10-07-2014 09:22 PM - edited 03-11-2019 09:52 PM
Hi Experts,
Please help me on this. I have attached my network diagram with this post.
My firewall is cisco ASA 5510 running with software version 8.4. I have configured static NAT for three servers (in diagram, server 1,2 and 3). The issue is, the static NAT is only working with the first server. No traffics are going in and out from other two server (Server 2 and 3). All servers are in DMZ.
When I remove the static NAT for the server 2 and 3, all the traffic is going from the server with WAN IP of the firewall, that means the dynamic NAT is working. I have attached the configuration file also.
(NOTE: NAT is working for the Server 72.16.34.1)
Regards,
Ejaz
10-07-2014 09:53 PM
Hi Ejaz,
Can you please verify the NAT statements for only the servers which are not working. It is very difficult to search through the configuration which you have provided.
Also, you can send the Packet Tracer outputs from the Outside to DMZ for the servers which are not working.
Thanks and Regards,
Vibhor Amrodia
10-07-2014 10:30 PM
Hi Vibhor,
I have attached the NAT configuration of one of the servers that is having the issue. Also please see the packet-tracer output:
ASA5510# packet-tracer input Outside tcp 4.2.2.2 12345 w.w.w.w 80 detaile$
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 172.16.34.3_Rev_NAT
nat (DMZ,Outside) static 23.30.88.139 dns
Additional Information:
NAT divert to egress interface DMZ
Untranslate w.w.w.w/80 to 172.16.34.3/80
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_DMZ_ACCESS_IN_ACL in interface Outside
access-list OUTSIDE_DMZ_ACCESS_IN_ACL extended permit tcp any object UCALLTEL-DMZ-VOIPSRV-02-172.16.34.3 eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac8f08c0, priority=13, domain=permit, deny=false
hits=1, user_data=0xa9863780, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=172.16.34.3, mask=255.255.255.255, port=80, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac03ccb0, priority=0, domain=inspect-ip-options, deny=true
hits=152903, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaf133240, priority=70, domain=inspect-http, deny=false
hits=10024, user_data=0xaf132770, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaca29438, priority=50, domain=ids, deny=false
hits=33660, user_data=0xaf58bd60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad2d6908, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=65250, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network 172.16.34.3_Rev_NAT
nat (DMZ,Outside) static w.w.w.w dns
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaeb79b70, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0xafa57f48, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=172.16.34.3, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=Outside, output_ifc=DMZ
Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaf119ad8, priority=0, domain=user-statistics, deny=false
hits=41909, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=DMZ
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xac0ef7b8, priority=0, domain=inspect-ip-options, deny=true
hits=64267, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=DMZ, output_ifc=any
Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xaf118a48, priority=0, domain=user-statistics, deny=false
hits=150381, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=Outside
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 609401, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
10-07-2014 11:30 PM
Hi Ejaz,
Thank you for the reply. To be sure: all the public IPs being used for NAT on the ASA device are in the Outside interface pool? Correct?
If no, add this command: arp permit-nonconnected
If yes, I think the issue might not be with the ASA device. Are these some new IP addresses, and have we used them before?
I would request you to apply the captures on the ASA device interfaces and see which device is not replying:
capture capout interface Outside match ip host <Public IP of server which is not working> any
capture capin interface DMZ match ip host <Private IP of server which is not working> any
Send me the captures if required.
Thanks and Regards,
Vibhor Amrodia
10-08-2014 12:04 AM
Hi
Thank you for the reply.
"Outside interface pool"? I didn't get that. Could you please explain this to me?
I am using the public IP addresses in the same IP block provided by the ISP. When I configured the public IP on the server and connected it directly to the ISP router, it was working fine.
Regards
Ejaz
10-08-2014 12:04 AM
Hi Ejaz,
For example, if you have the External interface configured as:
ip address 1.1.1.1 255.255.255.248
the NATed IP should be within this range of IP addresses:
1.1.1.1 - 1.1.1.6
If not, you would need this command on the ASA device:
arp permit-nonconnected
Thanks and Regards,
Vibhor Amrodia
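As an added example (not code from the thread), a small Python check of the rule Vibhor describes above: it parses a constructed ASA 8.4-style config fragment, works out the connected subnet of the Outside interface, and flags every static NAT mapped IP that is not a usable host address of that subnet, i.e. the case where the ASA will not proxy-ARP for the address without arp permit-nonconnected. Object names and addresses in the sample are assumptions, not the poster's real configuration.

```python
import ipaddress
import re

# Constructed ASA 8.4-style config fragment for illustration only; the
# addresses and object names are not from the original post.
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif Outside
 ip address 1.1.1.1 255.255.255.248
object network SRV1
 host 172.16.34.1
 nat (DMZ,Outside) static 1.1.1.2 dns
object network SRV2
 host 172.16.34.2
 nat (DMZ,Outside) static 1.1.1.5
object network SRV3
 host 172.16.34.3
 nat (DMZ,Outside) static 1.1.1.9
"""

def outside_subnet(config, nameif="Outside"):
    """Return the connected subnet of the interface whose nameif matches."""
    current = None
    for line in config.splitlines():
        if m := re.match(r"\s*nameif\s+(\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"\s*ip address\s+(\S+)\s+(\S+)", line)) and current == nameif:
            # ip_interface accepts "addr/netmask" and gives us the /29 network
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    raise ValueError(f"no ip address configured on interface {nameif}")

def static_nat_mappings(config, egress="Outside"):
    """Yield (real_host, mapped_ip) for every object static NAT towards egress."""
    host = None
    for line in config.splitlines():
        if m := re.match(r"\s*host\s+(\S+)", line):
            host = m.group(1)
        elif (m := re.match(r"\s*nat\s+\(([^,]+),([^)]+)\)\s+static\s+(\S+)", line)) \
                and m.group(2) == egress:
            yield host, m.group(3)

def check_proxy_arp(config):
    """Return mappings whose public IP is not a usable host of the Outside subnet;
    the ASA answers ARP for those only with 'arp permit-nonconnected' configured."""
    usable = set(outside_subnet(config).hosts())  # .1 - .6 for a /29
    return [(real, mapped) for real, mapped in static_nat_mappings(config)
            if ipaddress.ip_address(mapped) not in usable]

if __name__ == "__main__":
    for real, mapped in check_proxy_arp(SAMPLE_CONFIG):
        print(f"{real} -> {mapped}: not in the connected subnet, needs arp permit-nonconnected")
```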
10-08-2014 12:08 AM
Hi Vibhor,
Thank you so much for that quick response.
We are using the IP addresses in the same pool.
Regards
Ejaz
10-08-2014 12:11 AM
Hi Ejaz,
Then I think you should proceed with the captures on the ASA device interfaces.
Thanks and Regards,
Vibhor Amrodia
10-08-2014 01:14 AM
10-08-2014 01:22 AM
Hi Ejaz,
I think, as you can see in the captures, we only see unidirectional traffic through the ASA device and no reply from the Outside server.
This can mean that the IP Addresses might not be working.
Is this ASA device in production at this moment ?
Thanks and Regards,
Vibhor Amrodia
10-08-2014 01:27 AM
Hi Vibhor,
Yes, this ASA is in production. I have assigned the public IP to the server directly and connected the server to the ISP router, it was working fine.
Regards,
Ejaz
10-08-2014 01:29 AM
Hi Ejaz,
Would you be able to try this workaround:-
https://supportforums.cisco.com/blog/149276/asapix-proxy-arp-vs-gratuitous-arp
I think the issue is with the IP addresses provided by the ISP.
Thanks and Regards,
Vibhor Amrodia
10-15-2014 09:28 PM
Hi Vibhor
Thank you very much for the help. It was the same issue mentioned in the link. Once we rebooted the ISP router everything started working.
Thanks again. :) :) :)
Ejaz