ASA 5510 8.2 (5) PAT issues

lkumar2272
Level 1

Hi,

Need some help with PAT.

I want to use a different public IP address for NAT from the one assigned to the "outside2" interface. Below are the configs that I have used. When I am running "Config - I" (please see below) everything is fine, I am able to browse, ping etc. We run into problems and nothing works when I run "Config - II".

FYI, This asa is also a VPN concentrator.

Ethernet0/0              outside                2X2.X.X.X   255.255.255.248 CONFIG Security-level = 0

Ethernet0/1              inside                  172.x.x.x   255.255.252.0   CONFIG

Ethernet0/2              outside2              1X2.X.X.X   255.255.255.248 CONFIG Security-level = 0

Config - I

It works all fine if I use "interface" with the global command

nat-control

nat (inside) 2 0.0.0.0 0.0.0.0

global (outside2) 2 interface

route outside2 0.0.0.0 0.0.0.0 182.X.X.X 1

Config - II

This one below does not work when I use one of our public IP addresses with the global command.

nat-control

nat (inside) 2 0.0.0.0 0.0.0.0

global (outside2) 2 182.x.x.x

route outside2 0.0.0.0 0.0.0.0 182.X.X.X 1

We still can manage with the interface command, but just want to know if something is wrong with the config. The device is an ASA 5510 running 8.2(5).

As we have nat-control in place, I have also tried putting an ACL from inside to outside2, which did not work either. Please let me know if you need anything. Any help is greatly appreciated.

Thanks,

Kumar

6 Replies

Jouni Forss
VIP Alumni

Hi,

Have you cleared the translations/xlates for the users that use the "interface" after you have changed it to the "182.x.x.x" ?

I can't think of many reasons why it should fail in this situation.

Reasons might be:

  • Proxy ARP has been disabled on the ASA "outside2" interface with command "sysopt noproxyarp outside"
  • The configured IP address is not from the same network as the "outside2" interface's network. And if it's from a different network, it might be that the gateway device doesn't have a route for this IP/subnet towards the current ASA "outside2" IP address

You can use the "packet-tracer" command to confirm that the Dynamic PAT works and that the traffic is allowed by the ASA

For example

packet-tracer input inside tcp 12345 8.8.8.8 80

It should show what translation is applied for the packet (provided that the traffic is allowed)

You can use the following command to view the active translations for a local host

show xlate local

- Jouni

Hi Jouni,

Thanks for your response.

- Yes, I have cleared the translations. No luck with that.

- As far as proxy ARP is concerned, no command is configured. Earlier, I added a manual ARP entry on the ASA for the NATed IP in use; this did not work either.

- IP address is from the same subnet as the interface IP, but the gateway is in a different subnet. For this to work we have added a route.

- Packet-tracer has allow on all the phases.

- When I run "show xlate local" I get

PAT Global 182.x.x.x(41586) Local 172.x.x.x ICMP id 512

Clueless.

Hi,

Do you mean that the gateway IP address of the default route is from a different network/subnet than the interface which the route is for?

route outside2 0.0.0.0 0.0.0.0 182.x.x.x 1

Why would you have such a configuration?

I would imagine that you are using an ISP failover and have 2 default routes configured on the ASA, and the active ISP link's default route is monitored and changed to the failover link when the active/primary one fails?

- Jouni

Hi, Sorry for the confusion.

I meant we have a different route for the IP pool that ISP has assigned to us.

route outside2 182.x.x.x 255.255.255.248 182.x.x.x(gateway) 1

ISP allocated us two different subnets, 182.x.x.x/30 and 182.x.x.x/29. /29 is advertised to outside world with the command above. On ASA we use IPs from /29 subnet.

No, we do not have any failover configured.

Hope this is clear.

Thanks,

Kumar

Hi,

With the failover I didn't mean an ASA failover pair but your 2 OUTSIDE interfaces mentioned in the original post.

With regards to your setup with the 2 public subnets.

You don't need any route for the secondary subnet used on the ASA. The only place where a route is needed is on the ISP router in front of the ASA firewall. That route should then be pointing at the ASA's current OUTSIDE interface IP address.

So let's take an example

  • Public Subnet 1 = 1.1.1.0/30
  • Public Subnet 2 = 2.2.2.0/29

ASA

interface GigabitEthernet0/0

nameif outside

security-level 0

ip add 1.1.1.2 255.255.255.252

route outside 0.0.0.0 0.0.0.0 1.1.1.1

global (outside) 1 interface

global (outside) 2 2.2.2.2

nat (inside) 1 0.0.0.0 0.0.0.0

nat (inside) 2 10.10.10.0 255.255.255.0

static (inside,outside) 2.2.2.3 10.10.10.10 netmask 255.255.255.255

ISP Router

interface GigabitEthernet0/1

description ASA

ip address 1.1.1.1 255.255.255.252

ip route 2.2.2.0 255.255.255.248 1.1.1.2

OR

interface GigabitEthernet0/1

description ASA

ip address 1.1.1.1 255.255.255.252

ip address 2.2.2.1 255.255.255.248 secondary

- Jouni
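As an added illustration (not Jouni's or Kumar's configuration, and not any Cisco tool), a small Python check that applies the reasoning in the replies above: it parses a constructed ASA 8.2 snippet and the matching ISP router snippet and reports whether each explicit global PAT address is deliverable, i.e. either on a subnet the ISP router ARPs for (with proxy ARP still enabled on that ASA interface) or covered by an ISP static route pointing at the ASA's interface IP. All addresses, interface names and config lines are constructed for the example.

```python
import ipaddress
import re

# Constructed sample mirroring the example in the reply above; not anyone's real config.
ASA_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 ip address 1.1.1.2 255.255.255.252
global (outside) 1 interface
global (outside) 2 2.2.2.2
"""
ISP_ROUTER_CONFIG = """
interface GigabitEthernet0/1
 ip address 1.1.1.1 255.255.255.252
ip route 2.2.2.0 255.255.255.248 1.1.1.2
"""

def parse(cfg):
    # Pull out what the reachability question needs; ASA and IOS lines are distinct enough to share one pass
    d = {"ifaces": {}, "connected": [], "routes": [], "pat": [], "noproxy": set()}
    name = None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"nameif (\S+)$", line):
            name = m[1]
        elif m := re.match(r"ip address (\S+) (\S+)", line):  # primary or secondary, full netmask form
            ip = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            d["connected"].append(ip.network)
            if name:
                d["ifaces"][name] = ip
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            d["routes"].append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_address(m[3])))
        elif (m := re.match(r"global \((\S+)\) \d+ (\S+)", line)) and m[2] != "interface":
            d["pat"].append((m[1], ipaddress.ip_address(m[2])))
        elif m := re.match(r"sysopt noproxyarp (\S+)", line):
            d["noproxy"].add(m[1])
    return d

def audit_pat(asa_cfg, isp_cfg):
    # One finding per explicit global PAT address the ISP router cannot deliver packets to; [] = looks fine
    asa, isp = parse(asa_cfg), parse(isp_cfg)
    findings = []
    for ifname, gip in asa["pat"]:
        iface = asa["ifaces"][ifname]
        on_link = any(gip in n for n in isp["connected"])  # ISP router will ARP for it on the link
        if on_link and ifname in asa["noproxy"]:
            findings.append(f"{gip}: ISP will ARP for it but proxy ARP is disabled on {ifname}")
        elif not on_link and not any(gip in n and nh == iface.ip for n, nh in isp["routes"]):
            findings.append(f"{gip}: off-link and the ISP router has no route to it via {iface.ip}")
    return findings
```

Call `audit_pat(ASA_CONFIG, ISP_ROUTER_CONFIG)` to get the list of findings; the sample pair returns an empty list, and removing the ISP `ip route` line produces the "no route" finding.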

Hi,

Yes, you are right and this is what I expected when the ISP gave this subnet. But it did not work until we added this command. I might have to test it again removing the route which I added.

Anyway, good to know how it's done.

Thanks,

Kumar
