topic NAT Issues continue with ASA 5510 in Network Security

NAT Issues continue with ASA 5510

Mitchell Tuckness — Tue, 12 Mar 2019 03:36:37 GMT

I am still having access issues when using NAT on my ASA 5510. I think it is due to the way I have my ASA setup and the usage of PAT and NAT. I am not sure of the differences in them as of yet, but because I have routers behind my ASA, it seems to me that the issues might relate to the PAT, NAT and the Routers.

Can refer to this link to see my network diagram.

https://supportforums.cisco.com/message/4145313#4145313

The problem is, I cannot seem to access any devices behind the routers.

My initial thought when I started this learning process was to use the ASA as the one point of access to the internet as a firewall. Then behind that I would have my routers and the subnets behind them, including switches and all that stuff. But there is apparently different ways of doing this and the information I get doesn't seem to be consistent, or I should say it is consistent, but doesn't work.

For some reason, I cannot seem to forward packets from the external interface (internet) on the ASA, to resources behind the routers.

I create a network object. Assign it a host. Create the NAT statement. Create the access list. and yet the packets still get denied. The error I see on the ASDM is basically always the same.

Jan 27 2014

10:36:46

98.22.xxx.xxx

14979

192.168.1.2

3389

Routing failed to locate next hop for TCP from Outside:98.22.xxx.xxx/14979 to Inside:192.168.1.2/3389

One thing I noticed is that no matter what I specify as the port leaving my network here at work, the ASA doesn't see it as that port. RDP, for example, is supposed to use 3389. But as you see from this caption of my ASA log, I initiated an RDP connection from my work computer and when it hit the ASA is is on port 14979 which if I read this correctly is 98.22.xxx.xxx 14979 then converted to 192.168.1.2 port 3389.

I created a Object Network Group:

object network RDP-DC1

host 192.168.1.2

Set NAT within the group:

object network RDP-DC1

nat (Inside,Outside) static interface service tcp 3389 3389

Then created an Access-List:

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object RDP-DC1 eq 3389

But the result is the same as I get when I created the one to allow http traffic on port 8080 to hit an internal address on port 80.

I don't know where my NAT issue is, but I am beginning to think it is in the PAT. Maybe I should create only static routes from the ASA to the routers and then setup the routers to allow access as needed? Right now, I believe the routers are allowing any traffic, since I have the access-list permit any any statement. That does mean allow any traffic to any location, including from the 'Outside' source?

Is the PAT trying to bypass the routers?

Here are some outputs:

ASA5510(config)# sh run nat

object network ROUTER-2811

nat (Inside,Outside) static interface service tcp ssh 222

object network ROUTER-2821

nat (DMZ,Outside) static interface service tcp ssh 2222

object network WEBCAM-01

nat (Inside,Outside) static interface service tcp www 8080

object network ROUTER-3745

nat (VOIP,Outside) static interface service tcp ssh 2223

object network RDP-DC1

nat (Inside,Outside) static interface service tcp 3389 3389

nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

ASA5510(config)# sh run access-list

access-list USERS standard permit 10.10.1.0 255.255.255.0

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2821 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object WEBCAM-01 eq www

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object RDP-DC1 eq 3389

access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any

access-list dmz-access remark Permit all traffic to DC1

access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2

access-list dmz-access remark Permit only DNS traffic to DNS server

access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain

access-list dmz-access remark Permit ICMP to all devices in DC

access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0

ASA5510(config)# sh run object-group

object-group network PAT-SOURCE

network-object 10.10.1.0 255.255.255.252

network-object 10.10.0.0 255.255.255.252

network-object 10.10.2.0 255.255.255.252

network-object 192.168.0.0 255.255.255.0

network-object 172.16.10.0 255.255.255.0

network-object 172.16.20.0 255.255.255.0

network-object 128.162.1.0 255.255.255.0

network-object 128.162.10.0 255.255.255.0

network-object 128.162.20.0 255.255.255.0

object-group network DM_INLINE_NETWORK_2

network-object host 98.22.xxx.xxx

object-group network Outside_access_in

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object gre

I seem to be missing something in my config preventing nat from working as it should and the work arounds that I do seem to not work properly.

The only statements that do work are the o nes that allow me to SSH into the Routers that are on each interface of the ASA. So I can ssh into the 2811, 2821 fine, but nothing behind them.

NAT Issues continue with ASA 5510

Jon Marshall — Mon, 27 Jan 2014 20:57:09 GMT

Mitchell

Do you have a route on your ASA telling it how to get to 192.168.1.2 ie.

route inside 192.168.1.0 255.255.255.0 10.10.1.2

In addition does the router have a route pointing to the ASA eg.

ip route 0.0.0.0 0.0.0.0 10.10.1.1

Jon

Re: NAT Issues continue with ASA 5510

Mitchell Tuckness — Mon, 27 Jan 2014 21:45:45 GMT

The 2811 has:

CISCO-2811#sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

+ - replicated route, % - next hop override

Gateway of last resort is 10.10.1.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.10.1.1

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 10.10.1.0/30 is directly connected, FastEthernet0/0

L 10.10.1.2/32 is directly connected, FastEthernet0/0

172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks

C 172.16.10.0/24 is directly connected, FastEthernet0/1.1

L 172.16.10.1/32 is directly connected, FastEthernet0/1.1

C 172.16.20.0/24 is directly connected, FastEthernet0/1.2

L 172.16.20.1/32 is directly connected, FastEthernet0/1.2

192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.1.0/24 is directly connected, FastEthernet0/1.3

L 192.168.1.1/32 is directly connected, FastEthernet0/1.3

The ASA has:

ASA5510# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 199.195.xxx.xxx to network 0.0.0.0

C 199.195.xxx.xxx 255.255.255.240 is directly connected, Outside

C 10.10.0.0 255.255.255.252 is directly connected, DMZ

C 10.10.1.0 255.255.255.252 is directly connected, Inside

C 10.10.2.0 255.255.255.252 is directly connected, VOIP

S 192.168.1.0 255.255.255.0 [1/0] via 10.10.1.2, Inside

S* 0.0.0.0 0.0.0.0 [1/0] via 199.195.xxx.xxx, Outside

ASA5510# sh ip address

System IP Addresses:

Interface Name IP address Subnet mask Method

Ethernet0/0 Inside 10.10.1.1 255.255.255.252 CONFIG

Ethernet0/1 Outside 199.195.xxx.xxx 255.255.255.240 CONFIG

Ethernet0/2 DMZ 10.10.0.1 255.255.255.252 manual

Ethernet0/3 VOIP 10.10.2.1 255.255.255.252 manual

Current IP Addresses:

Interface Name IP address Subnet mask Method

Ethernet0/0 Inside 10.10.1.1 255.255.255.252 CONFIG

Ethernet0/1 Outside 199.195.xxx.xxx 255.255.255.240 CONFIG

Ethernet0/2 DMZ 10.10.0.1 255.255.255.252 manual

Ethernet0/3 VOIP 10.10.2.1 255.255.255.252 manual

Re: NAT Issues continue with ASA 5510

Jon Marshall — Mon, 27 Jan 2014 22:06:42 GMT

Mitchell

I think you are reading it incorrectly. What it is saying is the source of the packet is 98.22.x.x using a random port and the destination is the 192.168.1.2 using RDP ie. it has already translated the destination IP from the interface IP to 192.168.1.2.

There is a route on the ASA for 192.168.1.0/24. From the ASA can you ping 192.168.1.2 ?

Jon

Re: NAT Issues continue with ASA 5510

Mitchell Tuckness — Mon, 27 Jan 2014 22:10:30 GMT

I cannot ping any addresses behind the routers, including 192.168.1.2.

ASA5510(config)# ping 192.168.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

Re: NAT Issues continue with ASA 5510

Jon Marshall — Mon, 27 Jan 2014 22:16:08 GMT

Mitchell

For some reason the ASA is not using the route for 192.168.1.0/24 you have added.

Can you post "sh xlate local 192.168.1.2"

Jon

Re: NAT Issues continue with ASA 5510

Mitchell Tuckness — Mon, 27 Jan 2014 22:27:36 GMT

ASA5510(config)# sh xlate local 192.168.1.2

21 in use, 784 most used

Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,

s - static, T - twice, N - net-to-net

TCP PAT from Inside:192.168.1.2 3389-3389 to Outside:199.195.xxx.xxx 3389-3389

flags sr idle 3:19:10 timeout 0:00:00

Here is the one for the WEBCAM that is also not working:

ASA5510(config)# sh xlate local 192.168.1.5

36 in use, 784 most used

Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,

s - static, T - twice, N - net-to-net

TCP PAT from Inside:192.168.1.5 80-80 to Outside:199.195.xxx.xxx 8080-8080

flags sr idle 0:43:27 timeout 0:00:00

NAT Issues continue with ASA 5510

Jon Marshall — Mon, 27 Jan 2014 22:42:01 GMT

Mitchell

I can't see anything obviously wrong with this.

It has the correct xlate entry and the correct route for this to work.

How are you accessing it ie. via VPN or not ?

Jon

Re: NAT Issues continue with ASA 5510

Mitchell Tuckness — Tue, 28 Jan 2014 00:12:51 GMT

From a static IP (not VPN) at work. No VPN tunnel, just from my works PC, which runs on a 192.168.116.0 subnet through a couple of routers and out a firewall with the static IP of 98.22.xxx.xxx and then to my ASA @ home.

Message was edited by: Mitchell Tuckness : IP (not VPN)

NAT Issues continue with ASA 5510

Mitchell Tuckness — Tue, 28 Jan 2014 03:16:24 GMT

I noticed I had ip source-route enabled on the router, you don't think that could have any impact on this issue? I also read that depending on the license on the ASA it can only do so much?

I tured off ip source-route since it seems like most posts say it is not usually enabled. I am at a loss as to why I can't get this to work.

Re: NAT Issues continue with ASA 5510

Mitchell Tuckness — Tue, 28 Jan 2014 16:11:30 GMT

No more ideas? I am a /sad sad camper. I hate it when you're (think) doing things right and it doesn't work and your trying to learn and not sure what's up.

NAT Issues continue with ASA 5510

Mitchell Tuckness — Tue, 28 Jan 2014 18:56:22 GMT

Is there anything I can run to help diagnose this? Something on the ASA or router? Some config I might run that would help figure it out?

NAT Issues continue with ASA 5510

Jon Marshall — Tue, 28 Jan 2014 21:14:41 GMT

Mitchell

I still can't see what's wrong with this. Can you try removing the NAT statement for the routers outside interface ie. the ssh one and see if you still see the same problem.

The failed to locate next hop is usually to do with VPN traffic which is why i asked about it.

I don't think it is anything on the router as it is the ASA that seems unable to use the route in it's routing table.

Jon

NAT Issues continue with ASA 5510

Mitchell Tuckness — Tue, 28 Jan 2014 22:30:01 GMT

I'm sorry, which statement should I remove?

NAT Issues continue with ASA 5510

Jon Marshall — Tue, 28 Jan 2014 22:32:34 GMT

Mitchell

The NAT statement you have for the outside interface of the 2811. It is a long shot but i am wondering if because the next hop in the route also has a NAT statement for the same IP they are somehow conflicting.

Jon

NAT Issues continue with ASA 5510

Mitchell Tuckness — Tue, 28 Jan 2014 22:50:58 GMT

OK, I removed the statement under the network object for the NAT for ssh, no change.

object network ROUTER-2811

no nat (Inside,Outside) static interface service tcp ssh 222

I assume that was the NAT you were talking about?

Here is the route table as well.

ASA5510# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 199.195.xxx.xxx to network 0.0.0.0

S 172.16.20.0 255.255.255.0 [1/0] via 10.10.1.2, Inside

S 172.16.10.0 255.255.255.0 [1/0] via 10.10.1.2, Inside

S 128.162.1.0 255.255.255.0 [1/0] via 10.10.0.2, Inside

S 128.162.10.0 255.255.255.0 [1/0] via 10.10.0.2, Inside

S 128.162.20.0 255.255.255.0 [1/0] via 10.10.0.2, Inside

C 199.195.xxx.xxx 255.255.255.240 is directly connected, Outside

C 10.10.0.0 255.255.255.252 is directly connected, DMZ

C 10.10.1.0 255.255.255.252 is directly connected, Inside

C 10.10.2.0 255.255.255.252 is directly connected, VOIP

S 192.168.1.0 255.255.255.0 [1/0] via 10.10.1.2, Inside

S* 0.0.0.0 0.0.0.0 [1/0] via 199.195.xxx.xxx, Outside

NAT Issues continue with ASA 5510

Jon Marshall — Tue, 28 Jan 2014 23:00:38 GMT

Mitchell

Did you clear the xlate table for that NAT statement when you removed it ?

Can you post full config of ASA ?

Jon

NAT Issues continue with ASA 5510

Mitchell Tuckness — Tue, 28 Jan 2014 23:07:07 GMT

Shoot, no I didn't and I thought about it, but didn't .

ASA5510# sh running-config

: Saved

ASA Version 9.1(4)

hostname ASA5510

domain-name maladomini.int

enable password liSfzvir2g encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd fzvir2g encrypted

names

dns-guard

interface Ethernet0/0

description LAN Interface

nameif Inside

security-level 100

ip address 10.10.1.1 255.255.255.252

interface Ethernet0/1

description WAN Interface

nameif Outside

security-level 0

ip address 199.195.xxx.xxx 255.255.255.240

interface Ethernet0/2

description DMZ

nameif DMZ

security-level 100

ip address 10.10.0.1 255.255.255.252

interface Ethernet0/3

description VOIP

nameif VOIP

security-level 100

ip address 10.10.2.1 255.255.255.252

interface Management0/0

management-only

shutdown

nameif management

security-level 0

no ip address

boot system disk0:/asa914-k8.bin

ftp mode passive

dns domain-lookup Outside

dns server-group DefaultDNS

name-server 199.195.xxx.xxx

name-server 205.171.2.65

name-server 205.171.3.65

domain-name maladomini.int

same-security-traffic permit inter-interface

object network ROUTER-2811

host 10.10.1.2

object network ROUTER-2821

host 10.10.0.2

object network WEBCAM-01

host 192.168.1.5

object network DNS-SERVER

host 192.168.1.2

object network ROUTER-3745

host 10.10.2.2

object network RDP-DC1

host 192.168.1.2

object-group network PAT-SOURCE

network-object 10.10.1.0 255.255.255.252

network-object 10.10.0.0 255.255.255.252

network-object 10.10.2.0 255.255.255.252

network-object 192.168.0.0 255.255.255.0

network-object 172.16.10.0 255.255.255.0

network-object 172.16.20.0 255.255.255.0

network-object 128.162.1.0 255.255.255.0

network-object 128.162.10.0 255.255.255.0

network-object 128.162.20.0 255.255.255.0

object-group network DM_INLINE_NETWORK_2

network-object host 98.22.xxx.xxx

object-group network Outside_access_in

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object gre

access-list USERS standard permit 10.10.1.0 255.255.255.0

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2821 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object WEBCAM-01 eq www

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object RDP-DC1 eq 3389

access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any

access-list dmz-access remark Permit all traffic to DC1

access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2

access-list dmz-access remark Permit only DNS traffic to DNS server

access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain

access-list dmz-access remark Permit ICMP to all devices in DC

access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu Inside 1500

mtu Outside 1500

mtu management 1500

mtu DMZ 1500

mtu VOIP 1500

icmp unreachable rate-limit 1 burst-size 1

icmp deny any Outside

asdm image disk0:/asdm-715.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

object network ROUTER-2811

nat (Inside,Outside) static interface service tcp ssh 222

object network ROUTER-2821

nat (DMZ,Outside) static interface service tcp ssh 2222

object network WEBCAM-01

nat (Inside,Outside) static interface service tcp www 8080

object network ROUTER-3745

nat (VOIP,Outside) static interface service tcp ssh 2223

object network RDP-DC1

nat (Inside,Outside) static interface service tcp 3389 3389

nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

access-group Outside_access_in in interface Outside

router rip

network 10.0.0.0

version 2

no auto-summary

route Outside 0.0.0.0 0.0.0.0 199.195.xxx.xxx 1

route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1

route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1

route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1

route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1

route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1

route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 Inside

http 98.22.xxx.xxx 255.255.255.255 Outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 Inside

ssh 98.22.xxx.xxx 255.255.255.255 Outside

ssh timeout 60

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

inspect icmp error

inspect pptp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

password encryption aes

Cryptochecksum:95cd1440463ac3f

: end

NAT Issues continue with ASA 5510

Naisamuddin pk — Wed, 29 Jan 2014 11:13:37 GMT

Hi,

Can you please put "ip subnet-zero "command and then try.

Regards,

Naisam

NAT Issues continue with ASA 5510

Mitchell Tuckness — Wed, 29 Jan 2014 15:43:12 GMT

I am sorry, I can't seem to find that command to run.

Closest I found was:

ASA5510# sh ip address inside

System IP Address:

Interface Name IP address Subnet mask Method

Ethernet0/0 Inside 10.10.1.1 255.255.255.252 CONFIG

Current IP Address:

Interface Name IP address Subnet mask Method

Ethernet0/0 Inside 10.10.1.1 255.255.255.252 CONFIG

ASA5510# sh ip address outside

System IP Address:

Interface Name IP address Subnet mask Method

Ethernet0/1 Outside 199.195.xxx.xxx 255.255.255.240 CONFIG

Current IP Address:

Interface Name IP address Subnet mask Method

Ethernet0/1 Outside 199.195.xxx.xxx 255.255.255.240 CONFIG

ASA5510# sh ip address DMZ

System IP Address:

Interface Name IP address Subnet mask Method

Ethernet0/2 DMZ 10.10.0.1 255.255.255.252 manual

Current IP Address:

Interface Name IP address Subnet mask Method

Ethernet0/2 DMZ 10.10.0.1 255.255.255.252 manual

Naisamuddin pk wrote:

Hi,

Can you please put "ip subnet-zero "command and then try.

Regards,

Naisam