05-08-2007 10:38 AM - edited 03-11-2019 03:10 AM
I'm trying to migrate from a PIX 506 with 6.3 code to an ASA 5505 with 7.2 code and am running into problems with NATing.
With the 506 I had all outbound traffic going out the outside interface but for a server that I had a static NAT for. When I try the same commands on the ASA I don't get any outbound traffic for that single host.
Here are the pertinent commands from the PIX:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) aaa.bbb.ccc.ddd 192.168.6.11 netmask 255.255.255.255 0 0
On the ASA 5505 box I can get out from 192.168.6.11 if I don't add the static entry.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
When I add the static command, traffic is prohibited from 192.168.6.11 to the outside, yet it can ping the ASA box, internal hosts, etc.
static (inside,outside) aaa.bbb.ccc.ddd 192.168.6.11 netmask 255.255.255.255
I've tried the ASDM packet tracer and no faults appear in the simulation. The logs aren't helping me much in this either.
Other ASA configs are basically out of the box, with higher-to-lower interface traffic being permitted. I only added an incoming access-list to the outside interface to allow replies from internal ping/traceroute commands.
Any assistance would be greatly appreciated.
05-08-2007 11:10 AM
Is that outside address in the same subnet as the pix outside interface? If not, is it being routed to your pix? I assume it is ok as it was working before on 506 but I can't think of any other reason for this.
I guess you could test this, does everyone get out if you do...?
global (outside) 1 aaa.bbb.ccc.ddd
nat (inside) 1 0 0
05-08-2007 11:29 AM
Is the outside address on the same subnet as the pix outside interface? Yes it is.
I guess you could test this, does everyone get out if you do ...? Yes they do but first I needed to remove the global command for the interface:
no global (outside) 1 interface
When I do a show xlate where previously outside traffic was aaa.bbb.ccc.eee it is now aaa.bbb.ccc.ddd.
05-08-2007 11:37 AM
Yes, I figured you would remove the existing global statement. My intention was only to prove that the address, aaa.bbb.ccc.ddd, was usable.
05-08-2007 11:48 AM
What's your interface security level look like on the outside and inside interface?
05-08-2007 12:00 PM
interface Vlan1
nameif inside
security-level 100
ip address 192.168.6.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address aaa.bbb.ccc.ddd 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif ClientAccess
security-level 50
ip address 192.168.66.1 255.255.255.0
!
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
05-08-2007 12:13 PM
Ah, didn't realize that IP was also your interface IP. Replace the IP with the keyword "interface".
static (inside,outside) interface 192.168.6.11 netmask 255.255.255.255 0 0
05-08-2007 12:22 PM
Not following your logic here, please explain.
Presently my outside interface is aaa.bbb.ccc.eee and I would like all outbound traffic to use this PAT IP address except for internal device 192.168.6.11 which I want to use aaa.bbb.ccc.ddd.
Why would I use:
static (inside,outside) interface 192.168.6.11 netmask 255.255.255.255 0 0
and not:
static (inside,outside) aaa.bbb.ccc.ddd 192.168.6.11 netmask 255.255.255.255 0 0
because interface=aaa.bbb.ccc.eee and not aaa.bbb.ccc.ddd.
Thanks
05-08-2007 12:28 PM
You posted this above...
!
interface Vlan2
nameif outside
security-level 0
ip address aaa.bbb.ccc.ddd 255.255.255.248
05-08-2007 12:33 PM
Sorry that was a mistake on my part, it should have been aaa.bbb.ccc.eee.
The actual IP address of the outside interface ends with 17; the IP address I'd like to statically NAT ends with 21.
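The two things the replies keep asking about (is the mapped address inside the outside interface's subnet, and is it accidentally the interface's own address, which would need the "interface" keyword instead) are easy to check mechanically during a config review. The script below is an added example written for this thread, not code from the original posts or from Cisco. It parses pre-8.3 style interface blocks and static lines from a constructed config that mirrors the thread (outside interface on the .17 host of a /29, static on .21, with the documentation range 203.0.113.0/24 standing in for the redacted aaa.bbb.ccc addresses) and flags the two conditions; the extra .17 and 198.51.100.5 statics are constructed to exercise the warnings.

```python
import ipaddress
import re

# Constructed sample config modelled on the thread's posts. 203.0.113.x is a
# documentation range standing in for the redacted aaa.bbb.ccc addresses; the
# second and third static lines are deliberately wrong to show the warnings.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.6.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.17 255.255.255.248
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.21 192.168.6.11 netmask 255.255.255.255
static (inside,outside) 203.0.113.17 192.168.6.12 netmask 255.255.255.255
static (inside,outside) 198.51.100.5 192.168.6.13 netmask 255.255.255.255
"""

# Pre-8.3 syntax: static (real_if,mapped_if) mapped real [netmask m] [max_conns [emb_limit]]
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+)(?: netmask (?P<mask>\S+))?"
)


def parse_interfaces(config):
    """Map each nameif to its IPv4Interface from interface/nameif/ip address blocks."""
    interfaces = {}
    nameif = None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None  # new block; nameif comes later in the block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            parts = line.split()  # tolerate a trailing 'standby x.x.x.x'
            interfaces[nameif] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
    return interfaces


def parse_statics(config):
    """Return the parsed fields of every static line in the config."""
    return [m.groupdict() for m in
            (STATIC_RE.match(l.strip()) for l in config.splitlines()) if m]


def check_statics(config):
    """Return (mapped_address, finding) for each static, in config order."""
    interfaces = parse_interfaces(config)
    findings = []
    for st in parse_statics(config):
        mapped = st["mapped"]
        if mapped == "interface":
            continue  # keyword form: mapped to the interface address by design
        mapped_if = interfaces.get(st["mapped_if"])
        if mapped_if is None:
            findings.append((mapped, f"mapped interface {st['mapped_if']} has no ip address"))
            continue
        mapped_ip = ipaddress.IPv4Address(mapped)
        if mapped_ip == mapped_if.ip:
            # Same trap the 12:13 PM reply suspected: the mapped IP is the interface IP.
            findings.append((mapped, "mapped address is the interface address; use the 'interface' keyword"))
        elif mapped_ip not in mapped_if.network:
            # The 11:10 AM question: an address off the interface subnet must be routed to the firewall.
            findings.append((mapped, f"mapped address is outside {mapped_if.network}; upstream must route it to the firewall"))
        else:
            findings.append((mapped, "ok"))
    return findings


if __name__ == "__main__":
    for mapped, finding in check_statics(SAMPLE_CONFIG):
        print(f"{mapped:15} {finding}")
```

Run against the constructed config, the .21 static passes, the .17 static is flagged as colliding with the outside interface address, and the 198.51.100.5 static is flagged as off-subnet. A passing result for the thread's actual static (.21 inside the .16/29 block, not equal to .17) is consistent with the last reply's conclusion that nothing in the posted lines explains the symptom.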
05-08-2007 02:55 PM
Strange, I really don't see anything wrong here... Would be interesting to see the full configuration.
05-08-2007 05:22 PM
05-09-2007 09:10 AM
Where is your static statement, isn't that how you said you were facilitating outside connectivity for this single host?
05-09-2007 09:58 AM
I've removed the static statement because the host needs to be able to communicate outside. The static statement in question was previously posted as:
static (inside,outside) aaa.bbb.ccc.21 192.168.6.11 netmask 255.255.255.255
05-09-2007 10:06 AM
I'd be looking for a bug at this point unless we're all overlooking something here.