01-15-2015 12:06 PM - edited 03-11-2019 10:21 PM
Hi all,
Today I migrated a Pix 515e to an ASA5510 8.2, the issue started on
What I did was replace the IP address from the outside interface with a different IP (example original IP 177
Can anyone explain what the issue could be?
Thanks
01-15-2015 01:24 PM
Hi there,
You stated that you were connecting from outside to your internal servers on this IP 177.x.x.151.
If you have not changed the static-nat rule from this IP address (177.x.x.151) to something else, and I assume you left the outside-in ACL entry for IP 177.x.x.151 in place as well, that is why it is still working for you. Your ISP routes both public IP addresses to your circuit.
Hope this answers your question.
Thanks
Rizwan Rafeek.
01-15-2015 03:19 PM
Hello rizwanr74,
Sorry, but when I did the IP changes I did them in the Pix not in the ASA. Now I have to put back the ASA to replace
Regards
01-15-2015 04:23 PM
Are the IPs from the same subnet as the outside interface IP ?
When you reverted back did you try to access the servers before you changed the outside IP address ?
Edit - in addition when you had either firewall in place was there traffic going from inside to outside eg. internal clients accessing the internet ?
If so do you NAT those internal IPs to the outside interface IP address ?
Jon
01-15-2015 04:54 PM
Hello Jon,
The outside interface 177
!
Before
In this firewall I have L2l
thanks.
01-15-2015 05:13 PM
This sounds a lot like an arp cache issue although the fact when you switched back they still didn't work doesn't quite fit.
Basically when you have static NATs the firewall uses proxy arp.
So the IPs are all in the same subnet and an IP from this subnet is also on the upstream device ie. either your or the ISP router.
When the upstream router asks for the mac address for one of those IPs your firewall responds with its outside interface mac address so the router will forward the packets to the firewall.
The router will keep a record of this mac to IP mapping in its arp cache. When you switched over to the ASA obviously that has a different mac address on the outside interface but the router doesn't know this.
Until the router times out the arp entries it will be sending packets to those IPs with the wrong mac address.
The reason you could get to the outside interface IP is because traffic is coming from inside to outside and I'm assuming you NAT internal client IPs to the outside interface IP so this would automatically update the router's arp cache.
But obviously that wouldn't happen for the static NAT IPs because the traffic is coming from outside to inside.
The only thing that doesn't fit with this is why when you switched back you had to change the IP before the static NATs started working again because the router would have the right entries.
So either I'm missing something obvious (it's a bit late here and I'm tired :-)), or this isn't the issue.
The solution is to either do this out of hours ie. after everyone has left and then hopefully the entries on the upstream router will have timed out by the morning or -
a) if you control the router clear the arp cache
b) if you don't you need to liaise with the ISP
Like I say, it may not be the issue but it does sound the most likely reason.
Jon
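The stale-ARP behaviour Jon describes, as an added simulation that is not part of the original thread: the upstream router keeps the old firewall's MAC for the proxy-ARP'd static NAT addresses, while inside-to-outside traffic refreshes only the interface IP's entry. IPs, MACs (IANA documentation ranges) and the ARP age-out value are constructed placeholders.

```python
"""Model of an upstream router ARP cache across a PIX -> ASA cutover (constructed)."""
from dataclasses import dataclass, field

ARP_TIMEOUT = 4 * 3600  # assumed age-out in seconds; real routers vary

@dataclass
class Firewall:
    mac: str
    interface_ip: str
    static_nat_ips: set  # addresses the firewall answers proxy ARP for

    def owns(self, ip):
        return ip == self.interface_ip or ip in self.static_nat_ips

@dataclass
class UpstreamRouter:
    cache: dict = field(default_factory=dict)  # ip -> (mac, learned_at)

    def next_hop_mac(self, ip, firewall, now):
        """Use a fresh cache entry; otherwise ARP and accept the proxy reply."""
        entry = self.cache.get(ip)
        if entry and now - entry[1] < ARP_TIMEOUT:
            return entry[0]
        if firewall.owns(ip):
            self.cache[ip] = (firewall.mac, now)
            return firewall.mac
        return None

    def learn_from_outbound(self, src_ip, src_mac, now):
        """Inside->outside packets refresh the entry for their (NATed) source IP only."""
        self.cache[src_ip] = (src_mac, now)

def simulate_cutover(clear_arp=False, wait=60):
    """Return {ip: reachable} for traffic arriving from the Internet after cutover."""
    nat_ips = {"203.0.113.151", "203.0.113.154"}
    pix = Firewall("00:00:5e:00:53:01", "203.0.113.150", nat_ips)
    asa = Firewall("00:00:5e:00:53:02", "203.0.113.150", nat_ips)
    router = UpstreamRouter()
    t = 0
    for ip in [pix.interface_ip, *nat_ips]:       # PIX in service: router learns all
        router.next_hop_mac(ip, pix, t)
    t += wait                                      # swap in the ASA
    if clear_arp:
        router.cache.clear()                       # option a) from the post
    router.learn_from_outbound(asa.interface_ip, asa.mac, t)  # clients browsing out
    return {ip: router.next_hop_mac(ip, asa, t) == asa.mac
            for ip in [asa.interface_ip, *nat_ips]}

if __name__ == "__main__":
    print(simulate_cutover())                      # interface IP ok, static NATs stale
    print(simulate_cutover(clear_arp=True))        # all reachable
```

Running it without `clear_arp` reproduces the symptom (interface IP reachable, static NAT IPs not), and either clearing the cache or waiting past `ARP_TIMEOUT` restores them.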
01-15-2015 05:27 PM
Jon,
When I switched back the IPs it was working.
154 -->151 started working.
151 -->154 kept working.
But for your statements I think you are on the right path and this will be
Regards.
01-16-2015 08:03 AM
If your ISP routes the traffic destined to .154 to your circuit as it appears to be and your firewall has a permit entry for .154 only then it will work.
If you are concerned .154 traffic is coming in, then remove the permit line, that should fix up your issue.
thanks
Rizwan Rafeek.