ASA 5505 8.4(3) inter LAN connectivity issues

danparsons (Level 1)

I have LAN connectivity issues after replacing a PIX506 with an ASA 5505 8.4(3)

OK some background:

"Current Network diagram"

Netgear Router >>>> Cisco 506E >>>> HP procurve switch >>>>> 4 servers and 30 odd devices.

Status:

All devices and servers can ping and contact each other fine.

"Replacement Network diagram"

Netgear Router >>>> Cisco ASA 5505 8.4(3) >>>> HP procurve switch >>>>> 4 servers and 30 odd devices.

Status:

Intermittent ping problems between servers and devices, loss of Exchange connectivity from PCs to servers.

What I have tried:

Removed all devices and switches from the loop, connected two servers and a laptop directly to the ASA interfaces and the ping issues still occur.

I have tried setting the duplex and interface speeds manually, etc. I put the 506E in and it works fine. I replaced it with an identical ASA (but 8.4(4)) and got the same error.

Can you help, have I missed something obvious?

Please find the ASA config below,

Many Thanks,

Dan.

Config:

: Saved
:
ASA Version 8.4(4)
!
hostname TECHFW01
domain-name TECHFW.co.uk
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 195.140.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
ftp mode passive
dns server-group DefaultDNS
 domain-name TECHFW.co.uk
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-195.140.10.14
 host 195.140.10.14
object network obj-195.140.10.14-02
 host 195.140.10.14
object network obj-195.140.10.14-03
 host 195.140.10.14
object network obj-195.140.10.15
 host 195.140.10.15
object network obj-195.140.10.57
 host 195.140.10.57
object network obj-195.140.10.9
 host 195.140.10.9
object network obj-195.140.10.14-01
 host 195.140.10.14
object network VPNCLIENTS
 subnet 10.1.1.0 255.255.255.0
object network INTRANGE
 subnet 195.140.10.0 255.255.255.0
object network TECHHOUSE
 subnet 192.168.0.0 255.255.255.0
access-list SERVICES extended permit tcp xxx.xxx.xxx.xxx 255.255.255.0 object obj-195.140.10.14 eq smtp
access-list SERVICES extended permit tcp xxx.xxx.xxx.xxx 255.255.255.0 object obj-195.140.10.14-01 eq ldap
access-list SERVICES extended permit tcp xxx.xxx.xxx.xxx 255.255.255.0 object obj-195.140.10.14-02 eq ldaps
access-list SERVICES extended permit tcp xxx.xxx.xxx.xxx 255.255.255.224 object obj-195.140.10.14 eq smtp
access-list SERVICES extended permit tcp xxx.xxx.xxx.xxx 255.255.255.224 object obj-195.140.10.14-01 eq ldap
access-list SERVICES extended permit tcp xxx.xxx.xxx.xxx 255.255.255.224 object obj-195.140.10.14-02 eq ldaps
access-list SERVICES extended permit tcp host xxx.xxx.xxx.xxx object obj-195.140.10.15 eq 3389
access-list SERVICES extended permit tcp any object obj-195.140.10.14-03 eq https
access-list SERVICES extended permit tcp any object obj-195.140.10.57 eq 10622
access-list SERVICES extended permit tcp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit tcp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit tcp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit tcp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit tcp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit tcp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit tcp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit tcp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit udp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit udp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit udp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit udp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit udp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit udp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit udp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit udp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SPTNL extended permit ip 195.140.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list TECHTNL extended permit ip 195.140.10.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RAS-TECHVC 10.1.1.1-10.1.1.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,any) source static INTRANGE INTRANGE destination static VPNCLIENTS VPNCLIENTS
nat (inside,any) source static INTRANGE INTRANGE destination static TECHOUSE TECHOUSE
!
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-195.140.10.14
 nat (inside,outside) static xxx.xxx.xxx.xxx service tcp smtp smtp
object network obj-195.140.10.14-02
 nat (inside,outside) static xxx.xxx.xxx.xxx service tcp ldaps ldaps
object network obj-195.140.10.14-03
 nat (inside,outside) static xxx.xxx.xxx.xxx service tcp https https
object network obj-195.140.10.15
 nat (inside,outside) static xxx.xxx.xxx.xxx service tcp 3389 3389
object network obj-195.140.10.57
 nat (inside,outside) static interface service tcp 10622 10622
object network obj-195.140.10.9
 nat (inside,outside) static xxx.xxx.xxx.xxx
object network obj-195.140.10.14-01
 nat (inside,outside) static xxx.xxx.xxx.xxx service tcp ldap ldap
access-group SERVICES in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 195.140.10.0 255.255.255.0 inside
http xxx.xxx.xxx.xxx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set TECHVCSET esp-3des esp-md5-hmac
crypto dynamic-map dynmap 100 set ikev1 transform-set TECHSET
crypto map TECHFW-MAP 1 match address TECHTNL
crypto map TECHFW-MAP 1 set peer xxx.xxx.xxx.xxx
crypto map TECHFW-MAP 1 set ikev1 transform-set TECHSET
crypto map TECHFW-MAP 100 ipsec-isakmp dynamic dynmap
crypto map TECHFW-MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 195.140.10.0 255.255.255.0 inside
telnet timeout 5
ssh 195.140.10.0 255.255.255.0 inside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh timeout 10
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy TECHGOORAS internal
group-policy TECHGOORAS attributes
 wins-server value 195.140.10.14 195.140.10.15
 dns-server value 195.140.10.14 195.140.10.15
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPTNL
 default-domain value TECHFW.co.uk
tunnel-group TECHGOORAS type remote-access
tunnel-group TECHGOORAS general-attributes
 address-pool RAS-TECHVC
 default-group-policy TECHGOORAS
tunnel-group TECHGOORAS ipsec-attributes
 ikev1 pre-shared-key *****
 ikev1 user-authentication none
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:35fb6bb122770cbf36ef04a95c14bb66
: end


7 Replies

Jennifer Halim (Cisco Employee)

Can't see anything wrong with the configuration, except, you might want to change the following static NAT:

from:

nat (inside,any) source static INTRANGE INTRANGE destination static VPNCLIENTS VPNCLIENTS

nat (inside,any) source static INTRANGE INTRANGE destination static TECHOUSE TECHOUSE

to:

nat (inside,outside) source static INTRANGE INTRANGE destination static VPNCLIENTS VPNCLIENTS

nat (inside,outside) source static INTRANGE INTRANGE destination static TECHOUSE TECHOUSE

then "clear xlate"

also disable proxy arp on the inside interface:

sysopt noproxyarp inside

Hi Jennifer,

Thanks for your prompt reply!

sysopt noproxyarp inside

Why is this needed in my case? I have put it in and it has made a difference on my testbed; I can ping devices that I could not before. I will be putting it back into production to test later this week. I'm just not sure what this line is doing with regard to my config, as the NATting is pretty simple. Or is this always necessary in a post-ASA-8.3 environment?

The NAT translations you listed were a typo I put in when changing the config to put on the forums, oops.

Thanks again,

Dan.

Hi,

To my understanding, if "sysopt noproxyarp" isn't enabled the ASA might reply to an ARP query even though it doesn't "own" the IP address. I usually enable this when an L2 segment is directly connected to some ASA interface/subinterface.

- Jouni

Proxy ARP is always enabled by default; you might have disabled it on your PIX before.

Jouni's explanation is correct, as the ASA might reply to an ARP query with its own MAC address. But remember not to disable it on the outside interface, as normally you have NAT configured on the outside and the ASA needs to proxy ARP for those NATed public IPs.

Thanks to you both!

It makes more sense after your explanations.

I have found the line is in place on the PIX 506; however, as I wrote the ASA config from scratch, I did not include the line.

It appears, as you say, that it is enabled by default on PIX and early ASAs, but it was definitely not the default on either the 8.4(3) or 8.4(4) version devices I have. I will ensure I add it to all future configurations and retrofit it to all other 8.4 devices I have already put in place (which strangely have no issues even without the line in place).

Edit: After further tests, I have used an ASA 7.2(4) device and it does not have the LAN connectivity issues or loss of pings, with or without the sysopt noproxyarp inside line in place. So it seems that it is definitely only an issue (possibly due to the new NATting?) on 8.3+ ASA versions. With my 8.4 version, literally as soon as I take the line out I get weird ping drops again; put it back in and it is fine.

Hi,

ASA and PIX, to my understanding, do proxy ARP by default. The command you enter on the firewall is there to counter that operation, as it says "noproxyarp".

Maybe a packet capture on a test computer with Wireshark might shed some light on what's different when proxy ARP is either enabled (default) or disabled (with the command).

Also, one thing to note with the "sysopt" commands: if the setting is at its default, you will NOT see a sysopt command in the running config.

- Jouni
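The capture suggested above can be checked mechanically. This added example (not from the thread) parses ARP replies in the text form `tcpdump -e -n arp` prints and reports any inside IP that more than one MAC claims, singling out claims made by the firewall's own MAC; the MAC addresses and the capture lines are constructed, and the firewall MAC is a hypothetical value.

```python
"""Spot a firewall answering ARP for LAN hosts it does not own (added example)."""
import re
from collections import defaultdict

# Matches the "Reply <ip> is-at <mac>" part of a tcpdump -e -n arp line.
ARP_REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})")

# Constructed capture: MACs are made up; 195.140.10.x is the inside subnet from
# the posted config. Line 3 is the symptom under discussion: the firewall's MAC
# answers for 195.140.10.15, which belongs to another host on the segment.
FW_MAC = "00:11:22:aa:bb:01"  # hypothetical MAC of the ASA inside VLAN
FW_IPS = {"195.140.10.1"}      # addresses the ASA legitimately owns on this segment
SAMPLE_CAPTURE = """\
00:11:22:aa:bb:01 > 00:aa:bb:00:00:14, ethertype ARP (0x0806), length 60: Reply 195.140.10.1 is-at 00:11:22:aa:bb:01, length 46
00:aa:bb:00:00:15 > 00:aa:bb:00:00:14, ethertype ARP (0x0806), length 60: Reply 195.140.10.15 is-at 00:aa:bb:00:00:15, length 46
00:11:22:aa:bb:01 > 00:aa:bb:00:00:14, ethertype ARP (0x0806), length 60: Reply 195.140.10.15 is-at 00:11:22:aa:bb:01, length 46
00:aa:bb:00:00:09 > 00:aa:bb:00:00:14, ethertype ARP (0x0806), length 60: Reply 195.140.10.9 is-at 00:aa:bb:00:00:09, length 46
"""


def parse_arp_replies(text):
    """Return (ip, mac) for every ARP reply line in the capture text."""
    return [(m.group(1), m.group(2)) for m in ARP_REPLY_RE.finditer(text)]


def find_conflicts(replies):
    """Map each IP to the set of MACs that claimed it; keep only IPs with more than one."""
    claims = defaultdict(set)
    for ip, mac in replies:
        claims[ip].add(mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def proxied_by_firewall(replies, fw_mac, fw_ips):
    """IPs the firewall's MAC answered for although it does not own them."""
    return sorted({ip for ip, mac in replies if mac == fw_mac and ip not in fw_ips})


if __name__ == "__main__":
    replies = parse_arp_replies(SAMPLE_CAPTURE)
    print("IPs claimed by more than one MAC:", find_conflicts(replies))
    print("IPs proxied by the firewall:", proxied_by_firewall(replies, FW_MAC, FW_IPS))
```

A host that caches the firewall's MAC for a peer's address sends that peer's traffic to the ASA instead, which is the intermittent ping loss described in the question.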

http://www.cisco.com/en/US/partner/docs/security/asa/asa84/configuration/guide/nat_overview.html#wp1165189

(8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You cannot configure this setting.

(8.4(2) and later) The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired.

Instead of the sysopt command, I would suggest adding the no-proxy-arp keyword to the identity NAT commands:

nat (inside,outside) source static INTRANGE INTRANGE destination static VPNCLIENTS VPNCLIENTS no-proxy-arp

nat (inside,outside) source static INTRANGE INTRANGE destination static TECHOUSE TECHOUSE no-proxy-arp

From 8.4(2), identity NAT lines should always contain no-proxy-arp (and route-lookup if 'any' interface is used).
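The rule just stated can be turned into a check run against a running config before an 8.4(2)+ unit goes into production. This added example (not from the thread or from Cisco) flags twice-NAT lines whose real and mapped objects are the same (identity NAT) and that lack no-proxy-arp, or route-lookup when the mapped interface is 'any'; the sample input is the two NAT lines from the posted config and their corrected form.

```python
"""Audit ASA 8.4(2)+ twice-NAT lines for identity NAT missing no-proxy-arp (added example)."""
import re

# Twice-NAT "source static" lines; object NAT lines under "object network" do not match.
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) source static "
    r"(?P<real>\S+) (?P<mapped>\S+)"
    r"(?: destination static (?P<dreal>\S+) (?P<dmapped>\S+))?"
    r"(?P<opts>.*)$"
)


def audit_identity_nat(config_text):
    """Return one finding per identity-NAT line that lacks the required keywords."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if not m or m["real"] != m["mapped"]:
            continue  # not twice-NAT, or a real translation rather than identity NAT
        opts = m["opts"].split()
        missing = [] if "no-proxy-arp" in opts else ["no-proxy-arp"]
        if m["mapped_if"] == "any" and "route-lookup" not in opts:
            missing.append("route-lookup")
        if missing:
            findings.append({"line": line, "missing": missing,
                             "fixed": line + " " + " ".join(missing)})
    return findings


# NAT lines as posted in the question (the object name TECHOUSE is kept exactly as posted).
POSTED_NAT = """\
nat (inside,any) source static INTRANGE INTRANGE destination static VPNCLIENTS VPNCLIENTS
nat (inside,any) source static INTRANGE INTRANGE destination static TECHOUSE TECHOUSE
"""
# The corrected form from the answer above.
FIXED_NAT = """\
nat (inside,outside) source static INTRANGE INTRANGE destination static VPNCLIENTS VPNCLIENTS no-proxy-arp
nat (inside,outside) source static INTRANGE INTRANGE destination static TECHOUSE TECHOUSE no-proxy-arp
"""

if __name__ == "__main__":
    for f in audit_identity_nat(POSTED_NAT):
        print("missing", f["missing"], "->", f["fixed"])
    print("findings on corrected lines:", audit_identity_nat(FIXED_NAT))
```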
