https://community.cisco.com/t5/network-security/static-doesn-t-work/m-p/1266900#M825565 <P>ASA 5520 running ver. 8.0(3).</P><P></P><P>Here's the basic config:</P><P>global (outside) 101 interface</P><P>nat (101) 0.0.0.0 0.0.0.0</P><P>static (inside,outside) xxx.97.65.5 10.75.244.241 netmask 255.255.255.255</P><P></P><P>If I remove the static line then I send get to the Internet on 10.75.244.241. Re-apply the static command will kill the Internet connection. All clients (without static) are fine with or without the static command.</P><P></P><P>No access-list created - everything is using default from out of the box.</P><P></P><P>Please help!!!!</P><P></P><P>Here's the config:</P><P></P><P></P><P>ASA Version 8.0(3) </P><P>!</P><P>hostname ASA-5520</P><P>names</P><P>dns-guard</P><P>!</P><P>interface GigabitEthernet0/0</P><P> description Outside to TW</P><P> nameif OUTSIDE-TW</P><P> security-level 0</P><P> ip address xxx.97.65.3 255.255.255.128 </P><P>!</P><P>interface GigabitEthernet0/1</P><P> description Connection to 4506</P><P> nameif INSIDE</P><P> security-level 100</P><P> ip address INSIDE-10.75.244.12 255.255.255.0 </P><P>!</P><P>interface GigabitEthernet0/2</P><P> shutdown</P><P> nameif DMZ</P><P> security-level 50</P><P> ip address 172.16.200.3 255.255.255.128 </P><P>!</P><P>interface GigabitEthernet0/3</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Management0/0</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>boot system disk0:/asa803-k8.bin</P><P>ftp mode passive</P><P>clock timezone PST -8</P><P>clock summer-time PDT recurring</P><P>dns domain-lookup INSIDE</P><P>dns server-group DefaultDNS</P><P> name-server 10.75.244.252</P><P> name-server 10.75.244.151</P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P>object-group icmp-type ICMP-ANY</P><P> description ICMP-ANY</P><P> icmp-object echo</P><P> icmp-object echo-reply</P><P> icmp-object traceroute</P><P> icmp-object unreachable</P><P>access-list INSIDE_nat_outbound extended permit ip object-group ALL_CRMC_SUBNET any </P><P>pager lines 24</P><P>logging enable</P><P>logging timestamp</P><P>logging trap notifications</P><P>logging asdm informational</P><P>logging mail emergencies</P><P>logging host INSIDE 10.75.244.158</P><P>logging permit-hostdown</P><P>mtu OUTSIDE-TW 1500</P><P>mtu INSIDE 1500</P><P>mtu DMZ 1500</P><P>ip local pool VPN_Pool 192.168.222.2-192.168.222.127 mask 255.255.255.128</P><P>ip verify reverse-path interface OUTSIDE-TW</P><P>no failover</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-61551.bin</P><P>asdm history enable</P><P>arp timeout 14400</P><P>nat-control</P><P>global (OUTSIDE-TW) 101 interface</P><P>nat (INSIDE) 101 0.0.0.0 0.0.0.0</P><P>static (INSIDE,OUTSIDE-TW) xxx.97.65.5 10.75.244.241 netmask 255.255.255.255 </P><P>route OUTSIDE-TW 0.0.0.0 0.0.0.0 xxx.97.65.1 1</P><P>timeout xlate 0:30:00</P><P>timeout conn 0:15:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P></P> Mon, 11 Mar 2019 16:22:18 GMT jimmy.tran 2019-03-11T16:22:18Z https://community.cisco.com/t5/network-security/static-doesn-t-work/m-p/1266900#M825565 <P>ASA 5520 running ver. 8.0(3).</P><P></P><P>Here's the basic config:</P><P>global (outside) 101 interface</P><P>nat (101) 0.0.0.0 0.0.0.0</P><P>static (inside,outside) xxx.97.65.5 10.75.244.241 netmask 255.255.255.255</P><P></P><P>If I remove the static line then I send get to the Internet on 10.75.244.241. Re-apply the static command will kill the Internet connection. All clients (without static) are fine with or without the static command.</P><P></P><P>No access-list created - everything is using default from out of the box.</P><P></P><P>Please help!!!!</P><P></P><P>Here's the config:</P><P></P><P></P><P>ASA Version 8.0(3) </P><P>!</P><P>hostname ASA-5520</P><P>names</P><P>dns-guard</P><P>!</P><P>interface GigabitEthernet0/0</P><P> description Outside to TW</P><P> nameif OUTSIDE-TW</P><P> security-level 0</P><P> ip address xxx.97.65.3 255.255.255.128 </P><P>!</P><P>interface GigabitEthernet0/1</P><P> description Connection to 4506</P><P> nameif INSIDE</P><P> security-level 100</P><P> ip address INSIDE-10.75.244.12 255.255.255.0 </P><P>!</P><P>interface GigabitEthernet0/2</P><P> shutdown</P><P> nameif DMZ</P><P> security-level 50</P><P> ip address 172.16.200.3 255.255.255.128 </P><P>!</P><P>interface GigabitEthernet0/3</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Management0/0</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>boot system disk0:/asa803-k8.bin</P><P>ftp mode passive</P><P>clock timezone PST -8</P><P>clock summer-time PDT recurring</P><P>dns domain-lookup INSIDE</P><P>dns server-group DefaultDNS</P><P> name-server 10.75.244.252</P><P> name-server 10.75.244.151</P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P>object-group icmp-type ICMP-ANY</P><P> description ICMP-ANY</P><P> icmp-object echo</P><P> icmp-object echo-reply</P><P> icmp-object traceroute</P><P> icmp-object unreachable</P><P>access-list INSIDE_nat_outbound extended permit ip object-group ALL_CRMC_SUBNET any </P><P>pager lines 24</P><P>logging enable</P><P>logging timestamp</P><P>logging trap notifications</P><P>logging asdm informational</P><P>logging mail emergencies</P><P>logging host INSIDE 10.75.244.158</P><P>logging permit-hostdown</P><P>mtu OUTSIDE-TW 1500</P><P>mtu INSIDE 1500</P><P>mtu DMZ 1500</P><P>ip local pool VPN_Pool 192.168.222.2-192.168.222.127 mask 255.255.255.128</P><P>ip verify reverse-path interface OUTSIDE-TW</P><P>no failover</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-61551.bin</P><P>asdm history enable</P><P>arp timeout 14400</P><P>nat-control</P><P>global (OUTSIDE-TW) 101 interface</P><P>nat (INSIDE) 101 0.0.0.0 0.0.0.0</P><P>static (INSIDE,OUTSIDE-TW) xxx.97.65.5 10.75.244.241 netmask 255.255.255.255 </P><P>route OUTSIDE-TW 0.0.0.0 0.0.0.0 xxx.97.65.1 1</P><P>timeout xlate 0:30:00</P><P>timeout conn 0:15:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P></P> Mon, 11 Mar 2019 16:22:18 GMT https://community.cisco.com/t5/network-security/static-doesn-t-work/m-p/1266900#M825565 jimmy.tran 2019-03-11T16:22:18Z https://community.cisco.com/t5/network-security/static-doesn-t-work/m-p/1266901#M825566 <HTML><HEAD></HEAD><BODY><P>Hi Jimmy,</P><P></P><P>This looks to a gratuitous ARP issue. </P><P>I would suggest the following to get this fixed:</P><P>no static (inside,outside) xxx.97.65.5 10.75.244.241</P><P>int g0/0</P><P>ip address xxx.97.65.5 255.255.255.128 </P><P>ping 4.2.2.2</P><P>int g0/0</P><P>ip address xxx.97.65.3 255.255.255.128 </P><P></P><P>static (inside,outside) xxx.97.65.5 10.75.244.241</P><P></P><P>Reason for the fix:</P><P></P><P>Firewall does a proxy ARP for the public ip address applied in the static statement. At times this ARP is not learned by the upstream device so we have to force this ARP. The best way to do it is by applying that public ip address in the static statement to the firewall outside interface and then applying it to the static statement again.</P><P></P><P>Note: This might cause termination of the active connection through the firewall so applying it off production hours is always recommended.</P></BODY></HTML> Fri, 02 Oct 2009 16:28:39 GMT https://community.cisco.com/t5/network-security/static-doesn-t-work/m-p/1266901#M825566 mkharban 2009-10-02T16:28:39Z https://community.cisco.com/t5/network-security/static-doesn-t-work/m-p/1266902#M825567 <HTML><HEAD></HEAD><BODY><P>Hi mkharban,</P><P></P><P>I did exactly as you suggested and it worked beautiful!!!</P><P></P><P>BTW: Thought you may want to know this - Internet connection was up and running just fine during the process of changing the outside IP address.</P><P></P><P>Thank you so much for your help!</P><P></P><P>Jimmy-</P></BODY></HTML> Fri, 02 Oct 2009 20:04:29 GMT https://community.cisco.com/t5/network-security/static-doesn-t-work/m-p/1266902#M825567 jimmy.tran 2009-10-02T20:04:29Z https://community.cisco.com/t5/network-security/static-doesn-t-work/m-p/1266903#M825568 <HTML><HEAD></HEAD><BODY><P>Hi Jimmy,</P><P></P><P>Internet connection generally stays up but to avoid any risks I always recommend adding that one-liner. </P><P></P><P>Thanks,</P><P>Manish Kharbanda</P></BODY></HTML> Fri, 02 Oct 2009 20:22:06 GMT https://community.cisco.com/t5/network-security/static-doesn-t-work/m-p/1266903#M825568 mkharban 2009-10-02T20:22:06Z https://community.cisco.com/t5/network-security/static-doesn-t-work/m-p/1266904#M825569 <HTML><HEAD></HEAD><BODY><P>Manish,</P><P></P><P>I appreciate your professionalism!!!!</P><P></P><P>Have a Great week-end!!!</P><P></P><P>Jimmy-</P></BODY></HTML> Fri, 02 Oct 2009 20:26:08 GMT https://community.cisco.com/t5/network-security/static-doesn-t-work/m-p/1266904#M825569 jimmy.tran 2009-10-02T20:26:08Z