cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1056
Views
0
Helpful
6
Replies
joeyhogan
Beginner

ASA 5512X - NAT'd devices cannot access outside network?

Hi everyone!

We got a Cisco ASA 5512X recently to replace our aging ASA 5510. We're intending to use this as the edge device between our network and our ISP's. Our ISP told us to use 12.226.xxx.18/29 as the device's outside address and mask, with a gateway of 12.226.xxx.17. The ISP also gave us the range 12.35.xxx.97/27 to use for our public servers.

I setup static NAT rules for several servers on our inside interface, so that they'll have public IP addresses, and then there's a dynamic NAT rule so that all other devices will simply use the ASA's outside IP address when accessing the Internet:

Partial NAT Rules

object network Skyward

host 10.60.254.80

nat (Inside,Outside) static 12.35.xxx.98

object network AHSWS01-Support

host 10.60.254.90

nat (Inside,Outside) static 12.35.xxx.101

object network AHSWS02-Sharepoint

host 10.60.254.93

nat (Inside,Outside) static 12.35.xxx.100

!

nat (Inside,Outside) after-auto source dynamic any interface

However, what I'm noticing is that when we attempt to swap this device inline, all of the servers which have NAT rules setup cannot access the Internet, nor can they be accessed from the Internet. However, all of the devices without static NAT rules (thus using the dynamic rule) are able to get online without any issue. I've compared the config of this device with our old ASA 5510 (which is running ASA Version 8.0(5)), and didn't find anything that stood out that would be causing this issue.

Is there a step I might've missed, or perhaps something I'm misunderstanding about how NAT works in ASA 8.3 and later? Any help would be greatly appriciated.

Cheers!

Joey

1 ACCEPTED SOLUTION

Accepted Solutions
Eddy Duran
Beginner

Hello Francis,

Try adding this command:

ARP permit-nonconnected

Let me know how it goes.

View solution in original post

6 REPLIES 6
jasonmnichols
Beginner

Did you use the "Public Servers" Method via the ASA to set these up??

Think this now does it all for you including placing an ACL's in the correct places.

I tried that earlier this week and had no luck. My current running-config, however, was setup without the use of "Public Servers" (I instead just created the objects and added access rules by hand), but everything still shows up under the "Public Servers" section of ASDM.

Eddy Duran
Beginner

Hello Francis,

Try adding this command:

ARP permit-nonconnected

Let me know how it goes.

View solution in original post

Hi Eddy!

I'll give that a try tonight, thank you

That did the trick, thanks!

Glad to hear that. You are welcome.