01-03-2017 09:40 AM - edited 03-12-2019 01:43 AM
Wondering if anyone has run into something like this before.
We have an ASA cluster acting as our network firewall.
We are using the ASA to NAT public IPs 1:1 to two different internal servers.
Most of our servers are attached to a Pair of Cisco Nexus switches running virtual port channel.
Traffic is routed between the ASAs and the Nexus using a /30 subnet and static routes.
Network traffic works, the ASA is able to ping Server 1 and Server 2 and vice versa.
We are seeing the ACL get hits.
NAT rules applying to an interface directly on the ASA to Server 1 work fine.
But identical NAT rules (different IPs) applying to the routed interface to the Nexus and Server 2 don't work and we can't figure out why.
01-03-2017 04:16 PM
Hi,
Is this an ASA cluster or a HA failover pair?
Can you ping from the ASA to Server 2?
Are you getting hits on the NAT entry?
Did you run a packet tracer on the ASA to see if the traffic is being allowed? If not, what was the drop code?
Can you post the sanitized configurations from the ASA and the Nexus?
__ __
Pablo
01-04-2017 07:08 AM
Is this an ASA cluster or a HA failover pair? Yes
Can you ping from the ASA to Server 2? Yes
Are you getting hits on the NAT entry?
3 (BackhaultoMGMTNetworks) to (outside) source static VeeamWANReplicationTarget VeeamReplicationExternalIP description NAT rule for Veeam Replication
translate_hits = 13, untranslate_hits = 89459
Did you run a packet tracer on the ASA to see if the traffic is being allowed? If not, what was the drop code?
Packet tracer shows the packet is allowed
Can you post the sanitized configurations from the ASA and the Nexus?
Yes, give me a bit
01-04-2017 07:39 AM
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.0
interface GigabitEthernet1/3
nameif BackhaultoMGMTNetworks
security-level 99
ip address 10.254.0.34 255.255.255.248
object network VeeamWANReplicationTarget
host 10.140.50.17
object network VeeamGateway01
host 10.140.50.17
object service VeaamReplication
service tcp destination eq 6180
object-group service VeeamReplicationServices
service-object object VeaamReplication
nat (BackhaultoMGMTNetworks,outside) source static VeeamWANReplicationTarget VeeamReplicationExternalIP description NAT rule for Veeam Replication
access-group Outside in interface outside
access-list Outside extended permit object-group VeeamReplicationServices object-group VeeamReplicationSourceIPs object VeeamGateway01
route BackhaultoMGMTNetworks 10.140.0.0 255.255.0.0 10.254.0.33 1
Nexus
vlan 550
name Backup_Network
vrf context Epiccloud_Mgmt
ip route 0.0.0.0/0 10.254.0.2
ip route 10.107.0.0/24 10.254.0.26
ip route 172.16.4.0/24 10.254.0.34
ip route 192.168.4.0/23 10.254.0.26
interface Vlan550
description VLAN550-Backup_Network
no shutdown
mtu 9216
vrf member Epiccloud_Mgmt
no ip redirects
ip address 10.140.50.2/24
vrrp 150
priority 20
address 10.140.50.1
no shutdown
interface Vlan998
no shutdown
vrf member Epiccloud_Mgmt
ip address 10.254.0.35/29
vrrp 253
priority 20
address 10.254.0.33
no shutdown
interface Ethernet1/1
description UCS-FI-01:1/1
switchport mode trunk
switchport trunk allowed vlan 500-505,510-511,520-521,530,540-542,545,550,1003-1004,1500-1506,1600
spanning-tree port type edge trunk
channel-group 11 mode active
01-04-2017 02:47 PM
Hi,
Is this an ASA cluster or a HA failover pair? Yes ** this was an OR question** These are 2 different features.
Configuration looks fine and you also have hits on the NAT rule. Can you get a capture on the internal interface of the ASA and see if you get the return traffic from the server?
It would be a good idea to take an ELAM capture on the Nexus as well.
__ __
Pablo
01-05-2017 09:12 AM
HA failover pair of 5508s
I'll get the captures and see what I can see
02-28-2017 09:16 AM
Turns out the issue was a bad default gateway on the Nexus. We were sending the default traffic to a different set of firewalls (ones that we are in the process of decommissioning).
Once we updated the default route to point to the ASAs the problem went away.
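The root cause above is asymmetric routing: the ASA is stateful, so the reply from the server has to come back through the same ASA that untranslated the request. The following is an added example, not code from the thread, that reconstructs the posted ASA and Nexus VRF routing tables and checks both legs of the NATed flow with a longest-prefix lookup, before and after the default route fix. The external client address 203.0.113.10 is a constructed sample.

```python
import ipaddress

# Added example (not from the thread): routing tables reconstructed from the
# posted ASA and Nexus configs. 10.254.0.2 is the old firewall pair the Nexus
# default route pointed at; 10.254.0.34 is the ASA BackhaultoMGMTNetworks IP.
ASA_INSIDE_IP = "10.254.0.34"
NEXUS_VRRP_IP = "10.254.0.33"

# ASA: only the inside route matters for the forward (client -> server) leg.
ASA_ROUTES = {"10.140.0.0/16": NEXUS_VRRP_IP}

# Nexus VRF Epiccloud_Mgmt as posted (Vlan550 is directly connected).
NEXUS_VRF_BEFORE = {
    "0.0.0.0/0": "10.254.0.2",
    "10.107.0.0/24": "10.254.0.26",
    "172.16.4.0/24": ASA_INSIDE_IP,
    "192.168.4.0/23": "10.254.0.26",
    "10.140.50.0/24": "connected",
}
# Same table after the fix described in the last post.
NEXUS_VRF_AFTER = {**NEXUS_VRF_BEFORE, "0.0.0.0/0": ASA_INSIDE_IP}


def lookup(routes, dst):
    """Longest-prefix match; returns the next hop, or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def check_symmetry(nexus_routes, server_ip, client_ip):
    """Return (symmetric, forward_nh, return_nh) for a NATed flow.

    Forward: the ASA sends the untranslated packet toward the Nexus VRRP
    address. Return: the Nexus must send the server's reply back to the
    ASA inside IP; if the reply follows a default route elsewhere, the ASA
    never sees it and the stateful NAT/connection entry never completes.
    """
    forward_nh = lookup(ASA_ROUTES, server_ip)
    return_nh = lookup(nexus_routes, client_ip)
    symmetric = forward_nh == NEXUS_VRRP_IP and return_nh == ASA_INSIDE_IP
    return symmetric, forward_nh, return_nh


if __name__ == "__main__":
    # 203.0.113.10 is a constructed external client address.
    for name, table in (("before", NEXUS_VRF_BEFORE), ("after", NEXUS_VRF_AFTER)):
        print(name, check_symmetry(table, "10.140.50.17", "203.0.113.10"))
```

This is the same check a packet capture on the ASA inside interface answers empirically: with the old default route, the request leaves the ASA but no reply ever returns to it.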