Cannot connect ASA interfaces

Having a problem. Trying to set up a 5520 ASA.
I can get the static route 0.0.0.0 thru the external interface to work fine. System accepts it with no errors.
When I try to set up other routes, say a route to my lan side network, I keep getting the error "Cannot add route, connected route exist"
Seems like the wan and lan interfaces aren't communicating with each other.
I can ping out via my wan interface but not my lan interface.
Help is appreciated.
Dave

Add this to your ASA -
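! Dynamic PAT: translate the 172.16.100.0/24 subnet to the outside interface address
object network PAT
  subnet 172.16.100.0 255.255.255.0
  nat (inside,outside) dynamic interface
! Inspect ICMP so echo replies are allowed back through the ASA
policy-map global_policy
  class inspection_default
    inspect icmp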
Note the above is a basic configuration to get you going.
There are other ways to do the NAT depending on what your other NAT requirements are.
See this document for 8.3 NAT onwards written by Jouni Forss. It's one of the best documents on this site in my opinion.
He normally configures dynamic PAT in section 3 using the after-auto option but I have given you just a basic example using object NAT.
If you read the doc you'll understand what I am talking about and it is worth reading to get a better understanding of how it all works -
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Any problems with the config above let me know.
Jon

Similar Messages

  • Cannot connect to ASDM on ASA 5505 over https

    Problem: Cannot connect to ASDM on ASA 5505 when vlan1 network is changed from the factory default.
    Hi all. I am just getting started on a new ASA 5505, working it in a test lab environment. I ran thru the initial setup wizard. During that time I specified a name for Vlan1 (changed from 'inside' to 'INTR-NET'), modified the Vlan1 IP address to use DHCP, and then populated the Device Config Access table with entries corresponding to the entire Class B network here on the local intranet. I don't recall if the factory-default network was already populated, but if it wasn't I added it as 192.168.1.0/255.255.255.0
    I then saved the config, and verified that the ASA got a dhcp address using the RS-232 console. I then reconfigured the laptop I have plugged into port 0/1 with its normal address on the intranet and discovered that I couldn't reconnect to ASDM. The ASDM client times out, and a web browser opened to https://(ASA5505's dhcp addr) fails as well.
    I then used the console to add another http IP address matching the specific IP address (xxx.240.113.129/255.255.255.255) which the laptop is set for, to the list of permissible admin connections, but saw no difference.
    This issue is much the same as was reported in this prior forum posting:
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&topicID=.ee6e1f8&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc16cb8/4
    EXCEPT that I was already aware the admin IP address(es) needed to be registered to enable access via SSH/Telnet/HTTPS.
    And, I did that step, but it is not working. I have tried adding various combinations of network ranges in the device config access list, including the specific subnet that the lab's dhcp server assigned to the ASA 5505 (xxx.240.112.0/255.255.254.0), but there is no difference. I can traceroute to the laptop and ping the Vlan1 interface from the laptop, but the https ASDM (and ssh connections too) are not successful. This is very frustrating.
    The device is brand new, I see that upon boot it loads asa724-k8.bin, and the software banner says Cisco Adaptive Security Appliance Software Version 7.2(4)
    Note also that, from the RS-232 console, if I reset the IP address to the static, factory default (192.168.1.1) and manually config my laptop on the same subnet, then ASDM makes the connection. Just like out of the box. But when I put it back onto our intranet and verify the DHCP lease, then ASDM is a no go.
    Can you think of what I've missed?

    Good question. Let me add that info plus related Vlan config details:
    ASA5505A# show ip
    System IP Addresses:
    Interface Name IP address Subnet mask Method
    Vlan1 INTR-NET XXX.240.112.92 255.255.254.0 DHCP
    Vlan2 VoIP 172.26.99.1 255.255.255.0 manual
    Vlan3 dmz-unused 192.168.99.1 255.255.255.0 manual
    Current IP Addresses:
    Interface Name IP address Subnet mask Method
    Vlan1 INTR-NET XXX.240.112.92 255.255.254.0 DHCP
    Vlan2 VoIP 172.26.99.1 255.255.255.0 manual
    Vlan3 dmz-unused 192.168.99.1 255.255.255.0 manual
    ASA5505A# show switch vlan
    VLAN Name Status Ports
    1 INTR-NET up Et0/1, Et0/2, Et0/3, Et0/4
    2 VoIP down Et0/5, Et0/6, Et0/7
    3 dmz-unused down Et0/0
    ASA5505A#
    ASA5505A# config t
    ASA5505A(config)# show running-config http
    http server enable
    http XXX.240.0.0 255.255.0.0 INTR-NET
    http 192.168.1.0 255.255.255.0 INTR-NET
    http XXX.240.113.129 255.255.255.255 INTR-NET
    ASA5505A(config)#
    ASA5505A(config)# show running-config ssh
    ssh 192.168.1.0 255.255.255.0 INTR-NET
    ssh XXX.240.0.0 255.255.0.0 INTR-NET
    ssh timeout 5
    SECURITY LEVEL IS 100 ON Vlan1 and Vlan2, 50 on Vlan3, and traffic is restricted from Vlan3 to Vlan1 because this is the basic license.

  • Ni-fbus communications cannot connect interface

    I am using NI-FBUS Communications Manager 3.2 with a NI PCMCIA-FBUS Series 2 card in a Ricoh R/RL/... series PCMCIA adapter on a desktop computer.  I enabled the PCMCIA card via the Interface Configuration Utility.  When I start the Comm Manager, I get the following error message:
    NI_FBUS Communications Manager cannot connect interface 0 on the fieldbus board 1. Click OK to.....
    Windows sees the Ricoh adapter card and the Series 2 card as working properly.  If I install the Series 2 card in a laptop, the Comm Manager starts properly.  The same series 2 card and Ricoh adapter card has been used in another desktop computer also running XP SP2.
    How do I get this combination up and running?

    I tried the PCMCIA card and adapter card in another computer running XP and NI-FBUS Communications Manager 3.1.1.  The combination worked properly; the card was seen and the Comm Manager opened.  When Configurator was opened, the device attached to the link was seen.
    Is there a compatibility difference between Comm Mgr 3.1.1 and 3.2?

  • Connecting ASA 5510s to a DSL modem with a static IP range

    I have DSL service with AT&T and I have a Motorola 3360 modem.  We also have a /28 network of static IPs from AT&T.  When I login using PPPoE on the modem it gets x.x.x.190 as its address.  Our range is 177-190.  I have two ASA 5510s in an active/passive failover configuration with the Ethernet port of the modem and one interface of each of the ASAs on a dumb layer 2 switch.
    I want to setup this DSL connection as a backup to our main Internet connection.  I cannot figure out what setting on the DSL modem to use to make this happen.  I know I cannot use PPPoE in a failover setting so I can't have the modem in bridged mode.  There is some mode where it passes the 190 address to the connected device and when I plug in a PC directly to the modem and set it for DHCP it does get 190 as its address.  So do I configure the ASA interface as 190 with one of the other addresses as its standby?  What do I set my route on the ASA to for use of this connection?  Can I then make use of these other static addresses when plugging other devices into the layer 2 switch?

    Thanks for your prompt response.  From your information, your network near the firewalls looks like this:
    Your cable modem connects to your provider without any intervention from your equipment, and you are free to assign IP addresses from your assigned block.  The cable ISP knows to route traffic to your block down to the layer 2 segment attached to the cable modem.
    As you described, the Motorola 3360 DSL modem is an odd fish.  I do not have personal experience with that device,  but from internet searches that appears to be a model AT&T bundles with small business DSL service.  The 3360 appears to have three modes:
    --router mode where it uses a single public IP on the WAN side and issues IP addresses in the 192.168.1.x range on the LAN side.  The modem performs the PPPoE function in this mode.
    --hybrid mode where it gets a single public IP on the WAN side and then passes that through to one device connected on the LAN side.  The modem performs the PPPoE function in this mode.
    --bridge mode.  A device on the LAN side must perform the PPPoE function.
    Various links I found indicate folks with static IP address assignments from their ISP (usually AT&T) have difficulty getting those static IP addresses to work with the Motorola 3360 except in bridge mode.
    To your original question, I'm guessing you match the configuration you performed on the cable modem side and use two of your static IPs for the ASAs.  However, it's unclear if the additional IP addresses will work with the 3360's odd behavior.  If you have internet-exposed hosts (as shown in my simple drawing), try assigning some of the DSL static IPs to those hosts and test communications both ways -- host-->internet, internet-->host.  If possible, test two hosts at the same time to verify the 3360 can handle multiple public IPs at the same time (one posting I found claimed it could only handle one public IP address at a time).

  • Cannot connect to SAP R/3 (datastore RD_110 using host n1.n2.n3.n4 , cli

    We use Business Objects Data Integrator 6.5 to connect to SAP R/3 system to generate ABAP extracts and load these extracts into a custom Oracle database. The current production R/3 system is in 4.6. We are planning to upgrade the R/3 system to ECC 6.0 and currently testing our interface from BODI 6.5 to R/3 6.0. We were able to successfully create a data store point to R/3. However when we execute a job, we get the following error
    Cannot connect to SAP R/3 (datastore <dsname> using host <host ip>, client <cl#>, user <uname>, and system number <0>. Please make sure the SAP R/3 server is running and login information is correct.
    The same login info was used to connect SAP GUI and it is working and we are able to execute the ABAP extractors. We have also tried running the RFC_GENERATE_AND_EXECUTE_ABAP function and it is executing as well.
    BODI is installed on Solaris and R/3 is on Aix.
    Any help with this would be greatly appreciated.
    Thanks

  • DPM 2012 R2 Rollup 1 x64.. cant save scheduled report.. gives error: "Reporting services server cannot connect to the dpm database"

    The error also has "to repair the configuration, follow steps for repairing dpm from DPM setup help ID: 3001
    I tried the solution outlined here:
    http://social.technet.microsoft.com/Forums/en-US/8be919ee-f358-47a4-9cc3-d23eb05d3f18/system-center-2012-r2-dpm-smtp-issue-reporting-services-server-cannot-connect-to-the-dpm?forum=dataprotectionmanager
    and also the graphical depiction here: http://www.ms4u.info/2014/01/reporting-services-server-cannot.html
    I tried these steps, but every time i try to change it, it tells me:
    "The permissions granted to user 'domain\userid' are insufficient for performing this action rsaccessdenied..
    Nothing seems to work.. 
    I thought if i went into sql management studio and made sure my userid had admin rights to the db it would work.. but i can't change it there (via integrated security).. i believe i need to login as SA, but i don't recall the password for SA, though it appears i can change the SA password from within sql management studio.. i'm unsure if doing so will break DPM though or is even needed to fix the reporting integration issue..
    Any thoughts on this?
    Thanks
    Tech, the Universe, Everything: http://tech-stew.com

    Using:
    data source="servername\MSDPM2012";persist security info=False;initial catalog=DPMDB 
    I used the domain sqlservice account and test connection was ok.
    However.. accessing reports still crashes in the MMC
    Tech, the Universe, Everything: http://tech-stew.com
    When i recreated the db.. i called it Reporting2 or similar..
    Then the reports folder i created called "Reports Folder"
    Then datasource name "reports datasource"
    The issue here is that the DPM reports in the reporting web interface are gone, since this is a new DB.. how do i redeploy them
    Tech, the Universe, Everything: http://tech-stew.com
    i went back into the sql reporting services area.. hit change db.. chose the original .. then back to the url.. went to the OLD reporting services folder and datasource.. added the connect string and now reporting area works.. so does scheduling..
    Problem now solved
    Tech, the Universe, Everything: http://tech-stew.com
    Oops spoke too soon.. the first time i set it to do "status" as a schedule.. it seemed to work (clicked ok, no error).. went back and added an email notification..
    Now i'm getting.. "an error occurred causing the reporting job to fail" "system files may be corrupt".
    Seems to only occur if i try to add the email address portion
    Tech, the Universe, Everything: http://tech-stew.com
    rechecked the datasource.. i think there was an error in the connect string.. now everything seems to be working.. email notifications and all.
    Tech, the Universe, Everything: http://tech-stew.com

  • Cannot connect to iTunes store - error -3212

    iTunes is telling me that I cannot connect to their store or to my account. But I am connected to the internet as writing this support request should prove. The message says 'an unknown error occured - error (-3212)'  This error only happened yesterday and is happening with both of my iPods.  I have rebooted my laptop.  When I did the iTunes Diagnostic Check it says 'secure link to iTunes Store failed' but the others passed ('Network interfaces & Internet connection verified').  My computer is only 1 yr old (Asus Model U47A - i7, 8gb ram) and one iPod is only a week old and another is older.  I hope there is a simple solution as I am not very tech savvy.  I have checked online and have not seen this error anywhere.

    I 'played' around with my Norton 360, did a scan, etc, and whatever I did something seems to have done the trick. It is solved and I am able to connect to iTunes store.  I wish you luck with your -50 error.

  • TS1368 I cannot connect to iTunes store using iTunes. 'Secure link to iTunes store failed'. Please help!

    I cannot connect to iTunes store using iTunes. I have version 11.0.2.26 on Win 7 pc. I have had no problems until recently. Can't say exactly when the problem began as I don't normally use my computer to access the store but my last successful access according to iTunes diagnostics was 28th Feb 2013 (if that's useful?!)
    I've run the Network Connectivity Test in iTunes diagnostics and I got the following results:
    - Network interfaces verified.
    - Internet connection verified.
    - Secure link to iTunes failed.
    When I click the help button next to the 'Secure link to iTunes failed' message I get the following:
              'iTunes Help is unavailable because your computer isn't connected to the internet.'
    My pc is connected to the internet. I've checked firewalls. Windows firewall is off. I'm running AVG internet security 2013. I've checked the firewall settings on that and iTunes is not being blocked.
    Getting kinda frustrated. Can anybody help please???

    I seem to have tracked down the problem. AVG Family Safety software was causing the issue somehow. I have uninstalled it and iTunes now working. I will contact AVG for a solution as I now have no way of blocking certain sites.

  • HT1212 I cannot connect my iPhone it says to connect to iTunes

    I cannot connect my iPhone to iTunes. It says to connect to iTunes on the screen and iTunes says that it is locked, which it is not - Please help

    Hello,
    Try putting these numbers in Network>TCP/IP>DNS Servers, for the Interface you connect with...
    208.67.222.222
    208.67.220.220
    Then Apply. For 10.5/10.6 Network, highlight Interface>Advanced button>DNS tab>little + icon.
    DNS Servers are a bit like Phone books where you look up a name and it gives you the phone number, in our case, you put in apple.com and it comes back with 17.149.160.49 behind the scenes.  
    These Servers have been patched to guard against DNS poisoning, and are faster/more reliable than most ISP's DNS Servers.

  • Cannot Connect to Nokia Suite

    Hi,
    As my Nokia was running bit slow, i did a hard reset by pressing *#7370#, the phone was not connected to PC. After the phone was restarted, I cannot connect to the Nokia Suite on my laptop. It seems it cannot even realise that a phone is connected through USB. Please help.
    Thanks 

    @Worldwar
    If you change USB connectivity mode on C5-00 user interface to "mass storage" mode does your PC recognise it in this mode?
    Happy to have helped forum with a Support Ratio = 42.5

  • Cannot connect to database using SQL*Plus

    Hi, I have Oracle 10g XE installed on my laptop and I cannot connect using SQL*Plus.
    I can connect using the browser User Interface though, which I was able to do after doing the following procedure to change the password of the sys account:
    - open a command prompt
    - type sqlplus
    - On the “Enter user-name” line, type /as sysdba
    - On the SQL> prompt, type alter user sys identified by NewPassword;
    But the thing is that even though I am able to connect using sys/NewPassword from my browser UI, I don't get the same result when doing it using the SQL prompt.
    What I am trying to do is this:
    SQL> connect sys/NewPassword
    Then I first get a warning saying that I need to use either sysdba or sysoper to connect to the system account, but neither of those work.
    Can anyone advise me on this matter?
    Thanks in advance

    Thanks for that.
    I ran the command to list the usernames on the database and I got SYS and SYSTEM in the list. But again, when I try to use SYS with a password that I know is working because I can access it through the browser UI, it doesn't work. It seems like this sys is different to the sys I used in the UI.
    I don't know if I am explaining myself correctly... In the Browser UI I use sys, and a password and I get connected to the sys account. However, if I try to use the same sys/password combination from my sqlplus prompt, I get error messages
    Does this make sense at all?

  • CiscoWorks ANI server cannot connect, Joe Clark please help

    Joe, if you see this, please help
    I noticed yesterday I was getting some Java errors when opening different modules of Cisco Works, Campus Manager, RME.
    I rebooted the server and everything seemed to be working fine. I tried to set up Notification Services after the reboot and it seemed to go without incident.
    This morning Common Services shows
    "DCA Server is down or inaccessable"
    Campus Manager shows:
    "Cannot connect to ANI Server since it is down"
    Here is a clip from ani.log:
    2007/12/28 08:00:08 Thread-76 ani ERROR DBConnection$ConnectionCreator: Failed to establish DB connectivity because: java.sql.SQLException: JZ006: Caught IOException: java.net.ConnectException: Connection refused: connect
    2007/12/28 08:00:08 Discovery ani ERROR DiscoveryTimeBaseStat: Failed to enumerate Wbu table names because null
    2007/12/28 08:00:08 Discovery ani DiscoveryTimeBaseStat: {NumDevices=31}{NumDiscovered=0}{NumDeleted=0}{DPH=14695}{OPH=0}
    2007/12/28 08:00:08 Discovery ani DiscoveryTimeBaseImpl: completed: Discovery in 8578 ms
    1198846847568 December 28, 2007 8:00:47 AM ES_SVRCWLMS__1198788044958(127) SVRCWLMS Error EDSSY0012: Cannot connect to EDS.
    1198846910568 December 28, 2007 8:01:50 AM ES_SVRCWLMS__1198788044958(127) SVRCWLMS Error EDSSY0012: Cannot connect to EDS.
    1198846973568 December 28, 2007 8:02:53 AM ES_SVRCWLMS__1198788044958(127) SVRCWLMS Error EDSSY0012: Cannot connect to EDS.
    Reboot has not helped this morning.
    I just found out we did some Windows patches a couple of days ago.

    Joe,
    Is there any way this could have been related to me setting up Notification Services?
    Something I noticed yesterday is that when setting up "Event Sets", nothing shows up.
    Per the document (and I saw this yesterday after a reboot of the server, most likely what caused the problem), I should see a list of items to trigger notification and I can configure nine different sets.
    But, I see "No Records" on the Event Sets page.
    I see the A,B,C etc, but nothing under them.
    After a reboot yesterday, then I saw the items and checked off for the different event sets.
    My goal is to have an e-mail alert when switch or router interfaces go down , or high utilization of fragmentation.

  • Cannot connect to Google Server

    Can anyone help me figure out why I cannot connect to Google? I'm on a MacBook Pro, running 10.6.8.
    I get the error messages:
    "Unable to connect: Firefox can't establish a connection to the server at www.google.com."
    "Safari can't connect to the server"
    What's going on? YouTube is fine, Bing is fine, everything else works. Could surfing job search websites have given me some virus?
    Thanks in advance, Valerie

    It looks like something or someone has modified your /etc/hosts file.
    By far the easiest way to fix the hosts file is to restore it from a Time Machine (or other) backup that predates the modification. If that's not possible, then do the following.
    Back up all data if you haven’t already done so. Before proceeding, you must be sure you can restore your system to the state it’s in now. If you skip this step, no one but you will be responsible for the consequences.
    These instructions must be carried out in an administrator account, if you have more than one user account.
    Select "Go to Folder..." from the Finder menu bar. In the text box, enter "/etc" (without the quotes.) A Finder window will open on the "etc" folder.
    Double-click the file named "hosts" in that folder. It should open in TextEdit. At the top of the file, you should see something like this:
    # Host Database
    # localhost is used to configure the loopback interface
    # when the system is booting.  Do not change this entry.
    127.0.0.1                              localhost
    255.255.255.255          broadcasthost
    ::1                                        localhost
    fe80::1%lo0                    localhost
    Below that, you'll see some other lines. Delete everything below the last line shown above. Make sure you scroll all the way to the bottom of the document. In Lion, scroll bars are hidden by default until you actually start scrolling, so you may not realize that you’re not seeing the whole document.
    Don’t try to save; you won't be able to. Instead, duplicate (in Lion) or select "Save As..." from the file menu (pre-Lion.) In the Save dialog, make the name of the file “hosts” and deselect the option to add a ".txt" extension to the file name, if it's selected. Save the file to your Desktop. You should now have a file named exactly "hosts" with no extension on your Desktop, having the contents shown above.
    Now launch the Terminal application, for instance by entering the first few letters of its name in a Spotlight search. Copy or drag -- do not type -- the line of text below into the window, and press return:
    sudo sh -c ' cat Desktop/hosts > /etc/hosts '
    You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. Confirm. Quit Terminal.
    Do not type anything into the Terminal window except your password.
    That will fix your hosts file. You can now close the “etc” folder and delete the hosts file on your Desktop. Unless you know how the file was modified, I can’t guarantee that no other damage has been done to your system.
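
The check implied by the answer above, as an added example that is not part of the original post: a shell function that lists every hosts-file mapping outside the four stock macOS entries quoted there, so an injected override for a name such as www.google.com is visible before the file is replaced. The function names, the sample file and its addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: report hosts-file entries that are not in the stock
# macOS file quoted in the answer above.

# audit_hosts FILE
# Prints one line per non-default mapping as "LINE_NO IP NAME".
# Returns 0 if the file holds only stock entries, 1 otherwise.
audit_hosts() {
    awk '
        {
            sub(/#.*/, "")          # strip comments, fields are re-split
            if (NF < 2) next        # blank line or address with no name
            ip = $1
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                stock = (ip == "127.0.0.1" && name == "localhost") ||
                        (ip == "255.255.255.255" && name == "broadcasthost") ||
                        (ip == "::1" && name == "localhost") ||
                        (ip == "fe80::1%lo0" && name == "localhost")
                if (!stock) { print NR, ip, name; found = 1 }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the stock file plus two added mappings.
# 203.0.113.10 is a documentation address, not a real indicator.
sample_hosts() {
    cat <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
203.0.113.10    www.google.com google.com   # constructed override
127.0.0.1       localhost example.test
EOF
}

# Demonstration on the constructed sample.
# To audit a real machine, call: audit_hosts /etc/hosts
tmp=$(mktemp)
sample_hosts > "$tmp"
if audit_hosts "$tmp"; then
    echo "only stock entries present"
else
    echo "non-default entries listed above"
fi
rm -f "$tmp"
```

Any line it prints is a mapping to review before overwriting the file; keeping a copy of the modified file preserves evidence of what was changed.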

  • Other Devices Cannot Connect

    I just set up my Linksys Internet, and I noticed that my other devices such as my laptop and xbox 360 cannot connect to the internet. There is no wireless security such as WEP, but it still won't connect. The xbox360 troubleshooter says (DNS Failed). What do I Do?
    Thanks
    -Mike

    logon to the router's web interface .. go to the "status" tab and check the internet ip add .. ensure that you have a valid internet ip add ...
    change the MTU settings to 1365 and go to the "applications and gaming" tab..click on "port triggering" subtab.. trigger ports 88 and 3074 ...
    change the wireless settings , channel - 11 , beacon interval - 50 , Fragmentation and RTS threshold - 2304
    check whether this makes any difference ..

  • Software Update Cannot connect and Safari cannot connect to URLs

    I have copied this problem report from the Safari forum in the hope that I may get some additional help here.
    This morning I went to the local library and connected to the internet directly using airport to their WAN. So I now know my problem is independent of the weird dial up arrangement I have at home.
    Safari still does not open the sites. It gives a message "Cannot open page "x" because it cannot connect to server "X""
    When I open Firefox all my sites are working normally. (I also downloaded and installed Firefox 3 this morning)
    I have reset Safari but that does not help.
    I have even downloaded the latest greatest version of safari (the beta 4) but it exhibits the same problems
    When I invoke Software Update it claims I am not connected to the internet. Does this depend on Safari? Is there a preference I can change to make it work through Firefox
    When I invoke internet connect diagnostics it says my internet connection is working normally.

    Hi Steve,
    Great clues there!
    FF uses its own Proxy & DNS settings for a couple of things, where Safari & other Apple Apps use System Preferences.
    First, Go to System Preferences>Network, Show Airport>Proxies tab, make sure no Proxies are set.
    Second, Try putting these numbers in Network>TCP/IP>DNS Servers, for the Airport Interface...
    208.67.222.222
    208.67.220.220
    Then Apply
    DNS Servers are a bit like Phone books where you look up a name and it gives you the phone number, in our case, you put in apple.com and it comes back with 17.149.160.49 behind the scenes.
    These Servers have been patched to guard against DNS poisoning, and are faster/more reliable than most ISP's DNS Servers.
