ASA5510 static map problem

Answered Question
Jun 25th, 2007

Hi, I have a problem with an ASA5510 configuration: I opened access from outside to inside to a mail server and a service to an AS400. But static NAT doesn't work correctly: if I try from internet I can't, but if I try from a source address in the same class of interface outside of the ASA all works.

As an attachment you can find the configuration (for this example I use all private addresses).

If I try to access, for example, https from a machine with IP address all works correctly; if I try from an IP address outside the network, the ASA rejects the connection.

Where is the solution?

Thank you very much.


acomiskey Mon, 06/25/2007 - 09:21

Francesco, your config looks ok. This looks like more of a routing problem. Are you sure your object track to is up? Can you ping the machine you are trying from the ASA? Also, check the network where you are coming from has a route to

adinef001 Mon, 06/25/2007 - 12:12

Thanks a lot for the quick answer. I'm sure that this is not a routing problem because I have to substitute a PIX506 with a similar configuration, and the routing is good for the 506 and not for the ASA. I checked the ASA routing table and I'm sure that the routes are correct (track is good).

What can I do?

vitripat Mon, 06/25/2007 - 12:19

Can you login to the outside router and clear the "arp cache" on it?

As when the ASA is substituted with the PIX506 things start working, I think the outside router still has an ARP entry for the PIX-506's outside interface. Once you get this cleared, fresh ARP entries will be made with the ASA's MAC address.

clear arp-cache

Hope this helps.



adinef001 Mon, 06/25/2007 - 12:25

But from inside I can browse the net. If the problem is arp cache, I can't browse internet too. From the inside I can go out and from the outside I can use inside services only from addresses of outside IP network.

Thank you a lot.

adinef001 Tue, 06/26/2007 - 14:08

I checked the configuration again and I found a new thing: if I remove the configuration for dual-ISP tracking, all works correctly. Is it possible that "show route" shows a route but it doesn't work?

Correct Answer
acomiskey Tue, 06/26/2007 - 14:50

I've never done route tracking on the ASA, but is there a "show track" command? Can you ping from the ASA? It seems like the track was down.

adinef001 Wed, 06/27/2007 - 12:28

I don't know what happened, but I configured the tracking feature again and magically all works fine...

Thank you to all for precious help

