06-07-2013 06:35 AM - edited 03-11-2019 06:54 PM
Hello..
I have recently upgraded the software to 8.4(3) and the issue we are facing is with our video conferencing. Our VC is on the DMZ and NATed statically to a public IP; also any-any ports are open from DMZ & outside. But when we dial the VC through the public IP then the call could not connect; on the other hand it connects fine when connecting on the DMZ local IP.
This was working fine on 8.2(5). I am not sure if something is blocking on 8.4(3) or if there is any extra feature which I have to configure.
06-07-2013 07:07 AM
Hi,
The main thing that always comes to mind with 8.4(3) software specifically with connectivity problems is the fact that they introduced changes related to ARP on that software.
So for example, if you had an "outside" interface on the ASA configured with one public IP address range directly, and the ISP also allocated you another public address space that they configured on their gateway device directly, then this so-called "secondary" subnet would stop working with this ASA software.
The reason for that is because they changed the ASA so that it no longer inserts information into its ARP table from non-connected subnets (which the secondary public subnet used for Static NAT would be).
The solution in these cases would be to ask the ISP to route the secondary subnet towards the current "outside" interface IP address of the ASA, or you should upgrade to newer software like 8.4(5) perhaps, where you can use the command "arp permit-nonconnected".
If you don't have such a setup, however, we would need to look for the problem elsewhere.
You could for example use the "packet-tracer" command to simulate an example connection:
packet-tracer input outside tcp 1.2.3.4 12345
Or some other ports. I am not sure what is used.
Naturally, looking at the configuration, it would be easier to look for any configuration problems.
- Jouni
06-07-2013 09:22 AM
Hi Jouni..
We don't have a secondary public IP subnet running. We are provided with a single /24 subnet by the ISP. Also when the VC powers on, we get an ICMP reply from the VC public IP, which tells there is no issue with reachability or NATing.
Here is nat config.
object network VC-a.b.c.d
host a.b.c.d
object network VC-a.b.c.d
nat (DMZ,outside) static w.x.y.z
access-list OUT extended permit ip any host a.b.c.d
access-list DMZ extended permit ip host a.b.c.d any
access-group DMZ in interface DMZ
access-group OUT in interface outside
a.b.c.d --- DMZ local IP
w.x.y.z --- public IP
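As an added example (not code from the thread or from Cisco), a small Python audit that picks out static NAT statements in the shape posted above whose mapped address is not inside the connected subnet of the mapped-side interface, which is exactly the "secondary subnet" case Jouni describes for 8.4(3). The outside interface definition and all addresses in the sample config are constructed; the thread does not show them.

```python
import ipaddress
import re

# Constructed sample config in the shape of the thread's NAT statements; the
# outside interface definition is an assumption, as the thread does not show it.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.1 255.255.255.0
object network VC-10.1.1.10
 host 10.1.1.10
object network VC-10.1.1.10
 nat (DMZ,outside) static 203.0.113.50
object network WEB-10.1.1.20
 host 10.1.1.20
object network WEB-10.1.1.20
 nat (DMZ,outside) static 198.51.100.7
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\d+\.\d+\.\d+\.\d+)")

def parse_interfaces(config):
    """Map each nameif to the IPv4Interface configured under it."""
    ifaces, nameif = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new interface block, reset
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            parts = line.split()               # ip address A.B.C.D M.M.M.M [standby ...]
            ifaces[nameif] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
    return ifaces

def find_nonconnected_static_nats(config):
    """Return (mapped_ip, mapped_if) for each static NAT whose mapped address is
    outside the connected subnet of its mapped-side interface (the 8.4(3) ARP case)."""
    ifaces = parse_interfaces(config)
    findings = []
    for _real_if, mapped_if, mapped_ip in NAT_RE.findall(config):
        iface = ifaces.get(mapped_if)
        if iface is not None and ipaddress.IPv4Address(mapped_ip) not in iface.network:
            findings.append((mapped_ip, mapped_if))
    return findings

if __name__ == "__main__":
    for ip, ifname in find_nonconnected_static_nats(SAMPLE_CONFIG):
        print(f"static NAT to {ip} is not in the connected subnet of '{ifname}'")
```

A mapped address reported here needs the ISP to route its block to the interface IP, or "arp permit-nonconnected" on a release that has it, before the ASA will answer ARP for it.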