topic subnet (123.123.123.192/26) in Network Security

ASA Routing/NAT problem

Chewbakka1 — Tue, 12 Mar 2019 09:00:12 GMT

Hi,

I have an ASA running 9.7 which has a public ip (222.222.222.222) assigned to its outside interface and a default gw pointing to the first address in the 222.222.222 -network.

I then route another subnet (123.123.123.192/26) to the ASA's outside address.

When i try to perform dynamic nat (PAT) for one of the inside interfaces to one of the public ip's in the 123.123.123.192/27 range, no traffic is passed, even though i can see the states being created and ARP entries in the router.

The 'permit arp not-connected' feature is turned on.

When changing the object nat to the outside ip 222.222.222.222, traffic flows without any problem.

Any idea why this is?

subnet (123.123.123.192/26)

Hassan Chalabi — Thu, 02 Mar 2017 17:03:45 GMT

subnet (123.123.123.192/26) is public IP? is it known to your ISP?

Yes.

Chewbakka1 — Thu, 02 Mar 2017 17:51:20 GMT

Yes.

check the gateway of 123.123

Hassan Chalabi — Thu, 02 Mar 2017 18:04:17 GMT

check the gateway of 123.123.123.192/26 if it is reachable, I am assuming this is a secondary subnet from the ISP that comes from the same interface of the edge router to the outside interface of the FW.

The gateway of 123.123.123

Chewbakka1 — Thu, 02 Mar 2017 19:57:06 GMT

The gateway of 123.123.123.192/26 is reachable. And yes, the subnet comes in on the same (outside) interface to the ASA.

can you post packet tracer

Hassan Chalabi — Thu, 02 Mar 2017 20:02:33 GMT

can you post packet tracer output?

run one from an inside ip icmp to 8.8.8.8 after you NAT to the secondary subnet.

something like:

ASA#packet-tracer input inside icmp 10.0.0.1 0 0 8.8.8.8

Interface names and public ip

Chewbakka1 — Thu, 02 Mar 2017 20:48:45 GMT

Interface names and public ip's have been changed to obscure the original customer

packet-tracer input inside icmp <inside-ip> 0 0 8.8.8.8

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 222.222.222.1 using egress ifc Outside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network INSIDE-OUTSIDE-NAT
nat (INSIDE-INTERFACE,OUTSIDE) dynamic
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: <Inside-interface>
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed