12-10-2012 06:49 AM - edited 03-11-2019 05:35 PM
I have LAN connectivity issues after replacing a PIX506 with an ASA 5505 8.4(3)
OK some background:
"Current Network diagram"
Netgear Router >>>> Cisco 506E >>>> HP procurve switch >>>>> 4 servers and 30 odd devices.
Status:
All devices and servers can ping and contact each other fine.
"Replacement Network diagram"
Netgear Router >>>> Cisco ASA 5505 8.4(3) >>>> HP procurve switch >>>>> 4 servers and 30 odd devices.
Status:
Intermittent ping problems between servers and devices, loss of Exchange connectivity from PCs to servers.
What I have tried:
Removed all devices and switches from the loop, connected two servers and a laptop directly to the ASA interfaces and the ping issues still occur.
I have tried setting the duplex and interface speeds manually, etc. I put the 506E in and it works fine. Replaced with an identical ASA (but 8.4(4)) and get the same error.
Can you help, have I missed something obvious?
Please find the ASA config below,
Many Thanks,
Dan.
Config:
: Saved
:
ASA Version 8.4(4)
!
hostname TECHFW01
domain-name TECHFW.co.uk
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 195.140.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
!
ftp mode passive
dns server-group DefaultDNS
domain-name TECHFW.co.uk
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-195.140.10.14
host 195.140.10.14
object network obj-195.140.10.14-02
host 195.140.10.14
object network obj-195.140.10.14-03
host 195.140.10.14
object network obj-195.140.10.15
host 195.140.10.15
object network obj-195.140.10.57
host 195.140.10.57
object network obj-195.140.10.9
host 195.140.10.9
object network obj-195.140.10.14-01
host 195.140.10.14
object network VPNCLIENTS
subnet 10.1.1.0 255.255.255.0
object network INTRANGE
subnet 195.140.10.0 255.255.255.0
object network TECHHOUSE
subnet 192.168.0.0 255.255.255.0
access-list SERVICES extended permit tcp xxx.xxx.xxx.xxx 255.255.255.0 object obj-195.140.10.14 eq smtp
access-list SERVICES extended permit tcp xxx.xxx.xxx.xxx 255.255.255.0 object obj-195.140.10.14-01 eq ldap
access-list SERVICES extended permit tcp xxx.xxx.xxx.xxx 255.255.255.0 object obj-195.140.10.14-02 eq ldaps
access-list SERVICES extended permit tcp xxx.xxx.xxx.xxx 255.255.255.224 object obj-195.140.10.14 eq smtp
access-list SERVICES extended permit tcp xxx.xxx.xxx.xxx 255.255.255.224 object obj-195.140.10.14-01 eq ldap
access-list SERVICES extended permit tcp xxx.xxx.xxx.xxx 255.255.255.224 object obj-195.140.10.14-02 eq ldaps
access-list SERVICES extended permit tcp host xxx.xxx.xxx.xxx object obj-195.140.10.15 eq 3389
access-list SERVICES extended permit tcp any object obj-195.140.10.14-03 eq https
access-list SERVICES extended permit tcp any object obj-195.140.10.57 eq 10622
access-list SERVICES extended permit tcp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit tcp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit tcp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit tcp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit tcp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit tcp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit tcp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit tcp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit udp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit udp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit udp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit udp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit udp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit udp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit udp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SERVICES extended permit udp host xxx.xxx.xxx.xxx object obj-195.140.10.9 range 15000 15200
access-list SPTNL extended permit ip 195.140.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list TECHTNL extended permit ip 195.140.10.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RAS-TECHVC 10.1.1.1-10.1.1.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,any) source static INTRANGE INTRANGE destination static VPNCLIENTS VPNCLIENTS
nat (inside,any) source static INTRANGE INTRANGE destination static TECHOUSE TECHOUSE
!
object network obj_any
nat (inside,outside) dynamic interface
object network obj-195.140.10.14
nat (inside,outside) static xxx.xxx.xxx.xxx service tcp smtp smtp
object network obj-195.140.10.14-02
nat (inside,outside) static xxx.xxx.xxx.xxx service tcp ldaps ldaps
object network obj-195.140.10.14-03
nat (inside,outside) static xxx.xxx.xxx.xxx service tcp https https
object network obj-195.140.10.15
nat (inside,outside) static xxx.xxx.xxx.xxx service tcp 3389 3389
object network obj-195.140.10.57
nat (inside,outside) static interface service tcp 10622 10622
object network obj-195.140.10.9
nat (inside,outside) static xxx.xxx.xxx.xxx
object network obj-195.140.10.14-01
nat (inside,outside) static xxx.xxx.xxx.xxx service tcp ldap ldap
access-group SERVICES in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 195.140.10.0 255.255.255.0 inside
http xxx.xxx.xxx.xxx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set TECHVCSET esp-3des esp-md5-hmac
crypto dynamic-map dynmap 100 set ikev1 transform-set TECHSET
crypto map TECHFW-MAP 1 match address TECHTNL
crypto map TECHFW-MAP 1 set peer xxx.xxx.xxx.xxx
crypto map TECHFW-MAP 1 set ikev1 transform-set TECHSET
crypto map TECHFW-MAP 100 ipsec-isakmp dynamic dynmap
crypto map TECHFW-MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 195.140.10.0 255.255.255.0 inside
telnet timeout 5
ssh 195.140.10.0 255.255.255.0 inside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh timeout 10
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy TECHGOORAS internal
group-policy TECHGOORAS attributes
wins-server value 195.140.10.14 195.140.10.15
dns-server value 195.140.10.14 195.140.10.15
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPTNL
default-domain value TECHFW.co.uk
tunnel-group TECHGOORAS type remote-access
tunnel-group TECHGOORAS general-attributes
address-pool RAS-TECHVC
default-group-policy TECHGOORAS
tunnel-group TECHGOORAS ipsec-attributes
ikev1 pre-shared-key *****
ikev1 user-authentication none
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:35fb6bb122770cbf36ef04a95c14bb66
: end
12-10-2012 08:12 AM
Can't see anything wrong with the configuration, except that you might want to change the following static NAT:
from:
nat (inside,any) source static INTRANGE INTRANGE destination static VPNCLIENTS VPNCLIENTS
nat (inside,any) source static INTRANGE INTRANGE destination static TECHOUSE TECHOUSE
to:
nat (inside,outside) source static INTRANGE INTRANGE destination static VPNCLIENTS VPNCLIENTS
nat (inside,outside) source static INTRANGE INTRANGE destination static TECHOUSE TECHOUSE
then "clear xlate"
also disable proxy arp on the inside interface:
sysopt noproxyarp inside
12-11-2012 01:44 AM
Hi Jennifer,
Thanks for your prompt reply!
sysopt noproxyarp inside
Why is this needed in my case? I have put it in and it has made a difference on my testbed: I can ping devices that I could not before. I will be putting it back into production to test later this week. I'm just not sure what this line is doing with regard to my config, as the NATting is pretty simple. Or is this always necessary in a post-ASA 8.3 environment?
The Nat translations you listed were a typo I put in when changing the config to put on the forums, oops.
Thanks again,
Dan.
12-11-2012 01:52 AM
Hi,
To my understanding if the "sysopt noproxyarp
- Jouni
12-11-2012 02:34 AM
Proxy ARP is always enabled by default; you might have disabled it on your PIX before.
Jouni's explanation is correct, as the ASA might reply to an ARP query with its own MAC address. But remember not to disable it on the outside interface, as normally you have NAT configured on the outside, and the ASA needs to proxy ARP for those NATed public IPs.
12-11-2012 02:58 AM
Thanks to you both!
It makes more sense after your explanations.
I have found the line is in place on the Pix506, however, as I wrote the ASA config from scratch I did not include the line.
It appears, as you say, that it is enabled by default on PIX and early ASAs, but it was definitely not default on either the 8.4(3) or 8.4(4) version devices I have. I will make sure to add it to all future configurations and retrofit it to all other 8.4 devices I have already put in place (which strangely have no issues even without the line in place).
Edit: After further tests, I have used an ASA 7.2(4) device and it does not have the LAN connectivity issues or loss of pings with or without the sysopt noproxyarp inside line in place. So it seems that it is definitely only an issue (possibly due to the new NATting?) on 8.3+ ASA versions. With my 8.4 version, literally as soon as I take the line out, I get weird ping drops again; put it back in and it is fine.
12-11-2012 03:45 AM
Hi,
ASA and PIX, to my understanding, do Proxy ARP by default. The command you enter on the firewall is to counter that operation, as it has "noproxyarp".
Maybe a packet capture on a test computer with Wireshark might shed some light on what's different when the Proxy ARP is either enabled (default) or disabled (with the command).
Also one thing to note with the "sysopt" commands: IF the setting is on default you will NOT see a sysopt command in the running config.
- Jouni
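The packet capture Jouni suggests above can be checked mechanically. The Python below is an added example, not code from the thread or from Cisco: it parses ARP-reply summary lines (a constructed "<seconds> <ip> is at <mac>" format, loosely modelled on a capture tool's summary column, not a real capture) and flags any inside address that is claimed both by a host's own MAC and by the firewall's MAC. That double answer is the symptom a proxy-ARP-enabled inside interface produces on the same segment as the hosts, and it explains intermittent pings: whichever reply lands last wins the ARP cache. The firewall MAC and all host MACs are made-up placeholders; only the 195.140.10.x addresses come from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical MAC for the ASA's inside (Vlan1) interface; a placeholder, not a
# value from the thread.
FIREWALL_MAC = "00:aa:bb:cc:dd:01"

# Constructed sample of ARP replies seen on the inside LAN, one per line:
# "<seconds> <ip> is at <mac>". Not a real capture; the host MACs are made up.
# 195.140.10.14 and .57 are answered twice (host, then firewall); .15 is answered
# once; .1 is the firewall's own address, so its reply is legitimate.
SAMPLE_REPLIES = """\
0.010 195.140.10.14 is at 00:11:22:33:44:14
0.012 195.140.10.14 is at 00:aa:bb:cc:dd:01
0.500 195.140.10.15 is at 00:11:22:33:44:15
1.200 195.140.10.57 is at 00:11:22:33:44:57
1.203 195.140.10.57 is at 00:aa:bb:cc:dd:01
2.000 195.140.10.1 is at 00:aa:bb:cc:dd:01
this line is noise and is skipped
"""

REPLY_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_replies(text):
    """Parse summary lines into (time, ip, mac) tuples; malformed lines are skipped."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            replies.append((float(m["t"]), m["ip"], m["mac"].lower()))
    return replies


def answering_macs(replies):
    """Map each IP to the set of MACs that claimed it in an ARP reply."""
    macs = defaultdict(set)
    for _, ip, mac in replies:
        macs[ip].add(mac)
    return macs


def conflicting_ips(replies):
    """IPs claimed by more than one MAC, in numeric address order."""
    conflicts = [ip for ip, macs in answering_macs(replies).items() if len(macs) > 1]
    return sorted(conflicts, key=ipaddress.ip_address)


def proxy_arp_suspects(replies, firewall_mac):
    """IPs claimed by a real host AND by the firewall: the proxy-ARP signature.

    An IP answered only by the firewall (its own interface address, or a host
    that is genuinely behind it) is not flagged.
    """
    fw = firewall_mac.lower()
    suspects = [
        ip for ip, macs in answering_macs(replies).items()
        if fw in macs and (macs - {fw})
    ]
    return sorted(suspects, key=ipaddress.ip_address)


if __name__ == "__main__":
    parsed = parse_replies(SAMPLE_REPLIES)
    by_ip = answering_macs(parsed)
    for ip in proxy_arp_suspects(parsed, FIREWALL_MAC):
        hosts = sorted(by_ip[ip] - {FIREWALL_MAC})
        print(f"{ip}: answered by host {hosts} and by firewall {FIREWALL_MAC}")
```

Run against a real capture, the input would be a summary export of ARP replies from the inside segment, taken once with the default setting and once after `sysopt noproxyarp inside` (or the per-rule `no-proxy-arp` keyword); the suspects list should be empty in the second run.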
12-11-2012 11:05 PM
(8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You cannot configure this setting.
(8.4(2) and later) The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired.
Instead of the sysopt command, I would suggest adding no-proxy-arp keyword to the identity NAT commands:
nat (inside,outside) source static INTRANGE INTRANGE destination static VPNCLIENTS VPNCLIENTS no-proxy-arp
nat (inside,outside) source static INTRANGE INTRANGE destination static TECHOUSE TECHOUSE no-proxy-arp
From 8.4(2), identity NAT lines should always contain no-proxy-arp (and route-lookup if 'any' interface is used).