New Routed Subnet on Cisco ASA

evlaa1990 (Level 1)

I have a new Cisco firewall running version 9.8(2) software. Yesterday our ISP provided a secondary routed /29 subnet; this is routed to the firewall's /30 IP address. It's not a secondary subnet with a new gateway etc., it's just a routed subnet straight to the outside interface IP. I know this is a valid configuration because I've done it many times.
For some reason I'm not able to communicate with any of the addresses in the /29 network.
I've set up the 1-to-1 NAT rules and I've added the access lists to allow the inbound traffic.

I set up a capture to make sure I can see traffic actually hitting these IPs, and I can, although the only IP address I can see hitting that IP is our outside interface IP:

14: 20:23:27.587158 89.197.XXX.XXX.6932 > 193.117.XXX.XXX.6801: S 3121657624:3121657624(0) win 14600 <mss 1380,sackOK,timestamp 157364206 0,nop,wscale 0>
15: 20:23:27.587249 89.197.XXX.XXX.6932 > 193.117.XXX.XXX.6801: S 3121657624:3121657624(0) 


I'm not seeing any ARP entries for the IPs in the /29 subnet either.

I don't get to see traffic originating from any other source. Is there something new in 9.8 software that needs to be done?



balaji.bandi (Hall of Fame)

Just to understand the setup, I may have a few questions.

Is your ISP link connected directly to the ASA? Explain the network setup.

The /29 subnet is routed to your /30 IP, but do you have a default route back to the ISP, or specific routes to the ISP?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Yes, the ISP link is directly connected to the Cisco ASA using the /30 address; the provider is 1.1.1.1/30 and we are 1.1.1.2/30, for example. Then another /29 network has been routed to 1.1.1.2 (our Cisco ASA).

We have a static default route back to the ISP; it's the only connection at this site, so everything routes via this.

Very helpful post. In my setup, the ISP is routing to the existing outside interface IP of the FW and I'm able to use the new range for the NAT statements.

My question is, will I be able to use the new range for NATing AnyConnect VPN users which connect to the outside interface IP from the existing range?

Ajay Saini (Level 7)

Hello,

Do you have the command "arp permit-nonconnected" on the ASA so that it can proxy ARP for the non-directly-connected subnets? As long as you have proxy ARP enabled on the outside interface and the command mentioned, along with NAT and access rules, you should be good.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a3.html

Run 'debug arp' and initiate traffic for the new subnet and see if you get a request on the ASA. The ASA should respond to these ARP requests.

If there is no ARP request seen on the ASA, then possibly the request is not sent by the ISP device, meaning they don't have a route for the new subnet pointing to the ASA outside interface.

HTH

AJ
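The pieces AJ lists (static NAT, inbound ACL, arp permit-nonconnected, proxy ARP left enabled on outside) collected into one ASA configuration, plus the checks that tell an ISP-side problem apart from a firewall-side one. This is an added example, not config from any poster in this thread; the addresses are RFC 5737 documentation ranges standing in for the OP's /30 and /29, and the object and ACL names are made up.

```cisco
! Constructed example: ISP /30 link 198.51.100.0/30 (ISP 198.51.100.1,
! ASA 198.51.100.2) and a /29 (203.0.113.0/29) that the ISP routes to
! 198.51.100.2 with no gateway of its own, as the OP describes.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
! Static default route back to the ISP (the only path at this site).
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Let the ASA answer ARP for NATed addresses that are not part of a
! directly connected subnet (the routed /29).
arp permit-nonconnected
!
! 1-to-1 static NAT: inside host 10.10.10.10 <-> routed public 203.0.113.10.
object network SRV_WEB_INSIDE
 host 10.10.10.10
 nat (inside,outside) static 203.0.113.10
!
! Post-8.3 ACLs reference the real (inside) address via the object.
access-list OUTSIDE_IN extended permit tcp any object SRV_WEB_INSIDE eq 443
access-group OUTSIDE_IN in interface outside
!
! Verification from exec mode:
! 1. Proxy ARP must not be disabled on outside; this should return nothing.
!    show running-config sysopt | include noproxyarp
! 2. Walk a constructed inbound flow through NAT and the ACL.
!    packet-tracer input outside tcp 192.0.2.50 40000 203.0.113.10 443
! 3. Capture ARP on outside: the ISP router should ask for 203.0.113.10
!    and the ASA should answer with its own outside MAC. No request seen
!    points at the ISP not routing the /29 to the ASA.
!    capture ARP_OUT interface outside ethernet-type arp
!    show capture ARP_OUT
! 4. Check for the spoof-deny message the OP noticed while testing.
!    show logging | include spoof
```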

I do have arp permit-nonconnected enabled and proxy ARP is enabled on the outside and inside interfaces (not specifically required on the inside interface). I've not disabled proxy ARP on the NAT configuration either.

I've done a debug arp and don't see a lot of anything, especially on the external interface. I've also done an ARP capture and see very little, nothing for the new /29 IP range.

I'm thinking a provider issue at the minute but they are not being very forthcoming. 

This is a bit bizarre; your provider needs to give more support when the service is not working.

Most providers at least provide a traceroute to the new IP address and prove it was routed to your network,

or generate some continuous pings that prove you can see the traffic on the outside interface.

BB


They have provided traceroutes, but they have done this from the directly connected router. They are saying they can't see MAC addresses for this /29 range, but I don't think they should, because they should just be routing all traffic at the interface IP/MAC.

Now they have said "We will leave this for tomorrow morning with our 2nd line engineers as this is not a priority issue." Very poor!

Let us know how it goes.

BB


One thing I have just seen in the logs is 'Deny IP spoof from (OUTSIDE INTERFACE IP) to [ONE OF THE ROUTED SUBNET IPs] on interface outside.' I'm not sure this pertains to the issue I'm currently experiencing, but I'm not sure why it's happening. Do you think they could be related?

Hello,

For the NAT statements that you have created on the ASA involving the new /29 subnet, the ASA's own outside interface MAC address should be visible on the ISP device. They should generate an ARP request, the ASA should proxy ARP on behalf of the NATed public IP addresses, and the ISP router should have the ARP entry listed for that public IP and the ASA MAC address.

I know ISPs are difficult to work with, but showing them the proof in terms of debugs and captures is the best bet.

-

HTH

AJ

Thanks for your help all, turns out that the provider had allocated the IP address range to 3 other customers. All working now with the same provider.
Not sure why that would need to be escalated to senior tech guys to see.

EDIT: All working now with the same config.
