need NAT assistance on ASA 5510 behind another NAT firewall

ChuckHaynes
Level 3

Greetings,

The topology is an MPLS network. NAT is done on the edge network-based firewall before the traffic goes to the Internet. Each remote site on the MPLS has its own router. The site in question also has an ASA 5510 that sits behind the router (mainly to allow VPN connections). We just acquired this network and found a few issues. I believe the main issue is the ASA 5510 is also trying to do some sort of NAT as well. I constantly see errors in the logs like this:

%ASA-4-419002: Received duplicate TCP SYN from
%ASA-4-313005: No matching connection for ICMP error message: 

I can't ping the inside interface of the ASA unless I'm on the same subnet. Also, the realtime log doesn't appear to be showing my ICMP attempts? The location does have a few static NAT devices facing the public, but those translations are done on the edge NBFW. Here is the current NAT config:

nat (inside,Outside) source static any any no-proxy-arp route-lookup

I think that I need to 'disable NAT' on the 5510, but I'm unsure of exactly what needs done. Any help would be greatly appreciated.

Thanks

Ping on the inside interface of ASA from outside won't work. Is there anything not working other than ping?

You can ping inside when connected to ASA via VPN, but not from another MPLS location. SNMP won’t work either on ASA. And the real-time log doesn’t seem to be showing a lot of the traffic at all. Basically the ASA sits between the router and core switch, so everything has to pass through it.

Anyone have any ideas? Thanks.

Dennis Mink
VIP Alumni

Run the packet tracer tool on the ASA and simulate the traffic; this will quickly tell you what is blocking and what NAT is being applied.

Please remember to rate useful posts, by clicking on the stars below.
