Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
554
Views
1
Helpful
7
Replies

Issue - Cisco ASA can't communicate between Private and Public Network

Netty
Level 1
Level 1

‎06-03-2023 07:29 PM

Hi There,

I got an issue after migrating the firewall from Cisco ASA 5545 to 5525.

1 of 20 tenants can't communicate to Public Network but can still communicate between Private Network,

but the Public Interface (Gi0/0.5) can ping to the Public Network.

interface GigabitEthernet0/0.5
mac-address 0200.0005.1d00 standby 0200.0005.1d01
nameif INTERNET
security-level 0
ip address 27.254.23.xx 255.255.255.128 standby 27.254.23.xx
!
interface GigabitEthernet0/2.224
nameif IN-01
security-level 30
ip address 10.10.124.xx 255.255.255.224 standby 10.10.124.xx
!
interface GigabitEthernet0/4.123
nameif OUT-01
security-level 0
ip address 10.10.124.xx 255.255.255.224 standby 10.10.124.xx

So, what is pointed to is the NAT table issue.

Did you guy heard about the bug related to NAT table or the issue like this before?

Thank you,

Net

 

7 Replies 7

MHM Cisco World
VIP
VIP

‎06-04-2023 12:54 AM

you have two interface OUT-01 and INTERNET 
which one you use in 
NAT and Routing traffic ?

0 Helpful

Netty
Level 1
Level 1
In response to MHM Cisco World

‎06-04-2023 05:36 PM

I am using NAT for the INTERNET interface
and static routing for OUT-01

0 Helpful

MHM Cisco World
VIP
VIP
In response to Netty

‎06-04-2023 11:50 PM

sorry again 
your Host connect to IN-01 and need to access internet what Interface is egress of traffic ?
are this interface is config with NATing ?

0 Helpful

Netty
Level 1
Level 1
In response to MHM Cisco World

‎06-10-2023 09:04 AM

The host behind the IN-01 interface will access the internet through the INTERNET interface.

0 Helpful

MHM Cisco World
VIP
VIP
In response to Netty

‎06-11-2023 06:26 PM

you have default route toward the INTER link and you have NATing to NAT private to public IP 
NOW for OUTside we need statice route to forward traffic via this interface and we need in router or L3SW connect to FW static route also toward the ASA for subnet connect to INside 

you have missing one of route either in ASA or in R/L3SW connect to ASA
Screenshot (789).png

0 Helpful

Netty
Level 1
Level 1

‎06-11-2023 09:43 PM - edited ‎06-11-2023 09:46 PM

Hi Guy
I am sorry for the unclear information.

The problem is the VM behind the private subnet (R3) can't reach the internet (8.8.8.8 behind R1 router)
but able to reach the VM behind another subnet interface with in the firewall.

and the INTER interface on the firewall itself can reach the 8.8.8.8 (behind the 1.1.1.1 or R1 Router in your picture)

Commonly, the issue like this we always point to the NAT configuration, am I correct?

But as I checked, the NAT configuration on the existing firewall and new firewall is totally the same.
So, Did you guy used to facing the problem like this ?

IOS version : 9.14(4)7 on both existing and new firewall

 

0 Helpful

MHM Cisco World
VIP
VIP
In response to Netty

‎06-14-2023 05:37 AM

Yes it point to NAT 
can you do packet tracer for this traffic and share the result here 
NOTE:- please add detail keyword to packet tracer 
Thanks 
MHM

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card