09-06-2010 12:38 AM - edited 03-11-2019 11:35 AM
Hi all,
I recently upgraded a router to an ASA 5505. I did a static NAT for a particular private IP address to a public IP as below.
static (inside,outside) public_ip private_ip netmask 255.255.255.255
However, when this is done, this particular server cannot access the internet. My firewall does not restrict outgoing traffic. If I remove this static NAT, the server will go through PAT and it will be able to access the internet. I used the packet tracer in ASDM to test my outgoing traffic for this particular server and it shows my config is fine. Before the upgrade everything was working fine, including NAT for this particular server. Please advise what may be missing. Thanks in advance.
09-06-2010 12:41 AM
I would suggest that after you change it to a static statement, please perform "clear xlate" and "clear arp". Also check on the next hop router that the public IP address has the ASA outside interface MAC address as the ARP entry.
Hope that helps.
09-06-2010 01:08 AM
Hi Halijenn,
Did that, but the problem still persists.
09-06-2010 01:12 AM
Hello,
Do you see any hit counts increasing on the outside interface for the
access-list corresponding to the server?
Regards,
NT
09-06-2010 04:41 AM
Hi,
There are no hit counts for this particular server. I can see hit counts for my clients that access the internet via PAT.
09-06-2010 05:14 AM
If there is no hit count, that means that the traffic is not even coming towards the ASA. I would suggest that you check the next hop router for the ARP entry. Either clear the ARP cache on the next hop router, or try reloading the router and check again if that works.
Also, assuming that the public IP address is in the same subnet as the ASA outside interface, and it is not being used by another device.
09-06-2010 06:55 AM
Hello,
Can you access the server from internet? If that is also not possible, as
halijenn said, reboot the router. That should clear out all the ARP entries
on the ISP router and should build a new ARP cache. If that still did not
work, that means your ISP is not sending packets destined to that IP to your
ASA. Please talk to them and see what is happening on their end.
Note: Also make sure that you have enabled proxy-arp on your outside
interface.
Regards,
NT
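The two checks suggested in this thread (the mapped address sits in the ASA outside subnet, and the next-hop router's ARP entry for it carries the ASA outside MAC) can be scripted. The following is an added example, not code from any poster: the addresses, MACs and `show ip arp` text are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of IOS "show ip arp" output from the next-hop router.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.1             -   0000.5e00.5301  ARPA   FastEthernet0/0
Internet  203.0.113.2             3   0000.5e00.53aa  ARPA   FastEthernet0/0
Internet  203.0.113.10           41   0000.5e00.53bb  ARPA   FastEthernet0/0
"""

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_arp(text):
    """Return {ip: mac} from 'show ip arp' text, skipping header and Incomplete rows."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "Internet":
            try:
                table[str(ipaddress.ip_address(f[1]))] = norm_mac(f[3])
            except ValueError:
                continue  # e.g. "Incomplete" in the hardware address column
    return table

def check_static_nat(arp_text, mapped_ip, outside_if, asa_mac):
    """Classify the upstream ARP state for a static NAT mapped address."""
    iface = ipaddress.ip_interface(outside_if)  # e.g. "203.0.113.2/28"
    if ipaddress.ip_address(mapped_ip) not in iface.network:
        return "off-subnet"  # not on the outside subnet; upstream must route it
    seen = parse_arp(arp_text).get(mapped_ip)
    if seen is None:
        return "no-entry"    # nothing has answered ARP for the mapped address
    if seen != norm_mac(asa_mac):
        return "stale"       # entry points at another device, e.g. the old router
    return "ok"

if __name__ == "__main__":
    # Assumed values: ASA outside is 203.0.113.2/28 with MAC 0000.5e00.53aa.
    print(check_static_nat(SAMPLE_ARP, "203.0.113.10", "203.0.113.2/28", "00:00:5e:00:53:aa"))
```

A result of `stale` corresponds to the case where clearing the ARP cache on the next-hop router is the fix; `no-entry` points toward proxy ARP on the outside interface or the ISP side.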