Solved: ASA 9.2 NAT Issue

kinnerst1 · ‎08-24-2015

Hello,

I am having an issue migrating a client's firewall from a Sonicwall to an ASA. The issue is with static PAT when using a public ip that is not the same ip as the outside interface. I am unable to see any traffic when running packet captures for the public ip addresses. All nat rules were copied from the old firewall. I am also not able to see any issues when running packet tracer on the outside. 

I have not worked on ASA's since 8.2 so i am wondering if perhaps I am missing something or this might be an upstream ISP issue. I have posted the config below. 

Thanks.

ASA Version 9.2(2)4
!

names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 173.x.x.66 255.255.255.0
!
interface GigabitEthernet0/1
 nameif failover
 security-level 0
 ip address 65.x.x.18 255.255.255.248
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 172.25.5.254 255.255.255.0
!
interface GigabitEthernet0/3
 nameif wlan
 security-level 100
 ip address 172.25.6.1 255.255.255.252
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 no nameif
 security-level 100
 no ip address
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.25.5.246
 name-server 172.25.5.247
 domain-name cbg.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network internal
 subnet 172.25.5.0 255.255.255.0
 description LAN Subnet Inside Network Object
object network hst-172.25.5.254
 host 172.25.5.254
 description ASA Inside Host Object
object network 173.49.213.66
 host 173.49.213.66
 description ASA Outside Host Object
object network hst-172.25.5.90
 host 172.25.5.90
 description CBG-CITRIX Host Object
object network hst-172.25.5.90-tcp80
 host 172.25.5.90
 description CBG-CITRIX TCP/80 Static PAT Object
object network hst-172.25.5.90-tcp443
 host 172.25.5.90
 description CBG-CITRIX TCP/443 Static PAT Object
object network hst-172.25.5.90-tcp1494
 host 172.25.5.90
 description CBG-CITRIX TCP/1494 Static PAT Object
object network hst-172.25.5.243
 host 172.25.5.243
 description CBG-EXFE Host Object
object network hst-172.25.5.243-tcp25
 host 172.25.5.243
 description CBG-EXFE TCP/25 Static PAT Object
object network hst-172.25.5.243-tcp80
 host 172.25.5.243
 description CBG-EXFE TCP/80 Static PAT Object
object network hst-172.25.5.243-tcp443
 host 172.25.5.243
 description CBG-EXFE TCP/443 Static PAT Object
object network hst-172.25.5.243-tcp587
 host 172.25.5.243
 description CBG-EXFE TCP/587 Static PAT Object


access-list outside_access_in extended permit tcp any object hst-172.25.5.90 eq www
access-list outside_access_in extended permit tcp any object hst-172.25.5.90 eq https
access-list outside_access_in extended permit tcp any object hst-172.25.5.90 eq citrix-ica
access-list outside_access_in extended permit tcp any object hst-172.25.5.243 eq smtp
access-list outside_access_in extended permit tcp any object hst-172.25.5.243 eq www
access-list outside_access_in extended permit tcp any object hst-172.25.5.243 eq https
access-list outside_access_in extended permit tcp any object hst-172.25.5.243 eq 587
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu failover 1500
mtu inside 1500
mtu wlan 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network hst-172.25.5.90-tcp80
 nat (inside,outside) static 173.x.x.x service tcp www www
object network hst-172.25.5.90-tcp443
 nat (inside,outside) static 173.x.x.x service tcp https https
object network hst-172.25.5.90-tcp1494
 nat (inside,outside) static 173.x.x.x service tcp citrix-ica citrix-ica
object network hst-172.25.5.243-tcp25
 nat (inside,outside) static 173.x.x.x service tcp smtp smtp
object network hst-172.25.5.243-tcp80
 nat (inside,outside) static 173.x.x.x service tcp www www
object network hst-172.25.5.243-tcp443
 nat (inside,outside) static 173.x.x.x service tcp https https
object network hst-172.25.5.243-tcp587
 nat (inside,outside) static 173.x.x.x service tcp 587 587
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.25.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 172.25.5.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:bdc0af16d6774ca874b7198952319f72
: end

Jon Marshall · ‎08-24-2015

Are the IPs from the same subnet as the outside interface IP ?

If so then it may be your ISP routers arp cache is still recording the old firewall's mac address against those IPs.

How long has it been since you switched over ?

Jon

View solution in original post

Jon Marshall · ‎08-24-2015

Are the IPs from the same subnet as the outside interface IP ?

If so then it may be your ISP routers arp cache is still recording the old firewall's mac address against those IPs.

How long has it been since you switched over ?

Jon

kinnerst1 · ‎08-24-2015

The external IP's i am having issues with are on the correct subnet as the outside interface. I did contact to reboot the ONT device onsite but I did not have the ISP clear any arp caches on the ISP router.

Didn't mean to select answered, forum is impossible to navigate on a phone.

Thanks.

Jon Marshall · ‎08-24-2015

I suspect that may be the issue then unless you have configured your NAT statements with "no proxy-arp" but I can't think why you would do that.

Jon

kinnerst1 · ‎08-24-2015

Nope,

It didn't seem to make sense to disable it. I'll be back onsite later this week to cutover.

Thanks for the help.