01-29-2020 01:10 PM
Hello,
I have an ASA 5545X with two outside interfaces. We are using both WAN links with route maps. So WAN 1 is used by VLAN 100-120 and WAN2 is used by VLAN 200-220.
When I configure incoming nat to access a webserver in VLAN 100 over WAN1 everything is working.
When I configure incoming NAT for a webserver on VLAN 200 over WAN2, the packets arrive on the webserver. But I have seen in a Wireshark dump that there are retransmissions and then the connection is cancelled.
In the ASA log I saw the entry "Teardown TCP connection ......... No valid adjacency".
Could anyone tell me, what's the problem and how can I solve this?
01-29-2020 01:35 PM
Hi,
Can you share your ASA config ?
01-30-2020 01:50 AM
01-30-2020 03:41 AM
Hi,
From the shared config, I can see you only did static NAT for 10.10.10.111 to the WAN 2 interface. Which one is the webserver?
01-30-2020 04:47 AM
01-30-2020 04:22 PM
It seems the issue is with the reply packets. Can you tell me why there is "access-group DMZ-1_access_in in interface DMZ-1" on the DMZ-1 interface without any ACL? I did not find any ACL. If there is no ACL then please remove it.
02-03-2020 12:29 AM
Sorry. There are some ACLs:
access-list DMZ-1_access_in extended deny ip object NET_10.10.10.0_DMZ-1 object-group OG_Internal-Networks
access-list DMZ-1_access_in extended permit tcp object DMZ-SRV_Test any object-group DM_INLINE_TCP_1
access-list DMZ-1_access_in extended permit icmp object NET_10.10.10.0_DMZ-1 any
access-group DMZ-1_access_in in interface DMZ-1
02-03-2020 04:57 AM
I saw this article but it does not solve my problem:
http://blog.davidvassallo.me/2013/03/02/lessons-learned-overriding-routing-in-cisco-asa/
02-03-2020 07:41 AM
Does anybody have an idea what the problem could be?
When I do incoming NAT on OUTSIDE it works.
When I do incoming NAT on WAN-2 I get the error "No valid adjacency".
Outgoing traffic over WAN-2 works without problems.
02-03-2020 03:53 PM
Thanks for sharing, all looks good to me. Not sure why it is happening on WAN-2 since DMZ-1 is directly connected.
From the link you shared, the problem would be there if you used "any", but you already specified the interface. Regarding WAN-1, are you using a similar config and scenario, right?
02-04-2020 01:52 AM
Sorry. Where do you think the problem could be?
02-04-2020 02:24 AM
Sorry for the confusion, the problem might happen if you use (any, WAN-2) instead of (DMZ-1, WAN-2).
Your DMZ-1 with WAN-1 has the same NAT configuration and ACL policies for your FTP server in DMZ-1, right?
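An added example, not from this thread or any of its posters, showing the two NAT statements the reply above contrasts. It reuses the object names from the thread; the public address, the WAN-2 inbound ACL name and the service object-group are assumptions and placeholders.

```cisco
! Constructed example, not taken from the thread. Object names come from the
! posts; <PUBLIC-IP-ON-WAN-2> and WAN-2_access_in are placeholders/assumptions.
object network DMZ-SRV_Test
 host 10.10.10.111

! Variant the reply warns against: the real-side interface is left as "any",
! so the ASA is not told that this host lives behind DMZ-1.
! object network DMZ-SRV_Test
!  nat (any,WAN-2) static <PUBLIC-IP-ON-WAN-2>

! Recommended variant: both interfaces named explicitly (DMZ-1,WAN-2).
object network DMZ-SRV_Test
 nat (DMZ-1,WAN-2) static <PUBLIC-IP-ON-WAN-2>

! On ASA 8.3 and later, interface ACLs are evaluated after un-NAT, so the
! inbound ACL on WAN-2 must permit traffic to the real (private) address.
access-list WAN-2_access_in extended permit tcp any object DMZ-SRV_Test object-group DM_INLINE_TCP_1
access-group WAN-2_access_in in interface WAN-2
```

"show nat detail" and "show xlate" confirm which NAT statement an inbound connection actually matched.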
02-04-2020 07:02 AM - edited 02-04-2020 07:04 AM
Ah ok. Sorry, but I have already changed this and reconfigured it several times.
I have found no solution yet. I'm very confused why it does not work on the whole public IP space on WAN-2.
I was hoping that this article would be the solution, but it does not help:
http://blog.davidvassallo.me/2013/03/02/lessons-learned-overriding-routing-in-cisco-asa/