topic Unfortunately still learning in Network Security

Cannot connect ASA interfaces

Dave Kozlowski — Tue, 12 Mar 2019 05:30:10 GMT

Having a problem Trying to setup an 5520 ASA

I can get the static route 0.0.0.0 thru the external interface to work fine. System accepts it with no errors

When I try to setup other routes, say a route to my lan side network, I keep getting the error " Cannot add route, connected route exist

Seems line the wan and lan interfaces aren't communicating to each other.

I can ping out via my wan interface but not my lan interface.

Help is appreciated.

Dave

DaveThat usually means you

Jon Marshall — Sat, 14 Feb 2015 12:57:55 GMT

Dave

That usually means you are adding a route for a subnet that the ASA has an IP from on one of it's interfaces.

What route are you trying to add and what does the routing table look like on the ASA ?

Jon

Here is what I haveWan

Dave Kozlowski — Sat, 14 Feb 2015 13:11:34 GMT

Here is what I have

Wan interface 50.206.215.130 other side 50.206.215.129

Routing 0.0.0.0 thru 50.206.215.129 works fine. I can ping outside (8.8.8.8)

Lan interface 17216.100.251 other side switch 172.16.100.250

From this interface I can ping inside the switch.

But if I use the Wan interface I cannot inside the switch

Also from the lan interface I cannot pintg out (8.8.8.8)

Tried to setup a route 172.16.100.0/24 using the 172.16.100.250 gateway and I get an error.

Hope this makes sense.

Thanks

Dave

DaveYou can't add that route

Jon Marshall — Sat, 14 Feb 2015 13:16:41 GMT

Dave

You can't add that route because the ASA inside interface is already in that IP subnet so it doesn't need a route.

I also don't think you can ping from the WAN interface to the switch because the ASA doesn't allow that or at least the versions I worked on didn't.

If you want to test connectivity don't use the ASA interfaces, use the switch and try to ping out.

Have you setup NAT for the 172.16.100.0/24 subnet ?

Jon

from switch I can only ping

Dave Kozlowski — Sat, 14 Feb 2015 13:24:46 GMT

from switch I can only ping the lan interface 172.16.100.251

Haven't setup anything with NAT yet.

Thanks

Okay when testing from the

Jon Marshall — Sat, 14 Feb 2015 13:29:23 GMT

Okay when testing from the switch don't try and ping the outside interface of the ASA as it won't work. Ping an IP beyond the ASA.

So you will need to setup -

1) dynamic PAT if you are translating all internal IPs to the outside interface IP of your ASA

and

2) if you are using ping to test then you need either -

i) ICMP inspection

ii) an acl on the outside interface allowing ICMP back in

do you know how to set this up ?

Jon

Unfortunately still learning

Dave Kozlowski — Sat, 14 Feb 2015 14:04:33 GMT

Unfortunately still learning the ASA so no to the PAT piece

Add this to your ASA -object

Jon Marshall — Sat, 14 Feb 2015 15:19:53 GMT

Add this to your ASA -

object network PAT
subnet 172.16.100.0 255.255.255.0
nat (inside,outside) dynamic interface

policy-map global_policy
class inspection_default
inspect icmp

Note the above is a basic configuration to get you going.

There are other ways to do the NAT depending on what your other NAT requirements are.

See this document for 8.3 NAT onwards written by Jouni Forss. It's one of the best documents on this site in my opinion.

He normally configures dynamic PAT in section 3 using the after-auto option but I have given you just a basic example using object NAT.

If you read the doc you'll understand what I am talking about and it is worth reading to get a better understanding of how it all works -

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Any problems with the config above let me know.

Jon