ASA5510 static map problem

Answered Question
Jun 25th, 2007

Hi, I have a problem with an ASA5510 configuration: I opened access from outside to inside to a mail server and a service on an AS400. But static NAT doesn't work correctly: if I try from the Internet I can't connect, but if I try from a source address in the same network as the ASA's outside interface, everything works.

As an attachment you can find the configuration (for this example I use only private addresses).

If I try to access, for example, HTTPS from a machine with the IP address 10.0.0.234, everything works correctly; if I try from an IP address outside the network 10.0.0.224/27, the ASA rejects the connection.

Where is the solution?

Thank you very much.

Francesco

acomiskey Mon, 06/25/2007 - 09:21

Francesco, your config looks OK. This looks more like a routing problem. Are you sure your object track to 10.0.0.1 is up? Can you ping the machine you are trying from the ASA? Also, check that the network you are coming from has a route to 10.0.0.224/27.

adinef001 Mon, 06/25/2007 - 12:12

Thanks a lot for the quick answer. I'm sure that this is not a routing problem, because I have to substitute a PIX 506 with a similar configuration, and the routing is good for the 506 and not for the ASA. I checked the ASA routing table and I'm sure that the routes are correct (track is good).

What can I do?

vitripat Mon, 06/25/2007 - 12:19

Can you log in to the outside router and clear the ARP cache on it?

Since things start working when the ASA is substituted with the PIX 506, I think the outside router still has an ARP entry for the PIX 506's outside interface; once you get this cleared, fresh ARP entries will be made with the ASA's MAC address.

clear arp-cache

Hope this helps.

Regards,

Vibhor.

adinef001 Mon, 06/25/2007 - 12:25

But from inside I can browse the net. If the problem were the ARP cache, I couldn't browse the Internet either. From the inside I can go out, and from the outside I can use inside services only from addresses in the outside IP network.

Thank you a lot.

adinef001 Tue, 06/26/2007 - 14:08

I checked the configuration again and I found a new thing: if I remove the configuration about tracking for the dual ISP, everything works correctly. Is it possible that "show route" shows a route but this doesn't work?

Correct Answer
acomiskey Tue, 06/26/2007 - 14:50

I've never done route tracking on the ASA, but is there a "show track" command? Can you ping 10.0.0.1 from the ASA? It seems like the track was down.
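
The following is an added illustration of the setup this thread is about, not Francesco's attached configuration (which is not reproduced here): a dual-ISP tracked default route on an ASA, followed by the commands acomiskey's answer points to. The tracked address 10.0.0.1 comes from the thread; the interface names, the backup gateway and the SLA/track numbers are placeholders. The point it shows is why the symptom looks the way it does: when the track is down the primary default route is withdrawn, so hosts on the directly connected outside subnet (10.0.0.224/27) still get replies via the connected route, while anything beyond the gateway gets no return route and the connection fails even though the static NAT is correct.

```cisco
! --- Tracked primary default route (placeholder names/numbers) ---
sla monitor 1
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
! Primary default route is installed only while track 1 is UP
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1 track 1
! Backup default route via the second ISP (placeholder gateway)
route backup 0.0.0.0 0.0.0.0 192.0.2.1 254
!
! --- Verification from the ASA CLI ---
! 1. Is the tracked target actually reachable from the outside interface?
ping outside 10.0.0.1
! 2. Does the track object report "Reachability is Up"?
show track 1
! 3. Is the primary default route present, or has it been replaced by the backup?
show route
! 4. Is the SLA probe succeeding (latest operation return code)?
show sla monitor operational-state
```

If "show track 1" reports Down while "ping outside 10.0.0.1" succeeds, check that the SLA probe's source interface and target match the actual path; if the ping also fails, the problem is upstream of the ASA rather than in the NAT configuration.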

adinef001 Wed, 06/27/2007 - 12:28

I don't know what happened, but I configured the tracking feature again and magically everything works fine...

Thank you all for the precious help.
