NAT issue

opnineopnine
Level 1

Hi all,

Today I migrated a PIX 515E to an ASA 5510 running 8.2. The issue started with the NATed IPs to the outside: the only IP that was reachable from the outside was the IP on the outside interface.

What I did was replace the IP address on the outside interface with a different IP (for example, original IP 177.x.x.154 replaced with 177.x.x.151). After I made this change, the NATed IPs started to work and I could connect from the outside to my internal servers. I then changed the IP back to the original, and everything keeps working.

Can anyone explain what the issue could be?

Thanks.

7 Replies

rizwanr74
Level 7

Hi there,

You stated that you were connecting from outside to your internal servers on this IP, 177.x.x.151.

If you have not changed the static NAT rule for this IP address (177.x.x.151) to something else, and I assume you also left the outside-in ACL entry for 177.x.x.151 in place, that is why it is still working for you. Your ISP routes both public IP addresses to your circuit.

Hope this answers your question.

Thanks

Rizwan Rafeek.

Hello rizwanr74,

Sorry, but when I made the IP changes I made them on the PIX, not on the ASA. Now I have to put the ASA back in place of the PIX, but I'm still concerned about the issue I had.

Regards

Are the IPs in the same subnet as the outside interface IP?

When you reverted, did you try to access the servers before you changed the outside IP address?

Edit - in addition, when you had either firewall in place, was there traffic going from inside to outside, e.g. internal clients accessing the internet?

If so, do you NAT those internal IPs to the outside interface IP address?

Jon

Hello Jon,

The outside interface is 177.x.x.154 255.255.255.240; I changed this to a .152 IP address.

My static NATs (this is an example of one of them):

static (inside,outside) tcp 177.x.x.152 8020 192.168.100.20 www netmask 255.255.255.255
!

Before I changed the IPs there was no access via the NATs; after I changed from .154 to .152 the static NATs started to work, and when I changed back to my outside IP of .154 they still worked.

On this firewall I have L2L VPN and remote VPN; I tested them and they were working with no issues (connection, access to the customer intranet, mail). The only thing that stopped working was the NAT.

Thanks.

This sounds a lot like an ARP cache issue, although the fact that when you switched back they still didn't work doesn't quite fit.

Basically, when you have static NATs the firewall uses proxy ARP.

So the IPs are all in the same subnet, and an IP from this subnet is also on the upstream device, i.e. either your router or the ISP's.

When the upstream router asks for the MAC address of one of those IPs, your firewall responds with its outside interface MAC address, so the router will forward the packets to the firewall.

The router keeps a record of this MAC-to-IP mapping in its ARP cache. When you switched over to the ASA, obviously that has a different MAC address on the outside interface, but the router doesn't know this.

Until the router times out the ARP entries, it will be sending packets to those IPs with the wrong MAC address.

The reason you could get to the outside interface IP is because traffic is going from inside to outside, and I'm assuming you NAT internal client IPs to the outside interface IP, so this would automatically update the router's ARP cache.

But obviously that wouldn't happen for the static NAT IPs, because the traffic is coming from outside to inside.

The only thing that doesn't fit with this is why, when you switched back, you had to change the IP before the static NATs started working again, because the router would have had the right entries.

So either I'm missing something obvious (it's a bit late here and I'm tired :-)), or this isn't the issue.

The solution is either to do this out of hours, i.e. after everyone has left, and then hopefully the entries on the upstream router will have timed out by the morning, or:

a) if you control the router, clear the ARP cache

b) if you don't, you need to liaise with the ISP

Like I say, it may not be the issue, but it does sound the most likely reason.

Jon
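To make the proxy-ARP / stale-cache explanation above concrete, here is an added example that is not code from the thread or from Cisco. It models the upstream router's ARP cache and a firewall that proxy-ARPs for its outside IP and its static-NAT globals, then replays the cutover: the new firewall's first outbound flow refreshes only the entry for the interface IP, so inbound traffic to the NAT globals keeps going to the old MAC. It assumes the router follows the RFC 826 merge rule (refresh a known sender on any ARP request it sees) and the IOS default four-hour ARP aging; the .145 gateway, the second NAT global .151 and the documentation-range MACs are made up. It also replays the .154 -> .152 -> .154 re-addressing the poster describes, under the assumption that the ASA ARPs for its gateway from whatever address its outside interface currently has.

```python
"""Stale-ARP model: why static-NAT globals go dark after a firewall swap while
the outside interface IP keeps working.  Constructed example; the router rules
(IOS default 4h aging, RFC 826 merge), the .145 gateway, the .151 NAT global and
the MACs are assumptions, not facts from the thread."""
from dataclasses import dataclass

ARP_TIMEOUT = 14400                          # seconds; IOS default "arp timeout"
T_SWAP = 3600                                # the ASA replaces the PIX at this time
ROUTER_IP = "177.x.x.145"                    # hypothetical upstream gateway
OUTSIDE_IP = "177.x.x.154"                   # outside interface IP from the thread
NAT_IPS = {"177.x.x.152", "177.x.x.151"}     # static NAT globals (.151 is made up)
ALL_IPS = NAT_IPS | {OUTSIDE_IP}
PIX_MAC, ASA_MAC = "00:00:5e:00:53:01", "00:00:5e:00:53:02"  # RFC 7042 doc range


@dataclass
class ArpRequest:
    sender_ip: str
    sender_mac: str
    target_ip: str


class Firewall:
    """PIX/ASA that proxy-ARPs for its interface IP and its static-NAT globals."""

    def __init__(self, mac, outside_ip, nat_ips):
        self.mac, self.outside_ip, self.nat_ips = mac, outside_ip, set(nat_ips)

    def proxy_arp_reply(self, target_ip):
        return self.mac if target_ip == self.outside_ip or target_ip in self.nat_ips else None

    def arp_for_gateway(self, gateway_ip):
        # An outbound flow resolves the next hop; the sender is the *interface* IP only.
        return ArpRequest(self.outside_ip, self.mac, gateway_ip)

    def gratuitous_arps(self):
        # sender == target: announce a mapping for every address this box owns.
        return [ArpRequest(ip, self.mac, ip) for ip in self.nat_ips | {self.outside_ip}]


class RouterArpCache:
    """Upstream router ARP table: ip -> (mac, learned_at)."""

    def __init__(self, my_ip):
        self.my_ip, self.table = my_ip, {}

    def receive_request(self, req, now):
        # RFC 826 merge: refresh a known sender; add an unknown one only if it asked for us.
        if req.sender_ip in self.table or req.target_ip == self.my_ip:
            self.table[req.sender_ip] = (req.sender_mac, now)

    def resolve(self, ip, now, firewall):
        """MAC the router puts on a frame to ip; it re-ARPs only once the entry ages out."""
        entry = self.table.get(ip)
        if entry and now - entry[1] < ARP_TIMEOUT:
            return entry[0]                          # cached, possibly stale
        mac = firewall.proxy_arp_reply(ip)           # broadcast; the live firewall answers
        if mac:
            self.table[ip] = (mac, now)
        return mac


def reachability(cache, fw, now):
    """ip -> True when an inbound packet to ip reaches the firewall now in service."""
    return {ip: cache.resolve(ip, now, fw) == fw.mac for ip in sorted(ALL_IPS)}


def stale_state():
    """Cache just after cutover: PIX entries for everything, then the ASA's first
    outbound flow (internal clients browsing) refreshes only the .154 entry."""
    cache, pix = RouterArpCache(ROUTER_IP), Firewall(PIX_MAC, OUTSIDE_IP, NAT_IPS)
    for ip in ALL_IPS:
        cache.resolve(ip, 0, pix)
    asa = Firewall(ASA_MAC, OUTSIDE_IP, NAT_IPS)
    cache.receive_request(asa.arp_for_gateway(ROUTER_IP), T_SWAP)
    return cache, asa


def after_swap():
    cache, asa = stale_state()
    return reachability(cache, asa, T_SWAP)


def after_readdress(temp_ip="177.x.x.152"):
    # What the poster stumbled into: moving the outside IP onto a NAT global makes
    # the ASA ARP from that address, refreshing exactly that one stale entry.
    cache, asa = stale_state()
    asa.outside_ip = temp_ip
    cache.receive_request(asa.arp_for_gateway(ROUTER_IP), T_SWAP + 60)
    asa.outside_ip = OUTSIDE_IP
    cache.receive_request(asa.arp_for_gateway(ROUTER_IP), T_SWAP + 120)
    return reachability(cache, asa, T_SWAP + 120)


def after_gratuitous_arp():
    # Fix from the firewall side: announce every owned address right after cutover.
    cache, asa = stale_state()
    for req in asa.gratuitous_arps():
        cache.receive_request(req, T_SWAP + 1)
    return reachability(cache, asa, T_SWAP + 1)


def after_clear_arp():
    # Fix from the router side (option a above): flush the cache so it re-ARPs.
    cache, asa = stale_state()
    cache.table.clear()
    return reachability(cache, asa, T_SWAP + 1)


def after_timeout():
    # Do nothing: the PIX-era entries age out and the next ARP is answered by the ASA.
    cache, asa = stale_state()
    return reachability(cache, asa, ARP_TIMEOUT)
```

Calling `after_swap()` gives `{'177.x.x.151': False, '177.x.x.152': False, '177.x.x.154': True}`, the symptom in the first post. In this model the re-addressing trick refreshes only the NAT global the interface was temporarily moved to, so for a planned cutover the deliberate remedies (gratuitous ARP for every global from the new firewall, or clearing the upstream router's ARP cache) are the ones to rely on rather than waiting for the aging timer.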

Jon,

When I switched the IPs back it was working.

154 --> 151: started working.
151 --> 154: kept working.

But from your statements I think you are on the right path and this will be an ARP cache issue.

Regards.

If your ISP routes the traffic destined to .154 to your circuit, as it appears to, and your firewall has a permit entry for .154 only, then it will work.

If you are concerned that .154 traffic is coming in, then remove the permit line; that should fix your issue.

Thanks

Rizwan Rafeek.
