08-14-2013 06:46 PM - edited 03-11-2019 07:25 PM
Hi Everyone,
If i do Auto NAT from DMZ interface to outside interface using config below
object network Auto_NAT
subnet 192.168.70.0 255.255.255.0 *********************DMZ subnet
description Auto NAT DMZ Interface
object network Outside_pool
range 192.168.51.3 192.168.51.100
object network Auto_NAT
nat (DMZ,outside) dynamic Outside_pool
My outside interface has IP of 192.168.71.2
I am unable to access the internet using above config
when i change the range in outside_pool to 192.168.71.3 192.168.71.100 i am able to access the internet.
Does this mean that using auto nat using dynamic NAT the outside pool range should be in same subnet as outside interface ip address?
Regards
MAhesh
Solved! Go to Solution.
08-14-2013 08:48 PM
Hi Mahesh,
The NAT Pool doesnt have to be the same network as the "outside" interfaces network.
But in that case you have to make sure that the router infront of the ASA knows about this NAT Pool network.
The router either needs
- Jouni
08-14-2013 08:49 PM
Hello Mahesh,
No it does not,
That behavior let us know that there is an ARP issue with those IP addresses,
Does the ISP side know that you have that range of IP addresses 192.168.51.x.
Also what version are you running as Proxy-ARP is disabled in some versions (8.4.3 and 8.6 if I am not wrong ) so the ASA will not proxy-arp for IP addresses not connected or on the same subnet than the ASA.
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-14-2013 10:18 PM
Hello,
The command that jounni recommend (arp permit non-connected) is available on that version
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-15-2013 08:18 PM
Hello Mahesh,
The configuration on the ASA should remain the same.
On the Upstream device it should be:
no ip route 192.168.72.0 255.255.255.0 192.168.71.2
ip route 192.168.51.0 255.255.255.0 192.168.71.2
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-15-2013 09:09 PM
Hello Mahesh,
Okey,
Please share both the config from L3 switch and ASA at the moment,
I will need to analize the configuration
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-15-2013 09:28 PM
Hello,
Looks like we are receiving a Reset pacekt from the device on the lower security level.
The Deny TCP no connection could mean 2 things
1)Asymetric routing
2) Server is sending information after the connection was released on the ASA
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-15-2013 10:19 PM
Hello Mahesh,
But I mean that traffic is on the same subnet, I mean 70.3 to 70.1...
Can you share the configuration please Or you can email me the setup
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-16-2013 09:23 AM
Hello Mahesh,
Configuration looks good ( I did not see something wrong)
Add
fixup protocol icmp
cap capin interface inside match icmp any any eq 4.2.2.2
cap capout interface outside match icmp any any eq 4.2.2.2
Then ping from an inside PC to 4.2.2.2
and provide
show cap capin
show cap capout
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-16-2013 10:27 PM
Hello Mahesh,
I must have been really tired when I send the capture syntax lol. It's completely wrong.
It should be
cap capdmz interface dmz match icmp any host 4.2.2.2
cap capout interface outside match icmp any host 4.2.2.2
I am sorry
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-16-2013 11:06 PM
There are no packets comming back from the Switch.
Add the following to the ASA
arp permit-nonconnected
Can you share the show ip route from the Switch (I just need the entry for the 192.168.72.0)
also show arp | include 192.168.72.
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-16-2013 11:21 PM
Hello.
Do the following on the ASA side
arp permit non-connected and then try again
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-16-2013 11:32 PM
Hello,
At the moment, the only thing that I could possibly think of is make sure that the router 192.168.5.3 has a route to the 192.168.72 subnet and that it's also Natting this Subnet range
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-17-2013 12:02 AM
Hello Mahesh,
Well basically:
Long troubleshooting Mahesh But we did it.
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-14-2013 08:48 PM
Hi Mahesh,
The NAT Pool doesnt have to be the same network as the "outside" interfaces network.
But in that case you have to make sure that the router infront of the ASA knows about this NAT Pool network.
The router either needs
- Jouni
08-14-2013 09:46 PM
Hi Julio,
Something new learn today .
I will test that tomorrow.
Best regards
MAhesh
08-14-2013 08:49 PM
Hello Mahesh,
No it does not,
That behavior let us know that there is an ARP issue with those IP addresses,
Does the ISP side know that you have that range of IP addresses 192.168.51.x.
Also what version are you running as Proxy-ARP is disabled in some versions (8.4.3 and 8.6 if I am not wrong ) so the ASA will not proxy-arp for IP addresses not connected or on the same subnet than the ASA.
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-14-2013 09:45 PM
Hi Julio,
IOS is
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)
I will test it tomorrow after work
Regards
MAhesh
08-14-2013 10:18 PM
Hello,
The command that jounni recommend (arp permit non-connected) is available on that version
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-15-2013 08:03 PM
Hi jouni,
I config the Outside pool ip which was not from the outside interface of ASA.
Also on Switch which has direct connection to ASA outside interface ip i config command
3550SMIA(config)#ip route 192.168.72.0 255.255.255.0 192.168.71.2
where 192.168.71.2 is ASA outside interface ip.
Now i can not access the internet.
ciscoasa# sh xlate
1 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from DMZ:192.168.70.3 to outside:192.168.72.56 flags i idle 0:00:00 timeout 3:00:00
Regards
Mahesh
08-15-2013 08:18 PM
Hello Mahesh,
The configuration on the ASA should remain the same.
On the Upstream device it should be:
no ip route 192.168.72.0 255.255.255.0 192.168.71.2
ip route 192.168.51.0 255.255.255.0 192.168.71.2
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-15-2013 08:24 PM
Hi Julio,
I change the outside_pool ip to subnet 192.168.72.0
object network Auto_NAT_DMZ
subnet 192.168.70.0 255.255.255.0
description Auto NAT DMZ Interface
object network Outside_pool
range 192.168.72.3 192.168.72.100
Regards
MAhesh
08-15-2013 08:45 PM
Hello Mahesh,
Okey.
And what happens, same thing?
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-15-2013 08:52 PM
Yea samething no internet from pc
but from asa i can ping internet
08-15-2013 09:09 PM
Hello Mahesh,
Okey,
Please share both the config from L3 switch and ASA at the moment,
I will need to analize the configuration
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-15-2013 09:13 PM
Hi Julio,
Here is log from ASA
Aug 15 2013 22:09:08: %ASA-6-302014: Teardown TCP connection 8398 for DMZ:192.168.70.3/5703 to identity:192.168.70.1/443 duration 0:00:00 bytes 3619 TCP Reset-O
Aug 15 2013 22:09:08: %ASA-6-106015: Deny TCP (no connection) from 192.168.70.3/5703 to 192.168.70.1/443 flags FIN ACK on interface D
Config is attached with original post.
Regards
Mahesh
08-15-2013 09:28 PM
Hello,
Looks like we are receiving a Reset pacekt from the device on the lower security level.
The Deny TCP no connection could mean 2 things
1)Asymetric routing
2) Server is sending information after the connection was released on the ASA
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-15-2013 10:02 PM
Hi Julio,
As per this message seems its natting issue
Aug 15 2013 22:11:59: %ASA-6-110003: Routing failed to locate next hop for TCP from identity:192.168.70.1/443 to DMZ:192.168.70.3/5712
where 70.3 is pc ip
70.1 is DMZ interface
Regards
mahesh
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide