NAT and a migration from PIX 506 to ASA 5505

May 8th, 2007

I'm trying to migrate from a PIX 506 with 6.3 code to an ASA 5505 with 7.2 code and am running into problems with NATing.


With the 506 I had all outbound traffic going out the outside interface but for a server that I had a static NAT for. When I try the same commands on the ASA I don't get any outbound traffic for that single host.


Here are the pertinent commands from the PIX:


global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) aaa.bbb.ccc.ddd 192.168.6.11 netmask 255.255.255.255 0 0



On the ASA 5505 box I can get out from 192.168.6.11 if I don't add the static entry.


global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0


When I add the static command traffic is prohibited from 192.168.6.11 to the Outside yet it can ping the ASA box, internal hosts, etc.


static (inside,outside) aaa.bbb.ccc.ddd 192.168.6.11 netmask 255.255.255.255



I've tried the ASDM packet tracer and no faults appear in the simulation. The logs aren't helping me much in this either.


Other ASA configs are basically out of the box with Higher-to-lower interface traffic being permitted. Only added an incoming access-list to the outside interface to allow replies from internal ping/traceroute commands.


Any assistance would be greatly appreciated.

acomiskey Tue, 05/08/2007 - 11:10

Is that outside address in the same subnet as the pix outside interface? If not, is it being routed to your pix? I assume it is ok as it was working before on 506 but I can't think of any other reason for this.


I guess you could test this, does everyone get out if you do...?

global (outside) 1 aaa.bbb.ccc.ddd
nat (inside) 1 0 0

mlinzbach Tue, 05/08/2007 - 11:29

Is the outside address on the same subnet as the pix outside interface? Yes it is.


I guess you could test this, does everyone get out if you do ...? Yes they do but first I needed to remove the global command for the interface:


no global (outside) 1 interface


When I do a show xlate where previously outside traffic was aaa.bbb.ccc.eee it is now aaa.bbb.ccc.ddd.



acomiskey Tue, 05/08/2007 - 11:37

Yes, I figured you would remove the existing global statement. My intention was only to prove that the address, aaa.bbb.ccc.ddd, was usable.

laurent.geyer Tue, 05/08/2007 - 11:48

What's your interface security level look like on the outside and inside interface?

mlinzbach Tue, 05/08/2007 - 12:00

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.6.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address aaa.bbb.ccc.ddd 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif ClientAccess
 security-level 50
 ip address 192.168.66.1 255.255.255.0
!
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


acomiskey Tue, 05/08/2007 - 12:13

Ah, didn't realize that IP was also your interface IP. Replace the IP with the keyword "interface".


static (inside,outside) interface 192.168.6.11 netmask 255.255.255.255 0 0


mlinzbach Tue, 05/08/2007 - 12:22

Not following your logic here, please explain.


Presently my outside interface is aaa.bbb.ccc.eee and I would like all outbound traffic to use this PAT IP address except for internal device 192.168.6.11 which I want to use aaa.bbb.ccc.ddd.


Why would I use:

static (inside,outside) interface 192.168.6.11 netmask 255.255.255.255 0 0


and not:


static (inside,outside) aaa.bbb.ccc.ddd 192.168.6.11 netmask 255.255.255.255 0 0


because interface=aaa.bbb.ccc.eee and not aaa.bbb.ccc.ddd.


Thanks
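The design mlinzbach lays out (PAT on the outside interface for everyone, one static for a single host) and acomiskey's point about a static whose mapped address coincides with the interface IP both come down to the same question: what does the static's mapped address overlap with? The script below is an added example, not part of the thread and not Cisco tooling. It is a small Python lint over PIX 6.3 / ASA 7.x `interface`, `global` and `static` lines that flags a mapped address equal to the outside interface IP (where the `interface` keyword is the supported form), a mapped address that a `global` also hands out, and a mapped address outside the outside interface's subnet (which only works if the upstream device routes it to the firewall). The config it parses is constructed: 203.0.113.16/29 stands in for the sanitized aaa.bbb.ccc block, with .17 as the interface address and .21 as the static, and the finding codes are my own names.

```python
"""Lint PIX 6.3 / ASA 7.x NAT statements for common mapped-address pitfalls.

Added example, not Cisco tooling. The config below is constructed;
203.0.113.16/29 stands in for the thread's sanitized outside block
(.17 = outside interface, .21 = the single-host static).
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.6.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.17 255.255.255.248
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.17 192.168.6.11 netmask 255.255.255.255
static (inside,outside) 203.0.113.21 192.168.6.11 netmask 255.255.255.255
static (inside,outside) 198.51.100.5 192.168.6.12 netmask 255.255.255.255
"""

GLOBAL_RE = re.compile(r"^global \((\w+)\) \d+ (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")


def _iface(ip, mask):
    """Build an ip_interface from the ASA's dotted-mask 'ip address' syntax."""
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    return ipaddress.ip_interface(f"{ip}/{prefix}")


def parse_interfaces(config):
    """Map nameif -> ip_interface for every interface block in the config."""
    ifaces, name, addr = {}, None, None
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            name = addr = None          # new block: forget the previous one
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("ip address "):
            _, _, ip, mask = s.split()[:4]
            addr = _iface(ip, mask)
        if name and addr:
            ifaces[name] = addr
    return ifaces


def _pool(token, ifaces, ifname):
    """Expand a global's mapped token ('interface', one IP, or 'a-b' range)."""
    if token == "interface":
        return {ifaces[ifname].ip} if ifname in ifaces else set()
    if "-" in token:
        lo, hi = (ipaddress.ip_address(t) for t in token.split("-", 1))
        return {ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)}
    return {ipaddress.ip_address(token)}


def lint_nat(config):
    """Return findings as dicts {'line', 'issue', 'detail'} (codes are mine)."""
    ifaces = parse_interfaces(config)
    lines = [ln.strip() for ln in config.splitlines()]
    pools = {}                          # mapped-side nameif -> global addresses
    for s in lines:
        m = GLOBAL_RE.match(s)
        if m:
            ifname, token = m.groups()
            pools.setdefault(ifname, set()).update(_pool(token, ifaces, ifname))
    findings = []
    for s in lines:
        m = STATIC_RE.match(s)
        if not m:
            continue
        _real_if, mapped_if, mapped, _real = m.groups()
        if mapped == "interface":
            continue                    # explicit keyword: nothing to check
        ip = ipaddress.ip_address(mapped)
        out = ifaces.get(mapped_if)
        if out is None:
            findings.append({"line": s, "issue": "unknown-interface",
                             "detail": f"no nameif {mapped_if} in config"})
            continue
        if ip == out.ip:
            findings.append({"line": s, "issue": "mapped-is-interface-ip",
                             "detail": f"{ip} is the {mapped_if} address; "
                                       "use the 'interface' keyword"})
        elif ip in pools.get(mapped_if, set()):
            findings.append({"line": s, "issue": "mapped-in-global-pool",
                             "detail": f"{ip} is also handed out by a global"})
        if ip not in out.network:
            findings.append({"line": s, "issue": "mapped-off-subnet",
                             "detail": f"{ip} not in {out.network}; the upstream "
                                       "router must route it to the firewall"})
    return findings


if __name__ == "__main__":
    for f in lint_nat(SAMPLE_CONFIG):
        print(f"{f['issue']:24} {f['detail']}\n    {f['line']}")
```

Run against the constructed config it reports the .17 static (interface address reused) and the 198.51.100.5 static (off-subnet), and stays quiet on the .21 static, which is the shape the thread ends up with. Nothing here tells you whether the ISP's equipment has a stale entry for the mapped address, which is what the thread finally came down to; that is only visible from outside the firewall.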



acomiskey Tue, 05/08/2007 - 12:28

You posted this above...


!
interface Vlan2
 nameif outside
 security-level 0
 ip address aaa.bbb.ccc.ddd 255.255.255.248


mlinzbach Tue, 05/08/2007 - 12:33

Sorry that was a mistake on my part, it should have been aaa.bbb.ccc.eee.


The actual IP address of the outside interface ends with .17; the IP address I'd like to statically NAT ends with .21.

laurent.geyer Tue, 05/08/2007 - 14:55

Strange, I really don't see anything wrong here... Would be interesting to see the full configuration.

mlinzbach Tue, 05/08/2007 - 17:22

Don't know if it's worth adding, but the host behind the ASA box in question has an IP with a default gateway pointing to a 2600 series router behind it. The 2600 router has a static route 0.0.0.0 0.0.0.0 that points to 192.168.6.254.


See attached for a sanitized config.

laurent.geyer Wed, 05/09/2007 - 09:10

Where is your static statement, isn't that how you said you were facilitating outside connectivity for this single host?

mlinzbach Wed, 05/09/2007 - 09:58

I've removed the static statement because the host needs to be able to communicate outside. The static statement in question was previously posted as:


static (inside,outside) aaa.bbb.ccc.21 192.168.6.11 netmask 255.255.255.255

acomiskey Wed, 05/09/2007 - 10:06

I'd be looking for a bug at this point unless we're all overlooking something here.

laurent.geyer Wed, 05/09/2007 - 11:33

I'm absolutely stumped. I regularly use similar configuration and have never run into an issue like this.


At this point I would suggest checking the 7.2.2 release notes for unresolved caveats relating to NAT and opening a TAC.


laurent.geyer Wed, 05/09/2007 - 11:39

I just read this again.


Are you saying that the host 192.168.6.11 has its default route being a 2600 router on the same subnet and that router in turn has its default route being 192.168.6.254?


That begs the question, what is 192.168.6.254?


acomiskey Wed, 05/09/2007 - 11:53

According to his config that is the inside interface of ASA. It does sound weird although I would not suspect routing problems as he says this host can access the internet without the static command. Why not just make the gateway 192.168.6.254?


laurent.geyer Wed, 05/09/2007 - 12:42

I am suspecting that the router is doing NAT and since his nat rule is so coarse (0.0.0.0/0) it's working without the static statement.


That doesn't explain why it wouldn't work with the static statement, unless he's looking specifically for traffic sourced from the static translation to verify connectivity.

mlinzbach Wed, 05/09/2007 - 13:34

Tried setting the host to have a default gateway of 192.168.6.254 then set static to the following:


static (inside,outside) aaa.bbb.ccc.21 192.168.6.11 netmask 255.255.255.255


Net result: NO difference, still cannot get out.


Next tried the following:


static (inside,outside) aaa.bbb.ccc.20 192.168.6.11 netmask 255.255.255.255


Net result: CAN get out with .20


I've tried updating the ASA from 7.22 to 7.22-19 and get the same results.


Tomorrow I'll try plugging in directly outside the firewall with all IPs aaa.bbb.ccc.17-21 (.22 is my ISP connection) to see if I can route outside of the firewall.


Thanks for everyone's help. Will follow up tomorrow.


bbrendon Wed, 05/09/2007 - 16:27

I just stumbled upon this while trying to figure out the same problem you mention. I don't have an additional router.

mlinzbach Thu, 05/10/2007 - 11:43

OK


I've resolved this problem. Ultimately what I ended up doing was testing the IP addresses from Outside the ASA. True to form, all network activity worked as expected.


I plugged the ASA box back in and couldn't get any connectivity out from behind the ASA box. A reboot of the ISP router cured both the ASA connectivity AND the static entry to aaa.bbb.ccc.21.


Sorry to have wasted everyone's bandwidth. I have no idea why their equipment was holding up the static mapping.

