Solved: Re: ASA5545 no access from other connected if to dmz

chris-doro · ‎03-15-2024

Trying to access device in dmz from device connected to other interface sec on ASA5545.
Both interfaces are connected.
Ok, we have some static routes out from the sec interface, but the dmz and sec are connected, so I do not understand, why the logs show the inside interface?
I see the echo requests on the target device in dmz and I see the echo-replies there,
but in the ASA logs I see:
%ASA-6-110003: Routing failed to locate next hop for ICMP from dmz:10.20.30.200/0 to inside:10.71.19.100/1

Of course when I try to add a route I get:
ERROR: Cannot add route, connected route exists

!
interface Port-channel1.11
vlan 11
nameif dmz
security-level 50
ip address 10.20.30.1 255.255.255.0 standby 10.20.30.2
!
!
interface Port-channel1.15
vlan 15
nameif sec
security-level 21
ip address 10.71.19.1 255.255.255.0 standby 10.71.19.2
!

chris-doro · ‎03-16-2024

Thanks for reply.
Shame on me.
The problem was: not the ASA is the default-gw for "sec" instead a router connected to this subnet.
And there is static route on the server which route the inside subnet back to ASA.
So I also had to add a static route on server for the DMZ subnet.

View solution in original post

MHM Cisco World · ‎03-15-2024

only clear conn and the issue will solved
MHM

chris-doro · ‎03-16-2024

Thanks for reply.
Shame on me.
The problem was: not the ASA is the default-gw for "sec" instead a router connected to this subnet.
And there is static route on the server which route the inside subnet back to ASA.
So I also had to add a static route on server for the DMZ subnet.