05-11-2012 08:03 AM - edited 03-11-2019 04:05 PM
Hi All, I'm having some trouble getting my additional IP addresses working on my ASA 5510. I have a /29 allocation, and outbound access and inbound access to my internal www server are working fine through the default outside interface. However, I now need to set up a second IP address that maps internally to a different web server. When I set up a new network object with automatic NAT translation to the new IP address, it does not work. If I set up the same scenario using the outside interface, it works fine. Am I missing a step? What is the proper way to set up additional IP addresses on my ASA v8.4? Thanks!
05-11-2012 12:13 PM
Hi David,
Have you tried as shown below?
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic 209.165.201.3
object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0
nat (inside,outside) dynamic 209.165.201.4
thanks
05-11-2012 12:49 PM
Hi rizwanr, My commands look a bit different. Maybe because I'm using ASDM? Anyway, after poking around some more, I have some additional findings. I have a public /29 (x.x.x.249 through .254). The default gateway is .254. I've set up my outside interface as .249, which works fine both for outbound surfing and inbound web server access. However, when I try to use .250 or .251, I cannot access the same internal web server, but if I use .252 or .253, it works!?!? Really strange why 2 of my 6 addresses will not work for static NAT. Here are the relevant commands in my config:
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.249 255.255.255.248
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif inside
security-level 100
ip address x.x.1.5 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address x.x.96.5 255.255.255.0
management-only
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network webserver1
host x.x.1.212
access-list outside_access_in extended permit tcp any object webserver1 eq www
access-group outside_access_in in interface outside
object network obj_any
nat (inside,outside) dynamic interface
object network webserver1
nat (any,any) static x.x.x.250 service tcp www www
05-11-2012 01:07 PM
It could possibly be a routing issue with your ISP.
You can test this to see whether your ISP routes traffic to your circuit in question.
You can get a SOHO DSL router, assign either one of the IPs .250 or .251 with gateway .254, and try web browsing to see if your ISP routes traffic to your circuit.
thanks
05-11-2012 04:07 PM
If you've been making changes to your NAT configurations you might also add the step of "clear xlate" in between to make sure you don't have any stale translation table entries.
Another possibility is a stale ARP cache on your ISP's upstream device. You'd have to get them to clear their ARP cache or ping the new address to straighten that out.
05-14-2012 07:13 AM
rizwanr, I was thinking the same thing on my way home Friday. This morning I applied each external IP to my laptop while connected to the ISP modem and I was able to ping and tracert successfully to 4.2.2.2 with all IPs, so all appears well with the IP range.
Marvin, great thought, and considering my PIX background, I should have remembered that one. However, it didn't buy me anything, and a sh xlate shows the correct translation. It's really strange because only 2 of the 6 IPs are affected by this issue. I even tried allowing tcp-any as opposed to only www, but that didn't help either. I guess I can factory default the ASA and start over to see what happens....
05-14-2012 01:37 PM
Still no luck. I've tried everything including resetting to Factory default.
On a side note, this 5510 is brand new so I tried to open a TAC case, but was told that it is not covered. I thought that Cisco ASA's came with one year of support?
05-15-2012 04:36 AM
It is quite odd since you have verified the usability of the two problem addresses. You've only given us part of your configuration file - TAC would normally suspect something else in the config using those addresses.
Personally I would not use:
object network webserver1
nat (any,any) static x.x.x.250 service tcp www www
But rather would specify the interfaces e.g. nat (outside, inside)
Re: TAC cases on devices without a support contract: last I checked, most Cisco devices come with a 90-day product warranty covering hardware failures or software defects. Configuration issues, no matter how vexing, are not covered.
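As an added example (not taken from any post in this thread), here is a complete ASA 8.4 object-NAT configuration for the scenario discussed: two internal web servers, one published on the outside interface address and one on a second address of the same /29, written with the interfaces named explicitly in the NAT rule rather than nat (any,any), followed by the EXEC commands that check the translation, the xlate table and the ARP behaviour raised in the earlier replies. Addresses are placeholders carried over from the original post (outside interface x.x.x.249/29, ISP gateway x.x.x.254, first server x.x.1.212); the second server at x.x.1.213 and the test client 203.0.113.10 are assumed for the example.

```cisco
! Added example for the scenario in this thread; placeholder addresses as in the posts.
! /29 block x.x.x.248/29: .249 = ASA outside, .250 = second published address,
! .254 = ISP gateway. Internal servers x.x.1.212 (from the thread) and x.x.1.213 (assumed).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.249 255.255.255.248
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address x.x.1.5 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 x.x.x.254
!
! Proxy ARP on outside must stay enabled: the ASA answers ARP for .250 on behalf of
! the mapped host so the ISP gateway can deliver packets for it. Do not configure
! "sysopt noproxyarp outside" on a box that publishes extra addresses of its own subnet.
!
! Outbound PAT for everything else, hidden behind the outside interface address.
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!
! Server 1: published on the outside interface address (the case that already worked).
! Port-restricted static NAT forwards only TCP/80, leaving the rest of .249 for PAT.
object network webserver1
 host x.x.1.212
 nat (inside,outside) static interface service tcp www www
!
! Server 2: published on the second address of the /29. Object NAT names the real
! interface first and the mapped interface second: (inside,outside).
object network webserver2
 host x.x.1.213
 nat (inside,outside) static x.x.x.250 service tcp www www
!
! On 8.3+ the interface ACL matches the real (untranslated) address, and only the
! published port is opened.
access-list outside_access_in extended permit tcp any object webserver1 eq www
access-list outside_access_in extended permit tcp any object webserver2 eq www
access-group outside_access_in in interface outside
!
! --- Verification from privileged EXEC (not configuration mode) ---
! Per-rule hit counters; untranslate_hits for webserver2 should climb on inbound tests.
!   show nat detail
! Active translations; clear them after NAT edits so no stale entry shadows a new rule.
!   show xlate
!   clear xlate
! Walk a constructed inbound SYN (203.0.113.10 is a documentation address standing in
! for the test client) through the NAT and ACL phases; the last line is ALLOW or DROP.
!   packet-tracer input outside tcp 203.0.113.10 40000 x.x.x.250 80
! If packet-tracer allows the flow but real clients still fail, capture on the
! outside interface to see whether the SYN, and the gateway's ARP for .250, ever arrive.
!   capture in-syn interface outside match tcp any host x.x.x.250 eq 80
!   capture arp-out ethernet-type arp interface outside
!   show capture in-syn
!   show capture arp-out
```

packet-tracer is the quickest check: its NAT phase names the rule it matched, and the untranslate_hits counter in show nat detail only moves when a real packet addressed to .250 was received and mapped. Counters that stay at zero while the outside captures show no SYN and no ARP request for .250 mean the packet never reached the ASA, which points upstream (routing, or a stale ARP entry on the ISP gateway) rather than at the NAT rule, the direction the later posts in this thread were already leaning.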
05-17-2012 08:23 AM
Wanted to let you guys know that this mysteriously started working.
I was able to open a TAC case since we're a large Cisco reseller, and we spent over an hour doing captures, etc. to no avail. To prove the IPs were OK and routable, I put the test web server directly on the Internet at the .250 address and it worked fine. When I put the web server back behind the ASA, I was then able to use all external IPs successfully. The only other thing I did during this process was reboot the cable modem, but I'm 99% sure I tried that before with no luck. Anyway, it's been a good learning experience for v8.4 and all appears well now. Thanks so much for the assistance!
05-17-2012 08:28 AM
Hi David,
Thank you very much for sharing your experience with all.
I was wondering, then, what was the source of the issue?
thanks
05-17-2012 08:37 AM
rizwanr, unfortunately this may be one of those issues for which we will not be able to determine a root cause. Cisco TAC confirmed that my config was correct, but he could not figure out why traffic did not appear to arrive or pass to the troubled IP addresses. He also thought it may be a problem with the cable circuit, although Comcast said everything was fine on their end and a Windows box had no trouble using and routing those same IPs. My best guess is that the cable modem reboot cleared the issue, but it doesn't explain why I could successfully route to/from the .250 and .251 addresses using a Windows box, but not with the ASA. This issue mysteriously disappeared today as I prepared for another round of troubleshooting with TAC.