Multiple Public IP and No Joy

Atl_Gator
Level 1

I definitely appreciate the prior help.  Attached is my updated ASA 5505 (8.4[2]) config.

With this config, basically the "laptop" group works fine, but the leo and orion groups don't ever receive packets inbound.  No DNS, nothing.

The laptop is Windows, the other two are servers with two NICs.  The interface cards are Intel Pro/1000s.  I've been through everything including VLAN protocol conflicts and actually enabled the servers for 802.1(Q).

Anyway - I'm stumped ...

Anyone see anything obvious here?  Or can recommend a different piece of gear that can actually work in this scenario?

Accepted Solution

Hi,

There are two different things here:

The interface settings take the whole subnet mask, which would be 255.255.255.0.

Second, if you are creating an object network and specifying a single host, then the mask would be 255.255.255.255.

Thanks,

Varun

Thanks,
Varun Rao


19 Replies

varrao
Level 10

Hi,

If I understand the issue correctly, all these NAT statements are not working fine:

object network leo_in_1
 nat (inside,outside) static leo_out_1
object network leo_in_2
 nat (inside,outside) static leo_out_2
object network orion_in_1
 nat (inside,outside) static orion_out_1
object network orion_in_2
 nat (inside,outside) static orion_out_2
object network leo_in_cons
 nat (inside,outside) static leo_out_cons
object network orion_in_cons
 nat (inside,outside) static orion_out_cons

What I would like to know is, which is the "laptop group"?  Please make sure that all the machines have the correct default gateway and use the DNS server IP 4.2.2.2.

You are also using DHCP on the inside interface; I would request you to verify whether the machines are using the correct IP address as assigned by the firewall.

Thanks,

Varun


Hi Varun -

First off thank you very much for responding!  Yes, you are correct.  Those NAT statements are the issue.

I think I yanked the laptop group to simplify the config to isolate, but it was identical to the others.

As extra data points:

- The inside machines are all using 10.0.0.1 as the gateway and it is statically assigned, as is the ISP DNS server.

- The DHCP entry was just for the laptop and I agree it should be removed as all IPs are statically assigned.

- Inbound packets destined for inside interfaces seemed to not be going to the path where they were supposed to go.  They appeared to go to the laptop 10.0.0.99 which had identical NAT statements, or they just wouldn't show up anywhere at all.

I even got deep into packet tracing before finally giving up.  It showed leo_in_1 sending DNS calls out and not being answered, as well as ICMP calls (to gateway and to public IPs) being sent out but never answered.

Dug deep into the ARP tables for MAC issues; xlates all looked fine.  Curiously, in one of the Cisco troubleshooting guides it lists reverse order (putting the NAT on the outside interface object), so I had tried that as well.

Basically I can get one NAT-ted IP working, the laptop, but none of the Linux servers.  I could try some other devices.  Just a strange and frustrating issue.

Again - thanks so much for any hints of things to try.

Hi,

For testing purposes I would suggest that rather than working on so many machines together we take one machine at a time; let's work on the NAT statement:

object network leo_in_1
 nat (inside,outside) static leo_out_1

If this gets resolved, all others would also be resolved.

First of all, if all the machines are using static IPs, I would request you to remove these commands from the firewall:

dhcpd address 10.0.0.100-10.0.0.131 inside
dhcpd dns YYY.YYY.176.253 YYY.YYY.176.254 interface inside

On the leo_in_1 machine, the DNS server address should be 4.2.2.2.

Then, I would also request you to change the NAT statement to:

object network leo_in_1_test
 host 10.0.0.11
object network leo_out_1_test
 host YYY.YYY.184.150
nat (inside,outside) source static leo_in_1_test leo_out_1_test

Let me know if this works; if not, we would need to take captures on the firewall to troubleshoot it.

Thanks,

Varun


Thanks Varun.  Where are you getting the 4.2.2.2 for DNS?  That isn't some secret trick or something is it?

DNS servers are:

YYY.YYY.176.253 YYY.YYY.176.254

The inside gateway I was using was 10.0.0.1  I can remove DHCP.

I did do the isolation method, was able to isolate to get laptop working and then tried to get one server port working on a server.  I also tried the "separate NAT" method you show with no change for those devices.

I basically believe it is a NIC/ASA incompatibility, or this device doesn't actually support the number of public IPs we need, sort of an intentionally broken device that Cisco dumps on the market cheap (not a good branding idea in my view).

Before I put more hours in, can anyone verify the VLAN protocols for this device?  I couldn't find this information anywhere, but specifically:

- Does it support the 802.1Q VLAN standard or is it only Cisco ILS?

- My network cards are very nice server cards but they don't support Cisco ILS.

- Is Cisco ILS VLAN support required for NICs on a VLAN?

I do actually like the design/etc and the CLI. I can tell this would be a great device ... if it actually worked the way the videos and config information say it should.

Going to try one more thing ... the steps you say above, as well as put a switch on the servers and just use it for the NAT to try to isolate the NIC issue.  I don't want to unfairly criticize a piece of technology but after putting the same commands into the thing and re-writing them several dozen times just to see "if this is a way I can put the command in that it can work", even if there is some trick somewhere to make it work, I do personally have a higher bar for converting docs to reality.

I know I could open a support ticket, but that's what they want me to do, right?  I definitely don't want a vendor where there is insufficient publicly available or included product information to make the product work as it is supposed to.  Does it even support 6 public IPs and more than one NAT at all?  Can anyone verify they have gotten more than one public IP to work with this device?

I will try the suggestions you have, going to isolate the servers on a switch, I have two different ones to try, will remove DHCP, take another pass through remaking the config with only a server available, if all this fails ... to the junkyard it goes!

Deleted all of the related stuff, cleaned everything out, added a switch, reconnected the laptop, it basically just "works" perfectly with the laptop.

It's only the servers that are the issue.  Going to add in 4-5 more test devices on the switch and try natting to them to see how it goes.

Okay, I verified ... I connected multiple devices in the lab.  It seems only the first NAT rule works.  If I swap the order of the rules then the top one starts working and the follow-on ones don't work.

Can anyone verify for me that they actually got more than one IP on the outside interface working ever before?

Hi,

You need to verify whether the objects used in the NAT statements are sort of a superset, or there are any conflicting subnets that stop the communication for the other NAT statements.  Are you talking about these same NAT statements?

object network leo_in_1
 nat (inside,outside) static leo_out_1
object network leo_in_2
 nat (inside,outside) static leo_out_2
object network orion_in_1
 nat (inside,outside) static orion_out_1
object network orion_in_2
 nat (inside,outside) static orion_out_2
object network leo_in_cons
 nat (inside,outside) static leo_out_cons
object network orion_in_cons
 nat (inside,outside) static orion_out_cons

Thanks,

Varun


Definitely no conflicts.  I did as you said with the split nat rule above and it worked the same as the object-linked rule.

Basically the situation I have now in the lab is:

192.168.1.30 -> 10.0.0.99

192.168.1.31 -> 10.0.0.30

These are different test devices, and these are the only two rules.  On the NAT display in the ASDM, whichever rule is first works perfectly; the second rule doesn't work (the packets don't even seem to make it into the outside interface with external testing).

Now, the 192.168.1.* IPs are defined on mask 255.255.255.0, as are the 10.0.0.* ones on a 255.255.255.0 mask.

But the only place to specify things is for the Host and for the end points.  Should I actually try to put in 255.255.255.255 for the subnet mask on the objects themselves?

The screwy thing here is that -ONLY- the first rule works.  If I swap the two NAT rules in ASDM then the other rule works and the first one stops working.  I cleared all NAT from the config and typed exactly the commands you had above (for these two cases).  It really just seems like the ASA only allows one NAT entry for a public IP on the outside.

Anyway - at least this is some progress and the issue is more deterministic, LOL.

On a quick Google, the Internet is littered with these questions: "does ASA 5505 support more than one public IP?".

Looks like it's not just me.  Can anyone figure out if this is the case?  That the device basically just doesn't work properly with more than one public IP, to sort of put me out of my misery so I can get us migrated?

Here are the -exact- NAT rules.

>show run nat
nat (inside,outside) source static laptop_in_test laptop_out_test
nat (inside,outside) source static hegel_in_test hegel_out_test

And the objects are both hosts with these IPs:

laptop_out_test  192.168.1.30
hegel_out_test   192.168.1.31
laptop_in_test   10.0.0.99
hegel_in_test    10.0.0.30

-----

If I use the ASDM to swap the NAT rules, whichever rule is the first one is the only one that works.  If I swap them, then the other starts working ...

At least the issue here is more narrowed.  I really just want to know if it is some intentional crippling in the device that isn't advertised that cost me 1.5 weeks of time.

Hi,

Yes, I haven't had a look at the ASDM, but through CLI as well, if you create an object network and specify it to be a host, it takes the subnet mask as 255.255.255.255 for the host.

object network test
 host 192.168.1.1

So if you are specifying a single host under an object, it needs to be 255.255.255.255.

Thanks,

Varun


Hmmm... that could be it?  Where do I specify the 255.255.255.255?

Does that go on the outside interface?

No no no, specifying 255.255.255.255 means this particular host only; it's not the mask of the whole network to which the IP belongs, it's used to specify a single host.

Specifying 255.255.255.0 means all the IPs from:

192.168.1.0 - 192.168.1.254

But you only want to specify one host, so use 255.255.255.255.

Thanks,

Varun


Where do I put the 255.255.255.255 to limit it to just the one host?
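An added example (not from this thread or from Cisco) that works through Varun's two points together: a host object is a /32, and a later manual NAT rule whose real source is already covered by an earlier rule's source never matches. It parses constructed object/NAT snippets written in the thread's style and reports such shadowed rules; the addresses, and the assumption that the inside objects had been entered with a 255.255.255.0 mask, are hypothetical.

```python
import ipaddress
import re
# Constructed snippets in the thread's style (hypothetical addresses).
# In BROKEN the inside objects were entered with a 255.255.255.0 mask,
# so the first manual NAT rule already covers every inside host.
BROKEN = """
object network laptop_in_test
 subnet 10.0.0.0 255.255.255.0
object network laptop_out_test
 host 192.168.1.30
object network hegel_in_test
 subnet 10.0.0.0 255.255.255.0
object network hegel_out_test
 host 192.168.1.31
nat (inside,outside) source static laptop_in_test laptop_out_test
nat (inside,outside) source static hegel_in_test hegel_out_test
"""
# FIXED uses 'host', which the ASA treats as a /32 (255.255.255.255).
FIXED = BROKEN.replace("subnet 10.0.0.0 255.255.255.0", "host 10.0.0.99", 1)
FIXED = FIXED.replace("subnet 10.0.0.0 255.255.255.0", "host 10.0.0.30", 1)

def parse_objects(cfg):
    """Map object names to ip_network objects; 'host' implies a /32."""
    objects, current = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
        elif current and line.startswith("host "):
            objects[current] = ipaddress.ip_network(line.split()[1] + "/32")
        elif current and line.startswith("subnet "):
            _, net, mask = line.split()
            objects[current] = ipaddress.ip_network(f"{net}/{mask}")
    return objects

def parse_nat(cfg):
    """Return (real_source, mapped_source) names in configured order."""
    return re.findall(r"nat \(\S+\) source static (\S+) (\S+)", cfg)

def shadowed_rules(cfg):
    """Pairs (rule_src, earlier_src) where an earlier rule already covers rule_src."""
    objs, rules = parse_objects(cfg), parse_nat(cfg)
    findings = []
    for i, (src, _) in enumerate(rules):
        for prev, _ in rules[:i]:
            if objs[src].subnet_of(objs[prev]):
                findings.append((src, prev))
                break
    return findings
```

Running shadowed_rules(BROKEN) flags hegel_in_test as covered by laptop_in_test, which reproduces the "only the first rule works" symptom; with the host objects in FIXED it reports nothing.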
