10-14-2013 06:32 AM - edited 03-11-2019 07:52 PM
Hi I'm running a 5505 version 8.4(2).
Around a month ago I added a second interface called inside2. Everything was going fine until I needed to expose some websites on the new network to external parties. If I try to access the sites via my outside interface I see "no valid adjacency" in the log files. If I run a packet trace from the outside interface to the inside2 interface I see the following...
Here is the relevant portion of my config...
Result of the command: "sh run"
: Saved
:
ASA Version 8.4(2)
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 15
!
interface Ethernet0/5
switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.57.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 77.221.164.138 255.255.255.0
!
interface Vlan15
nameif inside2
security-level 75
ip address 192.168.59.1 255.255.255.0
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any_inside2
subnet 0.0.0.0 0.0.0.0
object network webserver16
host 192.168.59.22
object network webserver14
host 192.168.59.19
access-list outside_access extended permit object-group HTTP(S) any object webserver16
access-list outside_access extended permit object-group HTTP(S) any object webserver14
!
object network obj_any
nat (inside,outside) dynamic interface
object network obj_any_inside2
nat (spinsport,outside) dynamic interface
object network webserver16
nat (inside,outside) static 77.221.164.141
object network webserver14
nat (inside,outside) static 77.221.164.142
access-group outside_access in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 77.221.164.137 1
What exactly am I doing wrong here?
10-14-2013 10:34 AM
Hi,
The NAT configuration at the very top is a Dynamic PAT usually configured for internal networks to enable outbound connections to the Internet.
For inbound connections from the Internet you would have to specify a Static NAT which binds a single public IP address to a single local IP address. Or you would have to specify a Static PAT which binds a single public port of a public IP address to a single local port of a local IP address.
Essentially you would need a configuration like this
object network NEW-SERVER
host 192.168.59.x
nat (inside2,outside) static
access-list
Or are the "webserver14" and "webserver16" perhaps the Static NAT configurations you are trying to use? If they are, notice that they are using the wrong source interface of "inside" instead of "inside2".
So the problem might most likely be the wrong interface in the "nat" command
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question
Feel free to ask more if needed
- Jouni
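The fix Jouni describes, written out as a complete added example against the poster's own objects (this is not the poster's or Jouni's config; the HTTP(S) service object-group is assumed to already exist, and 203.0.113.10 is a constructed test source address):

```cisco
! Before: the static NAT names the wrong real interface. 192.168.59.x
! sits behind inside2 (Vlan15), so a packet arriving on outside for
! 77.221.164.141 is untranslated toward "inside", where 192.168.59.22 is
! not on the connected subnet and no next hop can be resolved:
! packet-tracer reports "no valid adjacency" and the packet is dropped.
!
!   object network webserver16
!    host 192.168.59.22
!    nat (inside,outside) static 77.221.164.141
!
! After: the real interface in the nat statement matches where the
! server actually lives. Only the interface pair changes; the mapped
! addresses and the inbound ACL stay as the poster had them.
object network webserver16
 host 192.168.59.22
 nat (inside2,outside) static 77.221.164.141
object network webserver14
 host 192.168.59.19
 nat (inside2,outside) static 77.221.164.142
!
! Permit only the published service inbound on outside (never "ip any any").
! The HTTP(S) service object-group is assumed to exist already.
access-list outside_access extended permit object-group HTTP(S) any object webserver16
access-list outside_access extended permit object-group HTTP(S) any object webserver14
access-group outside_access in interface outside
!
! Verify from the CLI before declaring it fixed. With the corrected
! interface the trace should show UN-NAT to 192.168.59.22 and an ALLOW
! result with inside2 as the output interface; show xlate then lists the
! static translation once traffic has hit it.
! packet-tracer input outside tcp 203.0.113.10 12345 77.221.164.141 80
! show nat detail
! show xlate
```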
10-14-2013 11:50 PM
Oh my lord, I didn't notice I was pointing the nat rule to the inside interface instead of inside2. This is what happens when your boss has you messing about with firewalls when you have the flu.
Thank you so much JouniForss for the sanity check.