
ASA 5505-ISP providing DHCP and separate IP block

jeremy.lebeau
Level 1

I have an ASA 5505 that I have been using for a while, but a new ISP is trying to configure my service so that the outside interface has to be configured as DHCP to receive a reserved IP address, and then they will route a separate, non-contiguous block of addresses to that address.

Essentially, they have a DHCP reservation for 1.2.3.4 for my ASA, and then they have 10.2.3.16/28 as a separate block routed to me.

Obviously, I can do my static NAT translations using outside as the address, but I cannot get the separate block of addresses to route through the ASA. Is there a way to do this and get them to work? My ASA is running 7.2(2).

Thanks to anybody for any help you can give.

3 Replies

Jennifer Halim
Cisco Employee

You should be able to use the routed address range from your ISP for NAT translation on your ASA, as long as the ISP has routed that block towards the ASA outside interface.

Just make sure that the ISP has routed that block to your ASA outside interface.

Have you configured any static NAT for that new IP range yet? If you have, you can test accessing it from the outside (assuming that you have an access-list on your outside interface to allow it too), and run a packet capture on the ASA outside interface to see if the traffic is even coming into the ASA.

The access-list on the outside interface can also help determine that (assuming the ACL is specific to that new ip range), and if traffic is hitting the ASA outside interface when you test it, you should see a hit count on the access-list.

The only static NAT statements that I can get to work are in the format of:

          static (inside,outside) tcp outside smtp 192.168.1.1 smtp netmask 255.255.255.255

If I change it to use one of the IP addresses, either the DHCP address or an assigned one, it does not make it through the ASA.

If you have checked the hitcount and also the packet capture on the ASA outside interface, and are seeing no traffic towards that IP range, then it's definitely not an ASA issue. You will need to speak to your ISP and confirm that they have definitely routed that block to the ASA.

If the ASA never receives the traffic, it won't be able to do anything.

Also, did you perform "clear xlate" and "clear arp" after configuring the static translation?


Lastly, just confirming that "no sysopt noproxyarp outside" is configured; this is to ensure that the ASA performs proxy ARP on its outside interface.
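
The checks discussed in this thread, written out as one ASA 7.2 command sequence. This is an added example, not part of the original posts: 10.2.3.17 is a constructed pick from the routed 10.2.3.16/28 block, and the names outside_in, cap_acl and capout are hypothetical.

```cisco
! Assumptions (not from the thread): 10.2.3.17 as the public address,
! and the object names outside_in, cap_acl, capout.

! 1. Static PAT for SMTP using an address from the routed block
static (inside,outside) tcp 10.2.3.17 smtp 192.168.1.1 smtp netmask 255.255.255.255

! 2. Permit only that service inbound on the outside interface.
!    If an ACL is already bound to outside, add the permit line to it
!    instead: access-group replaces the existing binding.
access-list outside_in extended permit tcp any host 10.2.3.17 eq smtp
access-group outside_in in interface outside

! 3. Flush stale translations and ARP entries after changing static NAT.
!    clear xlate tears down connections that use the cleared translations.
clear xlate
clear arp

! 4. Check the proxy ARP setting on outside.
!    A "sysopt noproxyarp outside" line in the output means it is disabled.
show running-config sysopt

! 5. Capture only traffic destined to the new address on outside
access-list cap_acl extended permit tcp any host 10.2.3.17 eq smtp
capture capout access-list cap_acl interface outside

! 6. Test from an external host, then read the evidence:
!    packets in the capture, hitcnt on the ACL entry, the static xlate
show capture capout
show access-list outside_in
show xlate

! 7. Remove the capture and its ACL when finished
no capture capout
no access-list cap_acl
```

An empty capture together with a zero hit count on the outside_in entry is the case the reply describes: the traffic is not arriving at the outside interface, so the routing of the block has to be confirmed with the ISP.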
