05-17-2013 07:39 AM - edited 03-11-2019 06:45 PM
Hi everyone!
We got a Cisco ASA 5512X recently to replace our aging ASA 5510. We're intending to use this as the edge device between our network and our ISP's. Our ISP told us to use 12.226.xxx.18/29 as the device's outside address and mask, with a gateway of 12.226.xxx.17. The ISP also gave us the range 12.35.xxx.97/27 to use for our public servers.
I set up static NAT rules for several servers on our inside interface, so that they'll have public IP addresses, and then there's a dynamic NAT rule so that all other devices will simply use the ASA's outside IP address when accessing the Internet:
Partial NAT Rules:
object network Skyward
 host 10.60.254.80
 nat (Inside,Outside) static 12.35.xxx.98
object network AHSWS01-Support
 host 10.60.254.90
 nat (Inside,Outside) static 12.35.xxx.101
object network AHSWS02-Sharepoint
 host 10.60.254.93
 nat (Inside,Outside) static 12.35.xxx.100
!
nat (Inside,Outside) after-auto source dynamic any interface
However, what I'm noticing is that when we attempt to swap this device inline, all of the servers which have NAT rules set up cannot access the Internet, nor can they be accessed from the Internet. However, all of the devices without static NAT rules (thus using the dynamic rule) are able to get online without any issue. I've compared the config of this device with our old ASA 5510 (which is running ASA Version 8.0(5)), and didn't find anything that stood out that would be causing this issue.
Is there a step I might've missed, or perhaps something I'm misunderstanding about how NAT works in ASA 8.3 and later? Any help would be greatly appreciated.
Cheers!
Joey
05-17-2013 07:50 AM
Hello Francis,
Try adding this command:
arp permit-nonconnected
Let me know how it goes.
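A quick check of the condition behind this fix, added here as an example and not part of the thread or of any Cisco tool: it parses object-NAT lines in the form shown in the original post (the thread's xxx octet replaced with 0 as a constructed placeholder) and flags mapped addresses that lie outside the outside interface's subnet. Those are the addresses the ASA will not answer ARP for unless `arp permit-nonconnected` is configured (or the upstream router has a route for the block pointing at the ASA). Function and variable names are my own.

```python
import ipaddress
import re

# Constructed sample mirroring the thread: outside interface on a /29, static NAT
# mapped addresses in a separate /27, plus one on-subnet mapping for contrast.
OUTSIDE_INTERFACE = "12.226.0.18/29"   # constructed placeholder for 12.226.xxx.18/29
SAMPLE_CONFIG = """\
object network Skyward
 host 10.60.254.80
 nat (Inside,Outside) static 12.35.0.98
object network AHSWS01-Support
 host 10.60.254.90
 nat (Inside,Outside) static 12.35.0.101
object network OnSubnet-Test
 host 10.60.254.99
 nat (Inside,Outside) static 12.226.0.19
!
nat (Inside,Outside) after-auto source dynamic any interface
"""

# Matches the IP-address form of a static object NAT line (not the object-name form).
STATIC_NAT_RE = re.compile(r"nat\s+\(\S+,\S+\)\s+static\s+(\d+\.\d+\.\d+\.\d+)")


def static_mapped_addresses(config_text):
    """Return the mapped (public) IPv4 address of every static object NAT rule."""
    return [ipaddress.ip_address(m.group(1)) for m in STATIC_NAT_RE.finditer(config_text)]


def nonconnected_mapped(config_text, interface_cidrs):
    """Mapped addresses that fall outside every listed interface subnet.

    The ASA will not proxy-ARP for these by default, so a neighbour that ARPs
    for them (the ISP router here) gets no answer and the servers are unreachable."""
    nets = [ipaddress.ip_network(c, strict=False) for c in interface_cidrs]
    return [str(a) for a in static_mapped_addresses(config_text)
            if not any(a in n for n in nets)]


def needs_arp_permit_nonconnected(config_text, interface_cidrs):
    """True when off-subnet mapped addresses exist and the command is absent."""
    flagged = nonconnected_mapped(config_text, interface_cidrs)
    has_cmd = re.search(r"^\s*arp permit-nonconnected\s*$", config_text, re.M) is not None
    return bool(flagged) and not has_cmd


if __name__ == "__main__":
    print("off-subnet mapped addresses:", nonconnected_mapped(SAMPLE_CONFIG, [OUTSIDE_INTERFACE]))
    print("add arp permit-nonconnected?", needs_arp_permit_nonconnected(SAMPLE_CONFIG, [OUTSIDE_INTERFACE]))
```

The same check works for any interface list, so a DMZ or secondary outside subnet can be passed alongside the primary one.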
05-17-2013 07:45 AM
Did you use the "Public Servers" method via the ASA to set these up?
I think this now does it all for you, including placing the ACLs in the correct places.
05-17-2013 07:58 AM
I tried that earlier this week and had no luck. My current running-config, however, was set up without the use of "Public Servers" (I instead just created the objects and added access rules by hand), but everything still shows up under the "Public Servers" section of ASDM.
05-17-2013 08:00 AM
Hi Eddy!
I'll give that a try tonight, thank you.
05-20-2013 06:19 AM
That did the trick, thanks!
05-20-2013 07:43 PM
Glad to hear that. You are welcome.