Solved: Traffic not passing to one NAT address, works fine to different address

TOBY SIMMONS · ‎09-25-2015

I am completely stumped. We are replacing an old PIX running 6.3(4) with an ASA running 9.2(4). After migrating the config and swapping it out, some of the devices cannot pass traffic.

Here is a sanitized version of the relevant config. Any idea why the object "testnat" (NAT'ed to .187) can pass traffic but the object "mail" (NAT'ed to .188) cannot?

!
ASA Version 9.2(4) 
!
terminal width 200

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
name 192.168.0.253 mail
name 192.168.0.41 testnat
!
interface Ethernet0/0
 description Outside Interface
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 description Inside Interface
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ...179 255.255.255.240 
!
boot system disk0:/asa924-k8.bin
ftp mode passive
object network mail
 host 192.168.0.253
object network global_nat
 subnet 0.0.0.0 0.0.0.0
object network testnat
 host 192.168.0.41
object-group service Mail-Services
 service-object tcp destination eq 587 
 service-object tcp destination eq imap4 
 service-object tcp destination eq pop3 
 service-object tcp destination eq smtp 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit object-group Mail-Services any host 192.168.0.253 
access-list outside_access_in extended permit object-group Mail-Services any host 192.168.0.41 
access-list inside_access_out extended permit icmp any4 any4 
access-list inside_access_out extended permit ip any4 any4 
logging enable
logging timestamp
logging monitor warnings
logging trap warnings
logging facility 16
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-722.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network mail
 nat (inside,outside) static ...188
object network global_nat
 nat (any,outside) dynamic interface
object network testnat
 nat (inside,outside) static ...187
access-group inside_access_out in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ...177 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy

!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context

Rishabh Seth · ‎09-27-2015

Hi Toby,

As you have mentioned that you are replacing your old firewall with new then the issue might be due to stale ARP cache on the upstream device. You can try clearing ARP cache on the upstream device as it might still point to MAC address of old firewall.

If issue still exists then let us know if you correct packet flow in packet- tracer output. Check if packet tracer shows correct NAT being evaluated for your traffic.

Thanks,

R.Seth

View solution in original post

Vibhor Amrodia · ‎09-25-2015

Hi,

If this is the configuration , I am sure that the problem is with the Public Address.

Try to check with the captures for the non working ip address and see if you see any traffic on the outside interface from the internet on that IP ?

Thanks and Regards,

Vibhor Amrodia

TOBY SIMMONS · ‎09-25-2015

I'll will try that on Sunday (it is currently Friday) when we have a maintenance window and update this post then.

Thanks &
Cheers,

Toby

Rishabh Seth · ‎09-27-2015

Hi Toby,

As you have mentioned that you are replacing your old firewall with new then the issue might be due to stale ARP cache on the upstream device. You can try clearing ARP cache on the upstream device as it might still point to MAC address of old firewall.

If issue still exists then let us know if you correct packet flow in packet- tracer output. Check if packet tracer shows correct NAT being evaluated for your traffic.

Thanks,

R.Seth

TOBY SIMMONS · ‎09-27-2015

I'm not sure if it was ARP cache or some kind of sticky-MAC, but when I contacted the ISP they reset their device and everything cleared up. The config was fine.

Thanks &

Cheers,

Toby