09-25-2015 09:01 AM - edited 03-11-2019 11:39 PM
I am completely stumped. We are replacing an old PIX running 6.3(4) with an ASA running 9.2(4). After migrating the config and swapping it out, some of the devices cannot pass traffic.
Here is a sanitized version of the relevant config. Any idea why the object "testnat" (NAT'ed to .187) can pass traffic but the object "mail" (NAT'ed to .188) cannot?
! ASA Version 9.2(4) ! terminal width 200 xlate per-session deny tcp any4 any4 xlate per-session deny tcp any4 any6 xlate per-session deny tcp any6 any4 xlate per-session deny tcp any6 any6 xlate per-session deny udp any4 any4 eq domain xlate per-session deny udp any4 any6 eq domain xlate per-session deny udp any6 any4 eq domain xlate per-session deny udp any6 any6 eq domain names name 192.168.0.253 mail name 192.168.0.41 testnat ! interface Ethernet0/0 description Outside Interface switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 description Inside Interface ! interface Vlan1 nameif inside security-level 100 ip address 192.168.0.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address ...179 255.255.255.240 ! boot system disk0:/asa924-k8.bin ftp mode passive object network mail host 192.168.0.253 object network global_nat subnet 0.0.0.0 0.0.0.0 object network testnat host 192.168.0.41 object-group service Mail-Services service-object tcp destination eq 587 service-object tcp destination eq imap4 service-object tcp destination eq pop3 service-object tcp destination eq smtp access-list outside_access_in extended permit icmp any any access-list outside_access_in extended permit object-group Mail-Services any host 192.168.0.253 access-list outside_access_in extended permit object-group Mail-Services any host 192.168.0.41 access-list inside_access_out extended permit icmp any4 any4 access-list inside_access_out extended permit ip any4 any4 logging enable logging timestamp logging monitor warnings logging trap warnings logging facility 16 mtu inside 1500 mtu outside 1500 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-722.bin no asdm history enable arp timeout 14400 no arp permit-nonconnected ! object network mail nat (inside,outside) static ...188 object network global_nat nat (any,outside) dynamic interface object network testnat nat (inside,outside) static ...187 access-group inside_access_out in interface inside access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 ...177 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum client auto message-length maximum 512 ! service-policy global_policy global prompt hostname context
Solved! Go to Solution.
09-27-2015 12:55 PM
Hi Toby,
As you have mentioned that you are replacing your old firewall with new then the issue might be due to stale ARP cache on the upstream device. You can try clearing ARP cache on the upstream device as it might still point to MAC address of old firewall.
If issue still exists then let us know if you correct packet flow in packet- tracer output. Check if packet tracer shows correct NAT being evaluated for your traffic.
Thanks,
R.Seth
09-25-2015 09:09 AM
Hi,
If this is the configuration , I am sure that the problem is with the Public Address.
Try to check with the captures for the non working ip address and see if you see any traffic on the outside interface from the internet on that IP ?
Thanks and Regards,
Vibhor Amrodia
09-25-2015 09:16 AM
I'll will try that on Sunday (it is currently Friday) when we have a maintenance window and update this post then.
Thanks &
Cheers,
Toby
09-27-2015 12:55 PM
Hi Toby,
As you have mentioned that you are replacing your old firewall with new then the issue might be due to stale ARP cache on the upstream device. You can try clearing ARP cache on the upstream device as it might still point to MAC address of old firewall.
If issue still exists then let us know if you correct packet flow in packet- tracer output. Check if packet tracer shows correct NAT being evaluated for your traffic.
Thanks,
R.Seth
09-27-2015 02:35 PM
I'm not sure if it was ARP cache or some kind of sticky-MAC, but when I contacted the ISP they reset their device and everything cleared up. The config was fine.
Thanks &
Cheers,
Toby
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide