cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2064
Views
0
Helpful
4
Replies

Cisco ASA5505 multiple public ip nat problem

ohenttonen
Level 1
Level 1

Hello,

I've been having weird problem with static nat.

First have to say that i've been searching answer for this and not yet found...

I have three public IP:s from /24 network like 83.x.x.10, 83.x.x.25 and 83.x.x.41 all using netmask 255.255.255.0.

I'm using 83.x.x.10 on ASA outside interface and trying to do static nat for inside servers with those other IP:s, but not yet solved it.

Using Cisco ASA 5505 software v9.02

Config:

object network obj_guest

nat (guest,outside) dynamic interface

object network obj_any

nat (inside,outside) dynamic interface

object network w2008

host 192.168.1.10

object network w2008

nat (inside,outside) static 83.x.x.27

object service RDP

service tcp destination eq 3389

access-list outside_access_in extended permit object RDP any object w2008

access-group outside_access_in in interface outside

This works other networks that are like whole network with /29 mask and have router in front of ASA using bridge. But in my case i just have DSL modem bridged in front of ASA. This static nat works like should if i use like Zywall USG series fw and this same configuration works in my customers, but they have those scenarios i said having mask /29 and router in front...

It seems that the problem is in ASA, like i won't show those public IP:s to public router from my operator. Because if i roll those other public IP:s on my ASA:s outside interface: i will use 83.x.x.25 and 83.x.x.41 on outside interface and after that put back my original 83.x.x.10 then my static nat is working just fine, atleast few hours, but not in next morning because ISP router flushes ARP cache.

What trick i need to do with ASA to get this working?

2 Accepted Solutions

Accepted Solutions

Hi,

Just browsing settings from my ASDM, i got this solved.

Command that i needed to enable was:  arp permit-nonconnected

Don't know why this does the trick, but anyway, case closed so far, my static nat works like should.

View solution in original post

Here is the command reference for that:

http://www.cisco.com/en/US/docs/security/asa/asa91/command/reference/a3.html#wp1824414

Apology, didn't know that you are running that version that supports this new command.

The reason why you need that is because the next hop device is not in the same subnet as your ASA as you have DSL modem bridge in front of the ASA, hence you would need that command enabled.

View solution in original post

4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

The ASA should proxy arp for those NATed public ip addresses normally.

Do you have "no sysopt noproxyarp outside" configured on your ASA?

Also, I assume that your ISP is routing those /24 public subnet towards your ASA interface ip (83.x.x.10)?

I rerun that command, but i believe it wasn't configured.

If i look at arp table, i see my local ip:s + isp gateway IP, nothing else...

But i believe the proxy arp is not funtioning right.. i have tried with other versions of ASA also, but no good..

What should i do next?

Hi,

Just browsing settings from my ASDM, i got this solved.

Command that i needed to enable was:  arp permit-nonconnected

Don't know why this does the trick, but anyway, case closed so far, my static nat works like should.

Here is the command reference for that:

http://www.cisco.com/en/US/docs/security/asa/asa91/command/reference/a3.html#wp1824414

Apology, didn't know that you are running that version that supports this new command.

The reason why you need that is because the next hop device is not in the same subnet as your ASA as you have DSL modem bridge in front of the ASA, hence you would need that command enabled.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: