04-04-2018 08:22 PM - edited 02-21-2020 07:36 AM
Greetings,
The topology is a MPLS network. NAT is done on the edge network-based firewall before the traffic goes to the Internet. Each remote site on the MPLS has its own router. The site in question also has an ASA 5510 that sits behind the router (mainly to allow VPN connections). We just acquired this network and found a few issues. I believe the main issue is the ASA 5510 is also trying to do some sort of NAT as well. I constantly see errors in the logs like this:
%ASA-4-419002: Received duplicate TCP SYN from
%ASA-4-313005: No matching connection for ICMP error message:
I can't ping the inside interface of the ASA unless I'm on the same subnet. Also, the realtime log doesn't appear to be showing my ICMP attempts? The location does have a few static NAT devices facing the public, but those translations are done on the edge NBFW. Here is the current NAT config:
nat (inside,Outside) source static any any no-proxy-arp route-lookup
I think that I need to 'disable NAT' on the 5510, but I'm unsure of exactly what needs to be done. Any help would be greatly appreciated.
Thanks
04-04-2018 09:53 PM
04-04-2018 10:27 PM
04-07-2018 06:36 AM
Anyone have any ideas? Thanks.
04-07-2018 11:16 AM
04-09-2018 03:16 AM
Run the packet tracer tool on the ASA and simulate the traffic. This will quickly tell you what is blocking and what NAT is being applied.
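As an added illustration (not part of the thread, not the poster's configuration), here is the kind of session the reply above is pointing at: show the NAT table with hit counters, then run packet-tracer for a TCP flow and for the ICMP echo the poster could not see in the log. The interface names come from the rule quoted in the question (inside, Outside); the host addresses 10.10.20.5 and 198.51.100.10 and the counter values are constructed, the output is abbreviated, and lines beginning with "!" are annotations rather than ASA commands.

```text
! 1. List every NAT rule with its hit counts. The rule from the question is a
!    manual (twice) NAT entry; "source static any any" is an identity rule,
!    so translate_hits shows flows that matched it without changing addresses.
ciscoasa# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (Outside) source static any any   no-proxy-arp route-lookup
    translate_hits = 1834, untranslate_hits = 1921
    Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0

! 2. Simulate an inside host opening TCP/443 to an Internet host. The NAT
!    phase prints the exact rule applied and the resulting translation; an
!    identity rule translates the address to itself, as shown.
ciscoasa# packet-tracer input inside tcp 10.10.20.5 40000 198.51.100.10 443 detailed
...
Phase: NAT
Type: NAT
Result: ALLOW
Config:
nat (inside,Outside) source static any any no-proxy-arp route-lookup
Additional Information:
Static translate 10.10.20.5/40000 to 10.10.20.5/40000
...
Result:
input-interface: inside
output-interface: Outside
Action: allow

! 3. Repeat for an ICMP echo request (type 8, code 0). If a phase ends in
!    "Action: drop", its "Drop-reason" line names the check that failed.
ciscoasa# packet-tracer input inside icmp 10.10.20.5 8 0 198.51.100.10 detailed

! 4. Before blaming NAT for the unreachable inside interface, confirm the ASA
!    has a route back to the remote inside subnet (constructed prefix).
ciscoasa# show route | include 10.10.20.0

! 5. Pull the two syslog IDs from the question out of the buffer to see which
!    addresses and interfaces they actually name.
ciscoasa# show logging | include 419002|313005
```

Two things this session makes visible that the thread only hints at. First, `source static any any` does not rewrite addresses, so if the edge firewall is the only device that should NAT, the packet-tracer NAT phase should show the source translated to itself, exactly as above. Second, `route-lookup` tells the ASA to pick the egress interface from the routing table rather than from the NAT rule, which is why step 4 matters: a missing return route to a remote subnet produces the "can only ping from the same subnet" symptom without any NAT involvement.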