Hello All,

So I have an ASA 5505 that was working fine up until our gateway supplier changed it's firewall and where it was connected. Anyway since then we get an error saying "failed to locate egress interface" and i'm not sure why.

Below is a sanitised copy of the config

SA Version 8.4(1)

!

hostname INTER-xxxxx-FW

names

!

interface Vlan1

no nameif

no security-level

no ip address

!

interface Vlan2

nameif AAAA

security-level 0

ip address x.116.250.2 255.255.255.252

!

interface Vlan160

nameif inside

security-level 100

ip address x.x.160.50 255.255.255.0

!

interface Vlan200

nameif sanmng

security-level 0

ip address 172.x.6.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 160

!

interface Ethernet0/1

switchport access vlan 2

!

interface Ethernet0/2

description SAN Management

switchport access vlan 200

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

object-group network XXXXX_SUBNETS

network-object x.x.0.0 255.255.252.0

network-object x.x.8.0 255.255.255.0

network-object x.x.9.0 255.255.255.0

network-object x.x.10.0 255.255.255.0

network-object x.x.11.0 255.255.255.0

network-object x.x.12.0 255.255.255.0

object-group network YYYY_PE

network-object host x.x.26.21

network-object host x.x.26.22

object-group service XXXX_TCP_PORTS tcp

port-object eq https

object-group network WWWW_PE

network-object host XXXXPRCSG01

object-group network ZZZZZ_SUBNETS

network-object x.x.0.0 255.255.0.0

object-group network SAN_MANAGEMENT_SUBNET

network-object 172.X.6.0 255.255.255.0

object-group network HITACHI_SAN_MONITORING

network-object host 207.126.254.52

access-list ACL_XXXX_IN extended permit tcp object-group XXXX_SUBNETS object-group WWWW_PE object-group XXXX_TCP_PORTS

access-list ACL_XXXX_IN extended permit icmp any any

access-list ACL_XXXX_IN extended deny ip any any

access-list ACL__ACCESS_OUT extended permit tcp object-group ZZZZ_SUBNETS object-group YYYY_PE object-group XXXX_TCP_PORTS

access-list ACL__ACCESS_OUT extended permit icmp any any

access-list ACL__ACCESS_OUT extended deny ip any any

access-list ACL_SAN_ACCESS_OUT extended permit tcp object-group SAN_MANAGEMENT_SUBNET object-group HITACHI_SAN_MONITORING eq https

access-list ACL_SAN_ACCESS_OUT extended permit icmp any any

access-list ACL_SAN_ACCESS_OUT extended deny ip any any

access-group ACL_XXXX_IN in interface AAAA

access-group ACL__ACCESS_OUT in interface inside

access-group ACL_SAN_ACCESS_OUT in interface sanmng

route inside 10.X.32.0 255.255.255.0 155.187.160.1 1

route gbrmpa X.X.2.0 255.255.255.0 X.116.250.1 1

route gbrmpa x.x.3.0 255.255.255.0 X.116.250.1 1

route gbrmpa x.x.8.0 255.255.255.0 X.116.250.1 1

route gbrmpa x.x.9.0 255.255.255.0 X.116.250.1 1

route gbrmpa x.x.10.0 255.255.255.0 X.116.250.1 1

route gbrmpa x.x.11.0 255.255.255.0 X.116.250.1 1

route gbrmpa x.x.12.0 255.255.255.0 X.116.250.1 1

route gbrmpa x.x.26.21 255.255.255.255 X.116.250.1 1

route gbrmpa x.x.26.22 255.255.255.255 X.116.250.1 1

route inside x.x.0.0 255.255.0.0 X.X.160.1 1

route inside 207.126.254.52 255.255.255.255 X.X.160.1 1

So traffic coming in from interface AAAA (Vlan 2) can get to it's destination happily enough but when the SAN management subnet 172.x.6.0/24 tries to connect to Hitachi out on the web that's when we get the error message.

I'm not great with FW's so any advice would be greatly appreciated.