
ASA-8.4(3)..

Anukalp S
Level 1

Hello..

I have recently upgraded the software to 8.4(3), and we are facing an issue with our video conferencing. Our VC is on the DMZ and statically NATed to a public IP, and any-any ports are open from DMZ and outside. But when we dial the VC through the public IP, the call cannot connect; on the other hand, it connects fine when we connect on the DMZ local IP.

This was working fine on 8.2(5). I am not sure if something is blocking on 8.4(3) or if there is any extra feature which I have to configure.

2 Replies 2

Jouni Forss
VIP Alumni

Hi,

The main thing that always comes to mind with 8.4(3) software specifically with connectivity problems is the fact that they introduced changes related to ARP on that software.

So for example, if you had an "outside" interface on the ASA configured with one public IP address range directly, and the ISP also allocated you another public address space that they configured on their gateway device directly, then this so-called "secondary" subnet would stop working with this ASA software.

The reason for that is that they changed the ASA so that it no longer inserts information into its ARP table from non-connected subnets (which the secondary public subnet used for Static NAT would be).

The solution in these cases would be to ask the ISP to route the secondary subnet towards the current "outside" interface IP address of the ASA, or you should upgrade to a newer software like 8.4(5) perhaps, where you can use the command "arp permit-nonconnected".

If you don't have such a setup, however, we would need to look for the problem elsewhere.

You could for example use the "packet-tracer" command to simulate an example connection:

packet-tracer input outside tcp 1.2.3.4 12345 <VC public IP> 1720

Or some other ports. I am not sure what is used.

Naturally looking at the configuration it would be easier to look for any configuration problems.

- Jouni
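
As an added example (not part of the reply above and not Cisco tooling), this Python script checks a saved ASA configuration for the case the reply describes: static NAT mapped addresses that fall outside the connected subnet of the mapped interface, which is where the 8.4(3) ARP change applies. The sample configuration and its addresses are constructed, the function names are hypothetical, and only object NAT with a literal mapped IP is handled.

```python
import ipaddress
import re

# Constructed sample config (documentation addresses, not from this thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif DMZ
 ip address 10.10.10.1 255.255.255.0
!
object network VC-1
 nat (DMZ,outside) static 198.51.100.20
object network VC-2
 nat (DMZ,outside) static 203.0.113.20
"""

def connected_subnets(config):
    """Map each nameif to the subnet configured directly on that interface."""
    subnets, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None  # new interface block, name not seen yet
        elif m := re.match(r"\s+nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"\s+ip address ([\d.]+) ([\d.]+)", line)) and nameif:
            subnets[nameif] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return subnets

def nonconnected_static_nat(config):
    """Return (object, mapped_ip, mapped_ifc) for static NATs outside the mapped interface's subnet."""
    subnets, obj, findings = connected_subnets(config), None, []
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line):
            obj = m.group(1)
        elif m := re.match(r"\s+nat \([^,\s]+,([^)\s]+)\) static (\d+\.\d+\.\d+\.\d+)", line):
            ifc, mapped = m.group(1), ipaddress.ip_address(m.group(2))
            if ifc in subnets and mapped not in subnets[ifc]:
                findings.append((obj, str(mapped), ifc))
    return findings

if __name__ == "__main__":
    for obj, ip, ifc in nonconnected_static_nat(SAMPLE_CONFIG):
        print(f"{obj}: {ip} is not in the connected subnet of {ifc}")
```

An empty result means every static NAT address sits inside a connected subnet, so the ARP change is not the cause and the search moves to packet-tracer and the rest of the configuration.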

Hi Jouni..

We don't have a secondary public IP subnet running. We are provided with a single /24 subnet by the ISP. Also, when the VC powers on, we get an ICMP reply from the VC public IP, which tells us there is no issue with reachability or NATing.

Here is nat config.

object network VC-a.b.c.d
host a.b.c.d


object network VC-a.b.c.d
nat (DMZ,outside) static w.x.y.z

access-list OUT extended permit ip any host a.b.c.d
access-list DMZ extended permit ip host a.b.c.d any

access-group DMZ in interface DMZ

access-group OUT in interface outside

a.b.c.d ---DMZ local ip
w.x.y.z --- public ip
