
ASA5510 static map problem

adinef001
Level 1

Hi, I have a problem with an ASA5510 configuration: I opened access from outside to inside to a mail server and a service to an AS400. But static NAT doesn't work correctly: if I try from internet I can't, but if I try from a source address in the same class of interface outside of the ASA all works.

As an attachment you can find the configuration (for this example I use all private addresses).

If I try to access, for example, to https from a machine with 10.0.0.234 IP address all works correctly, if I try from an IP address outside network 10.0.0.224/27 ASA reject the connection.

Where is the solution?

Thank you very much.

Francesco

1 Accepted Solution


I've never done route tracking on the ASA, but is there a "show track" command? Can you ping 10.0.0.1 from the ASA? It seems like the track was down.


7 Replies

acomiskey
Level 10

Francesco, your config looks ok. This looks like more of a routing problem. Are you sure your object track to 10.0.0.1 is up? Can you ping the machine you are trying from the ASA? Also, check the network where you are coming from has a route to 10.0.0.224/27.

Thanks a lot for the quick answer. I'm sure that this is not a routing problem because I have to substitute a pix506 with a similar configuration, and the routing is good for the 506 and not for the ASA. I checked the ASA routing table and I'm sure that the routes are correct (track is good).

What can I do?

Can you login to the outside router and clear the "arp cache" on it?

As when the ASA is substituted with the PIX506 things start working, I think the outside router still has an ARP entry for the PIX-506's outside interface. Once you get this cleared, fresh ARP entries will be made with the ASA's MAC address.

clear arp-cache

Hope this helps.

Regards,

Vibhor.

But from inside I can browse the net. If the problem is the ARP cache, I can't browse the internet either. From the inside I can go out, and from the outside I can use inside services only from addresses of the outside IP network.

Thank you a lot.

I checked the configuration again and I found a new thing: if I remove the configuration about tracking dual ISP, all works correctly. Is it possible that "show route" says a route but this doesn't work?

I've never done route tracking on the ASA, but is there a "show track" command? Can you ping 10.0.0.1 from the ASA? It seems like the track was down.

I don't know what happened, but I configured the tracking feature again and magically all works fine...

Thank you to all for the precious help.
