Cisco ASA with multiple WAN and NAT

markus.bock
Level 1

Hello,

 

I have an ASA 5545-X with two outside interfaces. We are using both WAN links with route maps, so WAN1 is used by VLAN 100-120 and WAN2 is used by VLAN 200-220.

When I configure incoming NAT to access a web server in VLAN 100 over WAN1, everything works.

When I configure incoming NAT for a web server in VLAN 200 over WAN2, the packets arrive at the web server. But I have seen in a Wireshark dump that there are retransmissions and then the connection is cancelled.

In the ASA log I saw the entry "Teardown TCP connection ......... No valid adjacency".

 

Could anyone tell me what the problem is and how I can solve it?

12 Replies

Muhammad Awais Khan
Cisco Employee

Hi,

 

Can you share your ASA config?

I hope this helps you

 

Hi,

 

From the shared config, I can see you only did static NAT for 10.10.10.111 to the WAN 2 interface. Which one is the web server?

10.10.10.111 is the server. I have now forwarded FTP.

The attached screenshot from a Wireshark dump is interesting. .111 is the FTP server and .106 is the public IP that the request to access the FTP server comes from.

 

It seems the issue is with the reply packets. Can you tell me why there is "access-group DMZ-1_access_in in interface DMZ-1" on the DMZ-1 interface without any ACL? I did not find any ACL. If there is no ACL, then please remove it.

Sorry. There are some ACLs:

 

access-list DMZ-1_access_in extended deny ip object NET_10.10.10.0_DMZ-1 object-group OG_Internal-Networks
access-list DMZ-1_access_in extended permit tcp object DMZ-SRV_Test any object-group DM_INLINE_TCP_1
access-list DMZ-1_access_in extended permit icmp object NET_10.10.10.0_DMZ-1 any
access-group DMZ-1_access_in in interface DMZ-1

Does anybody have an idea what the problem could be?

When I do incoming NAT on OUTSIDE, it works.

When I do incoming NAT on WAN-2, I get the error "No valid adjacency".

Outgoing traffic over WAN-2 works without problems.

 

Thanks for sharing, it all looks good to me. Not sure why it is happening on WAN-2, since DMZ-1 is directly connected.

 

From the link you shared, the problem would be there if you used "any", but you already specified the interface. Regarding WAN-1, are you using a similar config and scenario?

 

 

Sorry. Where do you mean could be the problem?

Sorry for the confusion, the problem could happen if you use (any, WAN-2) instead of (DMZ-1, WAN-2).

 

Your DMZ-1 with WAN-1 has the same NAT configuration and ACL policies for your FTP server in DMZ-1, right?

Ah ok. Sorry, but I have already changed this and reconfigured it several times.

I have found no solution yet. I'm very confused why it does not work on the whole public IP space on WAN-2.

I was hoping that this article would be the solution, but it does not help:

http://blog.davidvassallo.me/2013/03/02/lessons-learned-overriding-routing-in-cisco-asa/ 
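As an added example (not the original poster's configuration and not Cisco's own material), here is how the inbound static NAT and ACL for the FTP server would be laid out in ASA 8.3+ object NAT syntax, with the interface pair written out explicitly as (DMZ-1,WAN-2) rather than (any,WAN-2) as suggested in the thread, followed by the show and packet-tracer commands a practitioner would run to see at which phase (ACL, NAT, route lookup, adjacency) the reply path breaks. The interface names DMZ-1 and WAN-2 and the host 10.10.10.111 come from the thread; the public address 203.0.113.10, the test client 198.51.100.6 and the object names are assumptions (RFC 5737 documentation ranges stand in for the real WAN-2 address space).

```cisco
! Added example, not the thread's config. Public addresses are RFC 5737
! documentation ranges standing in for the real WAN-2 space.
object network DMZ-SRV_FTP
 host 10.10.10.111
 ! Interface pair stated explicitly: real interface DMZ-1, mapped interface WAN-2.
 ! Scoped to this pair on purpose; not (any,WAN-2).
 nat (DMZ-1,WAN-2) static 203.0.113.10

! Inbound ACL on WAN-2. Since ASA 8.3 interface ACLs match the real
! (untranslated) address, so the rule names the server object, not the public IP.
object-group service OG_FTP tcp
 port-object eq ftp
access-list WAN-2_access_in extended permit tcp any object DMZ-SRV_FTP object-group OG_FTP
access-group WAN-2_access_in in interface WAN-2

! FTP needs inspection so the data channel is opened dynamically.
! This is part of the default global policy; shown here for completeness.
policy-map global_policy
 class inspection_default
  inspect ftp

! --- Checks ---
! Confirm the rule is installed and which interface pair it was compiled for.
show nat detail
! Simulate a client SYN arriving on WAN-2 and watch every phase, in particular
! the route-lookup and adjacency phases for the reply direction.
packet-tracer input WAN-2 tcp 198.51.100.6 40000 203.0.113.10 21 detailed
! "No valid adjacency" means the ASA had no usable next hop on the egress
! interface when forwarding. Confirm WAN-2 has a route for the client source
! and that the WAN-2 gateway has a resolved ARP entry.
show route
show arp | include WAN-2
! Inspect the live connection for the server; the listed interfaces and flags
! show which side the ASA believes the reply must leave on.
show conn detail address 10.10.10.111
```

The ACL and object names here are placeholders; the point of the block is the explicit interface pair in the NAT statement and the order of checks (nat, packet-tracer, route, arp, conn), which isolate whether the failure is in policy or in next-hop resolution on WAN-2.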
