08-24-2015 05:13 AM - edited 03-11-2019 11:29 PM
Hello, I am having an issue migrating a client's firewall from a Sonicwall to an ASA. The issue is with static PAT when using a public IP that is not the same IP as the outside interface. I am unable to see any traffic when running packet captures for the public IP addresses. All NAT rules were copied from the old firewall. I am also not able to see any issues when running packet tracer on the outside. I have not worked on ASAs since 8.2, so I am wondering if perhaps I am missing something or this might be an upstream ISP issue. I have posted the config below. Thanks.

ASA Version 9.2(2)4
!
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 173.x.x.66 255.255.255.0
!
interface GigabitEthernet0/1
 nameif failover
 security-level 0
 ip address 65.x.x.18 255.255.255.248
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 172.25.5.254 255.255.255.0
!
interface GigabitEthernet0/3
 nameif wlan
 security-level 100
 ip address 172.25.6.1 255.255.255.252
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 no nameif
 security-level 100
 no ip address
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.25.5.246
 name-server 172.25.5.247
 domain-name cbg.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network internal
 subnet 172.25.5.0 255.255.255.0
 description LAN Subnet Inside Network Object
object network hst-172.25.5.254
 host 172.25.5.254
 description ASA Inside Host Object
object network 173.49.213.66
 host 173.49.213.66
 description ASA Outside Host Object
object network hst-172.25.5.90
 host 172.25.5.90
 description CBG-CITRIX Host Object
object network hst-172.25.5.90-tcp80
 host 172.25.5.90
 description CBG-CITRIX TCP/80 Static PAT Object
object network hst-172.25.5.90-tcp443
 host 172.25.5.90
 description CBG-CITRIX TCP/443 Static PAT Object
object network hst-172.25.5.90-tcp1494
 host 172.25.5.90
 description CBG-CITRIX TCP/1494 Static PAT Object
object network hst-172.25.5.243
 host 172.25.5.243
 description CBG-EXFE Host Object
object network hst-172.25.5.243-tcp25
 host 172.25.5.243
 description CBG-EXFE TCP/25 Static PAT Object
object network hst-172.25.5.243-tcp80
 host 172.25.5.243
 description CBG-EXFE TCP/80 Static PAT Object
object network hst-172.25.5.243-tcp443
 host 172.25.5.243
 description CBG-EXFE TCP/443 Static PAT Object
object network hst-172.25.5.243-tcp587
 host 172.25.5.243
 description CBG-EXFE TCP/587 Static PAT Object
access-list outside_access_in extended permit tcp any object hst-172.25.5.90 eq www
access-list outside_access_in extended permit tcp any object hst-172.25.5.90 eq https
access-list outside_access_in extended permit tcp any object hst-172.25.5.90 eq citrix-ica
access-list outside_access_in extended permit tcp any object hst-172.25.5.243 eq smtp
access-list outside_access_in extended permit tcp any object hst-172.25.5.243 eq www
access-list outside_access_in extended permit tcp any object hst-172.25.5.243 eq https
access-list outside_access_in extended permit tcp any object hst-172.25.5.243 eq 587
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu failover 1500
mtu inside 1500
mtu wlan 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network hst-172.25.5.90-tcp80
 nat (inside,outside) static 173.x.x.x service tcp www www
object network hst-172.25.5.90-tcp443
 nat (inside,outside) static 173.x.x.x service tcp https https
object network hst-172.25.5.90-tcp1494
 nat (inside,outside) static 173.x.x.x service tcp citrix-ica citrix-ica
object network hst-172.25.5.243-tcp25
 nat (inside,outside) static 173.x.x.x service tcp smtp smtp
object network hst-172.25.5.243-tcp80
 nat (inside,outside) static 173.x.x.x service tcp www www
object network hst-172.25.5.243-tcp443
 nat (inside,outside) static 173.x.x.x service tcp https https
object network hst-172.25.5.243-tcp587
 nat (inside,outside) static 173.x.x.x service tcp 587 587
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.25.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 172.25.5.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:bdc0af16d6774ca874b7198952319f72
: end
08-24-2015 05:43 AM
Are the IPs from the same subnet as the outside interface IP ?
If so, then it may be that your ISP router's ARP cache is still recording the old firewall's MAC address against those IPs.
How long has it been since you switched over ?
Jon
08-24-2015 05:54 AM
The external IPs I am having issues with are on the same subnet as the outside interface. I did contact to reboot the ONT device onsite, but I did not have the ISP clear any ARP caches on the ISP router.
Didn't mean to select answered, forum is impossible to navigate on a phone.
Thanks.
08-24-2015 07:03 AM
I suspect that may be the issue then unless you have configured your NAT statements with "no proxy-arp" but I can't think why you would do that.
Jon
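As an added illustration (not code from the thread or from Cisco), a small Python check that applies Jon's two questions to an ASA config: for each object-NAT static entry it reports whether the mapped address is the outside interface IP, an on-link address the ASA must proxy-ARP for (the case where a stale upstream ARP entry would explain empty captures), or an off-link address the ISP must route to the ASA, and it flags the no-proxy-arp keyword. The sample config is constructed, using documentation ranges in place of the thread's redacted 173.x.x.x addresses.

```python
import ipaddress
# Constructed sample in the thread's layout; 203.0.113.0/24 and 198.51.100.0/24 stand
# in for the thread's redacted 173.x.x.x public range.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.66 255.255.255.0
object network hst-172.25.5.90-tcp443
 nat (inside,outside) static 203.0.113.70 service tcp https https
object network hst-172.25.5.243-tcp25
 nat (inside,outside) static 203.0.113.71 service tcp smtp smtp no-proxy-arp
object network hst-172.25.5.243-tcp587
 nat (inside,outside) static 198.51.100.9 service tcp 587 587
"""

def parse_interfaces(config):
    # nameif -> ip_interface (address plus mask) for every interface that has both
    ifaces, name = {}, None
    for words in (line.split() for line in config.splitlines()):
        if words[:1] == ["interface"]:
            name = None
        elif words[:1] == ["nameif"]:
            name = words[1]
        elif words[:2] == ["ip", "address"] and name:
            ifaces[name] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
    return ifaces

def parse_static_nats(config):
    # object-NAT static entries: owning object, mapped interface, mapped address, flag
    nats, obj = [], None
    for words in (line.split() for line in config.splitlines()):
        if words[:2] == ["object", "network"]:
            obj = words[2]
        elif obj and words[:1] == ["nat"] and "static" in words:
            nats.append({"object": obj, "mapped_ifc": words[1].strip("()").split(",")[1],
                         "mapped": words[words.index("static") + 1],
                         "no_proxy_arp": "no-proxy-arp" in words})
    return nats

def audit(config):
    ifaces, findings = parse_interfaces(config), {}
    for nat in parse_static_nats(config):
        ifc = ifaces[nat["mapped_ifc"]]
        if nat["mapped"] in ("interface", str(ifc.ip)):
            status = "interface-ip"          # ASA already answers ARP for its own address
        elif ipaddress.ip_address(nat["mapped"]) in ifc.network:
            # On-link: ASA must proxy-ARP, and the ISP router's ARP cache must hold the
            # ASA's MAC for this IP rather than the replaced firewall's
            status = "no-proxy-arp-set" if nat["no_proxy_arp"] else "needs-proxy-arp"
        else:
            status = "off-link-needs-route"  # ISP must route the block to the ASA
        findings[nat["object"]] = status
    return findings
```

A "needs-proxy-arp" result on a migrated box is the cue to have the upstream ARP entry cleared or wait for it to age out; "no-proxy-arp-set" means the ASA itself will never answer for that address.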
08-24-2015 12:44 PM
Nope,
It didn't seem to make sense to disable it. I'll be back onsite later this week to cutover.
Thanks for the help.