CISCO ASA 707-k8 NAT giving tough time

ahmad82pkn
Level 3

I have been working with ASA for the last 3 years, but this one made me mad.

It's a 5510 with base license.

Browsing not working.

nat (inside) 1 access-list permitall

global (outside) 1 58.65.x.x

and NAT not working.

Capture shows packets leaving outside, but they never come back in.

A few people suggested it might be an upstream ISP issue, but currently a PIX is connected with the same config to the ISP and working fine. I am just replicating the PIX config to the ASA and replacing the cable connections, and NAT/browsing don't work,

meaning something to do with this ASA. Any idea? Is there any known BUG in this IOS version? (though I can't find one on the internet)

Any suggestion would be helpful.

All I see in the capture is below, and this capture is placed with permit ip any any on both inside/outside interfaces.

Packet capture can't be shared, as this IOS doesn't support it.

53: 03:35:26.827471 10.1.3.12.4721 > 74.125.39.105.80: S 3722025514:3722025514(0) win 65535 <mss 1460,nop,nop,sackOK>
54: 03:35:32.843706 10.1.3.12.4721 > 74.125.39.105.80: S 3722025514:3722025514(0) win 65535 <mss 1460,nop,nop,sackOK>

Even if I do static 1-to-1 NAT, it doesn't help, no browsing :-s


mvsheik123
Level 7

Hello,

Please post the config. I am sure you have a 'permitall' ACL configured on the ASA.

Thx

MS

Hi MV,

here is the full config, and it's the same config that works on the PIX 515 but doesn't work on the ASA 5510

interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 57.67.177.89 255.255.255.248
!
interface Ethernet0/1
 description STATE Failover Interface
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.3.1 255.255.252.0
!
!
pager lines 24
logging enable
logging trap warnings
logging host inside 10.1.3.12
mtu outside 1500
mtu inside 1500
failover
failover link pristate Ethernet0/1
failover interface ip pristate 192.168.0.1 255.255.255.0 standby 192.168.0.2
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 2 57.67.177.90
nat (inside) 2 access-list lan_access_to_internet
access-list lan_access_to_internet extended permit ip 10.0.0.0 255.0.0.0 any
access-list permitall extended permit ip any any
access-group permitall in interface outside
route outside 0.0.0.0 0.0.0.0 57.67.177.93 1
route inside 10.6.1.0 255.255.255.0 10.1.3.2 1
route inside 10.5.1.0 255.255.255.0 10.1.3.2 1
route inside 10.4.1.0 255.255.255.0 10.1.3.2 1
route inside 10.3.1.0 255.255.255.0 10.1.3.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 1
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
: end

Hi Ahmad,

Pretty straightforward config. Have you tried removing the 'permitall' ACL from the outside interface (although ip any/any is allowed)? Secondly, the ISP router/gateway where the PIX/ASA is connected. Sometimes that needs a reboot when you move the connection from PIX to ASA.

hth

MS

Hi MS, you were right. I asked the guy on site to reboot whatever is connected in front of the ASA. When he connected it again, and you know what, there was a Cisco 5500 switch in front of it, and he rebooted it lolz. Though we could have cleared the ARP as well, but he is a layman, and my timing wasn't matching his to work in recent days,

and the issue is resolved, thank you very much for your help.

Thanks to Varun as well.

Hmm, point 1: yes, I did.

Your point two attracts me for some reason:

"Secondly, the ISP router/gateway where the PIX/ASA is connected. Sometimes that needs a reboot when you move the connection from PIX to ASA."

I will work on this. If that is the reason, I am going to hit my head on the table thrice for sure. I don't have an on-site tech at this time, but I will check this on Monday now and see if it works. Not sure what is in front of the ASA, a DSL? A router? lolz.

Will check, thanks for the hint, I need more hints. lolz.

Else my last plan is to upgrade the IOS on Monday, but now I have your option in mind to test first.

What else? Anyone else with some cool idea? Or maybe a dumb idea :( Sometimes things work this way :)

But, just a thought, do we really need to reboot the front-end device? Because as soon as I move the connections back to the PIX, the internet starts working. Though I will give it a shot.

On a side note, I can ping google etc. from the firewall fine, so it's NAT that is having some sort of issue.

Hi Ahmed,

What mvsheik said is correct. It's not only in the case of a PIX to ASA replacement, but even if you replace the ASA with another ASA, you might need to reboot the upstream device because the router or modem might still have the ARP entry for the old PIX device, so reloading the ISP device would create the correct ARP entry for your new ASA. I am not really sure about the stat, but by default on a router the ARP entry is refreshed after every 4 hours, so rebooting may resolve it.

Moreover, to verify it, apply captures:

access-list cap permit ip host 57.67.177.89 host 4.2.2.2

access-list cap permit ip host 4.2.2.2 host 57.67.177.89

cap capin access-list cap interface inside

Do a ping from the firewall:

ping 4.2.2.2 inside

Then check the captures:

show cap capin

See from where you are not getting the replies. If the router is not replying back, this might be the issue. This is no bug, but a very common issue.

Hope this helps

Thanks,
Varun Rao
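As an added illustration (not code from this thread or from Cisco), the following Python script parses lines in the show capture format quoted in the original post and reports flows that only ever leave the firewall, which is the "packets go out, nothing comes back" symptom both answers point at. The sample capture lines are constructed; the ASA commands above remain the way to collect real ones.

```python
import re
from collections import defaultdict

# Constructed sample in the "show capture" line format quoted in the original post:
# two SYN retransmits with no reply, plus one DNS query that does get answered.
SAMPLE_CAPTURE = """\
53: 03:35:26.827471 10.1.3.12.4721 > 74.125.39.105.80: S 3722025514:3722025514(0) win 65535 <mss 1460,nop,nop,sackOK>
54: 03:35:32.843706 10.1.3.12.4721 > 74.125.39.105.80: S 3722025514:3722025514(0) win 65535 <mss 1460,nop,nop,sackOK>
55: 03:35:33.101200 10.1.3.15.4800 > 4.2.2.2.53: udp 40
56: 03:35:33.140900 4.2.2.2.53 > 10.1.3.15.4800: udp 120
"""

# One packet line: "<n>: <hh:mm:ss.usec> <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)

def parse_capture(text):
    """Return one dict per packet line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def one_way_flows(text):
    """Return {(src, sport, dst, dport): packet_count} for every flow that only
    ever appears in one direction, i.e. nothing from the peer ever came back."""
    sent = defaultdict(int)      # packets seen in this direction
    answered = defaultdict(int)  # packets seen in the reverse direction
    for p in parse_capture(text):
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        sent[key] += 1
        # this packet counts as a reply for the flow going the other way
        answered[(p["dst"], p["dport"], p["src"], p["sport"])] += 1
    return {k: n for k, n in sent.items() if answered[k] == 0}

def syn_retransmits(text):
    """Per unanswered flow, count how many of its packets are TCP SYNs; repeated
    SYNs with no SYN-ACK is exactly the pattern in the thread's capture."""
    stuck = one_way_flows(text)
    out = {}
    for p in parse_capture(text):
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if key in stuck and p["rest"].startswith("S "):
            out[key] = out.get(key, 0) + 1
    return out
```

A flow reported by syn_retransmits on the outside capture but absent from the return direction points at the upstream device (stale ARP or missing route back), not at the NAT rule itself.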

Thank you, both of you, will give it a try.

Varun, your statement "This is no bug, but a very common issue." broke my heart. Looks like I need to study hard lolz. Actually I never had the chance to replace a firewall with an ASA or vice versa, always deployed a new firewall or managed an existing one. Learning, learning, learning, every day I learn something new. Loving it, "sometimes hate it" lolz.

Thanks for the update & rating.
