Hi,

We're putting the new ASA in tonight, so just to cover all of my bases, what routes do I need to have set up for the multiple public IP subnets?

I've got:

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address y.y.56.201 255.255.255.248

arp permit-nonconnected

route outside 0.0.0.0 0.0.0.0 y.y.56.206 1 (that is the gateway for the first subnet)

Do I need to also route my second subnet to the outside IP of my ASA like this:

route outside x.x.131.212 255.255.255.248 y.y.56.201 1

Or should that traffic be routed out through my primary gateway of y.y.56.206 along with the rest of the traffic?

Thank you in advance for any help you can give me!!

Thank you Ron!  Any help you can give me would be greatly appreciated. 

Hi,

I am a bit confused why I am seeing both "arp permit-nonconnected" and "no arp permit-nonconnected" in your configuration.

If your ISP has configured both public subnets on their gateway interface then the "arp permit-nonconnected" should be enough to enable ARP to work so that the secondary nonconnected subnet can be used for NAT.

You should also check that you dont see the following in your configuration

sysopt noproxyarp outside

You can confirm this with the command

show run all sysopt

If  you see "no sysopt noproxyarp outside" then everything should be fine. If you see "sysopt noproxyarp outside" then you will have ARP problems.

When I look at your NAT configurations its mostly seems OK. Though naturally I personally like to keep the naming of objects consistent and clear. The only real thing I would immediately change is the Static NAT configurations.

Here is how you have configured NAT and how I would configure the NAT

CURRENT CONFIGURATION

nat (inside,outside) source static inside_IP_RANGE inside_IP_RANGE  destination static NETWORK_OBJ_10.0.5.0_25 NETWORK_OBJ_10.0.5.0_25  no-proxy-arp

nat (inside,outside) source static  NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static  Remote_inside_drs Remote_inside_drs no-proxy-arp route-lookup

!

object network Exchange

nat (any,any) static y.y.56.204

object network SpamFilter

nat (any,any) static x.x.131.113

object network WEB-02

nat (any,any) static WEB-02_outside

object network DMZ_IP_RANGE

nat (DMZ,outside) dynamic interface

object network inside_IP_RANGE

nat (inside,outside) dynamic interface

object network VOIP_IP_RANGE

nat (VOIP,outside) dynamic interface

MY CONFIGURATION

NAT0 CONFIGURATINS FOR VPN

object network VPN-POOL

subnet 10.0.5.0 255.255.255.128

object network INSIDE

subnet 10.0.0.0 255.255.255.0

object network REMOTE-SITE

subnet 10.0.1.0 255.255.255.0

nat (inside,outside) source static INSIDE INSIDE destination static VPN-POOL VPN-POOL

nat (inside,outside) source static INSIDE INSIDE destination static REMOTE-SITE REMOTE-SITE

BASIC DYNAMIC PAT

object-group network DEFAULT-PAT-SOURCE

network-object 10.0.0.0 255.255.255.0

network-object 10.0.10.0 255.255.255.0

network-object 192.168.40.0 255.255.255.0

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

STATIC NAT

If you only want to NAT these servers to public IP address towards the "outside"

object network Exchange

host 10.0.0.35

nat (inside,outside) static y.y.56.204

object network SpamFilter

host 10.0.0.36

nat (inside,outside) static x.x.131.113

object network WEB-02

host 192.168.40.218

nat (DMZ,outside) static x.x.131.114

If you want to NAT these servers to public IP address towards ANY interface on the ASA

object network Exchange

host 10.0.0.35

nat (inside,any) static y.y.56.204

object network SpamFilter

host 10.0.0.36

nat (inside,any) static x.x.131.113

object network WEB-02

host 192.168.40.218

nat (DMZ,any) static x.x.131.114

I am also somewhat confused as you mention you have 2 public subnets. You mention the end part of the IP address and the network mask. But when I compare one of these to the end of the IP address on your "outside" interface they dont really match? I mean they cant belong to the same /29 subnet.

What you should first determine is that naturally the NAT configurations for the directly connected network configured to your "outside" interface is working correctly.

When this is done you should try to determine what is the situation with the secondary subnet that is not configured on any interface but rather as NAT IP addresses on the ASA.

What you could do is

• If you have Static NAT configured using one of the public IP addresses from the nonconnected network then attempt connections to it from the the Internet.
• Then issue the command "show arp | inc outside" and look if you can see any ARP table markings for that public secondary subnet. The ISPs gateway IP addresses IP/MAC should be visible in the command output IF the ASA is populating its ARP table with the nonconnected networks IP addresses.
• If its showing after the tests and you are still having problems then I would assume there is either some problems with the ASA configurations OR some problem behind the ASA on the local network.

A good tool to test ASA configured rules is to use the "packet-tracer" command. It will simulate a connection through your firewall and tell which rules it hits and if the connection is allowed or dropped

The basic configuration format is

packet-tracer input

If you will the above fields with the correct information related to what you are trying to get working then you should see wha the problem is if there is a problem with the ASA configurations.

Hope this helps

- Jouni

Hi,

To answer your other question about routes.

You will only need to configure the default route pointing towards your ISP gateway IP address of the network that is part of the connected network between the ISP gateway and your ASAs "outside" interface.

You dont need routes on the ASA for the other nonconnected public subnets.

- Jouni

Thank you so much for your help, Jouni!  I'm going to go through my config again now and see if I can apply some of your suggestions.

Shelley

We tried installing our new firewall last night, but it still didn't work properly.  We can access the internet from inside and our phone system on VLAN 1 worked, but no traffic seems to be able to get into the firewall.  I can't ping any of my public IPs and our web server and email server are not visible outside of the network. 

I did a packet trace from the outside to our web server and it comes back with Allowed, so I don't understand what could be wrong.

If anyone has a few minutes to have a look at this for me, I would really appreciate it!  We're going to purchase a SmartNet contract, but I would much prefer to be able to sort this with your help and repair some of the damage to my ego. 

Here is the results of the show xlate command:

gw(config)# show xlate

8 in use, 8 most used

Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,

       s - static, T - twice, N - net-to-net

NAT from inside:10.0.0.0/24 to outside:10.0.0.0/24

    flags sIT idle 0:00:18 timeout 0:00:00

NAT from outside:10.0.5.0/25 to inside:10.0.5.0/25

    flags sIT idle 0:00:18 timeout 0:00:00

NAT from inside:10.0.0.0/24 to outside:10.0.0.0/24

    flags sIT idle 0:00:18 timeout 0:00:00

NAT from outside:10.0.1.0/24 to inside:10.0.1.0/24

    flags sIT idle 0:00:18 timeout 0:00:00

NAT from outside:0.0.0.0/0 to any:0.0.0.0/0

    flags sIT idle 0:00:18 timeout 0:00:00

NAT from inside:10.0.0.35 to outside:y.y.56.204

    flags s idle 0:00:18 timeout 0:00:00

NAT from inside:SpamFilter to outside:x.x.131.113

    flags s idle 0:00:18 timeout 0:00:00

NAT from DMZ:WEB-02 to outside:WEB-02_OUTSIDE

    flags s idle 0:00:18 timeout 0:00:00

And here is the result of show arp:

gw(config)# show arp
        outside x.x.56.206 000a.41db.ad80 25
        inside WebFilter 0017.5400.c15a 3
        inside 10.0.0.130 2892.4a25.644a 3
        inside FS-01 0004.23dd.efd0 9
        inside 10.0.0.144 0800.0f69.f3a9 11
        inside 10.0.0.138 0800.0f4f.5649 13
        inside 10.0.0.165 0015.17e5.d56f 14
        VOIP 10.0.10.2 0800.0f4e.39e6 14
        DMZ 192.168.40.204 0004.23b8.f713 8

Have I somehow managed to block all outgoing traffic or something like that?

Here is my full config:

: Saved

:

ASA Version 9.1(1) 

!

hostname gw

domain-name domain.ca

enable password **** encrypted

passwd **** encrypted

names

name 10.0.0.3 AS400

name 10.0.0.27 DC-01

name 10.0.0.25 FS-01

name 10.0.0.26 FS-01-26

name 10.0.0.18 Faxserver

name 10.0.0.36 SpamFilter

name 10.0.0.5 WebFilter

name 192.168.40.213 VS-02

name 10.0.0.73 APP-02

name 10.0.0.72 APP-01

name 10.0.0.70 VS-01

name 192.168.40.218 WEB-02

name x.x.131.114 WEB-02_OUTSIDE

ip local pool Remote_Address 10.0.5.10-10.0.5.100 mask 255.255.255.0

!

interface GigabitEthernet0/0

 nameif outside

 security-level 0

 ip address y.y.56.201 255.255.255.248 

!

interface GigabitEthernet0/1

 nameif inside

 security-level 100

 ip address 10.0.0.1 255.255.255.0 

!

interface GigabitEthernet0/1.2

 vlan 2

 nameif VOIP

 security-level 100

 ip address 10.0.10.1 255.255.255.0 

!

interface GigabitEthernet0/2

 nameif DMZ

 security-level 4

 ip address 192.168.40.1 255.255.255.0 

!

interface GigabitEthernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/4

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/5

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Management0/0

 management-only

 nameif management

 security-level 100

 ip address 192.168.1.1 255.255.255.0 

!

ftp mode passive

clock timezone MST -7

dns server-group DefaultDNS

 domain-name firstcanadian.ca

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network AS400

 host 10.0.0.3

object network FS-01

 host 10.0.0.25

object network Exchange

 host 10.0.0.35

object network APP-01

 host 10.0.0.72

object network SpamFilter

 host 10.0.0.36

object network WEB-02

 host 192.168.40.218

object network WEB-02_outside

 host x.x.131.114

object network DMZ_IP_RANGE

 subnet 192.168.40.0 255.255.255.0

object network inside_IP_RANGE

 subnet 10.0.0.0 255.255.255.0

object network VOIP_IP_RANGE

 subnet 10.0.10.0 255.255.255.0

object network NETWORK_OBJ_10.0.5.0_25

 subnet 10.0.5.0 255.255.255.128

object network Remote_inside_drs

 subnet 10.0.1.0 255.255.255.0

object network NETWORK_OBJ_10.0.0.0_24

 subnet 10.0.0.0 255.255.255.0

object network Remote_inside_drs_DMZ

 subnet 192.168.41.0 255.255.255.0

object network Exchange_outside

 host y.y.56.204

object network SpamFilter_outside

 host x.x.131.113

object-group service Mail tcp

 description "Allow Mail Traffic from Outside"

 port-object eq https

 port-object eq 8080

 port-object eq 444

 port-object eq 465

 port-object eq 995

 port-object eq 993

 port-object eq 587

 port-object eq imap4

 port-object eq pop3

object-group service WebAccess tcp

 description "Allow Web Traffic to Web Service"

 port-object eq www

 port-object eq https

object-group service CA400_ODBC tcp

 description "Allow traffic from WEB-02 to AS400"

 port-object eq 446

object-group service Spamfilter tcp

 description "Allow Mail Traffic to the Spamfilter"

 port-object eq smtp

 port-object eq ssh

object-group service IntWebApp tcp

 description "Allow Internal Traffic from WEB-02 to APP-01"

 port-object eq 8383

object-group icmp-type PingTraffic

 description "Allow Echo Echo-Reply Unreachable and Time-Exceeded Traffic"

 icmp-object echo

 icmp-object echo-reply

 icmp-object unreachable

 icmp-object time-exceeded

object-group service DMZtoInsideDomainTCP tcp

 description Allow domain traffic between DMZ and Inside

 port-object range 10000 10200

 port-object eq 135

 port-object range 3268 3269

 port-object eq 42

 port-object eq 445

 port-object eq 88

 port-object eq domain

 port-object eq ldap

 port-object eq ldaps

 port-object eq netbios-ssn

object-group service DMZtoInsideDomainUDP udp

 port-object eq 389

 port-object eq 88

 port-object eq domain

 port-object eq netbios-dgm

 port-object eq netbios-ns

object-group network DEFAULT-PAT-SOURCE

 network-object 10.0.0.0 255.255.255.0

 network-object 10.0.10.0 255.255.255.0

 network-object 192.168.40.0 255.255.255.0

access-list ACL_OUT remark "Allow Ping to WEB-02 on Outside"

access-list ACL_OUT extended permit icmp any object WEB-02 object-group PingTraffic log 

access-list ACL_OUT remark "Allow HTTP and HTTPS to WEB-02_outside"

access-list ACL_OUT extended permit tcp any object WEB-02 object-group WebAccess log 

access-list ACL_OUT extended permit icmp any object Exchange object-group PingTraffic 

access-list ACL_OUT remark "Allow Mail Traffic from Outside to Exchange"

access-list ACL_OUT extended permit tcp any object Exchange object-group Mail log 

access-list ACL_OUT extended permit icmp any object SpamFilter object-group PingTraffic 

access-list ACL_OUT remark "Allow Mail Traffic from Outside to SpamFilter"

access-list ACL_OUT extended permit tcp any object SpamFilter object-group Spamfilter log 

access-list ACL_OUT remark "Allow Site to Site VPN Traffic"

access-list ACL_OUT extended permit esp any 10.0.0.0 255.255.255.0 

access-list ACL_OUT extended permit udp any eq 4500 10.0.0.0 255.255.255.0 eq 4500 

access-list ACL_OUT extended permit udp any eq isakmp 10.0.0.0 255.255.255.0 eq isakmp 

access-list ACL_VPN remark "Allow Access from VPN IPs to Inside"

access-list ACL_VPN extended permit tcp 10.0.5.0 255.255.255.0 10.0.0.0 255.255.255.0 log 

access-list ACL_VPN extended permit ip 10.0.5.0 255.255.255.0 10.0.0.0 255.255.255.0 log 

access-list ACL_VPN extended permit icmp 10.0.5.0 255.255.255.0 any log 

access-list ACL_DMZ remark "Allow FTP Access from DMZ to FS-01 on Inside"

access-list ACL_DMZ extended permit tcp object WEB-02 object FS-01 eq ftp 

access-list ACL_DMZ remark "Allow Access from WEB-02 in DMZ to AS400"

access-list ACL_DMZ extended permit tcp object WEB-02 object AS400 object-group CA400_ODBC 

access-list ACL_DMZ remark "Allow Access from WEB-02 in DMZ to APP-01"

access-list ACL_DMZ extended permit tcp object WEB-02 object APP-01 object-group IntWebApp 

access-list ACL_DMZ extended permit tcp host 192.168.40.204 object FS-01 object-group DMZtoInsideDomainTCP 

access-list ACL_DMZ extended permit udp host 192.168.40.204 object FS-01 object-group DMZtoInsideDomainUDP 

access-list ACL_DMZ remark Deny all other access from DMZ to Inside

access-list ACL_DMZ extended deny ip 192.168.40.0 255.255.255.0 10.0.0.0 255.255.255.0 

access-list ACL_DMZ extended deny ip 192.168.40.0 255.255.255.0 10.0.10.0 255.255.255.0 

access-list ACL_DMZ remark Allow all other DMZ traffic out

access-list ACL_DMZ extended permit ip 192.168.40.0 255.255.255.0 any 

access-list Tunnel_Group_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0 

access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 object Remote_inside_drs 

access-list Remote_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0 

access-list Remote_splitTunnelAcl standard permit 192.168.40.0 255.255.255.0 

access-list vpn-access extended permit ip 192.168.40.0 255.255.255.0 10.0.5.0 255.255.255.0 

access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 object Remote_inside_drs 

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu VOIP 1500

mtu DMZ 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

arp permit-nonconnected

nat (inside,outside) source static inside_IP_RANGE inside_IP_RANGE destination static NETWORK_OBJ_10.0.5.0_25 NETWORK_OBJ_10.0.5.0_25 no-proxy-arp

nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static Remote_inside_drs Remote_inside_drs no-proxy-arp route-lookup

!

object network FCIC-Exchange

 nat (inside,outside) static y.y.56.204

object network SpamFilter

 nat (inside,outside) static x.x.131.113

object network FCIC-WEB-02

 nat (DMZ,outside) static x.x.131.114

!

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

access-group ACL_OUT in interface outside

access-group ACL_DMZ in interface DMZ

!

router rip

 passive-interface default

!

route outside 0.0.0.0 0.0.0.0 y.y.56.206 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 outside

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

*** removed crypto

telnet 192.168.0.99 255.255.255.255 outside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

***removed tunnel info

username test password **** encrypted privilege 15

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

 message-length maximum client auto

 message-length maximum 512

policy-map global_policy

 class inspection_default

 inspect dns preset_dns_map 

 inspect ftp 

 inspect h323 h225 

 inspect h323 ras 

 inspect rsh 

 inspect rtsp 

 inspect esmtp 

 inspect sqlnet 

 inspect skinny 

 inspect sunrpc 

 inspect xdmcp 

 inspect sip 

 inspect netbios 

 inspect tftp 

 inspect ip-options 

 inspect icmp 

 inspect http 

 inspect ipsec-pass-thru 

!

service-policy global_policy global

prompt hostname context 

call-home reporting anonymous

password encryption aes

Cryptochecksum:****

: end

no asdm history enable

Thank you!!!

Hi,

Looking at your Static NAT configurations

object network FCIC-Exchange

nat (inside,outside) static y.y.56.204

object network SpamFilter

nat (inside,outside) static x.x.131.113

object network FCIC-WEB-02

nat (DMZ,outside) static x.x.131.114

I am not quite sure why I am not seeing any "host x.x.x.x" configurations for those "object network" in the above configuration. Just the "nat" portion.

Also, looking at your "show arp" output and comparing it to the IP address which I presume are the servers local IP addresses.

gw(config)# show arp

        outside x.x.56.206 000a.41db.ad80 25

        inside WebFilter 0017.5400.c15a 3

        inside 10.0.0.130 2892.4a25.644a 3

        inside FS-01 0004.23dd.efd0 9

        inside 10.0.0.144 0800.0f69.f3a9 11

        inside 10.0.0.138 0800.0f4f.5649 13

        inside 10.0.0.165 0015.17e5.d56f 14

        VOIP 10.0.10.2 0800.0f4e.39e6 14

        DMZ 192.168.40.204 0004.23b8.f713 8

• 10.0.0.35
• 10.0.0.36
• 192.168.40.218

As you can see, none of those IP addresses are in the ARP table. Which basically means that either

• The ASA hasnt seen any traffic from them
• You have not generated any traffic towards them from the ASA
• No traffic has gotten through the ASA towards those servers
• Or that traffic from the Internet hasnt reached your ASA at all

If during the test you would want to confirm if any traffic from the Internet is coming towards these 3 servers then you could configure traffic capture on the ASA with these configurations

access-list CAP-EXCHANGE permit ip any host y.y.56.204

access-list CAP-EXCHANGE permit ip host y.y.56.204 any

access-list CAP-SPAM permit ip any host x.x.131.113

access-list CAP-SPAM permit ip host x.x.131.113 any

access-list CAP-WEB permit ip any host x.x.131.114

access-list CAP-WEB permit ip host x.x.131.114 any

capture CAP-EXCHANGE type raw-data access-list CAP-EXCHANGE interface outside buffer 1000000 circular-buffer

capture CAP-SPAM type raw-data access-list CAP-SPAM interface outside buffer 1000000 circular-buffer

capture CAP-WEB type raw-data access-list CAP-WEB interface outside buffer 1000000 circular-buffer

You could then use the following command to view if any data is being captured during tests

show capture

You could view the contents of the captures on the CLI with the following commands

show capture CAP-EXCHANGE

show capture CAP-SPAM

show capture CAP-WEB

If testing from the Internet producses no data for these captures then there is probably some problem between your ASA and the ISP. Naturally if you are using these NAT IP addresses with the old firewall and then just replace the firewall with a new one the MAC address for those public IP addresses change and there might be problems with the ARP.

I would still want to know if we are talking about public IP addresses that are actually these

• Subnets x.x.131.212 255.255.255.248 and y.y.56.200 255.255.255.248
• IP addresses used for Static NAT
  • y.y.56.204 is part of one of the above subnets
  • x.x.131.113 is NOT part of either of the above subnets
  • x.x.131.114 is NOT part of either of the above subnets

But since you say that the "packet-tracer" output says allowed it would seem configuration are correct and they do seem to be. The main question is why didnt we see the servers IP/MAC address in the ARP output? Why dont 2 of the Static NAT public IP addresses match the 2 subnets you have given?

Those are obvious big question marks.

I would presume at this point that the problem is related to your setup between the ASA and the its gateway device.

- Jouni

Hi Jouni,

Sorry for the confusion.  We do have two public IP subnets.  Just for the sake of clarity, lets call them:

11.11.131.112 255.255.255.248 gateway 11.11.131.118

10.10.56.200 255.255.255.248 gateway 10.10.56.206

11.11.131.13 and 11.11.131.114 are both servers in the second public IP subnet that we were assigned. 

Our existing firwall is set up with an outside IP of 10.10.56.201 and is routed through 10.10.56.206. 

We are able to access out servers in the second subnet while the existing PIX 515E is in place, but as soon as we put in the new 5515-X, we lose access.  I'm not able to ping any of my outside IPs, in either subnet, once the new firewall is plugged in.

We had our ISP clear their ARP tables last night after we switched out the firewall, but it didn't seem to help at all.  Our connection from them goes through a Cisco 2950 and they said that both public subnets are configured on the port they have assigned us.  From the 2950, we go to a 5 port gigabit switch and then to our firewall.  The switch is there so that we can use an outside IP for testing and also for our TeleWorker server to access the internet.

This whole thing has just completely stumped me.  I assumed that there must be something wrong with my access-lists and that was what was causing the problems, but when I do the packet trace, it comes up as Ok. 

There are matching host records for those nat records, they are near the top of the config.  I'm not sure why it splits them out like that when I do a show run.

object network FCIC-Exchange
nat (inside,outside) static y.y.56.204

object network SpamFilter
nat (inside,outside) static x.x.131.113

object network FCIC-WEB-02
nat (DMZ,outside) static x.x.131.114

object network FCIC-Exchange
host 10.0.0.35
object network SpamFilter
host 10.0.0.36
object network FCIC-WEB-02
host 192.168.40.218

Hi,

There are the original "object network" in the configuration yes, but I cant find any with the FCIC in front of the "object network" name. Just the version with the "Exchange" and "WEB-02"

Can you confirm if the single Static NAT that has the public IP address that is part of the "outside" interfaces directly connected subnet is working? The "Exchange" one I mean?

If its just the secondary subnet that is not working then I would suggest that you ask the ISP to remove that subnet from their gateway interface and configure a route for it pointing towards the ASA "outside" IP address. After that there can be no problems related to the ARP atleast.

I would also ask them to share current ARP table related to your public IP addresses after the change so you can confirm that those are correct.

Also the mentioned traffic capture configurations would be able to confirm if you are getting any traffic from the ISP after the firewall change.

- Jouni

Hi Jouni,

I had removed the FCIC from all of the server names when I was sanitizing my config, but obviously missed it in the NAT section.  I'm sorry about that!

I don't get many opportunities to test my config live because it brings down our website, but as soon as I can talk my bosses into letting me try again, I will test the ping on my Exchange outside address and run those capture commands.

I'll speak to my ISP about changing the way they handle the second subnet.  At least that would help narrow down the issue.

I'll post the results of the capture as soon as I run it. 

Thank you again for your help with this! 

Hi,

Its naturally the best situation if you had the ISP working with your during the change.

The main things to confirm would be

• If ISP has configured both of the public subnets on their gateway interface they should make sure that the MAC address visible in their ARP table is the MAC address of the ASA and not the one of PIX firewall
• You should be able to confirm if any traffic is arriving on your firewall to the Staticly NATed servers by either viewing the ACL hitcount during testing, watching real time logs through ASDM or capturing traffic during the testing

Naturally I dont know what the PIX firewall configuration was so I cant compare those configurations but there shouldnt really be many things that could be wrong.

One problem related to ARP you see every now and then is that someone has configured "sysopt noproxyarp outside" on their firewall. This will basically cause that the ASA will only answer to ARP request related to its "outside" interface IP address BUT NOT the IP addresses that are just used in the NAT configurations. Though I dont see this in your configurations so that shouldnt be the problem.

One bug that I ran into once when doing a firewall change for a local town here was that even though I ran a ARP clearing command on the core device, it refused to do anything and I had to actually manually shutdown the customers gateway inteface in your core and bring it back up to get the old ARP table to clear. But this is something that is very very rare I imagine. Your ISP should be more than able to confirm that everything is ok on their end.

Sadly it is pretty hard to troubleshoot the situation when you dont have access and view to the devices during the problem situation. Especially after we have gone through some of the basic things already.

Naturally if this could be something software related for some reason then you could try some other software level next time.

- Jouni

Hi Jouni,

I just spoke with someone at our ISP.  They said that on our interface on their router, we have one VLAN that is configured for both of our Public IP subnets.  They then use layer 2 trunking to get it to a Cisco 2950 at our site.  We have one access port on that 2950 and it is configured for both subnets.

The lady I spoke with said that she thinks I need to add a route for each subnet through it's own gateway on the ASA.  She couldn't understand how it was currently working on our PIX with all of the traffic routed through the one subnets gateway.

Thank you!

Shelley