Cisco ASA with multiple WAN and NAT

Hello,

 

I have an ASA 5545X with two outside interfaces. We are using both WAN links with route maps. So WAN 1 is used by VLAN 100-120 and WAN 2 is used by VLAN 200-220.

When I configure incoming NAT to access a webserver in VLAN 100 over WAN 1, everything is working.

When I configure incoming NAT for a webserver on VLAN 200 over WAN 2, the packets arrive on the webserver. But I have seen in a Wireshark dump that there are retransmissions and then the connection is canceled.

In the ASA log I saw the entry "Teardown TCP connection ......... No valid adjacency".

Could anyone tell me what the problem is and how I can solve it?


Hi,

 

Can you share your ASA config?


I hope this helps you

 


Hi,

 

From the shared config, I can see you only did static NAT for 10.10.10.111 to the WAN 2 interface. Which one is the webserver?


10.10.10.111 is the server. I have now forwarded FTP.

The attached screenshot from a Wireshark dump is interesting. .111 is the FTP server and .106 is the public IP that the request to access the FTP server comes from.

 


It seems the issue is on the reply packets. Can you tell me why there is "access-group DMZ-1_access_in in interface DMZ-1" on the DMZ-1 interface without any ACL? I did not find any ACL. If there is no ACL then please remove it.


Sorry. There are some ACLs:

 

access-list DMZ-1_access_in extended deny ip object NET_10.10.10.0_DMZ-1 object-group OG_Internal-Networks
access-list DMZ-1_access_in extended permit tcp object DMZ-SRV_Test any object-group DM_INLINE_TCP_1
access-list DMZ-1_access_in extended permit icmp object NET_10.10.10.0_DMZ-1 any
access-group DMZ-1_access_in in interface DMZ-1


Does anybody have an idea what the problem could be?

When I do incoming NAT on OUTSIDE it works.

When I do incoming NAT on WAN-2 I get the error "no valid adjacency".

Outgoing traffic over WAN-2 works without problems.

 


Thanks for sharing, all looks good to me. Not sure why it is happening on WAN-2 since DMZ-1 is directly connected.

From the link you shared, the problem will be there if we use "any", but you already specified the interface. Regarding WAN-1, are you using a similar config and scenario, right?

 

 


Sorry, where do you think the problem could be?


Sorry for the confusion, the problem might happen if you use (any, WAN-2) instead of (DMZ-1, WAN-2).

Your DMZ-1 with WAN-1 has the same NAT configuration and ACL policies for your FTP server in DMZ-1, right?
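The two NAT forms contrasted in the reply above, written out as an added example; this is not the thread's config and not the original poster's actual setup. It reuses the object name DMZ-SRV_Test, the interface names DMZ-1 and WAN-2 and the server address 10.10.10.111 from the thread, while 203.0.113.10 (RFC 5737 documentation space) is a constructed placeholder for the real WAN-2 public address and the ACL name WAN-2_access_in is assumed. The packet-tracer line at the end is a check that shows which NAT rule and egress interface the ASA picks for an inbound FTP connection.

```cisco
! Added example (not the thread's config). ASA 8.3+ object NAT syntax.
! 203.0.113.10 is a constructed placeholder for the WAN-2 public address.

object network DMZ-SRV_Test
 host 10.10.10.111
!
! Form the reply warns about: real interface "any". With no real interface
! named, the ASA picks the egress interface for the server side by its own
! route lookup instead of from the NAT rule. (Commented out: a network
! object can carry only one nat statement.)
! nat (any,WAN-2) static 203.0.113.10 service tcp ftp ftp
!
! Form the reply recommends: name the real interface, so the translation is
! bound to the DMZ-1 <-> WAN-2 pair and the reply path is fixed by the rule.
 nat (DMZ-1,WAN-2) static 203.0.113.10 service tcp ftp ftp
!
! Post-8.3 interface ACLs match the real (untranslated) address, so the
! inbound rule on WAN-2 refers to the object, not the public IP.
access-list WAN-2_access_in extended permit tcp any object DMZ-SRV_Test eq ftp
access-group WAN-2_access_in in interface WAN-2
!
! Check: simulate an inbound SYN from a constructed client 203.0.113.50 and
! read the NAT and ROUTE-LOOKUP phases of the output to confirm DMZ-1 is chosen.
! packet-tracer input WAN-2 tcp 203.0.113.50 40000 203.0.113.10 21
```

The packet-tracer output lists each phase the packet passes through; the phase that shows the NAT rule hit and the phase that names the output interface are the two places to compare between the working OUTSIDE case and the failing WAN-2 case.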


Ah ok. Sorry, but I have already changed this and reconfigured it several times.

I have found no solution yet. I'm very confused why it does not work on the whole public IP space on WAN-2.

I was hoping that this article was the solution, but it does not help:

http://blog.davidvassallo.me/2013/03/02/lessons-learned-overriding-routing-in-cisco-asa/ 
