host 10.60.50.1
description downtown Interface Host
object service Oracle_port
service tcp source eq sqlnet
object network NETWORK_OBJ_10.60.50.248_29
subnet 10.60.50.248 255.255.255.248
object network NETWORK_OBJ_10.60.50.1
host 10.60.50.1
object network NETWORK_OBJ_10.60.50.0_28
subnet 10.60.50.0 255.255.255.240
object network brisel
subnet 10.191.191.0 255.255.255.0
object network NETWORK_OBJ_10.191.191.0_24
subnet 10.191.191.0 255.255.255.0
object network NETWORK_OBJ_10.60.60.0_24
subnet 10.60.60.0 255.255.255.0
object-group service TCS_Service_Group
description This Group of available Services is for TCS Clients
service-object object port_tomcat
object-group service HTTPS_ACCESS tcp
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object 10.1.0.0 255.255.0.0
network-object 10.33.0.0 255.255.0.0
network-object 10.60.0.0 255.255.0.0
network-object 10.89.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.33.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.89.0.0 255.255.0.0
access-list outside_3_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any source-quench
access-list OUTSIDE_IN extended permit tcp 194.2.20.0 255.255.255.0 host 80.90.98.220 eq smtp
access-list OUTSIDE_IN extended permit tcp host 194.25.12.0 host 80.90.98.220 eq smtp
access-list OUTSIDE_IN extended permit icmp host 80.90.98.222 host 80.90.98.217
access-list OUTSIDE_IN extended permit tcp host 162.162.4.1 host 80.90.98.220 eq smtp
access-list OUTSIDE_IN extended permit tcp host 98.85.125.2 host 80.90.98.221 eq ssh
access-list OAKDCAcl standard permit 10.60.0.0 255.255.0.0
access-list OAKDCAcl standard permit 10.33.0.0 255.255.0.0
access-list OAKDCAcl remark backoffice
access-list OAKDCAcl standard permit 10.89.0.0 255.255.0.0
access-list OAKDCAcl remark maint
access-list OAKDCAcl standard permit 10.1.0.0 255.255.0.0
access-list osgd standard permit host 10.60.20.4
access-list osgd standard permit host 10.60.20.5
access-list osgd standard permit host 10.60.20.7
access-list testOAK_splitTunnelAcl standard permit 10.60.0.0 255.255.0.0
access-list snmp extended permit udp any eq snmptrap any
access-list snmp extended permit udp any any eq snmp
access-list downtown_splitTunnelAcl standard permit host 10.60.20.29
access-list webMailACL standard permit host 10.33.10.2
access-list HBSC standard permit host 10.60.30.107
access-list HBSC standard deny 10.33.0.0 255.255.0.0
access-list HBSC standard deny 10.89.0.0 255.255.0.0
access-list outside_4_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.191.191.0 255.255.255.0
access-list OAK-remote_splitTunnelAcl standard permit 10.1.0.0 255.255.0.0
access-list OAK-remote_splitTunnelAcl standard permit 10.33.0.0 255.255.0.0
access-list OAK-remote_splitTunnelAcl standard permit 10.60.0.0 255.255.0.0
access-list OAK-remote_splitTunnelAcl standard permit 10.89.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool OAKPRD_pool 10.60.30.110-10.60.30.150 mask 255.255.0.0
ip local pool mail_sddress_pool 10.60.50.251-10.60.50.255 mask 255.255.0.0
ip local pool test 10.60.50.1 mask 255.255.255.255
ip local pool ipad 10.60.30.90-10.60.30.99 mask 255.255.0.0
ip local pool TCS_pool 10.60.40.200-10.60.40.250 mask 255.255.255.0
ip local pool OSGD_POOL 10.60.50.2-10.60.50.10 mask 255.255.0.0
ip local pool OAK_pool 10.60.60.0-10.60.60.255 mask 255.255.0.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name ThreatDetection attack action alarm
ip audit interface inside ThreatDetection
ip audit interface outside ThreatDetection
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo inside
icmp permit any echo outside
asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.33.0.0_16 NETWORK_OBJ_10.33.0.0_16
nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.89.0.0_16 NETWORK_OBJ_10.89.0.0_16
nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.1.0.0_16 NETWORK_OBJ_10.1.0.0_16
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.30.0_24 NETWORK_OBJ_10.60.30.0_24
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.30.64_26 NETWORK_OBJ_10.60.30.64_26
nat (inside,outside) source static NETWORK_OBJ_10.60.20.29 NETWORK_OBJ_10.60.20.29 destination static NETWORK_OBJ_10.60.40.192_26 NETWORK_OBJ_10.60.40.192_26 service any port_tomcat
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.50.1 NETWORK_OBJ_10.60.50.1
nat (inside,outside) source static MailServer MailServer destination static NETWORK_OBJ_10.60.50.248_29 NETWORK_OBJ_10.60.50.248_29
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.50.0_28 NETWORK_OBJ_10.60.50.0_28
nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.191.191.0_24 NETWORK_OBJ_10.191.191.0_24
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.60.60.0_24 NETWORK_OBJ_10.60.60.0_24 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 80.90.98.222 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.60.10.10 255.255.255.255 inside
http 10.33.30.33 255.255.255.255 inside
http 10.60.30.33 255.255.255.255 inside
snmp-server host inside 10.33.30.108 community ***** version 2c
snmp-server host inside 10.89.70.30 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set lux_trans_set esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 84.51.31.173
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 98.85.125.2
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 220.79.236.146
crypto map outside_map 3 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 159.146.232.122
crypto map outside_map 4 set ikev1 transform-set lux_trans_set
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto ikev1 policy 50
authentication pre-share
encryption aes
hash sha
group 1
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
telnet 10.60.10.10 255.255.255.255 inside
telnet 10.60.10.1 255.255.255.255 inside
telnet 10.60.10.5 255.255.255.255 inside
telnet 10.60.30.33 255.255.255.255 inside
telnet 10.33.30.33 255.255.255.255 inside
telnet timeout 30
ssh 10.60.10.5 255.255.255.255 inside
ssh 10.60.10.10 255.255.255.255 inside
ssh 10.60.10.3 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd dns 155.2.10.20 155.2.10.50 interface inside
dhcpd auto_config outside interface inside
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server inside 10.60.10.10 configs/config1
webvpn
group-policy testTG internal
group-policy testTG attributes
dns-server value 155.2.10.20 155.2.10.50
vpn-tunnel-protocol ikev1
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value 155.2.10.20 155.2.10.50
vpn-tunnel-protocol l2tp-ipsec
group-policy TcsTG internal
group-policy TcsTG attributes
vpn-idle-timeout 20
vpn-session-timeout 120
vpn-tunnel-protocol ikev1
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value testOAK_splitTunnelAcl
address-pools value TCS_pool
group-policy downtown_interfaceTG internal
group-policy downtown_interfaceTG attributes
dns-server value 155.2.10.20 155.2.10.50
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value downtown_splitTunnelAcl
group-policy HBSCTG internal
group-policy HBSCTG attributes
dns-server value 155.2.10.20 155.2.10.50
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value HBSC
group-policy OSGD internal
group-policy OSGD attributes
dns-server value 155.2.10.20 155.2.10.50
vpn-session-timeout none
vpn-tunnel-protocol ikev1
group-lock value OSGD
split-tunnel-policy tunnelspecified
split-tunnel-network-list value testOAK_splitTunnelAcl
group-policy OAKDC internal
group-policy OAKDC attributes
vpn-tunnel-protocol ikev1
group-lock value OAKDC
split-tunnel-policy tunnelspecified
split-tunnel-network-list value OAKDCAcl
intercept-dhcp 255.255.0.0 disable
address-pools value OAKPRD_pool
group-policy mailTG internal
group-policy mailTG attributes
dns-server value 155.2.10.20 155.2.10.50
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value webMailACL
group-policy OAK-remote internal
group-policy OAK-remote attributes
dns-server value 155.2.10.20 155.2.10.50
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value OAK-remote_splitTunnelAcl
vpn-group-policy OAKDC
service-type nas-prompt
tunnel-group DefaultRAGroup general-attributes
address-pool OAKPRD_pool
address-pool ipad
default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 84.51.31.173 type ipsec-l2l
tunnel-group 84.51.31.173 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 98.85.125.2 type ipsec-l2l
tunnel-group 98.85.125.2 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 220.79.236.146 type ipsec-l2l
tunnel-group 220.79.236.146 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group OAKDC type remote-access
tunnel-group OAKDC general-attributes
address-pool OAKPRD_pool
default-group-policy OAKDC
tunnel-group OAKDC ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group TcsTG type remote-access
tunnel-group TcsTG general-attributes
address-pool TCS_pool
default-group-policy TcsTG
tunnel-group TcsTG ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group downtown_interfaceTG type remote-access
tunnel-group downtown_interfaceTG general-attributes
address-pool test
default-group-policy downtown_interfaceTG
tunnel-group downtown_interfaceTG ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group TunnelGroup1 type remote-access
tunnel-group mailTG type remote-access
tunnel-group mailTG general-attributes
address-pool mail_sddress_pool
default-group-policy mailTG
tunnel-group mailTG ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group testTG type remote-access
tunnel-group testTG general-attributes
address-pool mail_sddress_pool
default-group-policy testTG
tunnel-group testTG ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group OSGD type remote-access
tunnel-group OSGD general-attributes
address-pool OSGD_POOL
default-group-policy OSGD
tunnel-group OSGD ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group HBSCTG type remote-access
tunnel-group HBSCTG general-attributes
address-pool OSGD_POOL
default-group-policy HBSCTG
tunnel-group HBSCTG ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 159.146.232.122 type ipsec-l2l
tunnel-group 159.146.232.122 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group OAK-remote type remote-access
tunnel-group OAK-remote general-attributes
address-pool OAK_pool
default-group-policy OAK-remote
tunnel-group OAK-remote ipsec-attributes
ikev1 pre-shared-key *****
policy-map global_policy
prompt hostname context
no call-home reporting anonymous
hpm topN enable
: end
asdm history enable
Dear Darko,
The problem here is the overlapp issue with the Internal network.
Since the VPN pool is:
ip local pool OAKPRD_pool 10.60.30.110-10.60.30.150 mask 255.255.0.0
And the local network is:
interface Vlan1
nameif inside
security-level 100
ip address 10.60.70.1 255.255.0.0
So since you have some NAT rules telling the FW that 10.60.0.0/16 is connected to the inside, we need to change that and force it to know that 10.60.30.0/24 is actually reachable to the outside.
On the other hand, yes you could point to outside interface, but is not a good practice.
Thanks.
Portu.
In case you do not have any further questions, please mark this post as answered.
Similar Messages
-
How to contact the Dubai technical support for Iphone from outside dubai
how to contact the Dubai technical support for Iphone from outside Dubai
If you purcased your iPhone from one of the UAE cell carriers, you will need to find the support number for the carrier, Etisalat or DU, from which you purchased the iPhone. If you purchased your iPhone from the online Apple Store in the UAE, you can find their phone number here:
http://support.apple.com/kb/HE57#U
Regards. -
Choosing next hop for traffic specific
Hello,
I would like to know how I can use "set tag" in Route-map in order to lead traffic specific throug static route with "ip route".
I believe that I can do the following:
access-list 101 permit ip 192.168.120.0 0.0.0.255 any /* Filtering Lan Traffic Specific 1 */
access-list 102 permit ip 192.168.180.0 0.0.0.255 any /* Filtering Lan Traffic Specific 2 */
route-map XXXX permit 10 /* Tag 20 is related to Lan traffic specific 1 */
match ip address 101
set tag 20
route-map YYYY permit 20 /* Tag 30 is related to Lan traffic specific 2 */
match ip address 102
set tag 30
interface GigabitEthernet0/1.20 /* Applying route-map to Lan subinterface */
encapsulation dot1Q 20
ip address 192.168.120.1 255.255.255.0
ip policy route-map XXXX
interface GigabitEthernet0/1.21 /* Applying route-map to Lan subinterface */
encapsulation dot1Q 21
ip address 192.168.180.1 255.255.255.0
ip policy route-map YYYY
ip route 172.18.70.0 255.255.255.0 11.0.15.1 tag 20 /* traffic specific 1 is transmit to 172.18.0.70 through next hop 11.0.15.1 */
ip route 172.18.70.0 255.255.255.0 11.0.15.5 tag 30 /* traffic specific 2 is transmit to 172.18.0.70 through next hop 11.0.15.5 */
Is this correct ?, or is there another way to approach this issue?
Thanks for your answer in advance.Hello Cadet,
Thanks for your feedback. Sorry, I was wrong. As you say, it looks correct. I did the mistake when I tested the ping from the Router-1 while the PRB applied to ingressing traffic and not to the generated traffic in the Router-1.
I have been doing this work remotely, because the sites are far each other.
Finally one person went to the remote site and verified, from de Lan1 and Lan2, that they was following the correct route.
Also, I was not sure about this routes:
ip route 11.0.12.0 255.255.255.252 GigabitEthernet0/0.80
ip route 11.0.12.4 255.255.255.252 GigabitEthernet0/0.81
ip route 192.168.120.0 255.255.255.0 GigabitEthernet0/1.20
ip route 192.168.180.0 255.255.255.0 GigabitEthernet0/1.21
Thanks for your advise.
The "ip route" in the Router-2, I have corrected too.
Thanks very much.
Best regards,
Sandro -
IP Route - Exit interface vs Next Hop
Hi guys,
I'm sure this has been asked before :) But are there any known issues when using an exit interface in a route statement as opposed to a next hop address?
I have had an issue this morning after a router change whereby some hosts were able to access a web server and some were unable to. My route statement to the web server was pointing to an exit interface and when this was changed to next hop, all users were able to access it. It is very puzzling!
The router is an ASR1001, running 15.4.
Thanks.I am sure that you added the information hoping that it would help us to understand your situation. But I am still not clear whether you are talking about doing something like
ip route x.x.x.x y.y.y.y Eth0/0
or
ip route x.x.x.x y.y.y.y Tun1 (and if it is Tun1 is this a point to point tunnel or a multipoint tunnel?)
As has been mentioned there are (multiple) issues with a static route which specifies only an exit interface if the interface is multipoint like Ethernet.
HTH
Rick -
I seem to have lost a sequence created in Premiere Pro CC. I can't find it anywhere inside the Project bin.
We have so many same-name, older projects (between Auto-Save, different drives and so on) that looking inside each of them would take forever.
But we do know the name of the sequence. I am wondering if there is a way to "search" for a sequence name from outside the project?
Thanksthere is a way to "search" for a sequence name outside of the project,
but it would be a pointless waste of time.
sequences are only saved within the project file itself!!
We have so many same-name, older projects (between Auto-Save, different drives and so on) that looking inside each of them would take forever.
better get at it then!
hahahahahahahaha!!! -
ASA 5505 initial build - Failed to locate egress interface (Please help :-) )
Hi, I have just purchased a ASA 5505 and have completed the initial setup via the wizard. I am currently unable to access services on the outside of the ASA.
The error: 'Failed to locate egress interface for UDP from inside'.... appears when ever my DNS server attempts a lookup.
I have configured this several times from scratch using the wizard and I am unable to figure out the issue with the NAT / Routing config.
If I run the packet tracer I get the error: "(no-route) no route to host", however I do have a default route configured so I suspect it maybe my NAT configuration.
Overview, 192.168.10.0/24 inside the ASA, 192.168.1.0/24 outside the ASA, 192.168.1.1 is the gateway to the internet. I ideally want the ASA to use PAT to mask the 192.168.10.0/24 network behind the ASAs 192.168.1.0/24 network address but still allow clients to gain internet access.
Full config follows, screen shots attached, any help would be very gratefully received.
Result of the command: "sh run"
: Saved
ASA Version 9.0(1)
hostname firewall
enable password (REMOVED) encrypted
passwd (REMOVED) encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.254 255.255.255.0
interface Vlan5
no nameif
security-level 50
ip address dhcp
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server1
host 192.168.10.10
object network GoogleDNS1
host 8.8.8.8
description Google DNS Server
object network GoogleDNS2
host 8.8.4.4
description Google DNS Server
object network 192.168.10.x
subnet 192.168.10.0 255.255.255.0
object network InternetRouter
host 192.168.1.1
object-group network DM_INLINE_NETWORK_1
network-object object GoogleDNS1
network-object object GoogleDNS2
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list inside_access_in remark External DNS Lookups
access-list inside_access_in extended permit udp object Server1 object-group DM_INLINE_NETWORK_1 eq domain
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 255.255.255.255 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:(REMOVED)
: endJust to want to be sure, can you post output from show int ip brie and show route? And try to remove your ACL for testing purpose or at least don't applied it anywhere yet.
Once done, try do another packet-tracer to 8.8.8.8 using icmp packet instead of UDP paste the whole the output here. Before doing this, add icmp any any outside command on the ASA.
I know this should have anything to do with your issue, because if ACL is the issue then you will see output being denied by ACL on the packet tracer output. Let us know the results. -
What is the second, third, etc. next-hop address in the route-map set command for?
route-map TEST_PBR permit 10 match
match ip address 101
router(config-route-map)#set ip next-hop 1.1.1.1 ?
A.B.C.D IP address of next hopHi,
You may get your answer in below link
http://www.groupstudy.com/archives/ccielab/200812/msg00999.html
First next-hop will be used unless until that is not unreachable. If first is unreachable, then next one will be used. Since these next-hops are directly connected, router can easily come to know whether they are active or not. In case you want to set some loopback ip as next-hop then you need to use keyword recursive "set ip next-hop recursive"
--Pls dont forget to rate helpful posts--
Regards,
Akash -
BGP route-reflector next-hop issue
Hello,
I have a small GNS3 lab that is working with one exception: I cannot ping loopback0 on RRc2 and RRc3 from RRc1.
RRc1, RRc2 and RRc3 can all ping loopback0 on SmileyISP and RRc2 and RRc3 can ping each others loopback0
interfaces.
I am broken between the two route-reflectors: RRS1 and RRS2.
Given these conditions:
1) Do not configure any IGP.
2) No static routes
How do I get connectivity from RRc1's loopback0 interface to RRc2 loopback0 and RRc3 loopback0?
I used a route-map to set the next hop, but I am obviously doing something wrong.
I am providing relevant show command outputs, router configs, and the GNS3 topology.net config.
You will have to change the image and working directories to match your computer.
Not quite sure where I am going wrong.
Any help would be greatly appreciated.
Thanks.
-- Mark
RRc1#sh ip bgp
BGP table version is 53, local router ID is 172.16.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*>i 1.1.1.0/24 10.1.25.5 0 100 0 100 i
*>i 10.1.12.0/24 10.1.26.2 0 100 0 i
*>i 10.1.13.0/24 10.1.12.1 0 100 0 i
*>i 10.1.14.0/24 10.1.12.1 0 100 0 i
*>i 10.1.15.0/24 10.1.12.1 0 100 0 i
*>i 10.1.25.0/24 10.1.26.2 0 100 0 i
* i 10.1.26.0/24 10.1.26.2 0 100 0 i
*> 0.0.0.0 0 32768 i
*> 172.16.1.0/24 0.0.0.0 0 32768 i
*>i 172.16.2.0/24 10.1.12.1 0 100 0 i
*>i 172.16.3.0/24 10.1.12.1 0 100 0 i
RRc1#
RRc1#ping 172.16.2.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
Success rate is 0 percent (0/5)
RRc1#
RRc2#sh ip bgp
BGP table version is 31, local router ID is 172.16.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*>i 1.1.1.0/24 10.1.15.5 0 100 0 100 i
* i 10.1.12.0/24 10.1.12.2 0 100 0 i
* i 10.1.13.0/24 10.1.13.1 0 100 0 i
*> 0.0.0.0 0 32768 i
*>i 10.1.14.0/24 10.1.13.1 0 100 0 i
*>i 10.1.15.0/24 10.1.13.1 0 100 0 i
* i 10.1.25.0/24 10.1.12.2 0 100 0 i
* i 10.1.26.0/24 10.1.12.2 0 100 0 i
* i 172.16.1.0/24 10.1.12.2 0 100 0 i
*> 172.16.2.0/24 0.0.0.0 0 32768 i
*>i 172.16.3.0/24 10.1.14.4 0 100 0 i
RRc2#
SmileyISP#sh run
Building configuration...
Current configuration : 988 bytes
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
hostname SmileyISP
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
no ipv6 cef
multilink bundle-name authenticated
interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
no ip address
shutdown
duplex half
interface FastEthernet1/0
ip address 10.1.15.5 255.255.255.0
speed auto
duplex auto
interface FastEthernet1/1
ip address 10.1.25.5 255.255.255.0
speed auto
duplex auto
router bgp 100
bgp log-neighbor-changes
network 1.1.1.0 mask 255.255.255.0
network 10.1.15.0 mask 255.255.255.0
neighbor 10.1.15.1 remote-as 200
neighbor 10.1.25.2 remote-as 200
ip forward-protocol nd
no ip http server
no ip http secure-server
control-plane
line con 0
logging synchronous
transport preferred none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
end
RRS1#sh run
Building configuration...
Current configuration : 1594 bytes
! Last configuration change at 19:24:34 UTC Sat Feb 7 2015
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
hostname RRS1
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
no ipv6 cef
multilink bundle-name authenticated
interface FastEthernet0/0
no ip address
shutdown
duplex half
interface FastEthernet1/0
ip address 10.1.15.1 255.255.255.0
speed auto
duplex auto
interface FastEthernet1/1
ip address 10.1.12.1 255.255.255.0
speed auto
duplex auto
interface FastEthernet2/0
ip address 10.1.13.1 255.255.255.0
speed auto
duplex auto
interface FastEthernet2/1
ip address 10.1.14.1 255.255.255.0
speed auto
duplex auto
router bgp 200
bgp log-neighbor-changes
network 10.1.13.0 mask 255.255.255.0
network 10.1.14.0 mask 255.255.255.0
network 10.1.15.0 mask 255.255.255.0
neighbor RouteReflectors peer-group
neighbor RouteReflectors remote-as 200
neighbor RouteReflectors route-map NEXTHOP out
neighbor RRClients peer-group
neighbor RRClients remote-as 200
neighbor RRClients route-reflector-client
neighbor 10.1.12.2 peer-group RouteReflectors
neighbor 10.1.13.3 peer-group RRClients
neighbor 10.1.14.4 peer-group RRClients
neighbor 10.1.15.5 remote-as 100
ip forward-protocol nd
no ip http server
no ip http secure-server
route-map NEXTHOP permit 10
set ip next-hop peer-address
control-plane
line con 0
logging synchronous
transport preferred none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
end
RRS2#sh ru
Building configuration...
Current configuration : 1542 bytes
! Last configuration change at 19:42:06 UTC Sat Feb 7 2015
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
hostname RRS2
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
no ipv6 cef
multilink bundle-name authenticated
interface FastEthernet0/0
no ip address
shutdown
duplex half
interface FastEthernet1/0
ip address 10.1.12.2 255.255.255.0
speed auto
duplex auto
interface FastEthernet1/1
ip address 10.1.25.2 255.255.255.0
speed auto
duplex auto
interface FastEthernet2/0
ip address 10.1.26.2 255.255.255.0
speed auto
duplex auto
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
router bgp 200
bgp log-neighbor-changes
network 10.1.12.0 mask 255.255.255.0
network 10.1.25.0 mask 255.255.255.0
network 10.1.26.0 mask 255.255.255.0
neighbor RouteReflectors peer-group
neighbor RouteReflectors remote-as 200
neighbor RouteReflectors route-map NEXTHOP out
neighbor RRClients peer-group
neighbor RRClients remote-as 200
neighbor RRClients route-reflector-client
neighbor 10.1.12.1 peer-group RouteReflectors
neighbor 10.1.25.5 remote-as 100
neighbor 10.1.26.6 peer-group RRClients
ip forward-protocol nd
no ip http server
no ip http secure-server
route-map NEXTHOP permit 10
set ip next-hop peer-address
control-plane
line con 0
logging synchronous
transport preferred none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
end
RRc1#sh run
Building configuration...
Current configuration : 1005 bytes
! Last configuration change at 18:43:57 UTC Sat Feb 7 2015
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
hostname RRc1
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
no ipv6 cef
multilink bundle-name authenticated
interface Loopback0
ip address 172.16.1.1 255.255.255.0
interface FastEthernet0/0
no ip address
shutdown
duplex half
interface FastEthernet1/0
ip address 10.1.26.6 255.255.255.0
speed auto
duplex auto
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
router bgp 200
bgp log-neighbor-changes
network 10.1.26.0 mask 255.255.255.0
network 172.16.1.0 mask 255.255.255.0
neighbor 10.1.26.2 remote-as 200
ip forward-protocol nd
no ip http server
no ip http secure-server
control-plane
line con 0
logging synchronous
transport preferred none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
end
RRc2#sh run
Building configuration...
Current configuration : 1005 bytes
! Last configuration change at 18:45:05 UTC Sat Feb 7 2015
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
hostname RRc2
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
no ipv6 cef
multilink bundle-name authenticated
interface Loopback0
ip address 172.16.2.1 255.255.255.0
interface FastEthernet0/0
no ip address
shutdown
duplex half
interface FastEthernet1/0
ip address 10.1.13.3 255.255.255.0
speed auto
duplex auto
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
router bgp 200
bgp log-neighbor-changes
network 10.1.13.0 mask 255.255.255.0
network 172.16.2.0 mask 255.255.255.0
neighbor 10.1.13.1 remote-as 200
ip forward-protocol nd
no ip http server
no ip http secure-server
control-plane
line con 0
logging synchronous
transport preferred none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
end
RRc3#wr term
Building configuration...
Current configuration : 1005 bytes
! Last configuration change at 18:31:12 UTC Sat Feb 7 2015
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
hostname RRc3
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
no ipv6 cef
multilink bundle-name authenticated
interface Loopback0
ip address 172.16.3.1 255.255.255.0
interface FastEthernet0/0
no ip address
shutdown
duplex half
interface FastEthernet1/0
ip address 10.1.14.4 255.255.255.0
speed auto
duplex auto
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
router bgp 200
bgp log-neighbor-changes
network 10.1.14.0 mask 255.255.255.0
network 172.16.3.0 mask 255.255.255.0
neighbor 10.1.14.1 remote-as 200
ip forward-protocol nd
no ip http server
no ip http secure-server
control-plane
line con 0
logging synchronous
transport preferred none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
end
autostart = False
version = 0.8.6
[127.0.0.1:7202]
workingdir = C:\Users\Mark\AppData\Local\Temp
udp = 10200
image = C:\downloads\GNS3\c7200-adventerprisek9-mz.152-4.S5.image
idlepc = 0x62f1e4ec
ghostios = True
console = 2005
aux = 2100
cnfg = configs\SmileyISP.cfg
slot1 = PA-2FE-TX
f1/0 = RRS1 f1/0
f1/1 = RRS2 f1/1
x = -24.0
y = -259.0
z = 1.0
hx = -1.5
hy = -24.0
console = 2015
aux = 2101
cnfg = configs\RRc1.cfg
slot1 = PA-2FE-TX
f1/0 = RRS2 f2/0
x = -292.0
y = 200.0
z = 1.0
hx = -5.5
hy = -25.0
[127.0.0.1:7200]
workingdir = C:\Users\Mark\AppData\Local\Temp
udp = 10000
image = C:\downloads\GNS3\c7200-adventerprisek9-mz.152-4.S5.image
idlepc = 0x62f1e4ec
ghostios = True
console = 2012
aux = 2102
cnfg = configs\RRS1.cfg
slot1 = PA-2FE-TX
f1/0 = SmileyISP f1/0
f1/1 = RRS2 f1/0
slot2 = PA-2FE-TX
f2/0 = RRc2 f1/0
f2/1 = RRc3 f1/0
x = 197.0
y = 6.0
z = 1.0
hx = 42.5
hy = -20.0
console = 2013
aux = 2103
cnfg = configs\RRS2.cfg
slot1 = PA-2FE-TX
f1/0 = RRS1 f1/1
f1/1 = SmileyISP f1/1
slot2 = PA-2FE-TX
f2/0 = RRc1 f1/0
x = -239.0
y = 9.0
z = 1.0
hx = 1.5
hy = -24.0
[127.0.0.1:7201]
workingdir = C:\Users\Mark\AppData\Local\Temp
udp = 10100
image = C:\downloads\GNS3\c7200-adventerprisek9-mz.152-4.S5.image
idlepc = 0x62f1e4ec
ghostios = True
console = 2009
aux = 2104
cnfg = configs\RRc3.cfg
slot1 = PA-2FE-TX
f1/0 = RRS1 f2/1
x = 337.0
y = 155.0
z = 1.0
hx = 17.5
hy = -25.0
console = 2008
aux = 2105
cnfg = configs\RRc2.cfg
slot1 = PA-2FE-TX
f1/0 = RRS1 f2/0
x = 149.0
y = 204.0
z = 1.0
hx = -13.5
hy = -23.0
[GNS3-DATA]
configs = configs
text = ".1"
x = 208.0
y = -23.0
text = "10.1.12.0/24"
x = -19.0
y = 5.0
text = ".1"
x = 153.0
y = 25.0
text = ".1"
x = 259.0
y = 33.0
text = "10.1.13.0/24"
x = 238.0
y = 84.0
rotate = 99
text = "10.1.25.0/24"
x = -188.0
y = -124.0
text = "l0: 172.16.2.1/24"
x = 125.0
y = 244.0
text = "l0:172.16.1.1/24"
x = -269.0
y = 240.0
text = "10.1.15.0/24"
x = 116.0
y = -127.0
text = "10.1.14.0/24"
x = 293.0
y = 53.0
rotate = 50
text = ".1"
x = 194.0
y = 68.0
text = "AS100"
x = -20.0
y = -342.0
text = ".2"
x = -148.0
y = 46.0
text = "AS200"
x = 33.0
y = 300.0
text = "l0: 1.1.1.1/24"
x = -42.0
y = -306.0
text = ".5"
x = 50.0
y = -213.0
text = ".2"
x = -248.0
y = 60.0
text = ".2"
x = -174.0
y = -52.0
text = ".5"
x = -54.0
y = -209.0
text = ".6"
x = -232.0
y = 189.0
text = "l0:172.16.3.1/24"
x = 299.0
y = 194.0
text = "10.1.26.0/24"
x = -274.0
y = 167.0
rotate = 290
text = ".3"
x = 208.0
y = 187.0
text = ".4"
x = 312.0
y = 155.0
type = ellipse
x = 50.0
y = -35.0
width = 385.0
height = 345.0
fill_color = "#ffff7f"
border_style = 2
z = -1.0
type = ellipse
x = -171.0
y = -346.0
width = 359.0
height = 200.0
fill_color = "#aaff7f"
border_style = 2
z = -1.0
type = ellipse
x = -407.0
y = -87.0
width = 883.0
height = 443.0
border_style = 2
z = -2.0
type = ellipse
x = -361.0
y = -29.0
width = 385.0
height = 326.0
fill_color = "#55aaff"
border_style = 2
z = -3.0BD,
Ahh...
OK. In the original article, the author states that the final piece with the route map
NEXTHOP was supposed to fix the reachability issue. Obviously it doesn't.
After reading your last post, I looked more carefully at the output from 'sh ip bgp'
on each of the client routers and I realized that several of the next hop addresses were
wrong for some of the prefixes.
1) I completely removed the 'neighbor RouteReflectors route-map NEXTHOP out'
from both RR's. Then I ran 'sh ip bgp' on the clients and noted a change in the next hop addresses. Still wrong, but it changed.
2) I then tried next-hop-self from the RR's to the clients, but it did not change from where
it was after I completed step 1. I am not sure why there was no change. (actually, see the very end of this post)
3) I then applied my version of the route map: route-map NEXTHOP permit 10
set ip next-hop peer-address
to the RR's with this: neighbor RRClients route-map NEXTHOP out
That fixed it. All three clients have as their next hop for all prefixes their respective
RR's (which is what they should have for this topology).
I have full connectivity everywhere, even loopback to loopback between all clients.
1) THANK YOU for pointing me in the right direction.
2) If I may ask, why did next hop self fail? More specifically, I saw no change at all
in the next hop for the advertised prefixes. Is it because next-hop-self should be used
for eBGP peers and all of the RR's and clients are all within the same AS? -
Policy Based Routing - set ip next-hop
All,
I am trying to change the next hop for selective traffic to route via a WAN optimiser rather than follow the default route. I am trying to achieve this on a 4506 with IOS 12.2(20)EW.
I have configured an ACL intended to capture traffic from my desired subnet, to my desired subnet:
ip access-list extended INTER-STOR permit ip 192.168.XX.0 0.0.0.128 192.168.YY.0 0.0.0.128 log
I have then created the route map:
route-map WAN-OPT permit 10 match ip address INTER-STOR set interface Vlan1 set ip next-hop 192.168.XX.50
I have tested both with and without setting the interface. Neither make any difference.
I am then applying the route map policy to the vlan in which the traffic I wish to re-route is originating.
ip policy route-map WAN-OPT
I am finding however that this configuration doesn't work.
I have reviewed a number of documents and can not find any limitations based on the version of IOS I am using or my configuration.
This switch performs the routing for this environment, however there are no interfaces assigned to this vlan for anything other than testing on this switch. They are assigned on a stack on 3750's running as a VTP client. Again - testing from a port in the relevant vlan on this switch doing the routing (4500) does not change the results. The traffic continues to be routed the via the default route.
I'm not so sure that it is even the route map that has the problem as if I look at the access lists I can not see any hits being registered. I'm not sure whether this is a red-herring or not as I can't see what is wrong with the ACL or anything to suggest this ACL would not be supported.
If anybody can offer any guidance or suggestions it would be very much appreciated.
Thanks,Below is the "offical" explanation, I have bolded and underlined ESTENTIAL information:-
set ip next-hop
•Specifies the next hop for which to route the packet (the next hop must be adjacent). This behavior is identical to a next hop specified in the normal routing table.
set interface
•Sets output interface for the packet. This action specifies that the packet is forwarded out of the local interface. The interface must be a Layer 3 interface (no switchports), and the destination address in the packet must lie within the IP network assigned to that interface. If the destination address for the packet does not lie within that network, the packet is dropped.
set ip default next-hop
•Sets next hop to which to route the packet if there is no explicit route for this destination. Before forwarding the packet to the next hop, the switch looks up the packet's destination address in the unicast routing table. If a match is found, the packet is forwarded by way of the routing table. If no match is found, the packet is forwarded to the specified next hop.
set default interface
•Sets output interface for the packet if there is no explicit route for this destination. Before forwarding the packet to the next hop, the switch looks up the packet's destination address in the unicast routing table. If a match is found, the packet is forwarded via the routing table. If no match is found, the packet is forwarded to the specified output interface. If the destination address for the packet does not lie within that network, the packet is dropped.
HTH> -
Hi All,
I want to discuss a problem that I am facing in the BGP scenario.
The problem is that I have 2 ISP connections from a service provider which is terminating on 6509 VSS and our companies 2 routers and ASA is also connected to 6509 VSS.
R5 is creating a eBGP peering with R3 (Primary ISP) and R4 (Secondary ISP) and in same way R6 is having eBGP peering with R3 and R4.
I am using 2 default routes 1st with default AD towards R3 (Pri ISP) and 2nd with a higher AD value towards R4 (Sec ISP).
After this I had changed Next-hop with the help of route-map.So, that the traffic will hit on ASAs interface from WAN side.
The route-map for R3 is having a set IP next-hop of ASAs IP address x.x.x.10 and the route-map for R4 is having a set IP next-hop of ASAs 2nd interface IP address y.y.y.10
So, now problem is when I use command on R5 to see which next-hop I am sending to customer(#sh ip bgp nei x.x.x.3 advertised-routes) than for R3 network it shows me the exact next-hop which I want of x.x.x.10 ASAs interfaces but when I use same command to check for R4 than the output is also same i.e. it is having the next-hop of ASAs IP x.x.x.10 even in my route-map I am having a entry to set next-hop for R4 is ASAs interface IP y.y.y.10
After this I used wireshark to capture packet and I also used debug but the output shows that next-hop is set for R4 is y.y.y.10
So, this is the problem i.e. in show output command it is showing wrong next-hop but in capturing it is acknowledging that it is using the next-hop mentioned in route-map.
This is my configuration on R5 and same is on R6 just IPs are like y.y.y.6
R5#
interface GigabitEthernet0/0
description TO Primary ISP
ip address x.x.x.5 255.255.255.248
duplex auto
speed auto
no shut
interface GigabitEthernet0/1
description To Secondary ISP
ip address y.y.y.5 255.255.255.248
duplex auto
speed auto
no shut
ip access-list standard BLOCK
deny any
route-map as_prepend_secondary permit 10
set ip next-hop y.y.y.10
route-map as_prepend_primary permit 10
set ip next-hop x.x.x.10
router bgp AAAAA
no synchronization
bgp log-neighbor-changes
network z.z.z.z mask 255.255.255.248
timers bgp 10 30
neighbor y.y.y.4 remote-as BBBBB
neighbor y.y.y.4 route-map as_prepend_secondary out
neighbor x.x.x.3 remote-as BBBBB
neighbor x.x.x.3 route-map as_prepend_primary out
distribute-list BLOCK in
no auto-summary
ip route x.x.x.0 255.255.255.0 x.x.x.3
ip route y.y.y.0 255.255.255.0 y.y.y.3 2
This is the output of Debug on R6
BGP: TX IPv4 Unicast Wkr global 7 Cur Processing.
BGP: TX IPv4 Unicast Wkr global 7 Cur Attr change from 0x0 to 0x68F081C8.
*Sep 15 13:16:15.056: BGP(0): y.y.y.4 NEXT_HOP is set to y.y.y.10 by policy for net y.y.y.128,
Thanks & Regards,
Rahul ChhabraTopology Diagram
-
BGP - next hop self command.
Hi,
I am learning bgp...need your help...
Connectivity is like as follows:
Router A (ebgp) Router B (ibgp) Router C (ibgp) Router D
when loopback subnet of Router A is received at Router C, defalult with next hop address of outgoing interface of router A.
after configuring next hop self command on router B to C, on Router C then show next hop add outgoing interface of router B. k no prob.
but same subnet isn't received on router D because of ibgp split horizon rule; used route-reflector client on router C. then router D received subnet of Router A; but shows next hop address outgoing interface of router B. even though i used next hop self on router C towards D.; router D didn't show next hop add of router C. Why ??
Its ok i used IGP i.e. EIGRP in between router B, C & D. it works.
=> why next hop self doesn't work in this scenario ?? & is it the reaseon we need to use IGP into IBGP AS ??
--Sandy.Hi,
I agree with Milan, you can use a route-map applied in the outbound direction to rewrite the next-hop.
Another option is to use the "next-hop-self all" (note the keyword all), that will update the next hop of both iBGP and eBGP learned prefixes:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/command/irg-cr-book/bgp-m1.html#wp4972925610
The use case for this (next-hop-self all) is I see is in a DMVPN Network, but not for an ISP - MPLS/VPN Provider.
Regarding BGP and the need of IGP, think that different protocols have different purposes. The IGP, specially used in large-scale deployments, is used to build the topology and provide reachability to internal prefixes. The IGPs used in large-scale designs, IS-IS/OSPF, are good here because as they are link-state protocols and have a complete view of the network and will detect fast a change and run SPF for a new topology if needed. Furthermore, they have extensions to use MPLS/Traffic Engineering.
Once the topology is build and the routers have reachability to internal prefixes, then you can run iBGP (typically between loopbacks) to provide reachability to external prefixes. BGP is very good to transport a good amount of prefixes, as it is based in TCP. If the IGPs could handle the amount of prefixes can handle BGP, then you would not need iBGP, you would redistribute (which is another option) them to the IGP and we will only have external BGP. However, in order to provide reachability and build and scalable network, you need BGP plus an IGP.
The reason of having the need of an iBGP full mesh is to prevent black-holes in the network. Think that routers A-B-C, A is running iBGP with C, which are edge routers receiving prefixes from other ASN´s. As B is not running BGP, when it receives a packet destined to an external network it will drop that packet as it has no information in the RIB.
There was also an old rule called synchronization that prevented the problem of advertising a black hole to another AS. The rule was that if the prefix is not in the IGP, BGP will not advertise that prefix. So, redistribution solved in the old days the problem of black holes and the rule of sync the problem of advertising them to other ASNs. As the networks got bigger and bigger, there was no point to redistribute the external prefixes to the IGP, so iBGP full-mesh/RRs were deployed and the sync rule disabled.
Hope this helps,
Jose. -
Hi,
could someone please advice how to change a next-hop for incoming SMTP traffic? I've successfully created PBR to redirect customer SMTP traffic to a different next-hop:
C6509#access-list 150 permit tcp 85.175.191.0 0.0.0.255 any eq smtp (customer LAN is 85.175.191.0/24; from customer to the internet)
C6509#access-list 160 permit tcp any 85.175.191.0 0.0.0.255 eq smtp (from the internet to customer LAN; doesn't work!)
C6509#route-map MAIL-Redirect permit 10
C6509#match ip address 150
C6509#set ip next-hop 20.10.10.10
C6509#route-map MAIL-Redirect permit 20
C6509#match ip address 160
C6509#set ip next-hop 20.10.10.10
C6509#interface Vlan100
C6509#ip address 85.175.191.1 255.255.255.0
C6509#ip policy route-map MAIL-Redirect
Redirect customer SMTP traffic from inside to the internet works as expected:
IP: s=85.175.191.111 (Vlan16), d=173.19.66.27, len 60, FIB policy match
IP: s=85.175.191.111 (Vlan16), d=173.19.66.27, len 60, PBR Counted
IP: s=85.175.191.111 (Vlan16), d=173.19.66.27, g=20.10.10.10, len 60, FIB policy routed
C6509#sh access-list 150
Extended IP access list 150
10 permit tcp 85.175.191.0 0.0.0.255 any eq smtp (17 matches)
But the other direction (SMTP traffic coming in from the internet to 85.175.191.0/24) seems not working:
C6509#sh access-list 160
Extended IP access list 160
10 permit tcp any 5.175.191.0 0.0.0.255 eq smtp
Any ideas?
Thanks,
ThomasI think it's because PBR must be configured in interface receiving traffic; try configuring PBR on the WAN interface (obviously you can split the route-map in the routemaps: one for incoming traffic (used on WAN inertf) and one for outgoing traffic (used on VLAN 100))
Let me know, bye,
enrico
PS: please rate if useful -
BGP Next-hop conflict with MPLS Label.
Hi, Experts
Equipment: Cisco ASR9922, IOS-XR 4.3.2
Issue: I have problem that my RR do the next-hop-self by using route-policy for client routers, the next-hop is changed as intended but the MPLS label doesn’t changed to reflect the new next-hop.
What I would like to achieve: I would like RR to set next-hop-self only for selected prefixes(172.168.0.0/24, 0.0.0.0/0) but maintain original next-hop for the rest, I do this by using route-policy.
Detail:
I have routers running MPLS infrastructure with ASR9922 as an RR. RN router is in neighbor-group RN and CPE-xx routers are in neighbor-group AN.
•- Every routers are in same BGP AS64549.
•- RN sends prefixes 0.0.0.0/0 and 172.168.0.0/24 to RR.
•- CPE-25 sends prefix 192.168.25.1/32 to RR.
Neighbor-group AN has the route-policy AN-OUT2 to set next-hop of prefix 172.168.0.0/24 and 0.0.0.0/0 to RR#loopback1 before send out update to CPE routers. Below is BGP and RPL configuration at RR.
router bgp 64549
nsr
bgp graceful-restart
ibgp policy out enforce-modifications
address-family vpnv4 unicast
additional-paths receive
additional-paths send
additional-paths selection route-policy ADD-PATH-iBGP
retain route-target all
neighbor-group AN
remote-as 64549
cluster-id 172.16.1.11
update-source Loopback1
address-family vpnv4 unicast
route-reflector-client
route-policy AN-OUT2 out
soft-reconfiguration inbound
route-policy AN-OUT2
if destination in DEFAULT or destination in RNC then
set next-hop 192.168.10.11
else
pass
endif
end-policy
This is what RR advertises to CPE-24
RP/0/RP0/CPU0:RR#show bgp vpnv4 unicast neighbors 192.168.10.24 advertised-routes
Fri Dec 20 15:23:14.931 BKK
Network Next Hop From AS Path
Route Distinguisher: 64549:3339
0.0.0.0/0 192.168.10.11 172.16.1.1 ?
172.16.1.2 ?
172.168.0.0/24 192.168.10.11 172.16.1.1 ?
172.16.1.2 ?
192.168.0.1/32 192.168.10.11 192.168.10.24 i
192.168.0.26/32 192.168.10.26 192.168.10.26 i
192.168.25.1/32 192.168.10.25 192.168.10.25 i
192.168.211.8/30 192.168.10.22 192.168.10.22 i
The IP part works as intended but MPLS Label doesn’t work as intended. Please take a look at RN who is originates 172.168.0.0/24, label 16025 is locally assigned.
RP/0/RP0/CPU0:RN1#show bgp vpnv4 unicast labels
Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Rcvd Label Local Label
Route Distinguisher: 64549:3339 (default for vrf VLAN3339)
*> 0.0.0.0/0 0.0.0.0 nolabel 16025
* i 172.16.1.11 16068 16025
* i 172.16.1.13 16033 16025
*> 172.168.0.0/24 0.0.0.0 nolabel 16025
* i 172.16.1.11 16059 16025
* i 172.16.1.13 16024 16025
172.168.0.0/24 at RR, label 16059 is locally assigned, label 16025 is receive from RN router. It should send 172.168.0.0/24 with label 16059 to CPE-24 to reflect next-hop changed.
RP/0/RSP0/CPU0:RR#show bgp vpnv4 unicast labels
Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Rcvd Label Local Label
Route Distinguisher: 64549:3339
*>i0.0.0.0/0 172.16.1.1 16025 16068
* i 172.16.1.2 16007 16068
*>i172.168.0.0/24 172.16.1.1 16025 16059
* i 172.16.1.2 16007 16059
*>i192.168.0.1/32 192.168.10.24 131070 16060
*>i192.168.25.1/32 192.168.10.25 131070 16062
*>i192.168.211.8/30 192.168.10.22 131070 16065
What I found at CPE-24 which is Alcatel router is that, RR send prefix 172.168.0.0/24, nh 192.168.10.11 with label 16025 which is incorrect.
A:CPE-24# show router bgp routes vpn-ipv4 172.168.0.0/24
===============================================================================
BGP Router ID:192.168.10.24 AS:64549 Local AS:64549
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
Origin codes : i - IGP, e - EGP, ? - incomplete, > - best, b - backup
===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
Flag Network LocalPref MED
Nexthop Path-Id VPNLabel
As-Path
u*>? 64549:3339:172.168.0.0/24 100 0
192.168.10.11 None 16025
No As-Path
Routes : 1
===============================================================================
On RR If I just remove the policy and do the next-hop-self under vpv4 address family, CPE-24 will get corrent nh with correct label(16059) but that won’t achieve our requirement to change nh only on selected prefixes. Is this software problem? Or is there any solution to work around?
Regard,
MaritHello Marit,
I am able to recreate this in the lab, and unfortunately this scenario is not supported. BGP does not advertise allocated label if we set nexhop using route policy. The only way is by next-hop-self configured on RR, and yes it eventually will applies to all prefixes advertised to neighbor-group AN. Currently i do not have workaround available.
Below is the capture of what i have tested in the lab:
The topology:
CRS-4-02 ---------- CRS-8-01 ------------ ASR-9006-1
CRS-8-01 is Route-reflector of CRS-4-02 and ASR-9006-1.
CRS-4-02 advertise some prefixes.
This issue occurs when RR have route-policy toward ASR-9006-1, where it assign incorrect label. But it assign correct label if CRS-8-01 use next-hop-self.
Below is the test done in the lab if RR use next-hop-self:
RP/0/RP0/CPU0:CRS-4-02#show run router bgp
Tue Jan 7 08:16:18.945 UTC
router bgp 1
bgp router-id 172.16.4.1
ibgp policy out enforce-modifications
address-family ipv4 unicast
address-family vpnv4 unicast
neighbor 172.16.8.3
remote-as 1
update-source Loopback0
address-family ipv4 unicast
address-family vpnv4 unicast
route-policy PASS in
route-policy PASS out
vrf RTAMAELA
rd 100:1
address-family ipv4 unicast
redistribute connected
RP/0/RP0/CPU0:CRS-4-02#show bgp vpnv4 unicast advertised summary
Tue Jan 7 08:16:29.001 UTC
Network Next Hop From Advertised to
Route Distinguisher: 100:1
78.22.11.2/32 172.16.4.1 Local 172.16.8.3
78.22.11.3/32 172.16.4.1 Local 172.16.8.3
93.22.15.61/32 172.16.4.1 Local 172.16.8.3
RP/0/RP0/CPU0:CRS-4-02#
RP/0/RP0/CPU0:CRS-4-02#show bgp vpnv4 unicast labels
Tue Jan 7 08:16:53.655 UTC
BGP router identifier 172.16.4.1, local AS number 1
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0x0
BGP main routing table version 57
BGP scan interval 60 secs
Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Rcvd Label Local Label
Route Distinguisher: 100:1 (default for vrf RTAMAELA)
*>i22.51.32.77/32 172.16.8.3 16056 nolabel
*> 78.22.11.2/32 0.0.0.0 nolabel 16003
*> 78.22.11.3/32 0.0.0.0 nolabel 16003
*> 93.22.15.61/32 0.0.0.0 nolabel 16003
Processed 4 prefixes, 4 paths
RP/0/RP0/CPU0:CRS-4-02#
RP/0/RP1/CPU0:CRS-8-01#show run router bgp
Wed Jan 8 11:07:05.436 UTC
router bgp 1
bgp graceful-restart
ibgp policy out enforce-modifications
address-family ipv4 unicast
allocate-label all
address-family vpnv4 unicast
retain route-target all
neighbor-group AN
remote-as 1
update-source Loopback0
address-family vpnv4 unicast
route-reflector-client
next-hop-self <-- use next-hop-self toward ASR-9006-1
soft-reconfiguration inbound
neighbor-group RN
remote-as 1
update-source Loopback0
graceful-restart
address-family vpnv4 unicast
route-reflector-client
next-hop-self
soft-reconfiguration inbound
neighbor 10.10.10.10
remote-as 1
address-family ipv4 unicast
neighbor 72.15.48.5
use neighbor-group AN
neighbor 172.16.4.1
use neighbor-group RN
RP/0/RP1/CPU0:CRS-8-01#show bgp vpnv4 unicast labels
Wed Jan 8 11:07:09.091 UTC
BGP router identifier 172.16.8.3, local AS number 1
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0x0 RD version: 344169
BGP main routing table version 92
BGP scan interval 60 secs
Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Rcvd Label Local Label
Route Distinguisher: 100:1
*>i22.51.32.77/32 72.15.48.5 16000 16056
*>i78.22.11.2/32 172.16.4.1 16003 16053
*>i78.22.11.3/32 172.16.4.1 16003 16054
*>i93.22.15.61/32 172.16.4.1 16003 16055
Processed 4 prefixes, 4 paths
RP/0/RP1/CPU0:CRS-8-01#
RP/0/RSP1/CPU0:ASR-9006-01#show run router bgp
Wed Jan 8 17:02:02.796 UTC
router bgp 1
bgp router-id 72.15.48.5
bgp graceful-restart
ibgp policy out enforce-modifications
address-family ipv4 unicast
address-family vpnv4 unicast
retain route-target all
neighbor-group RR
remote-as 1
update-source Loopback0
graceful-restart
address-family vpnv4 unicast
route-reflector-client
soft-reconfiguration inbound
neighbor 172.16.8.3
use neighbor-group RR
neighbor 192.169.1.2
remote-as 1
update-source Loopback0
address-family vpnv4 unicast
route-policy PASS in
route-policy PASS out
vrf RTAMAELA
rd 100:1
address-family ipv4 unicast
redistribute connected
RP/0/RSP1/CPU0:ASR-9006-01#show bgp vpnv4 unicast labels
Wed Jan 8 17:02:04.381 UTC
BGP router identifier 72.15.48.5, local AS number 1
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0x0 RD version: 253825
BGP main routing table version 126
BGP scan interval 60 secs
Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Rcvd Label Local Label
Route Distinguisher: 100:1 (default for vrf RTAMAELA)
*> 22.51.32.77/32 0.0.0.0 nolabel 16000
*>i78.22.11.2/32 172.16.8.3 16053 nolabel <== 172.16.8.3 is the loopback address of CRS-8-01
*>i78.22.11.3/32 172.16.8.3 16054 nolabel
*>i93.22.15.61/32 172.16.8.3 16055 nolabel
Processed 4 prefixes, 4 paths
RP/0/RSP1/CPU0:ASR-9006-01#
From output above we can see that ASR-9006-01 received correct label for each prefix.
Below is the output with route-policy configured and ASR-9006-01 receive incorrect label:
RP/0/RP1/CPU0:CRS-8-01#show run router bgp
Wed Jan 8 11:04:46.310 UTC
router bgp 1
bgp graceful-restart
ibgp policy out enforce-modifications
address-family ipv4 unicast
allocate-label all
address-family vpnv4 unicast
retain route-target all
neighbor-group AN
remote-as 1
update-source Loopback0
address-family vpnv4 unicast
route-reflector-client
route-policy RTAMAELA out
soft-reconfiguration inbound
neighbor-group RN
remote-as 1
update-source Loopback0
graceful-restart
address-family vpnv4 unicast
route-reflector-client
next-hop-self
soft-reconfiguration inbound
neighbor 72.15.48.5
use neighbor-group AN
neighbor 172.16.4.1
use neighbor-group RN
RP/0/RP1/CPU0:CRS-8-01#show run route-policy RTAMAELA
Wed Jan 8 11:16:06.847 UTC
route-policy RTAMAELA
if destination in RNC then
set next-hop 172.16.8.3
else
pass
endif
end-policy
RP/0/RP1/CPU0:CRS-8-01#show run prefix-set RNC
Wed Jan 8 11:16:12.099 UTC
prefix-set RNC
78.22.11.3/32
end-set
RP/0/RP1/CPU0:CRS-8-01#show bgp vpnv4 unicast labels
Wed Jan 8 11:04:33.512 UTC
BGP router identifier 172.16.8.3, local AS number 1
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0x0 RD version: 344013
BGP main routing table version 92
BGP scan interval 60 secs
Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Rcvd Label Local Label
Route Distinguisher: 100:1
*>i22.51.32.77/32 72.15.48.5 16000 16056
*>i78.22.11.2/32 172.16.4.1 16003 16053
*>i78.22.11.3/32 172.16.4.1 16003 16054
*>i93.22.15.61/32 172.16.4.1 16003 16055
Processed 4 prefixes, 4 paths
RP/0/RP1/CPU0:CRS-8-01#
RP/0/RSP1/CPU0:ASR-9006-01#show run router bgp
Wed Jan 8 16:59:41.601 UTC
router bgp 1
bgp router-id 72.15.48.5
bgp graceful-restart
ibgp policy out enforce-modifications
address-family ipv4 unicast
address-family vpnv4 unicast
retain route-target all
neighbor-group RR
remote-as 1
update-source Loopback0
graceful-restart
address-family vpnv4 unicast
route-reflector-client
soft-reconfiguration inbound
neighbor 172.16.8.3
use neighbor-group RR
neighbor 192.169.1.2
remote-as 1
update-source Loopback0
address-family vpnv4 unicast
route-policy PASS in
route-policy PASS out
vrf RTAMAELA
rd 100:1
address-family ipv4 unicast
redistribute connected
RP/0/RSP1/CPU0:ASR-9006-01#show bgp ipv4 unicast labels
Wed Jan 8 16:59:52.173 UTC
RP/0/RSP1/CPU0:ASR-9006-01#show bgp vpnv4 unicast labels
Wed Jan 8 17:00:00.457 UTC
BGP router identifier 72.15.48.5, local AS number 1
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0x0 RD version: 253701
BGP main routing table version 123
BGP scan interval 60 secs
Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Rcvd Label Local Label
Route Distinguisher: 100:1 (default for vrf RTAMAELA)
*> 22.51.32.77/32 0.0.0.0 nolabel 16000
*>i78.22.11.2/32 172.16.4.1 16003 nolabel
*>i78.22.11.3/32 172.16.8.3 16003 nolabel <-- It receive label 16003, which is wrong. it should receive label 16054.
*>i93.22.15.61/32 172.16.4.1 16003 nolabel
Processed 4 prefixes, 4 paths
RP/0/RSP1/CPU0:ASR-9006-01#
Rivalino -
Importance of specifiying MAC add of next hop L3 device in FWSM config
Hi,
With refrence of Cisco Secure Firewall Services Module (FWSM) of Cisco Press book it's mentioned that
"While configuring the transparent mode in FWSM, it is important to specify the MAC address and the CAM entries on the Layer 3 next hop device of FWSM."
This part of configuration is not very much clear to me please let me know the logic of this things
The following are two examples:
Layer 3 Device A (PFC) at the Outside Security Domain
! IP address of the next hop for the outside security domain
interface Vlan20
mac-address 0000.0000.0001
ip address 10.10.1.1 255.255.255.0
! Specify the IP address and MAC address at the first hop layer 3 interface
! of the inside security domain
arp 10.10.1.21 0000.0000.0001 ARPA
Layer 3 Device B at the Inside Security Domain
! IP address of the next hop for the inside security domain
interface Vlan21
mac-address 0000.0000.0021
ip address 10.10.1.21 255.255.255.0
! Specify the IP address and MAC address defined at the first hop interface
! of the outside security domain
arp 10.10.1.21 0000.0000.0002 ARPA
Regards
Ambivert SkillHello Mikis,
Fair enough, Just remember beggining on 8.3 how the ASA handles the packets it's different from 8.2 and older versions.
As you said now the ASA is going to check the proper Nat rules first and then the Acl's that is why when we want to allow traffic from outside to an inside server we need to poing the ACL to the private or un-nated Ip as the nat rule was taken in place first
Good post by the way,
Remember to rate all the community answers, for us that is more important than a thanks
Julio -
The next-hop-self command PLEASE HELP
I have a question about the next hop-self command, i have a topology with 3 routers lets say R1,R2 and R3. Know R1 and R2 are Ebgps neighbors and R2 and R3 are iBgp neighbors. Know lets say i have a loop back address or lan on R3. Do i need to configure Next-hop-self on R2 towords R1 so R1 can ping R3s lans.
I need to be able to know the Logic very well so a clear explenation would be very appreciated.Sorry, you did say you wanted to understand the logic.
When a BGP router advertises a route to an EBGP peer the next hop in the route is itself. By definition the receiving router must know how to get to that next hop because they are peering with BGP.
When a BGP router receives a route from an EBGP peer if it advertises it to an IBGP peer by default it does not change the next hop IP so the next hop IP is that of the originating router.
So there is a good chance that the IBGP router does not know how to get to that next hop IP.
There are a couple of solutions to this and one of them is to configure the receiving EBGP router to change the next hop IP to itself which obviously the IBGP peer knows how to get because again it has a peering.
Jon
Maybe you are looking for
-
Is there a way to apply all the font styles before importing the file
Hi, I've some text as below in a text file that needs to be imported into InDesign. "Law of Civil Procedures" And in InDesign this is to be made bold. I want to know if there is a way to make it bold directly and then import it into InDesign, I'm ask
-
Data source doesn't show porper data while flat file data loading
Hi Experts, I am trying to load data from flat file for info object 0GL_ACCOUNT. I have created an application component and data source. My question is after loading text data in the corresponding data source, it shows only few characters of the act
-
How to Install Premiere Pro Title Templates Properly
Hi everyone. I know this might seem like second nature to the PC iniated but I just don't have a clue how to install... well anything on a PC. I've found the content I need to install here: http://helpx.adobe.com/x-productkb/multi/library-functional-
-
Noise while running the report
hi, A speaker with amplifier is attached to my Server and when ever i run a report, heavy noise is coming in the speaker. ravikiran
-
Video files .mod or .moi from a JVC camera to imovie?
I have a JVC camera GZ-MG360BU from 2009. The video files ends with .mod or .moi and I can´t import the files into iMovie. Can not open the camera from iMovie either. Does the files needs to be converted or how shall I proceed? Any tips appreciated!