topic Re: Unable to access server from static NAT in Network Security

Unable to access server from static NAT

Alex Chan — Mon, 11 Mar 2019 18:51:06 GMT

%ASA-session-6-302021: Teardown ICMP connection for faddr 192.168.1.109/0 gaddr 192.168.1.4/0 laddr 192.168.1.4/0
I have upgraded my ASA from 8.0 to 8.2.

However, none of static NAT working. All outside_access_in access-list has no HIT. Please help.

Re: Unable to access server from static NAT

mirober2 — Wed, 06 Oct 2010 20:15:11 GMT

Hi Alex,

Can you post the config? That would help us identify where the problem lies.

-Mike

Re: Unable to access server from static NAT

Alex Chan — Wed, 06 Oct 2010 20:35:33 GMT

I have attached the config file. Please check.

Re: Unable to access server from static NAT

mirober2 — Wed, 06 Oct 2010 20:48:01 GMT

Hi Alex,

Which static statements aren't working? I tried to connect to a handful on TCP/80 and they all seemed to go through.

-Mike

Re: Unable to access server from static NAT

Alex Chan — Wed, 06 Oct 2010 20:51:19 GMT

It is because the primary firewall with old 8.0 version is still in production.

I am updating the standby firewall and testing tonight.

But fail to access any of NAT, so I put it offline now.

Re: Unable to access server from static NAT

Alex Chan — Wed, 06 Oct 2010 20:59:20 GMT

Dear Support:

static (inside,outside) 210.177.218.1 192.168.1.23 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.2 192.168.1.24 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.3 192.168.1.11 netmask 255.255.255.255 dns
static (DMZ,outside) 210.177.98.33 192.168.41.63 netmask 255.255.255.255 dns
static (DMZ,outside) 210.177.98.35 192.168.41.62 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.4 192.168.1.51 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.11 192.168.1.20 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.12 192.168.1.18 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.16 192.168.1.19 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.17 192.168.1.48 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.18 192.168.2.16 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.19 192.168.1.81 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.20 192.168.1.17 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.21 192.168.1.26 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.22 192.168.1.37 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.23 192.168.1.52 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.24 192.168.1.54 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.36 192.168.1.53 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.38 192.168.1.27 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.39 192.168.1.65 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.40 192.168.1.30 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.42 192.168.1.3 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.43 192.168.1.71 netmask 255.255.255.255
static (inside,outside) 210.177.98.37 192.168.1.92 netmask 255.255.255.255 dns

None of them are able to ping or access via Internet.

Re: Unable to access server from static NAT

mirober2 — Wed, 06 Oct 2010 21:02:29 GMT

Hi Alex,

Is this on the 8.0 or 8.2 unit? They cannot run simultaneously with the same config since the upstream router's ARP table will not be correct and won't know which firewall actually owns the public addresses.

-Mike

Re: Unable to access server from static NAT

Alex Chan — Wed, 06 Oct 2010 21:06:09 GMT

Dear Support:

The 8.0 unit is in production now. The 8.2 unit is currently offline. But I am wondering if there is any wrong configuration I have done in the 8.2 unit per attached file I sent since I can't get any of NAT server up.

Thanks.

Re: Unable to access server from static NAT

Allen P Chen — Wed, 06 Oct 2010 21:41:31 GMT

Hi Alex,

I assume the 8.0 unit and the 8.2 unit have the exact same IP address and static NAT configurations, correct? And when you initially tested, you just swapped the 8.0 unit with the 8.2 unit and tested the NAT, correct?

The reason the static statements were most likely failing is because the upstream device (probably the ISP router) still had the IP addresses of the static associated with the MAC address of the 8.0 unit. To resolve this issue, you can simply clear the arp cache on the upstream device (clear arp-cache) if you have management access to it, or you can simply reload it to clear the arp cache as well.

Therefore, please try the following:

-replace the 8.0 ASA with the 8.2 ASA (I am assuming both devices have the exact same IP address assignment and configuration)

-clear the arp cache on the upstream device either with the command "clear arp-cache" or reloading the device

Hope that helps.