10-31-2012 05:35 PM
Hi,
I have an issue with our ASA firewall. I have a firewall which has inside, outside and DMZ interfaces. I have VPN clients that connect correctly and can access the internal network. However, the profiles I have set up to connect via VPN to the DMZ network fail with the following messages:
ASA-6-110003: Routing failed to locate next hop
&
ASA-6-302014: Teardown TCP connection......No valid adjacency
I have connections to the DMZ which aren't VPN but are via the outside and internal interfaces with no problem.
The route table has a route to that network, and I have a NAT in place - I am rather stumped by this.
Thanks
Ed
10-31-2012 06:19 PM
Hello Ed,
What version are you running?
Can you share the NAT statement you have configured for that VPN?
Can you share the route you have for that DMZ subnet you are trying to access (unless it is directly connected)?
Regards,
Julio
11-01-2012 03:12 AM
Hi,
Thanks for replying.
The NAT command is :
nat (dmz-2,outside) source static any any destination static VPN-Pool VPN-Pool
ver 8.4(3)
In terms of the route, it is directly connected. The machines to be accessed are on a switch which is connected to the firewall.
Now I have two VLANs going to this switch, which have been set up as sub-interfaces as such:
interface Ethernet0/3
 nameif dmz
 security-level 75
 ip address 10.1.212.1 255.255.255.0
!
interface Ethernet0/3.2
 vlan 2
 nameif dmz-2
 security-level 70
 ip address 10.1.213.1 255.255.255.0
As stated, all traffic to machines on these two interfaces which is VPN is fine and working.
Thanks for any help.
Ed
11-02-2012 10:03 AM
Bump ;)
11-02-2012 11:50 AM
Hello Ed,
Okay, NAT looks good, but can you do the following for me please:
object network DMZ_subnet
 subnet 10.1.213.0 255.255.255.0
object network VPN_Subnet
 subnet x.x.x.x 255.255.x.x
nat (dmz-2,outside) source static DMZ_subnet DMZ_subnet destination static VPN_Subnet VPN_Subnet
Regards,
Julio
11-02-2012 04:58 PM
Hi,
Have tried this, however still no change. The access list for this VPN group is counting up when I try to make a connection, if that is any help.
Thanks
Ed
11-02-2012 05:03 PM
Hello Ed,
Have you cleared the xlate table already?
Regards
11-02-2012 05:46 PM
Hi
I believe I did this earlier this week. Does it need to be done each time after tweaking that rule?
Thanks
Ed
11-02-2012 05:52 PM
Hello Ed,
Please do it and let me know.
Also do: packet-tracer input dmz-2 icmp 10.1.213.10 8 0 x.x.x.x
where x.x.x.x is one of the IP addresses in the VPN pool.
Regards,
11-02-2012 06:35 PM
Hi,
Have done, but will have to test tomorrow.
I also did the packet trace and the output is below.
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: dmz-2
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Thanks Again for your help.
Ed
11-02-2012 09:25 PM
Sure, let me know the result
11-03-2012 08:41 AM
Hi,
It's now working. However, the fix was the order of the manual NAT statements.
First I added the keyword route-lookup to the NAT statement. This worked, however my understanding is that keyword is not used in transparent mode. So then I thought I would move my source static any any NAT statement to the bottom of the list, thus moving the DMZ one up, also removing the keyword route-lookup. It kept working. So now we are running.
Thanks
Ed
11-03-2012 10:00 AM
Hello Ed,
Great to hear that
Regards,
Julio
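Added example (not from Ed's or Julio's posts): how the rule ordering Ed describes looks in ASA 8.4 twice NAT, with the shadowing order beside the corrected order and the commands to check which rule a flow actually hits. Section 1 (manual NAT) is evaluated top-down, first match wins, so a `source static any any` rule on an interface pair shadows every more specific rule below it for that pair. The object names, the 192.168.100.0/24 VPN pool, the DMZ host 10.1.213.10 and the TCP port are assumptions for illustration; the thread only names the pool object VPN-Pool.

```cisco
! ---- Objects (names and pool range are assumed for this example) ----
object network DMZ2_subnet
 subnet 10.1.213.0 255.255.255.0
object network VPN-Pool
 subnet 192.168.100.0 255.255.255.0

! ---- Problem order ----
! Manual NAT (Section 1) is first-match, top-down. The catch-all identity rule on
! (dmz-2,outside) is listed first, so every dmz-2 <-> VPN-Pool flow matches it and the
! specific DMZ2_subnet rule below it is never evaluated (its hit counters stay at 0).
nat (dmz-2,outside) source static any any destination static VPN-Pool VPN-Pool
nat (dmz-2,outside) source static DMZ2_subnet DMZ2_subnet destination static VPN-Pool VPN-Pool

! ---- Corrected order ----
! Remove the catch-all, pin the specific rule to line 1, and re-add the catch-all with
! after-auto so it lands in Section 3 (below the object/auto NAT rules) instead of
! competing with specific manual rules in Section 1.
no nat (dmz-2,outside) source static any any destination static VPN-Pool VPN-Pool
nat (dmz-2,outside) 1 source static DMZ2_subnet DMZ2_subnet destination static VPN-Pool VPN-Pool
nat (dmz-2,outside) after-auto source static any any destination static VPN-Pool VPN-Pool

! ---- Verify ----
! show nat lists the rules by section and line, with translate_hits / untranslate_hits
! per rule, so you can see which one a test flow increments.
show nat detail
! Existing translations keep the old rule until they age out; clear them before testing
! (this drops all current xlates and their connections, so do it in a maintenance window).
clear xlate
! Simulate a VPN-client (pool address) to DMZ flow arriving on outside; read the UN-NAT
! phase for the rule that matched and the final output-interface, which should be dmz-2.
packet-tracer input outside tcp 192.168.100.5 12345 10.1.213.10 443 detailed
```

Two practical notes. First, test in the direction that fails: Julio's trace was dmz-2 to pool, but the connections Ed could not make were client to DMZ, and the two directions can match different rules. Second, keep identity/NAT-exempt rules as narrow as the traffic needs; a broad `any any` manual rule is a standing exemption for the whole interface pair and, on 8.4, also drives egress-interface selection for everything that matches it (the `route-lookup` keyword added in 8.4(2) makes identity NAT consult the routing table for the egress interface instead, which is what Ed first tried).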