NAT and a migration from PIX 506 to ASA 5505

Unanswered Question
May 8th, 2007

I'm trying to migrate from a PIX 506 with 6.3 code to an ASA 5505 with 7.2 code and am running into problems with NATing.

With the 506 I had all outbound traffic going out the outside interface but for a server that I had a static NAT for. When I try the same commands on the ASA I don't get any outbound traffic for that single host.

Here's the pertinent commands from the PIX:

global (outside) 1 interface

nat (inside) 1 0 0

static (inside,outside) aaa.bbb.ccc.ddd netmask 0 0

On the ASA 5505 box I can get out from if I don't add the static entry.

global (outside) 1 interface

nat (inside) 1

When I add the static command traffic is prohibited from to the Outside yet it can ping the ASA box, internal hosts, etc.

static (inside,outside) aaa.bbb.ccc.ddd netmask

I've tried the ASDM packet tracer and no faults appear in the simulation. The logs aren't helping me much in this either.

Other ASA configs are basically out of the box with Higher-to-lower interface traffic being permitted. Only added an incoming access-list to the outside interface to allow replies from internal ping/traceroute commands.

Any assistance would be greatly appreciated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
acomiskey Tue, 05/08/2007 - 11:10

Is that outside address in the same subnet as the pix outside interface? If not, is it being routed to your pix? I assume it is ok as it was working before on 506 but I can't think of any other reason for this.

I guess you could test this, does everyone get out if you do...?

global (outside) 1 aaa.bbb.ccc.ddd

nat (inside) 1 0 0

mlinzbach Tue, 05/08/2007 - 11:29

Is the outside address on the same subnet as the pix outside interface? Yes it is.

I guess you could test this, does everyone get out if you do ...? Yes they do but first I needed to remove the global command for the interface:

no global (outside) 1 interface

When I do a show xlate where previously outside traffic was aaa.bbb.ccc.eee it is now aaa.bbb.ccc.ddd.

acomiskey Tue, 05/08/2007 - 11:37

Yes, I figured you would remove the existing global statement. My intention was only to prove that the address, aaa.bbb.ccc.dddd, was usable.

laurent.geyer Tue, 05/08/2007 - 11:48

What's your interface security level look like on the outside and inside interface?

mlinzbach Tue, 05/08/2007 - 12:00

interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

ip address aaa.bbb.ccc.ddd


interface Vlan3

no forward interface Vlan1

nameif ClientAccess

security-level 50

ip address



same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

acomiskey Tue, 05/08/2007 - 12:13

Ah, didnt realize that ip was also your interface ip. Replace ip with keyword "interface".

static (inside,outside) interface netmask 0 0

mlinzbach Tue, 05/08/2007 - 12:22

Not following your logic here, please explain.

Presently my outside interface is aaa.bbb.ccc.eee and I would like all outbound traffic to use this PAT IP address except for internal device which I want to use aaa.bbb.ccc.ddd.

Why would I use:

static (inside,outside) interface netmask 0 0

and not:

static (inside,outside) aaa.bbb.ccc.ddd netmask 0 0

because interface=aaa.bbb.ccc.eee and not aaa.bbb.ccc.ddd.


acomiskey Tue, 05/08/2007 - 12:28

You posted this above...


interface Vlan2

nameif outside

security-level 0

ip address aaa.bbb.ccc.ddd

mlinzbach Tue, 05/08/2007 - 12:33

Sorry that was a mistake on my part, it should have been aaa.bbb.ccc.eee.

Actual IP address of outside interface ends with 17 IP address I'd like to statically NAT ends with 21.

laurent.geyer Tue, 05/08/2007 - 14:55

Strange, I really don't see anything wrong here... Would be interesting to see the full configuration.

mlinzbach Tue, 05/08/2007 - 17:22

Don't know if its worth adding but the host behind the ASA box in question has an IP with a default gateway pointing to a 2600 series router behind it. The 2600 router has a static route that points to

See attached for a sanitized config.

laurent.geyer Wed, 05/09/2007 - 09:10

Where is your static statement, isn't that how you said you were facilitating outside connectivity for this single host?

mlinzbach Wed, 05/09/2007 - 09:58

I've removed the static statement because the host needs to be able to communicate outside. The static statement in question was previously posted as:

static (inside,outside) aaa.bbb.ccc.21 netmask

acomiskey Wed, 05/09/2007 - 10:06

I'd be looking for a bug at this point unless we're all overlooking something here.

laurent.geyer Wed, 05/09/2007 - 11:33

I'm absolutely stumped. I regularly use similar configuration and have never run into an issue like this.

At this point I would suggest checking the 7.2.2 release notes for unresolved caveats relating to NAT and opening a TAC.

laurent.geyer Wed, 05/09/2007 - 11:39

I just read this again.

Are you saying that the host has its default route being a 2600 router on the same subnet and that router in turn has its default route being

That begs the question, what is

acomiskey Wed, 05/09/2007 - 11:53

According to his config that is the inside interface of ASA. It does sound weird although I would not suspect routing problems as he says this host can access the internet without the static command. Why not just make the gateway

laurent.geyer Wed, 05/09/2007 - 12:42

I am suspecting that the router is doing NAT and since his nat rule is so coarse ( it's working without the static statement.

That doesn't explain why it wouldn't work with the static statement, unless he's looking specifically for traffic sourced from the static translation to verify connectivity.

mlinzbach Wed, 05/09/2007 - 13:34

Tried setting the host to have a default gateway of then set static to the following:

static (inside,outside) aaa.bbb.ccc.21 netmask

Net result: NO difference, still cannot get out.

Next tried the following:

static (inside,outside) aaa.bbb.ccc.20 netmask

Net result: CAN get out with .20

I've tried updating the ASA from 7.22 to 7.22-19 and get the same results.

Tomorrow I'll try plugging in directly outside the firewall with all ips aaa.bbb.ccc. 17-21 (.22 is my ISP connection) to see if I can route outside of the firewall.

Thanks for everyone's help. Will follow up tomorrow.

bbrendon Wed, 05/09/2007 - 16:27

I just stumbled upon this while trying to figure out the same problem you mention. I don't have an additional router.

mlinzbach Thu, 05/10/2007 - 11:43


I've resolved this problem. Ultimately what I ended up doing was testing the IP addresses from Outside the ASA. True to form, all network activity worked as expected.

I plugged the ASA box back in and couldn't get any connectivity out from behind the ASA box. A reboot of the ISP router cured both the ASA connectivity AND the static entry to aaa.bbb.ccc.21.

Sorry to have wasted everyone's bandwidth. I have no idea why their equipment was holding up the static mapping.


This Discussion