topic Access issues "no valid adjacency". in Network Security

Access issues "no valid adjacency".

gosborne1969 — Tue, 12 Mar 2019 02:52:00 GMT

Hi I'm running a 5505 version 8.4(2).

Around a month ago i addedd a second interface called inside2. Everthing was going fine until I needed to expose some websites on the new network to external parties. If i try to access the sites via my outside interface I see "no valid adjacency" in the log files. If I run a packet trace from the outside interface to the inside2 interface is see the following...

Type -

NAT

Subtype -

rpf-check

Action -

DROP

Show rule in NAT Rules table.

Config

object network obj_any_inside2
nat (inside2,outside) dynamic interface

Here is the relevant portion of my config...

Result of the command: "sh run"

: Saved

ASA Version 8.4(2)

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

switchport access vlan 15

interface Ethernet0/5

switchport access vlan 5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 192.168.57.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 77.221.164.138 255.255.255.0

interface Vlan15

nameif inside2

security-level 75

ip address 192.168.59.1 255.255.255.0

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj_any_inside2

subnet 0.0.0.0 0.0.0.0

object network webserver16

host 192.168.59.22

object network webserver14

host 192.168.59.19

access-list outside_access extended permit object-group HTTP(S) any object webserver16

access-list outside_access extended permit object-group HTTP(S) any object webserver14

object network obj_any

nat (inside,outside) dynamic interface

object network obj_any_inside2

nat (spinsport,outside) dynamic interface

object network webserver16

nat (inside,outside) static 77.221.164.141

object network webserver14

nat (inside,outside) static 77.221.164.142

access-group outside_access in interface outside

access-group global_access global

route outside 0.0.0.0 0.0.0.0 77.221.164.137 1

What exactly am i doing wrong here?

Access issues "no valid adjacency".

Jouni Forss — Mon, 14 Oct 2013 17:34:28 GMT

Hi,

The NAT configuration at the very top is a Dynamic PAT usually configured for internal networks to enable outbound connections to the Internet.

For inbound connections from the Internet you would have to specify a Static NAT which binds a single public IP address to a single local IP address. Or you would have to specify a Static PAT which binds a single public port of a public IP address to a single local port of a local IP address.

Essentially you would need a configuration like this

object network NEW-SERVER

host 192.168.59.x

nat (inside2,outside) static

access-list permit tcp any object NEW-SERVER eq

Or are the "webserver14" and "webserver16" perhaps the Static NAT configurations you are trying to use? If they are notice that they are using the wrong source interface of "inside" instead of "inside2"

So the problem might most likely be the wrong interface in the "nat" command

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question

Feel free to ask more if needed

- Jouni

Access issues "no valid adjacency".

gosborne1969 — Tue, 15 Oct 2013 06:50:26 GMT

Oh my lord I didn't notice I was pointing the nat rule to the inside interface instead of inside2. This is what happens when your boss has you messing abot with firewalls when you have the flu.

Thank you so much JouniForss for the sanity check.