03-10-2013 12:33 PM - edited 03-11-2019 06:12 PM
Hello,
I've been having a weird problem with static NAT.
First I have to say that I've been searching for an answer to this and have not yet found one...
I have three public IPs from a /24 network, like 83.x.x.10, 83.x.x.25 and 83.x.x.41, all using netmask 255.255.255.0.
I'm using 83.x.x.10 on the ASA outside interface and trying to do static NAT for inside servers with those other IPs, but haven't solved it yet.
Using Cisco ASA 5505, software v9.02
Config:
! PAT for the guest and inside networks behind the outside interface address
object network obj_guest
nat (guest,outside) dynamic interface
object network obj_any
nat (inside,outside) dynamic interface
! Inside server and its one-to-one static NAT to a public address
object network w2008
host 192.168.1.10
object network w2008
nat (inside,outside) static 83.x.x.27
! Allow inbound RDP to the server through the outside interface
object service RDP
service tcp destination eq 3389
access-list outside_access_in extended permit object RDP any object w2008
access-group outside_access_in in interface outside
This works on other networks that have a whole network with a /29 mask and a router in front of the ASA using bridge mode. But in my case I just have a DSL modem bridged in front of the ASA. This static NAT works like it should if I use e.g. a Zywall USG series firewall, and this same configuration works at my customers, but they have those scenarios I mentioned, with a /29 mask and a router in front...
It seems that the problem is in the ASA, like it won't show those public IPs to the public router of my operator. Because if I roll those other public IPs onto my ASA's outside interface (I use 83.x.x.25 and 83.x.x.41 on the outside interface and after that put back my original 83.x.x.10), then my static NAT works just fine, at least for a few hours, but not the next morning, because the ISP router flushes its ARP cache.
What trick do I need to do with the ASA to get this working?
03-13-2013 10:56 AM
Hi,
Just browsing settings in my ASDM, I got this solved.
The command that I needed to enable was: arp permit-nonconnected
Don't know why this does the trick, but anyway, case closed so far; my static NAT works like it should.
03-13-2013 03:08 PM
Here is the command reference for that:
http://www.cisco.com/en/US/docs/security/asa/asa91/command/reference/a3.html#wp1824414
Apologies, I didn't know that you are running a version that supports this new command.
The reason why you need that is because the next-hop device is not in the same subnet as your ASA, as you have a DSL modem bridge in front of the ASA; hence you need that command enabled.
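The following is an added example, not the original poster's configuration or any reply's code: it puts the object, NAT rule and ACL from the thread together with the setting the thread identifies as the fix, and lists the show commands one would use to confirm the ASA is actually answering ARP for the mapped address. The interface block, the default route and the ISP gateway address are assumptions (83.x.x.1 is a placeholder); 83.x.x.27 is the mapped address from the thread. Note that arp permit-nonconnected relaxes a check the ASA normally applies to ARP, so it is worth keeping the set of mapped public addresses limited to the ones actually in use and keeping the inbound ACL as narrow as possible (the thread's rule permits RDP from any source; if the RDP clients' source addresses are known, restrict the ACL to them).

```cisco
! Added example, not the poster's config. Interface/route lines are assumptions.
interface Vlan2
 nameif outside
 security-level 0
 ip address 83.x.x.10 255.255.255.0
!
! Placeholder ISP gateway; in the thread the next hop is behind a bridged DSL modem.
route outside 0.0.0.0 0.0.0.0 83.x.x.1 1
!
! Inside server mapped one-to-one to a public address (values from the thread)
object network w2008
 host 192.168.1.10
 nat (inside,outside) static 83.x.x.27
!
! Inbound RDP to the mapped server
object service RDP
 service tcp destination eq 3389
access-list outside_access_in extended permit object RDP any object w2008
access-group outside_access_in in interface outside
!
! The fix from the thread: let the ASA answer ARP for mapped addresses even when
! the ARP request comes from a next hop the ASA does not see as directly connected.
arp permit-nonconnected
!
! Proxy ARP on the outside interface must stay enabled for the mapped address.
! Proxy ARP is on by default; the line below is what would turn it OFF, so it
! must NOT be present:
!   sysopt noproxyarp outside
!
! Verification, to be typed on the ASA (not configuration):
!   show running-config | include arp|sysopt     ! confirm arp permit-nonconnected, no noproxyarp
!   show nat detail                               ! the static rule shows translate hits
!   show xlate                                    ! 192.168.1.10 <-> 83.x.x.27 entry present
!   show arp                                      ! ISP gateway resolved on outside
!   packet-tracer input outside tcp 198.51.100.7 40000 83.x.x.27 3389
!     (198.51.100.7 is a documentation address standing in for an RDP client;
!      the trace should end with "Action: allow" and show the untranslate to 192.168.1.10)
```

The packet-tracer line exercises the ACL and NAT path inside the ASA; it does not tell you whether the upstream router has learned the mapped address. For that, check the ARP table on the ISP side or watch for the translate hits in show nat detail to start incrementing after a client connects.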
03-11-2013 05:39 AM
The ASA should normally proxy ARP for those NATed public IP addresses.
Do you have "no sysopt noproxyarp outside" configured on your ASA?
Also, I assume that your ISP is routing that /24 public subnet towards your ASA interface IP (83.x.x.10)?
03-11-2013 07:52 AM
I re-ran that command, but I believe it wasn't configured.
If I look at the ARP table, I see my local IPs + the ISP gateway IP, nothing else...
But I believe the proxy ARP is not functioning right... I have tried other versions of ASA software also, but no good...
What should I do next?