Unable to access server from static NAT

10-06-2010 12:27 PM - edited 03-11-2019 11:51 AM
%ASA-session-6-302021: Teardown ICMP connection for faddr 192.168.1.109/0 gaddr 192.168.1.4/0 laddr 192.168.1.4/0
I have upgraded my ASA from 8.0 to 8.2.
However, none of the static NATs are working. All outside_access_in access-list entries have no hits. Please help.

10-06-2010 01:15 PM
Hi Alex,
Can you post the config? That would help us identify where the problem lies.
-Mike

10-06-2010 01:35 PM

10-06-2010 01:48 PM
Hi Alex,
Which static statements aren't working? I tried to connect to a handful on TCP/80 and they all seemed to go through.
-Mike

10-06-2010 01:51 PM
It is because the primary firewall with the old 8.0 version is still in production.
I am updating the standby firewall and testing tonight.
But I failed to access any of the NATs, so I have put it offline now.

10-06-2010 01:59 PM
Dear Support:
static (inside,outside) 210.177.218.1 192.168.1.23 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.2 192.168.1.24 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.3 192.168.1.11 netmask 255.255.255.255 dns
static (DMZ,outside) 210.177.98.33 192.168.41.63 netmask 255.255.255.255 dns
static (DMZ,outside) 210.177.98.35 192.168.41.62 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.4 192.168.1.51 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.11 192.168.1.20 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.12 192.168.1.18 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.16 192.168.1.19 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.17 192.168.1.48 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.18 192.168.2.16 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.19 192.168.1.81 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.20 192.168.1.17 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.21 192.168.1.26 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.22 192.168.1.37 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.23 192.168.1.52 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.24 192.168.1.54 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.36 192.168.1.53 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.38 192.168.1.27 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.39 192.168.1.65 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.40 192.168.1.30 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.42 192.168.1.3 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.43 192.168.1.71 netmask 255.255.255.255
static (inside,outside) 210.177.98.37 192.168.1.92 netmask 255.255.255.255 dns
None of them can be pinged or accessed via the Internet.

10-06-2010 02:02 PM
Hi Alex,
Is this on the 8.0 or 8.2 unit? They cannot run simultaneously with the same config since the upstream router's ARP table will not be correct and won't know which firewall actually owns the public addresses.
-Mike

10-06-2010 02:06 PM
Dear Support:
The 8.0 unit is in production now. The 8.2 unit is currently offline. But I am wondering if there is any wrong configuration in the 8.2 unit, per the attached file I sent, since I can't get any of the NAT servers up.
Thanks.
10-06-2010 02:41 PM
Hi Alex,
I assume the 8.0 unit and the 8.2 unit have the exact same IP address and static NAT configurations, correct? And when you initially tested, you just swapped the 8.0 unit with the 8.2 unit and tested the NAT, correct?
The reason the static statements were most likely failing is that the upstream device (probably the ISP router) still had the IP addresses of the statics associated with the MAC address of the 8.0 unit. To resolve this issue, you can simply clear the ARP cache on the upstream device (clear arp-cache) if you have management access to it, or you can simply reload it to clear the ARP cache as well.
Therefore, please try the following:
- Replace the 8.0 ASA with the 8.2 ASA (I am assuming both devices have the exact same IP address assignment and configuration).
- Clear the ARP cache on the upstream device, either with the command "clear arp-cache" or by reloading the device.
Hope that helps.
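
A check for the stale-ARP condition described in the reply above, added here as an example and not part of the thread: it reads the `static` lines from the ASA config and the upstream router's `show ip arp` output, then flags mapped addresses still bound to a MAC other than the new unit's outside interface. The MAC addresses and the ARP output are constructed samples, and `expected_mac` is an assumption supplied by the operator.

```python
import re

# Pre-8.3 ASA syntax as posted in the thread:
#   static (real_if,mapped_if) mapped_ip real_ip netmask ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
# IOS "show ip arp" rows: Internet <ip> <age> <mac> ARPA <interface>
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA", re.I)

# Static lines copied from the thread.
SAMPLE_STATICS = """\
static (inside,outside) 210.177.218.1 192.168.1.23 netmask 255.255.255.255 dns
static (DMZ,outside) 210.177.98.33 192.168.41.63 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.43 192.168.1.71 netmask 255.255.255.255
"""
# Constructed router output: ...aa01 stands for the old unit, ...bb02 for the new one.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  210.177.218.1          12   0011.2233.aa01  ARPA   GigabitEthernet0/1
Internet  210.177.98.33           0   0011.2233.bb02  ARPA   GigabitEthernet0/1
"""
NEW_ASA_MAC = "0011.2233.bb02"  # constructed; outside-interface MAC of the replacement unit

def mapped_addresses(asa_config, mapped_if="outside"):
    """Mapped (public) IPs of every static whose mapped interface is mapped_if."""
    matches = (STATIC_RE.match(line.strip()) for line in asa_config.splitlines())
    return [m.group(3) for m in matches if m and m.group(2) == mapped_if]

def arp_table(show_ip_arp):
    """Map IP -> MAC for every resolved entry in the router's ARP output."""
    matches = (ARP_RE.match(line.strip()) for line in show_ip_arp.splitlines())
    return {m.group(1): m.group(2).lower() for m in matches if m}

def check_upstream_arp(asa_config, show_ip_arp, expected_mac):
    """Classify each mapped IP: 'ok', 'stale' (bound to another MAC) or 'missing'."""
    table = arp_table(show_ip_arp)
    report = {}
    for ip in mapped_addresses(asa_config):
        seen = table.get(ip)
        if seen is None:
            report[ip] = "missing"  # no cached entry; the router will ARP afresh
        else:
            report[ip] = "ok" if seen == expected_mac.lower() else "stale"
    return report

if __name__ == "__main__":
    for ip, status in check_upstream_arp(SAMPLE_STATICS, SAMPLE_ARP, NEW_ASA_MAC).items():
        print(f"{ip:16} {status}")
```

Any address reported as `stale` is one the upstream device will keep forwarding to the old unit until its ARP entry is cleared or ages out.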
