We actually don't use the same IP on the outside interface as our global NAT address, so that wouldn't work for us.
First, about the pings: have you managed to ping the default gateway IP without specifying a source interface? This will source your pings from the IP address of the outside interface.
If you are not successful with this, ask your ISP about any MAC ACL or port security applied on the 3550 interface to which the ASA is connected.
Also, I don't think sourcing the pings with the inside interface's IP is the same as traffic arriving at the inside interface. This is locally generated traffic, and it traverses CPU-to-interface rather than interface-to-interface. Thus it would leave the ASA with the source IP of the inside interface, but without traversing any NAT statements. A better test would be to try a telnet connection from your router to, let's say, www.google.com on port 80, and post here the ASA output from the 'show xlate' and 'show connections' commands. A good practice at that time would be to have debug-level logging enabled, either on the monitor, the console, or the buffer, so you can see what actually happened.
Ok I'm attaching both the PIX config and the converted ASA config as well as a topology map showing how our Internet traffic is routed.
An example traceroute:
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 172.16.128.1
2 1 ms 1 ms 1 ms host-199-216-81-1.sturgeon.ab.ca [126.96.36.199]
3 * * * Request timed out.
4 7 ms 6 ms 6 ms ra2so-ge3-2-77.cg.bigpipeinc.com [188.8.131.52]
The 3550 switch labelled A is a managed device owned by Alberta SuperNet, who provides our WAN services between schools. Our Internet traffic goes through that device, but it provides no layer 3 services for our traffic; it is all passed on to our ISP further upstream.
Both SuperNet and our ISP have said nothing is set on their side that would prevent us from a cutover - MAC security or ACLs.
We're really stumped. I'm hoping someone can shed some light on this puzzle. I'm not really a WAN/Security expert but everything I've read about moving from PIX to ASA should be rather simple. My hair is getting grayer. :)
The topology you have posted represents the physical one, which does not match the logical interconnections.
For example, it is not clear how the inside networks have been routed:
- many VLANs to the router, which routes inter-VLAN, or
- a switch on the path is doing L3 switching.
I saw the ASA config; it looks OK to me, although I have not compared it with the PIX one to see if they match completely. As you have posted, the output of a tracert from a host somewhere behind the router works fine ;-).
As I mentioned before, try a telnet connection to an Internet host on port 80, and post here the output of the 'show xlate' and 'show connections' ASA commands.
Also, please be more specific about what exactly is not working.
Our router does inter-VLAN routing.
The switch (3550) does not provide any layer 3 routing for the Internet connection; it is just a conduit.
Using the packet tracer in ASDM, the traffic appears to be failing due to NAT.
The packet tracer shows this as the config that is causing the drop:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (184.108.40.206)
translate_hits = 971, untranslate_hits = 74
The NAT config on the ASA:
global (outside) 1 220.127.116.11 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
The NAT config on the PIX:
global (outside) 1 18.104.22.168
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Where is the problem??
Missed translation hits might be caused by the static entries you have, because they would be different translation entries.
It might be a problem with the proxy-ARP functionality.
To be sure that it is properly configured, issue:
show running-config sysopt
In the output you should not have 'sysopt noproxyarp outside'. That is the default setting anyway, but check it just to be sure.
Otherwise, if the above looks OK, try replacing the global with NAT to the interface IP and see if things work that way:
no global (outside) 1 22.214.171.124 netmask 255.255.255.255
global (outside) 1 interface
If it seems to you to be a bug, try moving to a higher version, 8.0(4) for example.
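The two things the last reply asks the poster to check (that the global pool address, when it is not the outside interface's own IP, is only reachable if the ASA proxy-ARPs for it, and that each global pool has a matching nat statement) can be scripted against a saved configuration. The following is an added example, not code from the thread or from Cisco: it parses a small constructed ASA-style config (the addresses in it are documentation-range examples, not the poster's), reports the proxy-ARP and pool-id problems, and can rewrite the global to the `interface` PAT form suggested above. It handles only single-address global pools, not address ranges.

```python
import re

# Constructed sample config for this example (not the poster's config).
# It reproduces the failure mode discussed in the thread: a global pool on an
# address other than the outside interface IP, with proxy ARP disabled.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.128.1 255.255.255.0
!
global (outside) 1 203.0.113.5 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
sysopt noproxyarp outside
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.M)
NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)", re.M)
IPADDR_RE = re.compile(r"^\s+ip address\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)", re.M)
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(\S+).*$", re.M)
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)", re.M)
NOPROXY_RE = re.compile(r"^sysopt noproxyarp\s+(\S+)", re.M)


def parse_interfaces(config):
    """Map nameif -> interface IP for every 'interface' block in the config."""
    result, current = {}, {}
    for line in config.splitlines():
        if IFACE_RE.match(line):
            current = {}            # a new block starts; forget the previous one
            continue
        m = NAMEIF_RE.match(line)
        if m:
            current["nameif"] = m.group(1)
        m = IPADDR_RE.match(line)
        if m:
            current["ip"] = m.group(1)
        if "nameif" in current and "ip" in current:
            result[current["nameif"]] = current["ip"]
    return result


def parse_globals(config):
    """Return [(ifname, pool_id, address_or_'interface'), ...]."""
    return [(m.group(1), int(m.group(2)), m.group(3)) for m in GLOBAL_RE.finditer(config)]


def parse_nats(config):
    """Return [(ifname, pool_id, network, mask), ...]; pool 0 is identity NAT."""
    return [(m.group(1), int(m.group(2)), m.group(3), m.group(4)) for m in NAT_RE.finditer(config)]


def noproxyarp_interfaces(config):
    """Interfaces on which 'sysopt noproxyarp' has been set."""
    return {m.group(1) for m in NOPROXY_RE.finditer(config)}


def check_nat(config):
    """Return a list of 'ERROR:'/'INFO:' findings about dynamic NAT reachability."""
    ifaces = parse_interfaces(config)
    globals_ = parse_globals(config)
    nats = parse_nats(config)
    noproxy = noproxyarp_interfaces(config)
    nat_pools = {pool for _, pool, _, _ in nats}
    global_pools = {pool for _, pool, _ in globals_}
    findings = []
    for ifname, pool, addr in globals_:
        if pool not in nat_pools:
            findings.append(f"ERROR: global pool {pool} on {ifname} has no matching nat statement")
        if addr == "interface" or addr == ifaces.get(ifname):
            continue  # translated packets use the interface's own IP; no proxy ARP needed
        # The pool address is not the interface IP, so upstream devices can only
        # reach it if the ASA answers ARP for it on that interface.
        if ifname in noproxy:
            findings.append(f"ERROR: global {addr} on {ifname} needs proxy ARP, "
                            f"but 'sysopt noproxyarp {ifname}' is set; return traffic will be lost")
        else:
            findings.append(f"INFO: global {addr} on {ifname} relies on proxy ARP for {addr}")
    for ifname, pool, net, mask in nats:
        if pool != 0 and pool not in global_pools:
            findings.append(f"ERROR: nat ({ifname}) {pool} {net} {mask} has no matching global")
    return findings


def rewrite_global_to_interface(config):
    """Rewrite fixed-address global pools to 'interface' PAT, the workaround from the thread."""
    return GLOBAL_RE.sub(lambda m: f"global ({m.group(1)}) {m.group(2)} interface", config)


if __name__ == "__main__":
    for f in check_nat(SAMPLE_CONFIG):
        print(f)
    print("--- after rewrite ---")
    print(check_nat(rewrite_global_to_interface(SAMPLE_CONFIG)))
```

Run it against `show running-config` output saved to a file instead of the embedded sample to check a real migration; an `INFO` line is the normal state for a global pool on a separate address, and the `ERROR` line is the combination the last reply warns about.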