ASA NAT proxy doesn't work

stranger1971
Level 1

Hello.

Could anybody explain what's wrong with my configuration?

I have an ASA 5525-X running 9.12 software. The outside interface has 3 real address ranges from the ISP.

Inside network users (9 distinct LANs) access the Internet through one IP address: the outside interface address.

The other ISP addresses are for outside access to internal resources. The NAT configuration follows.

Section 2 records:

object network Rule360
 nat (emts_vpn_admin,outside) static XX.YY.ZZ.DD service tcp sqlnet sqlnet 

and so on, about 100 times.

Section 3 records:

nat (architecture,outside) after-auto source dynamic architecture-NAT-to-Internet interface

nat (esx_mgmt,outside) after-auto source dynamic esx_mgmt-NAT-to-Internet interface

and so on, 7 times.

Section 3 works well, but Section 2 doesn't work.

The capture command shows no ARP answers for any external address other than the outside interface address.

Wireshark shows ARP requests for the mapped addresses on the outside interface?! show arp interface outside shows a full ARP cache. 

So NAT proxy ARP doesn't function correctly. 

 

12 Replies

Jon Marshall
Hall of Fame

Are the other IPs part of the same IP subnet range as the IP assigned to the outside interface?

If they are not, do you know whether the ISP has added routes for the other IP ranges pointing to your outside interface, or whether they have added secondary IP addresses for these ranges to their router?

If they have added secondary addresses then they will use ARP to resolve these IPs. If you have "no arp permit-nonconnected" in your configuration, which you may well have, then it won't work.

The solution would be to change the command, i.e. "arp permit-nonconnected", or get the ISP to modify their router to just route those additional ranges to the outside interface of your ASA. 

Jon

Hi.

Of course, arp permit-nonconnected exists in the config.

One subnet is in the common range, but the other one isn't.

I forgot to say that the ASA is a replacement for an old Linux-based firewall.

That old firewall worked with the ISP without problems, so the ISP's routing is good enough.

The problem is located on the ASA side.

 

> That old firewall worked with the ISP without problems, so the ISP's routing is good enough.

Not necessarily.

It may be that the ISP did ARP for the other ranges but your previous firewall would answer.

I wasn't saying the issue is with the ISP, but rather that it depends on how the ISP has set up their router.

If it is using secondary addressing, which it may be, then your firewall won't respond to ARP requests for any IPs that are not from the range assigned to an interface.

Are you saying the ISP is definitely routing the other ranges and not using ARP to resolve them?

Jon

The ISP router interface has only one IP, from the first address range.

No secondary IP on this interface at all. And I captured ARP requests from the ISP router,

but no answers to them, apart from one address, the ASA's outside interface.

For this address an ARP response exists.

If the ISP was routing the other ranges to your ASA then you would not see ARP requests for these IPs, because the only ARPs you would see would be for:

1) the outside interface IP

or

2) any IPs that are part of the same IP subnet as the outside interface IP.

If you are seeing ARP requests for IPs that are not either of the above then your ISP thinks those IPs are directly connected to their router, and so you would need "arp permit-nonconnected" in your configuration.

Apologies, but I'm still not sure whether you have this or whether you have "no arp permit-nonconnected".

Jon
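The rules in the reply above (the ASA answers ARP for its own outside address, proxy-ARPs for static-NAT mapped addresses in the connected subnet, and proxy-ARPs for mapped addresses outside that subnet only with `arp permit-nonconnected`) can be written down as a small model and run against a config. The following is an added example, not code from this thread or from Cisco: it parses object-NAT `static` lines of the form shown in the question, honours the `no-proxy-arp` keyword, and reports whether the ASA is expected to answer a given `who-has`. The addresses are constructed RFC 5737 documentation prefixes; the outside interface is assumed to be .66 in a /27, which matches the .65-.94 range reported later in the thread but is an assumption here.

```python
"""Model of when an ASA answers ARP for a static-NAT mapped address (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Object NAT line as in the thread:
#   nat (real_if,mapped_if) static <mapped-ip> [service ...] [no-proxy-arp]
NAT_RE = re.compile(r"^\s*nat\s+\(([^,]+),([^)]+)\)\s+static\s+(\S+)(.*)$")


@dataclass
class StaticNat:
    real_if: str
    mapped_if: str
    mapped_ip: ipaddress.IPv4Address
    proxy_arp: bool = True          # False when the rule carries no-proxy-arp


@dataclass
class Asa:
    outside_if: str
    outside_ip: ipaddress.IPv4Interface      # address + mask, e.g. 203.0.113.66/27
    permit_nonconnected: bool = False        # "arp permit-nonconnected"
    nats: list[StaticNat] = field(default_factory=list)

    @classmethod
    def from_config(cls, cfg: str, outside_if: str, outside_ip: str) -> Asa:
        asa = cls(outside_if, ipaddress.ip_interface(outside_ip))
        for line in cfg.splitlines():
            s = line.strip()
            if s == "arp permit-nonconnected":
                asa.permit_nonconnected = True
            elif s == "no arp permit-nonconnected":
                asa.permit_nonconnected = False
            m = NAT_RE.match(line)
            if not m:
                continue                      # dynamic/after-auto rules are not static
            real_if, mapped_if, mapped, rest = m.groups()
            try:
                ip = ipaddress.ip_address(mapped)
            except ValueError:
                continue                      # 'interface' keyword or object name: skipped here
            asa.nats.append(StaticNat(real_if, mapped_if, ip, "no-proxy-arp" not in rest))
        return asa

    def answers_arp(self, target: str) -> tuple[bool, str]:
        """Decide whether the ASA answers 'who-has <target>' received on outside."""
        t = ipaddress.ip_address(target)
        if t == self.outside_ip.ip:
            return True, "own outside interface address"
        hits = [n for n in self.nats if n.mapped_if == self.outside_if and n.mapped_ip == t]
        if not hits:
            return False, "no static NAT maps this address on outside"
        if not any(n.proxy_arp for n in hits):
            return False, "matching NAT rule(s) carry no-proxy-arp"
        if t in self.outside_ip.network:
            return True, "proxy ARP for mapped address in the connected subnet"
        if self.permit_nonconnected:
            return True, "proxy ARP for non-connected address (arp permit-nonconnected)"
        return False, "non-connected address and arp permit-nonconnected is off"


# Constructed config fragment in the style of the thread (hypothetical objects and addresses).
SAMPLE_CONFIG = """\
object network Rule360
 nat (emts_vpn_admin,outside) static 203.0.113.65 service tcp sqlnet sqlnet
object network Rule361
 nat (redcom,outside) static 203.0.113.67 no-proxy-arp
object network Rule362
 nat (library,outside) static 198.51.100.10
nat (architecture,outside) after-auto source dynamic architecture-NAT-to-Internet interface
arp permit-nonconnected
"""


def expected_answers(cfg: str, targets: list[str], permit: bool | None = None) -> dict[str, bool]:
    """Map each ARP target to whether the modelled ASA answers; 'permit' overrides the config."""
    asa = Asa.from_config(cfg, "outside", "203.0.113.66/27")
    if permit is not None:
        asa.permit_nonconnected = permit
    return {t: asa.answers_arp(t)[0] for t in targets}


if __name__ == "__main__":
    asa = Asa.from_config(SAMPLE_CONFIG, "outside", "203.0.113.66/27")
    for ip in ["203.0.113.65", "203.0.113.66", "203.0.113.67", "203.0.113.70", "198.51.100.10"]:
        ok, why = asa.answers_arp(ip)
        print(f"{ip:15} {'answers' if ok else 'silent ':8} {why}")
```

Run against the poster's symptom, the model says an address like .65 (same /27 as the outside interface, static-mapped, no `no-proxy-arp`) should be answered whether or not `arp permit-nonconnected` is set; silence there points away from that command and toward the NAT rule itself, a `no-proxy-arp` keyword, or the capture/ARP path.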

It exists. But it doesn't work. Look at this:

access-list redcom_in extended permit tcp host ---------- host 10.0.0.51 eq 3389 
access-list intranet_in remark Allow Echo, Echo-Reply, Unreachable and Time-Exceeded on Outside
access-list intranet_in extended permit icmp any4 any4 object-group PingTraffic 
pager lines 50
mtu km66 1500
mtu redcom 1500
mtu km66_dmz 1500
mtu emts_vpn_admin 1500
mtu emts_intranet 1500
mtu library 1500
mtu intranet_cod 1500
mtu architecture 1500
mtu management 1500
mtu esx_mgmt 1500
mtu Mgmt 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any km66
icmp permit any redcom
icmp permit any km66_dmz
icmp permit any emts_vpn_admin
icmp permit any emts_intranet
icmp permit any library
icmp permit any intranet_cod
icmp permit any architecture
icmp permit any management
icmp permit any esx_mgmt
icmp permit any Mgmt
no asdm history enable
arp timeout 14400
arp permit-nonconnected
!
object network Rule439

Okay, so can we clarify where we are.

If the ISP is using ARP for all IPs then it does not have a single IP on its router, or something is wrong.

You have captured ARP requests from the ISP but the ASA is not responding?

Does this include ARP requests for IPs that are part of the same IP subnet as the outside interface?

Have you just switched this over from your old firewall, i.e. when did you do the switchover?

Jon

> You have captured ARP requests from the ISP but the ASA is not responding?

Yes.

> Does this include ARP requests for IPs that are part of the same IP subnet as the outside interface?

Yes!!!

x.x.x.65 - no answer

x.x.x.66 - yes (outside)

x.x.x.67-94 - no answer

Provider's address: x.x.x.78

I switched back and forth several times.
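The per-address result listed above is what a capture reduces to once requests are matched against replies. As an added example that is not part of this thread, the script below tallies tcpdump-style ARP summary lines (`who-has X tell Y` / `reply X is-at MAC`, the decode style used by tcpdump and by the ASA capture output) per target IP, lists targets that never received a reply, and flags any target answered by more than one MAC, the signature of a second box still responding for the address. The capture lines are constructed to mirror the reported outcome (only the outside interface, .66 here, is answered); the addresses are RFC 5737 documentation prefixes.

```python
"""Tally ARP requests against replies per target IP from capture text (added example)."""
import re
from collections import defaultdict

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
WHO_HAS = re.compile(rf"who-has\s+(?P<target>{IP})\s+tell\s+(?P<sender>{IP})")
REPLY = re.compile(rf"reply\s+(?P<target>{IP})\s+is-at\s+(?P<mac>[0-9A-Fa-f:.\-]+)")

# Constructed sample: the ISP router (.78) asks for several mapped addresses,
# only the outside interface address (.66) is ever answered.
SAMPLE_CAPTURE = """\
1: 00:42:01.100001 arp who-has 203.0.113.65 tell 203.0.113.78
2: 00:42:01.100532 arp who-has 203.0.113.66 tell 203.0.113.78
3: 00:42:01.100910 arp reply 203.0.113.66 is-at 00c8.8b12.3456
4: 00:42:02.100001 arp who-has 203.0.113.65 tell 203.0.113.78
5: 00:42:02.300100 arp who-has 203.0.113.67 tell 203.0.113.78
6: 00:42:03.000001 arp who-has 203.0.113.66 tell 203.0.113.78
7: 00:42:03.000410 arp reply 203.0.113.66 is-at 00c8.8b12.3456
8: 00:42:03.500000 arp who-has 203.0.113.90 tell 203.0.113.78
"""


def _new_entry():
    return {"requests": 0, "replies": 0, "askers": set(), "macs": set()}


def tally(capture_text):
    """Per target IP: request count, reply count, who asked, which MACs answered."""
    stats = defaultdict(_new_entry)
    for line in capture_text.splitlines():
        m = WHO_HAS.search(line)
        if m:
            e = stats[m["target"]]
            e["requests"] += 1
            e["askers"].add(m["sender"])
            continue
        m = REPLY.search(line)
        if m:
            e = stats[m["target"]]
            e["replies"] += 1
            e["macs"].add(m["mac"].lower())
    return dict(stats)


def _ip_key(ip):
    return tuple(int(o) for o in ip.split("."))


def unanswered(capture_text, min_requests=1):
    """Targets asked for at least min_requests times with no reply at all."""
    st = tally(capture_text)
    return sorted((ip for ip, e in st.items()
                   if e["requests"] >= min_requests and e["replies"] == 0), key=_ip_key)


def answered_by_multiple_macs(capture_text):
    """Targets answered by more than one MAC: a stale or duplicate responder is likely."""
    st = tally(capture_text)
    return sorted((ip for ip, e in st.items() if len(e["macs"]) > 1), key=_ip_key)


if __name__ == "__main__":
    for ip, e in sorted(tally(SAMPLE_CAPTURE).items(), key=lambda kv: _ip_key(kv[0])):
        print(f"{ip:15} requests={e['requests']} replies={e['replies']} macs={sorted(e['macs'])}")
    print("unanswered:", unanswered(SAMPLE_CAPTURE))
    print("multiple responders:", answered_by_multiple_macs(SAMPLE_CAPTURE))
```

Feed it the text of `show capture <name>` for a capture filtered on ethernet-type arp, or `tcpdump -n -r file.pcap arp`; `unanswered(text, min_requests=2)` suppresses one-off lookups so repeated, ignored requests stand out.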

 

Were these IPs in use on the old firewall?

If they were, the usual issue is that the ISP router has the old firewall's MAC address in its ARP cache, so it doesn't work.

But it usually does work for the outside interface, because your internal clients are always connecting to the Internet, so that refreshes the ISP ARP cache continually.

However, you are saying you can see ARP requests coming from the ISP, so it doesn't sound like this is the issue here.

I will have a quick check of bugs to see if there is one for your version.

Can you post a "sh nat"?

Jon

Ok. See the attachment.

"sh nat" will be tomorrow.

It's 0:42 am here.

Actually, can you post the full configuration please?

Jon

Sorry I may have misread your last post.

Are you saying you have "arp permit-nonconnected" configured?

Jon
