Cannot connect ASA interfaces

Dave Kozlowski · ‎02-14-2015

Having a problem Trying to setup an 5520 ASA

I can get the static route 0.0.0.0 thru the external interface to work fine. System accepts it with no errors

When I try to setup other routes, say a route to my lan side network, I keep getting the error " Cannot add route, connected route exist

Seems line the wan and lan interfaces aren't communicating to each other.

I can ping out via my wan interface but not my lan interface.

Help is appreciated.

Dave

Jon Marshall · ‎02-14-2015

Dave

That usually means you are adding a route for a subnet that the ASA has an IP from on one of it's interfaces.

What route are you trying to add and what does the routing table look like on the ASA ?

Jon

Dave Kozlowski · ‎02-14-2015

Here is what I have

Wan interface 50.206.215.130 other side 50.206.215.129

Routing 0.0.0.0 thru 50.206.215.129 works fine. I can ping outside (8.8.8.8)

Lan interface 17216.100.251 other side switch 172.16.100.250

From this interface I can ping inside the switch.

But if I use the Wan interface I cannot inside the switch

Also from the lan interface I cannot pintg out (8.8.8.8)

Tried to setup a route 172.16.100.0/24 using the 172.16.100.250 gateway and I get an error.

Hope this makes sense.

Thanks

Dave

Jon Marshall · ‎02-14-2015

Dave

You can't add that route because the ASA inside interface is already in that IP subnet so it doesn't need a route.

I also don't think you can ping from the WAN interface to the switch because the ASA doesn't allow that or at least the versions I worked on didn't.

If you want to test connectivity don't use the ASA interfaces, use the switch and try to ping out.

Have you setup NAT for the 172.16.100.0/24 subnet ?

Jon

Dave Kozlowski · ‎02-14-2015

from switch I can only ping the lan interface 172.16.100.251

Haven't setup anything with NAT yet.

Thanks

Jon Marshall · ‎02-14-2015

Okay when testing from the switch don't try and ping the outside interface of the ASA as it won't work. Ping an IP beyond the ASA.

So you will need to setup -

1) dynamic PAT if you are translating all internal IPs to the outside interface IP of your ASA

and

2) if you are using ping to test then you need either -

i) ICMP inspection

or

ii) an acl on the outside interface allowing ICMP back in

do you know how to set this up ?

Jon

Dave Kozlowski · ‎02-14-2015

Unfortunately still learning the ASA so no to the PAT piece

Jon Marshall · ‎02-14-2015

Add this to your ASA -

object network PAT
subnet 172.16.100.0 255.255.255.0
nat (inside,outside) dynamic interface

policy-map global_policy
class inspection_default
inspect icmp

Note the above is a basic configuration to get you going.

There are other ways to do the NAT depending on what your other NAT requirements are.

See this document for 8.3 NAT onwards written by Jouni Forss. It's one of the best documents on this site in my opinion.

He normally configures dynamic PAT in section 3 using the after-auto option but I have given you just a basic example using object NAT.

If you read the doc you'll understand what I am talking about and it is worth reading to get a better understanding of how it all works -

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Any problems with the config above let me know.

Jon