Solved: Hi Dan,In this scenario you

cooper.dan · ‎07-14-2015

Good Morning,

I have an issue similar to this, https://supportforums.cisco.com/discussion/11848306/arp-permit-nonconnected but is different in that the ISP has a firewall instead of a router in place.

Connectivity between both firewalls (on a private /30 subnet) is fine and dandy but as soon as I use the 'secondary/29' subnet, basically a pool of private addresses have given to nat with, I get nothing leaving the firewall egress interface. Routing is in place for the secondary network but no traffic is being generated towards the ISP firewall.

I have confirmed static nat and xlate connections through the firewall but nothing leaves the egress interface. My firewalls is ASA 9.2, the ISP is (I think) 9.1.

Have I missed something obvious? Diagram below.

Best Regards

Dan

prateek.verma · ‎07-15-2015

Hi Cooper,

Try the following command and check whether it works or not:

no nat (INSIDE,1Net) source static INSIDE_NETWORK_10.0.0.0 1net_xlate_128

nat (INSIDE,1Net) source dynamic INSIDE_NETWORK_10.0.0.0 1net_xlate_128

If it doesn't work please share the packet-tracer ouput.

Regards,

Prateek Verma

View solution in original post

Vibhor Amrodia · ‎07-14-2015

Hi,

What do you see in the captures on the Inside Firewall egress interface ? How are you testing the traffic.

Also , have you configured a route on the Secondary Firewall for this subnet ?

I think some relevant configuration on this issue would be required to look into this issue in a bit more detail.

Thanks and Regards,

Vibohr Amrodia

cooper.dan · ‎07-14-2015

Hi Vibor

The secondary firewall (.2) is the ISP firewall and have been reliably informed that the necessary routes for our source subnet (1.1.1.128/29) are in place.

This is not yet a live service so all ip and icmp are open to any host on any interface.

The Nat statements I have in place on my firewall are:

object network INSIDE_NETWORK_10.0.0.0
subnet 10.0.0.0 255.0.0.0

object network 1net_xlate_128
host 1.1.1.128

nat (INSIDE,1Net) source static INSIDE_NETWORK_10.0.0.0 1net_xlate_128

NAT is established:

NAT from INSIDE:10.0.0.0/8 to 1Net:1.1.1.128
flags sT idle 0:55:48 timeout 0:00:00
NAT from 1Net:0.0.0.0/0 to INSIDE:0.0.0.0/0
flags sIT idle 1:56:46 timeout 0:00:00

Connections are going out but with no bytes. Testing is just pinging at present (which is failing). Packet-tracer is happy.

I just want to know that what I've configured is appropriate in this instance.

Regards Dan

prateek.verma · ‎07-15-2015

Hi Cooper,

Try the following command and check whether it works or not:

no nat (INSIDE,1Net) source static INSIDE_NETWORK_10.0.0.0 1net_xlate_128

nat (INSIDE,1Net) source dynamic INSIDE_NETWORK_10.0.0.0 1net_xlate_128

If it doesn't work please share the packet-tracer ouput.

Regards,

Prateek Verma

cooper.dan · ‎07-15-2015

Prateek,

That worked, thank you.

Could you go into why the static entry failed?

Many Thanks

Dan

prateek.verma · ‎07-15-2015

Hi Dan,

In this scenario you were trying to map a subnet with single ip so it's a dynamic PAT, that's the reason it was not working with static keyword.

Regards,

Prateek Verma

arp-permit-nonconnected issue with back to back firewalls