cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
853
Views
1
Helpful
8
Replies

NAT not working when the Public IP isnt in the same subnet as WAN IP

Cisco3105
Level 1
Level 1

My WAN IP address is 72.X.X.X and the public IP addresses provided by the ISP is 200.X.X.X subnet

My secondary ISP WAN IP is 33.X.X.X and the public IP addresses are in the same subnet

There is a web server in the DMZ, which does not work when I set the IP from the 200.X.X.X but works fine if I set the IP from 33.X.X.X

NAT for both ISP exists.

How do I ensure that the website will load if I switch the IP to 200.X.X.X?

1 Accepted Solution

Accepted Solutions

If 200.x.x.x is route via primary then 

In nat dont check nat route lookup

The egress interface is done via NAT and that we dont want to. 

Also you access server the return back traffic how it route? I think you have asymmetric traffic' ftd drop asymmetric traffic.

Can you confirm defualt route via which isp primary or backup?

View solution in original post

8 Replies 8

There are two ways to solve this:

1) Let your ISP route the 200 subnet to your firewalls IP. This is the better solution but only works when no other device on this subnet uses IPs from this pool.

2) Push "arp permit-nonconnected" to the firewall with flex-config.

Hello @Karsten Iwen 

The ISP is routing the 200 subnet to the firewall. I ti was working on the ASA but not in FTD

I added "arp permit-nonconnected" but that didnt help

In this case the "arp ..." is not needed, and it should work out of the box. I assume you somehow messed up your NAT and/or your access control. What does packet-tracer tell you about the desired traffic?

If 200.x.x.x is route via primary then 

In nat dont check nat route lookup

The egress interface is done via NAT and that we dont want to. 

Also you access server the return back traffic how it route? I think you have asymmetric traffic' ftd drop asymmetric traffic.

Can you confirm defualt route via which isp primary or backup?

How the web server NAT rule looks like? do you have proxy ARP enabled?

Hello @Aref Alsouqi 

Do not proxy ARP on Destination Interface is not checked

If it's not checked it means proxy ARP is enabled. Please share the NAT rule you created for review.

Auto Nat Rule
Static
Source Interface Objects - DMZ
Destination Interface Objects - ISP
Original source - private IP address
Translated source - ISP provided address in 200.X.X.X range

 

Review Cisco Networking for a $25 gift card