Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2786
Views
0
Helpful
5
Replies

ASA Static NAT issue

Go to solution
cmonks
Level 1
Level 1

‎05-27-2011 12:25 PM - edited ‎03-11-2019 01:39 PM

I just replaced a PIX 501 with a new ASA5505. I had a very weird problem and would like to know what caused it incase I run into it again.

The setup is a DSL connection, with an old-ish speedstream DSL modem. Static IP, no PPPoE. I had a PIX 501, then two servers with static NAT entries on secondary WAN IPs. Everything was working fine on the PIX, I just duplicated the config over to the ASA. I swapped out the PIX for the ASA, and rebooted the DSL modem to clear out it's cache. After installation, NAT was working fine for the the global pool, but the systems with static NAT could not get online. I tried lots of different things to fix them, and they never worked. Finally I rememberd running into an issue like this a long time ago, in that the static NAT IP's wouldn't work without giving them a bump-start on the network. So I assigned the ASA each of my WAN IPs, one at a time, and tested them all. After that I went back to the original WAN IP, configured the static NATs, and they fired right up.

So my question is, why did my static NAT entries not work until I first assigned them to the ASA, then swapped back? I did reset the DSL modem when I swapped the firewalls, so I don't believe it was an ARP issue (unless it was an ARP issue at the far end?) I would like to know if there is something I can do differently with the devices or with the config to not have this issue again in the future.

Thanks.

Craig

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Allen P Chen
Level 5
Level 5

‎05-27-2011 12:52 PM

Hello,

Sounds like the DSL modem was not ARP'ing the ASA for the NAT'ed IPs.  The ASA will proxy ARP for the NAT'ed IP addresses, but it will only gratuitous ARP for its interface IP address.  That is why when you assigned the interface of the ASA with all the WAN IP addresses, it gratiutously ARP'ed all the IPs to the DSL modem with its MAC address.  Thus, the DSL modem was able to associate the NAT'ed IPs to the ASA.

Here is another post which discusses proxy ARP and gratuitous ARP:

https://supportforums.cisco.com/community/netpro/security/firewall/blog/2010/10/27/asapix-proxy-arp-vs-gratuitous-arp

There is an enhancement request on the ASA to gratuitous ARP for all NAT'ed IPs.  However, the enhancement is still in Assigned state:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsy85614

Hope this helps.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎05-27-2011 12:46 PM

Well.... not easy to say....

Just copy/paste the config from the PIX into the ASA might not be exactly fine if running different OS versions.

Could you let us know the OS version from both PIX/ASA?

Federico.

0 Helpful

Go to solution
cmonks
Level 1
Level 1
In response to Federico Coto Fajardo

‎05-27-2011 01:01 PM

Sorry, I didn't copy and paste the config, I meant I recreated the config with the same settings. Configured the ASA from scratch with ASDM. pretty basic config.

I think the ASA was on or 8.2 or something. ASDM was 6.2 I believe.

0 Helpful

Go to solution
Allen P Chen
Level 5
Level 5

‎05-27-2011 12:52 PM

Hello,

Sounds like the DSL modem was not ARP'ing the ASA for the NAT'ed IPs.  The ASA will proxy ARP for the NAT'ed IP addresses, but it will only gratuitous ARP for its interface IP address.  That is why when you assigned the interface of the ASA with all the WAN IP addresses, it gratiutously ARP'ed all the IPs to the DSL modem with its MAC address.  Thus, the DSL modem was able to associate the NAT'ed IPs to the ASA.

Here is another post which discusses proxy ARP and gratuitous ARP:

https://supportforums.cisco.com/community/netpro/security/firewall/blog/2010/10/27/asapix-proxy-arp-vs-gratuitous-arp

There is an enhancement request on the ASA to gratuitous ARP for all NAT'ed IPs.  However, the enhancement is still in Assigned state:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsy85614

Hope this helps.

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Allen P Chen

‎05-27-2011 01:03 PM

I think Allen could be right and might be an ARP thing.

I was just thinking about the difference of syntax of static NAT commands between PIX and ASA but was not changed until 8.3

Federico.

0 Helpful

Go to solution
cmonks
Level 1
Level 1
In response to Allen P Chen

‎05-27-2011 03:01 PM

I'm betting this is exactly what was going on. So it sounds like there isn't much I could have done differently. Oh well, I'll just try to remember that the next time I have this issue.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card