Thanks Jouni for the quick response...

Wish that were the answer... a sh run sysopt gives nothing... I added the no sysopt command and still no joy.

I had thought about calling the ISP however this ASA is a replacement of an PIX which I only just put into place. Under the PIX, that IP address responded.

Do you know what else could be causing this...?

Hi,

Well you can check the ASA configurations fast with the "packet-tracer" command

packet-tracer intput outside tcp 1.2.3.4 12345 x.x.x.218 3389

This would simulate a connection coming from behind "outside" interface from source address 1.2.3.4 with source port 12345 to your Static NAT IP address of the server.

This should tells us if the ASA configuration are fine for the most part.

If you have a host outside your network that can be used to test connectivity I would check if the ACL rule gets any hits

Also when testing configurations and frequently changing NAT configurations I would suggest using "clear xlate local " to clear any possible old NAT translations active on the firewall (they may remain even if the commands have been removed)

You can also use "show xlate | inc " to check the active translations for your host

- Jouni

Jouni,

OK..., packet tracer output shows allow on all points which is confusing

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

After the packet tracer there was 1 match on my outside access list... cleared the counters and tried to connect via an external IP... and 0 matches!!!

Have also cleared the xlate and still nothing...

Yes, the "packet-tracer" command generates hitcounts on the ACLs when used.

There shouldnt really be many possibilities why this would not work.

If indeed you have not disabled Proxy ARP on the "outside" (which seemed to be ok) and have cleared Xlates and allowed the traffic and the "packet-tracer" goes through then I cant see any other reasons other than the ISP.

Wonder if doing Trace Route from a Internet host towards both the ASA interface IP address and this extra IP used for the Static NAT would show up differently. This could perhaps provide some information if the ISP has indeed messed up something.

- Jouni

Hi Jouni,

Traceroute follows the same path up until the interface IP address and does not go any further, although I am not allowing ping/traceroute to the other IP addresses, only the outside interface IP...

Seems like it is routed to the right place from ISP point of view.

Any other suggestions? Really appreciate your help and quick repsonses on this.

Hi,

Just to be sure, would it be possible to see your ASAs whole configuration (with masked public IP addresses ofcourse)

To be able to go through them.

You can also use traffic capture on the ASA itself to confirm if ANY traffic is coming towards the extra public IP address

access-list CAPTURE permit ip any host x.x.x.218

access-list CAPTURE permit ip host x.x.x.218 any

capture CAPTURE type raw-data access-list CAPTURE interface outside buffer 1000000

Then test from the Internet and use the commands

show capture

and

show capture CAPTURE

To see if any traffic reaches your ASA. If not I cant think of anything else at the moment than ISP configurations or some device infront of the ASA causing problems.

- Jouni

Hey Jouni,

Packet capture gave me this output which didnt have any TCP 3389... but had some random UDP ports only?

   1: 21:54:55.108377 802.1Q vlan#2 P0 X.X.X.218.63420 > 208.67.222.222.53:  udp 44

   2: 21:54:58.751929 802.1Q vlan#2 P0 X.X.X.218.63420 > 208.67.220.220.53:  udp 44

   3: 21:54:59.492238 802.1Q vlan#2 P0 X.X.X.218.63976 > 208.67.222.222.53:  udp 45

   4: 21:55:02.807468 802.1Q vlan#2 P0 X.X.X.218.63207 > 216.239.34.10.53:  udp 55

   5: 21:55:02.807651 802.1Q vlan#2 P0 X.X.X.218.63976 > 208.67.220.220.53:  udp 45

   6: 21:55:06.863495 802.1Q vlan#2 P0 X.X.X.218.63414 > 199.253.183.183.53:  udp 56

   7: 21:55:24.599563 802.1Q vlan#2 P0 X.X.X.218.65039 > 208.67.222.222.53:  udp 42

Config is below:

ASA Version 8.2(5)

!

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 3

!

interface Ethernet0/2

description TO LAN

!

interface Ethernet0/3

description TO LAN

!

interface Ethernet0/4

description TO LAN

!

interface Ethernet0/5

description TO LAN

!

interface Ethernet0/6

description TO LAN

!

interface Ethernet0/7

description TO LAN

!

interface Vlan1

description TO LAN

nameif inside

security-level 100

ip address 10.1.12.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address X.X.X.217 255.255.255.248

!

interface Vlan3

shutdown

no forward interface Vlan2

nameif backup

security-level 0

ip address X.X.X.42 255.255.255.252

!

ftp mode passive

dns server-group DefaultDNS

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group icmp-type ICMP

description ICMP types permitted

icmp-object echo

icmp-object echo-reply

icmp-object unreachable

icmp-object time-exceeded

access-list OUTSIDE-IN remark TRAFFIC PERMITTED TO ENTER THE OUTSIDE INTERFACE

access-list OUTSIDE-IN extended permit tcp any host X.X.X.218 eq 3389

access-list OUTSIDE-IN extended permit icmp any interface outside object-group ICMP

access-list INSIDE-IN remark INSIDE ACCESS

access-list INSIDE-IN extended permit tcp any any

access-list INSIDE-IN extended permit ip any any

access-list INSIDE-IN extended permit icmp any any

access-list BACKUP-IN remark TRAFFIC PERMITTED TO ENTER THE BACKUP INTERFACE

access-list BACKUP-IN extended permit icmp any interface backup object-group ICMP

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu backup 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (backup) 1 interface

nat (inside) 0 access-list NO-NAT

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) X.X.X.218 10.1.12.10 netmask 255.255.255.255

access-group INSIDE-IN in interface inside

access-group OUTSIDE-IN in interface outside

access-group BACKUP-IN in interface backup

route outside 0.0.0.0 0.0.0.0 X.X.X.222 1 track 1

route backup 0.0.0.0 0.0.0.0 X.X.X.41 254

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 1

type echo protocol ipIcmpEcho X.X.X.X interface outside

num-packets 3

frequency 10

sla monitor schedule 1 life forever start-time now

!

track 1 rtr 1 reachability

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

Hi,

So we are only seeing the host using the Static NAT IP address is trying to do DNS querys but receives no reply.

I would still bet that some device in front of the ASA is causing this or the ISP has configured something wrong.

Sometimes when replacing the firewall it might be possible that the ISP still has an old ARP table marking for the IP address (Public IP -> PIX MAC address).

If the setting is at its default it would mean that it would take 4 hours to clear and after that update with the MAC of the new ASA (instead of the PIX MAC) Naturally you could test this with the PIX if it indeed had this Static NAT also.

Then again the interface IP address is functioning ok so I am not sure about that. The way a device might update the upsteam devices ARP is Gratuitous ARP. I am not sure if ASA does this.

- Jouni

Hi Jouni,

Still the same... I am going to give up on this for the time being as I cant be bothered trying to explain this to customer service at the ISP... will end up wasting more time. I have forwarded all RDP to the interface IP and all works there so there is no need at this point to continue. Whn in fact I need another IP from the /29, will chase up the ISP then...

Thanks very much for your help.

Ok,

Shame we couldnt get this to work.

Unless there is somekind of misstype/typo in the IP addresses then I dont know what the problem could have been on your side.

Maybe if you get this solved at some point with the ISP you could let us know that the problem was if it indeed was on the ISP side.

- Jouni