08-25-2011 08:58 AM - edited 03-11-2019 02:17 PM
Hi everyone,
(First time posting so bear with me please)
We have a new Cisco ASA 5550 that I am trying to configure. We are currently using a Borderware firewall.
We have multiple external IP addresses and I can NAT traffic from all except for our external interface IP address.
When watching the packets in the ASDM monitor, if the IP address is our external IP then I see nothing unless it is ICMP. I can ping the IP address, I just cannot do anything else with it.
All the rest of our provided IP addresses can be NATed and work correctly.
Traffic for our external interface IP does show up when we use the borderware firewall so we know the traffic is getting here.
Any suggestions? Request parts of our config if you wish to see that.
Regards
Glen
08-25-2011 09:03 AM
Yes Glen, can you provide the configuration that you have for the external interface IP? NATting to the outside IP is possible, but I need to know how you are doing it and what traffic you are testing with.
-Varun
08-25-2011 09:34 AM
Hi Varun
External interface is set up as such:
!
interface GigabitEthernet0/0
description Internet facing interface
nameif External
security-level 0
ip address External_IP 255.255.255.0
!
where External_IP = 131.203.252.154
I have been testing using port 25 mainly, but the port in this case doesn't matter. I'd love to see traffic on any port being denied, as then I could set up the NAT and have it work.
Port 25 is currently being allowed for "any" via an ACL.
Regards
Glen
08-25-2011 09:49 AM
Hi Glen,
You should enable logging, and then you will see in "show logging" the packets that have been denied due to configured rules. Right now, even if you have port 25 open but no port translation/NAT for it, the firewall will quietly drop that packet, and it should show it in information-level logging.
If the IP you mentioned above is your real IP, then all I am seeing from outside is this:
[root@x-mailermanish01 ~]# nmap -sS -O -p 20-500 131.203.252.154
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-08-25 11:28 MDT
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 481 scanned ports on smtp.napier.govt.nz (131.203.252.154) are filtered
Too many fingerprints match this host to give specific OS details
Nmap finished: 1 IP address (1 host up) scanned in 114.105 seconds
Manish
08-25-2011 09:53 AM
Hi Glen,
Does your ACL look something like this?
access-list test extended permit tcp any host 131.203.252.154 eq 25
access-group test in interface outside
I guess a bit more info regarding what ACL you have applied would help. You can use captures to trap the packets on the outside interface:
https://supportforums.cisco.com/docs/DOC-1222
Thanks,
Varun
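Putting Manish's logging advice and Varun's ACL and capture suggestions together, here is an added example configuration for the case in the thread: publishing TCP/25 on the External interface's own address. It is written by the editor, not taken from any of the posters or from Glen's device, and it assumes ASA 8.3 or later object-NAT syntax, an inside interface named "inside", a hypothetical internal mail server at 10.1.1.25, and a hypothetical external client at 203.0.113.10 (a documentation-range address). The pre-8.3 equivalent is shown in the trailing comments.

```cisco
! Added example, not from the original thread. Assumes ASA 8.3+ object NAT,
! an interface named "inside", a hypothetical mail server 10.1.1.25 and the
! outside interface named External as in Glen's config (131.203.252.154).

! 1. Logging, so that packets dropped for lack of a translation or by an
!    ACL show up in "show logging".
logging enable
logging buffered informational

! 2. Static PAT of TCP/25 onto the outside interface's own address. The
!    "interface" keyword binds the translation to whatever address
!    GigabitEthernet0/0 carries, so no separate outside IP is needed.
object network MAILSRV-INSIDE
 host 10.1.1.25
 nat (inside,External) static interface service tcp smtp smtp

! 3. Permit the traffic. From 8.3 on, an interface ACL matches the real
!    (untranslated) destination, i.e. the object, not 131.203.252.154.
access-list External_in extended permit tcp any object MAILSRV-INSIDE eq smtp
access-group External_in in interface External

! 4. Verify the path with packet-tracer: the output shows whether the NAT
!    rule and the ACL are hit, or at which phase the packet is dropped.
!    203.0.113.10 / 40000 stands in for an external SMTP client.
packet-tracer input External tcp 203.0.113.10 40000 131.203.252.154 25

! 5. Capture on the outside interface to confirm the SYNs actually arrive
!    from the Internet before blaming NAT or the ACL.
capture SMTPCAP interface External match tcp any host 131.203.252.154 eq 25
show capture SMTPCAP
no capture SMTPCAP

! Pre-8.3 equivalent of steps 2-3. Here the ACL references the translated
! (interface) address rather than the object:
! static (inside,External) tcp interface smtp 10.1.1.25 smtp netmask 255.255.255.255
! access-list External_in extended permit tcp any interface External eq smtp
! access-group External_in in interface External
```

Run packet-tracer before and after adding the nat statement: without it, the trace ends with a drop (no matching translation), which is exactly the silent discard Manish describes, even though the ACL permits port 25. The capture in step 5 separates "the packet never reached the ASA" from "the ASA received it and dropped it".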
08-25-2011 11:14 AM
Hi Varun
I did a little more playing around:
Changed NATed outgoing IP for external interface to one other than our default IP and then everything worked.
Changed it back to how it was before and it still works.
Other traffic for other ports now works as well.
I have no idea how this fixed the issue but I have saved the config, backed it up, rebooted twice and it is still working how I would expect it to.
Thanks for your input
Regards
Glen
08-25-2011 11:17 AM
That's good to know that the issue is resolved.
take care.
-Varun