topic ASA 8.4 static NAT issue in Network Security

ASA 8.4 static NAT issue

Ashley Sahonta — Tue, 12 Mar 2019 00:58:03 GMT

Hi,

I have a small lab setup with the ASA connecting to an 887 router (for internet) and a 3550 switch for LAN. I am also trying to setup two routers in the internal network that need to be accessed from the internet for DMVPN. Both routers can access the internet, however as soon as I apply the static NAT statements on the ASA neither can access the internet or can be accessed from the internet.

For testing purposes I have only permitted ICMP and the port numbers for the DMVPN traffic.

NAT statements:

object network dmvpn-hub1

host 192.168.50.5

nat (inside,outside) static x.x.x.x

access-list OUTSIDE-IN extended permit gre any object dmvpn-hub1

access-list OUTSIDE-IN extended permit esp any object dmvpn-hub1

access-list OUTSIDE-IN extended permit udp any object dmvpn-hub1 eq isakmp

access-list OUTSIDE-IN extended permit icmp any object dmvpn-hub1

access-list OUTSIDE-IN extended permit udp any object dmvpn-hub1 eq 4500

I am curious as to why it causes this issue. Any help would be much appreciated.

Thanks

ASA 8.4 static NAT issue

jj27 — Fri, 08 Feb 2013 15:08:55 GMT

If you do show access-list OUTSIDE-IN do you see the rules incrementing the hit count?

If you do show arp from the 887 router do you see an IP and MAC address resolved in the table for the IP in question?

ASA 8.4 static NAT issue

Ashley Sahonta — Fri, 08 Feb 2013 15:11:11 GMT

The answer is no to both of those questions. The funny thing is when I do a packet-tracer it shows it as passing

ASA 8.4 static NAT issue

jj27 — Fri, 08 Feb 2013 15:14:27 GMT

Well if the answer is no to those questions, then there is an issue between the 887 and the ASA. Is it an issue with attempting to use a static IP that is not assigned to your internet line? Doing a packet tracer from the inside to the outside will always work because its simply doing a logical test of the firewall rules and NAT.

ASA 8.4 static NAT issue

Ashley Sahonta — Fri, 08 Feb 2013 15:16:24 GMT

No, I have a public block of IPs. I did see other posts where others had similar issues to mine. Thought it might have been something I missed.

ASA 8.4 static NAT issue

jj27 — Fri, 08 Feb 2013 15:19:43 GMT

Well what you're trying to do is very basic. Is this the first NAT protected device you're attempting to allow connectivity to? It's a stupid question, but is the command access-group OUTSIDE-IN in interface outside applied? Also, if the public IP block assigned differs from the LAN block on the 887 router you may need to add an IP route for the IP block to the outside interface of the ASA.

ASA 8.4 static NAT issue

Ashley Sahonta — Fri, 08 Feb 2013 15:24:50 GMT

Yeah, indeed it is basic. The ACL is applied and the public block is the same subnet. Also, there is no ACL on the 887 router.

ASA 8.4 static NAT issue

Jouni Forss — Fri, 08 Feb 2013 15:39:29 GMT

Hi,

Any chance you could share the rest of the ASA configurations (And perhaps even the router too). If need be partially remove public IP addresses and any other sensitive information.

- Jouni

Re: ASA 8.4 static NAT issue

Ashley Sahonta — Sat, 09 Feb 2013 10:40:34 GMT

Thanks for the replies on this. It turns out that proxy arp was required. Command below:

No sysopt noproxyarp

Sent from Cisco Technical Support iPhone App