03-15-2024 03:25 AM - edited 03-16-2024 04:04 AM
Trying to access a device in the dmz from a device connected to another interface, sec, on an ASA5545.
Both interfaces are connected.
OK, we have some static routes out of the sec interface, but the dmz and sec are connected, so I do not understand why the logs show the inside interface.
I see the echo requests on the target device in the dmz and I see the echo replies there,
but in the ASA logs I see:
%ASA-6-110003: Routing failed to locate next hop for ICMP from dmz:10.20.30.200/0 to inside:10.71.19.100/1
Of course, when I try to add a route I get:
ERROR: Cannot add route, connected route exists
!
interface Port-channel1.11
vlan 11
nameif dmz
security-level 50
ip address 10.20.30.1 255.255.255.0 standby 10.20.30.2
!
!
interface Port-channel1.15
vlan 15
nameif sec
security-level 21
ip address 10.71.19.1 255.255.255.0 standby 10.71.19.2
!
03-16-2024 04:09 AM
Thanks for the reply.
Shame on me.
The problem was: the ASA is not the default gateway for "sec"; instead, a router connected to this subnet is.
And there is a static route on the server which routes the inside subnet back to the ASA.
So I also had to add a static route on the server for the DMZ subnet.
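The accepted answer comes down to longest-prefix matching on the server: its default route points at another router, so traffic for the DMZ subnet never reaches the ASA sec interface until a more specific route exists, even though the inside subnet already has one. The following is an added example, not code from the thread, that models the server's routing table as described and shows the next hop chosen before and after the DMZ route is added. The ASA sec address 10.71.19.1, the server 10.71.19.100 and the DMZ host 10.20.30.200 are from the thread; the other router's address 10.71.19.254 and the inside prefix 10.10.0.0/16 are assumptions made for illustration.

```python
import ipaddress

# Addresses taken from the thread.
SERVER_IP = "10.71.19.100"      # server on the sec subnet
DMZ_HOST = "10.20.30.200"       # device in the dmz
ASA_SEC_IP = "10.71.19.1"       # ASA sec interface (from the posted config)
DMZ_SUBNET = "10.20.30.0/24"    # from the ASA dmz interface config

# Assumptions for illustration only (not stated in the thread):
OTHER_ROUTER_IP = "10.71.19.254"   # the non-ASA default gateway on the sec subnet
INSIDE_SUBNET = "10.10.0.0/16"     # the "inside subnet" the server already routes via the ASA


def server_routes(dmz_route_added: bool):
    """Routing table of the server as described in the accepted answer.

    Entries are (prefix, next hop); a next hop of None means directly connected.
    """
    routes = [
        ("0.0.0.0/0", OTHER_ROUTER_IP),   # default gateway is a router, not the ASA
        ("10.71.19.0/24", None),          # connected sec subnet
        (INSIDE_SUBNET, ASA_SEC_IP),      # existing static route for the inside subnet via the ASA
    ]
    if dmz_route_added:
        routes.append((DMZ_SUBNET, ASA_SEC_IP))  # the fix: static route for the DMZ subnet
    return routes


def next_hop(routes, destination):
    """Longest-prefix match: the most specific matching prefix wins, not the first one listed."""
    dst = ipaddress.ip_address(destination)
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    if best_net is None:
        return None
    return best_hop if best_hop is not None else "connected"


def path_to_dmz_via_asa(dmz_route_added: bool):
    """True only when the server hands DMZ-bound packets to the ASA sec interface,
    so both directions of the flow pass the same ASA interface."""
    return next_hop(server_routes(dmz_route_added), DMZ_HOST) == ASA_SEC_IP


if __name__ == "__main__":
    for fixed in (False, True):
        hop = next_hop(server_routes(fixed), DMZ_HOST)
        print(f"dmz route added={fixed}: {SERVER_IP} -> {DMZ_HOST} via {hop}, "
              f"through ASA sec={path_to_dmz_via_asa(fixed)}")
```

The inside-subnet route is irrelevant to the DMZ host because 10.20.30.200 does not fall inside that prefix, so only the default route matches; the same lookup can be repeated for any other destination to confirm which gateway a given flow will leave through before touching the ASA.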
03-15-2024 03:40 AM
Only clear conn and the issue will be solved.
MHM