Access issues "no valid adjacency".

gosborne1969
Level 1

Hi, I'm running a 5505, version 8.4(2).

Around a month ago I added a second interface called inside2. Everything was going fine until I needed to expose some websites on the new network to external parties. If I try to access the sites via my outside interface I see "no valid adjacency" in the log files. If I run a packet trace from the outside interface to the inside2 interface I see the following...

Type - NAT
Subtype - rpf-check
Action - DROP
Show rule in NAT Rules table.
Config:
object network obj_any_inside2
 nat (inside2,outside) dynamic interface

Here is the relevant portion of my config...

Result of the command: "sh run"

: Saved
:
ASA Version 8.4(2)
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 15
!
interface Ethernet0/5
 switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.57.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 77.221.164.138 255.255.255.0
!
interface Vlan15
 nameif inside2
 security-level 75
 ip address 192.168.59.1 255.255.255.0
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any_inside2
 subnet 0.0.0.0 0.0.0.0
object network webserver16
 host 192.168.59.22
object network webserver14
 host 192.168.59.19
access-list outside_access extended permit object-group HTTP(S) any object webserver16
access-list outside_access extended permit object-group HTTP(S) any object webserver14
!
object network obj_any
 nat (inside,outside) dynamic interface
object network obj_any_inside2
 nat (spinsport,outside) dynamic interface
object network webserver16
 nat (inside,outside) static 77.221.164.141
object network webserver14
 nat (inside,outside) static 77.221.164.142
access-group outside_access in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 77.221.164.137 1

What exactly am I doing wrong here?

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

The NAT configuration at the very top is a Dynamic PAT usually configured for internal networks to enable outbound connections to the Internet.

For inbound connections from the Internet you would have to specify a Static NAT which binds a single public IP address to a single local IP address. Or you would have to specify a Static PAT which binds a single public port of a public IP address to a single local port of a local IP address.

Essentially you would need a configuration like this:

object network NEW-SERVER
 host 192.168.59.x
 nat (inside2,outside) static
access-list permit tcp any object NEW-SERVER eq

Or are "webserver14" and "webserver16" perhaps the Static NAT configurations you are trying to use? If they are, notice that they are using the wrong source interface, "inside" instead of "inside2".

So the problem is most likely the wrong interface in the "nat" command.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question

Feel free to ask more if needed

- Jouni

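Added example, not from the post or from Cisco: a small Python lint that reads an ASA-style configuration, maps each nameif to its connected subnet, and flags object static NAT rules whose real interface does not own the object's host address, which is exactly the inside/inside2 mismatch Jouni points out and the reason the inbound packet dies in rpf-check. The config excerpt is constructed from the poster's interfaces and servers, with webserver14's rule corrected to inside2 so the check sees one bad and one good rule.

```python
import ipaddress
import re

# Constructed excerpt of the poster's config; webserver14 corrected to inside2 on purpose.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.57.1 255.255.255.0
interface Vlan15
 nameif inside2
 ip address 192.168.59.1 255.255.255.0
object network webserver16
 host 192.168.59.22
object network webserver14
 host 192.168.59.19
object network webserver16
 nat (inside,outside) static 77.221.164.141
object network webserver14
 nat (inside2,outside) static 77.221.164.142
"""

def parse_asa(cfg):
    """Return ({nameif: network}, {object: host}, [(object, real_if, mapped_ip)])."""
    nets, hosts, nats, nameif, obj = {}, {}, [], None, None
    for raw in cfg.splitlines():
        s = raw.strip()
        if s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("ip address ") and nameif:
            # ASA writes "ip address A.B.C.D MASK"; ipaddress accepts a dotted mask
            nets[nameif] = ipaddress.ip_network("{}/{}".format(*s.split()[2:4]), strict=False)
        elif s.startswith("object network "):
            obj = s.split()[2]  # the same object may reappear to carry its nat line
        elif s.startswith("host ") and obj:
            hosts[obj] = ipaddress.ip_address(s.split()[1])
        elif (m := re.match(r"nat \((\S+),(\S+)\) static (\S+)", s)) and obj:
            nats.append((obj, m.group(1), m.group(3)))
    return nets, hosts, nats

def find_mismatched_static_nats(cfg):
    """Return (object, real_if, expected_if, mapped_ip) for every static NAT whose real
    interface does not own the host's subnet: the ASA expects the host behind the wrong
    interface, so traffic to the mapped address fails rpf-check."""
    nets, hosts, nats = parse_asa(cfg)
    findings = []
    for obj, real_if, mapped_ip in nats:
        host = hosts.get(obj)
        if host is None or real_if not in nets or host in nets[real_if]:
            continue  # unknown object/interface, or the rule is consistent
        expected = next((n for n, net in nets.items() if host in net), None)
        findings.append((obj, real_if, expected, mapped_ip))
    return findings
```

Run it over a full `show running-config` and each finding names the object, the interface it wrongly points at, and the interface that actually owns the host.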

Oh my lord, I didn't notice I was pointing the nat rule to the inside interface instead of inside2. This is what happens when your boss has you messing about with firewalls when you have the flu.

Thank you so much JouniForss for the sanity check.
