Problems running ASA5510 as 172.x.y.z (final resolution: subnet masks)

Loxmyth
Level 1

On my 5510, NAT rules appear to be needed for successful communication between interfaces at different security levels.
On Ricky's 5540, the security levels alone are sufficient to control flow between these; no NAT rules are required.

I'd say that was the result of nat-control being set differently on the two boxes, except that we're both running firmware versions after nat-control was deprecated.

So... Is there a command that has equivalent effect, that we might have set differently on the two boxes without noticing it in the .cfg dumps? Or might that control still be there but invisible and inaccessible, so our two machines are unavoidably going to behave differently?

(We've been beating our heads against this for the past week, trying to find the point of divergence between our setups. This looks suspiciously likely.)


Loxmyth
Level 1

Took the simplest route and switched the addresses to the 192.168 range.

Yes, it now works without address translation.

I still want to know where the assumption that 172 implied 255.255.0.0 was coming from. I'm guessing that it's a Raspbian Linux misbehavior, since as noted back at the beginning the same configuration seemed to be working fine for another user who was testing the config on a different set of hardware.

Long way around the barn, but I finally got there. THANKS again to all who contributed to narrowing this down until the obvious kicked us between the eyes. It's been a great lesson in using the ASA's tracing tools, and in understanding the ASA's logic and configuration.

Again, if anyone thinks it'd be worth posting a summary of this little excursion for others, I'd be glad to write it up -- just point me to good places to post it. Slapped a brief summary on my Facebook account.
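To illustrate the mask assumption the post is asking about, here is an added Python example (not from the thread or from Cisco) that derives the old classful default mask for an IPv4 address and shows how a host applying it would treat a neighbouring /24 as on-link instead of sending through its gateway; the addresses and gateway below are constructed.

```python
import ipaddress


def classful_default_prefix(ip: str) -> int:
    """Return the pre-CIDR (classful) default prefix length for an IPv4 address.

    Class A (0-127) -> /8, class B (128-191) -> /16, class C (192-223) -> /24.
    A 172.x.y.z address is class B, so a classful host assumes 255.255.0.0.
    """
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{ip} is not a class A, B or C address")


def next_hop(src_ip: str, prefix_len: int, dst_ip: str, gateway: str) -> str:
    """Decide whether a host delivers directly (on-link) or via its default gateway."""
    local_net = ipaddress.ip_network(f"{src_ip}/{prefix_len}", strict=False)
    return "on-link" if ipaddress.IPv4Address(dst_ip) in local_net else gateway


def compare_masks(src_ip: str, intended_prefix: int, dst_ip: str, gateway: str) -> dict:
    """Compare the intended mask with the classful default a host might assume.

    When the two next hops differ, traffic that should reach the firewall
    (here, a hypothetical ASA inside address used as gateway) is instead
    ARPed for locally and never arrives.
    """
    classful = classful_default_prefix(src_ip)
    return {
        "intended_prefix": intended_prefix,
        "classful_prefix": classful,
        "intended_next_hop": next_hop(src_ip, intended_prefix, dst_ip, gateway),
        "classful_next_hop": next_hop(src_ip, classful, dst_ip, gateway),
    }


if __name__ == "__main__":
    # Constructed addresses: a host on one /24 behind the ASA talking to another /24.
    print(compare_masks("172.16.1.10", 24, "172.16.2.20", "172.16.1.1"))
    print(compare_masks("192.168.1.10", 24, "192.168.2.20", "192.168.1.1"))
```

For a 192.168 address the classful default is already /24, which is why moving to that range made the configuration work without translation.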
