NAT and a migration from PIX 506 to ASA 5505

mlinzbach
Level 1

I'm trying to migrate from a PIX 506 with 6.3 code to an ASA 5505 with 7.2 code and am running into problems with NATing.

With the 506 I had all outbound traffic going out the outside interface, except for a server that I had a static NAT for. When I try the same commands on the ASA I don't get any outbound traffic for that single host.

Here's the pertinent commands from the PIX:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) aaa.bbb.ccc.ddd 192.168.6.11 netmask 255.255.255.255 0 0

On the ASA 5505 box I can get out from 192.168.6.11 if I don't add the static entry.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

When I add the static command, traffic is prohibited from 192.168.6.11 to the outside, yet it can ping the ASA box, internal hosts, etc.

static (inside,outside) aaa.bbb.ccc.ddd 192.168.6.11 netmask 255.255.255.255

I've tried the ASDM packet tracer and no faults appear in the simulation. The logs aren't helping me much in this either.

Other ASA configs are basically out of the box, with higher-to-lower interface traffic being permitted. I only added an incoming access-list to the outside interface to allow replies from internal ping/traceroute commands.

Any assistance would be greatly appreciated.
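As an added worked example (not from the original post, and not Cisco's own documentation), here is a complete pre-8.3 ASA 7.2 NAT section for the setup described above, followed by the checks a practitioner would run before suspecting a bug. The sanitized addresses are replaced with documentation addresses, all of them assumed: 203.0.113.17/29 is the outside interface, 203.0.113.21 is the dedicated public address for 192.168.6.11, 203.0.113.1 is the ISP gateway and 203.0.113.100 stands in for a remote host. The HTTPS service on the server is likewise an assumption, there only to show that the inbound ACL must reference the mapped (public) address in this release.

```cisco
! --- Configuration (ASA 7.2, pre-8.3 NAT syntax); all public addresses are assumed examples ---
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.6.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.17 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Dynamic PAT: every inside host is hidden behind the outside interface address (.17)
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! One-to-one static for the server. Statics are evaluated before the nat/global pair,
! so 192.168.6.11 leaves as .21 instead of .17, and unsolicited inbound to .21 maps back to it.
static (inside,outside) 203.0.113.21 192.168.6.11 netmask 255.255.255.255
!
! The static only creates the translation; inbound sessions still need an ACL hole on outside.
! Pre-8.3 ACLs match the mapped address (.21), not the real one. HTTPS is an assumed service;
! the echo-reply line keeps the internal ping/traceroute replies mentioned in the post working.
access-list outside_in extended permit tcp any host 203.0.113.21 eq 443
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-group outside_in in interface outside
!
! Proxy ARP must stay enabled on outside: the ASA answers ARP for .21 only because of the static.
! "sysopt noproxyarp outside" would silently break the static address while leaving .17 working.

! --- Verification (privileged EXEC) ---
! 1. Confirm the NAT the ASA actually has, in the order it will evaluate it
show running-config static
show running-config nat
show running-config global
! 2. Translations built before the static existed still use .17; drop them so the static takes over
clear xlate local 192.168.6.11
! 3. Trace the server going out and the Internet coming in; look for the NAT phase and the final ALLOW/DROP
packet-tracer input inside tcp 192.168.6.11 1025 203.0.113.100 80 detailed
packet-tracer input outside tcp 203.0.113.100 1025 203.0.113.21 443 detailed
! 4. After real traffic, the server's xlate should show .21, not .17
show xlate
! 5. packet-tracer only covers this box. If it passes but sessions never complete, check the upstream
!    side: after a PIX-to-ASA swap the ISP router may still hold .21 against the old PIX MAC address.
show arp
```

The two packet-tracer lines are the first thing to compare against the symptom in the post: if the inside-to-outside trace shows the static's translation and ends in ALLOW, the ASA is doing its part, and the remaining candidates are outside it (stale ARP for the static address upstream, or the return path from the ISP gateway). The ASA announces its own interface address when the interface comes up, but it only answers for a static address when asked, so a neighbor that cached the old firewall's MAC for .21 will keep sending replies there until that entry ages out or is cleared.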

21 Replies

acomiskey
Level 10

Is that outside address in the same subnet as the PIX outside interface? If not, is it being routed to your PIX? I assume it is OK, as it was working before on the 506, but I can't think of any other reason for this.

I guess you could test this: does everyone get out if you do...?

global (outside) 1 aaa.bbb.ccc.ddd
nat (inside) 1 0 0

Is the outside address on the same subnet as the PIX outside interface? Yes, it is.

I guess you could test this, does everyone get out if you do...? Yes, they do, but first I needed to remove the global command for the interface:

no global (outside) 1 interface

When I do a show xlate, where previously outside traffic was aaa.bbb.ccc.eee it is now aaa.bbb.ccc.ddd.

Yes, I figured you would remove the existing global statement. My intention was only to prove that the address, aaa.bbb.ccc.ddd, was usable.

laurent.geyer
Level 1

What's your interface security level look like on the outside and inside interface?

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.6.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address aaa.bbb.ccc.ddd 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif ClientAccess
 security-level 50
 ip address 192.168.66.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Ah, didn't realize that IP was also your interface IP. Replace the IP with the keyword "interface".

static (inside,outside) interface 192.168.6.11 netmask 255.255.255.255 0 0

Not following your logic here; please explain.

Presently my outside interface is aaa.bbb.ccc.eee, and I would like all outbound traffic to use this PAT IP address except for the internal device 192.168.6.11, which I want to use aaa.bbb.ccc.ddd.

Why would I use:

static (inside,outside) interface 192.168.6.11 netmask 255.255.255.255 0 0

and not:

static (inside,outside) aaa.bbb.ccc.ddd 192.168.6.11 netmask 255.255.255.255 0 0

because interface = aaa.bbb.ccc.eee and not aaa.bbb.ccc.ddd.

Thanks

You posted this above...

!
interface Vlan2
 nameif outside
 security-level 0
 ip address aaa.bbb.ccc.ddd 255.255.255.248

Sorry, that was a mistake on my part; it should have been aaa.bbb.ccc.eee.

The actual IP address of the outside interface ends with .17; the IP address I'd like to statically NAT ends with .21.

Strange, I really don't see anything wrong here... It would be interesting to see the full configuration.

Don't know if it's worth adding, but the host behind the ASA box in question has an IP with a default gateway pointing to a 2600 series router behind it. The 2600 router has a static route 0.0.0.0 0.0.0.0 that points to 192.168.6.254.

See attached for a sanitized config.

Where is your static statement? Isn't that how you said you were facilitating outside connectivity for this single host?

I've removed the static statement because the host needs to be able to communicate outside. The static statement in question was previously posted as:

static (inside,outside) aaa.bbb.ccc.21 192.168.6.11 netmask 255.255.255.255

I'd be looking for a bug at this point unless we're all overlooking something here.