I was working on upgrading my ASA firewall and was running into an issue with internet working on my device, but none of my server services were responding to requests:<\/p>\n\n\n\n
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency<\/p>\n\n\n\n
I had configured 1-to-1 Object Based NAT translations for my servers for this purpose as had been configured on my prior ASA device. I had just copied the NAT rules to the new device thinking that it should just work. Needless to say, I had to call Cisco TAC and open a case. This seemed to be an issue for them as well. We kept getting the same error as above with another error listed during the NAT translation of the packets:<\/p>\n\n\n\n
ifc selected is not same as preferred ifc
Doing route lookup again on ifc inside<\/p>\n\n\n\n
We could ping internally to the server successfully from the ASA through the inside port:<\/p>\n\n\n\n
LDLNET-FW01(config)# ping LDLNET-LAN 192.168.100.x
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.x, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5\/5), round-trip min\/avg\/max = 1\/1\/1 ms
Packet Capture:
4 packets captured
1: 01:01:21.086894 192.168.100.2 > 192.168.100.x: icmp: echo request
2: 01:01:21.087153 192.168.100.x > 192.168.100.2: icmp: echo reply
3: 01:01:21.087886 192.168.100.2 > 192.168.100.x: icmp: echo request
4: 01:01:21.088069 192.168.100.x > 192.168.100.2: icmp: echo reply<\/p>\n\n\n\n
Again, I had created Object based NAT translations that should have worked for all the inside ports and allowed the packet traffic through properly:<\/p>\n\n\n\n
object network Exchange_Server
nat (any,any) static ExchOut net-to-net<\/p>\n\n\n\n
Not having knowledge what the net-to-net statement within the NAT Rule stood for, we ended up scrapping all of the Object based NAT rules and created a new rule using a static route:<\/p>\n\n\n\n
nat (LDLNET-LAN,outside) source static Exchange_Server ExchOut description Exchange NAT Both Directions<\/p>\n\n\n\n
Doing this worked for us and allowed traffic that was NOT translating correctly to be translated and flowing correctly through the ASA.<\/p>\n\n\n\n
Phase: 17
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12345, packet dispatched to next module
Module information for forward flow \u2026
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow \u2026
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: LDLNET-LAN
output-status: up
output-line-status: up
Action: allow<\/p>\n\n\n\n
Great! This is working now! The only issue is that I had to create static rules that go through the single interface on the ASA. What if I need to connect other devices to the ASA on different interface ports? Well, I will have to create the static NAT rules for those ports as well. If the current interface fails, I will have to recreate the static NAT Rules for the interface port that I change to. Secure in a way, but not how I think it should be designed.<\/p>\n\n\n\n
If anyone has any suggestions for the configuration of this, why I was getting the error, or a way to get the Object Based NAT rules working properly, PLEASE COMMENT!<\/strong><\/p>\n\n\n\n I was working on upgrading my ASA firewall and was running into an issue with internet working on my device, but none<\/p>\nI’M ALWAYS LOOKING FOR THE BEST SOLUTION!
PLEASE LEAVE YOUR COMMENTS!<\/h3>\n\n\n\n![\"LDLNET](\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2019\/05\/LDLNET-Leaderboard-728x90.png\")